866451 – Space in token string leads to exceptions in logs.

Bug 866451 - Space in token string leads to exceptions in logs.

Summary: Space in token string leads to exceptions in logs.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	1.0 (Essex)
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	snapshot4
Target Release:	2.1
Assignee:	Alan Pevec
QA Contact:	Jaroslav Henner
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-15 11:59 UTC by Jaroslav Henner
Modified:	2016-04-26 22:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:	openstack-keystone-2012.2.3-4.el6ost
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-03-21 19:03:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0672	0	normal	SHIPPED_LIVE	Red Hat OpenStack 2.0 (Folsom) Preview bug fix and enhancement update	2013-03-21 23:02:46 UTC

Description Jaroslav Henner 2012-10-15 11:59:28 UTC

Description of problem:
Sending invalid token (containing space) leads to exceptions in api.log.

Version-Release number of selected component (if applicable):
openstack-keystone-2012.1.2-4.el6.noarch

How reproducible:


Steps to Reproduce:
1. curl http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action -H 'X-Auth-Token: a b' -H 'Content-Type: application/json' -d '<?xml version="1.0" encoding="UTF-8"?>\n<addFloatingIp address="10.11.12.13"/>' -X POST -v
  
Actual results:
2012-10-15 11:39:15 INFO nova.api.openstack [-] http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action returned with HTTP 500
2012-10-15 11:39:20 INFO nova.virt.libvirt.connection [-] Compute_service record updated for node-02.lithium.rhev.lab.eng.brq.redhat.com 
2012-10-15 11:39:53 ERROR nova.api.openstack [-] Caught error: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack Traceback (most recent call last):
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 82, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     return req.get_response(self.application)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response
2012-10-15 11:39:53 TRACE nova.api.openstack     application, catch_exc_info=False)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application
2012-10-15 11:39:53 TRACE nova.api.openstack     app_iter = application(self.environ, start_response)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 174, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     user_headers = self._build_user_headers(token_info)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 396, in _build_user_headers
2012-10-15 11:39:53 TRACE nova.api.openstack     user = token_info['access']['user']
2012-10-15 11:39:53 TRACE nova.api.openstack KeyError: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack 


Expected results:
Some message about auth deny.


Additional info:

Comment 1 Jaroslav Henner 2012-10-15 12:08:21 UTC

The POST to the nova-api looks like following:

> POST /v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.24 libssh2/1.4.1
> Host: nova-api.lithium.rhev.lab.eng.brq.redhat.com:8774
> Accept: */*
> X-Auth-Token: a b
> Content-Type: application/json
> Content-Length: 77
> 
* upload completely sent off: 77 out of 77 bytes
< HTTP/1.1 500 Internal Server Error
< Content-Length: 128
< Content-Type: application/json; charset=UTF-8
< Date: Mon, 15 Oct 2012 12:04:01 GMT
< 
* Connection #0 to host nova-api... left intact
{"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}* Closing connection #0


I also don't like it is failing with HTTP 500 and not with HTTP 401 Unauthorized.

Note there is https://bugs.launchpad.net/keystone/+bug/974319

Comment 3 Adam Young 2012-12-14 19:34:48 UTC

Upstream fix for Grizzly

https://review.openstack.org/#/c/18062/

Comment 13 errata-xmlrpc 2013-03-21 19:03:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0672.html

Note You need to log in before you can comment on or make changes to this bug.