Bug 866451 - Space in token string leads to exceptions in logs.
Space in token string leads to exceptions in logs.
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
1.0 (Essex)
x86_64 Linux
medium Severity low
: snapshot4
: 2.1
Assigned To: Alan Pevec
Jaroslav Henner
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2012-10-15 07:59 EDT by Jaroslav Henner
Modified: 2016-04-26 18:28 EDT (History)
1 user (show)

See Also:
Fixed In Version: openstack-keystone-2012.2.3-4.el6ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-03-21 15:03:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jaroslav Henner 2012-10-15 07:59:28 EDT
Description of problem:
Sending invalid token (containing space) leads to exceptions in api.log.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. curl http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action -H 'X-Auth-Token: a b' -H 'Content-Type: application/json' -d '<?xml version="1.0" encoding="UTF-8"?>\n<addFloatingIp address=""/>' -X POST -v
Actual results:
2012-10-15 11:39:15 INFO nova.api.openstack [-] http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action returned with HTTP 500
2012-10-15 11:39:20 INFO nova.virt.libvirt.connection [-] Compute_service record updated for node-02.lithium.rhev.lab.eng.brq.redhat.com 
2012-10-15 11:39:53 ERROR nova.api.openstack [-] Caught error: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack Traceback (most recent call last):
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 82, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     return req.get_response(self.application)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response
2012-10-15 11:39:53 TRACE nova.api.openstack     application, catch_exc_info=False)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application
2012-10-15 11:39:53 TRACE nova.api.openstack     app_iter = application(self.environ, start_response)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 174, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     user_headers = self._build_user_headers(token_info)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 396, in _build_user_headers
2012-10-15 11:39:53 TRACE nova.api.openstack     user = token_info['access']['user']
2012-10-15 11:39:53 TRACE nova.api.openstack KeyError: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack 

Expected results:
Some message about auth deny.

Additional info:
Comment 1 Jaroslav Henner 2012-10-15 08:08:21 EDT
The POST to the nova-api looks like following:

> POST /v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/ zlib/1.2.5 libidn/1.24 libssh2/1.4.1
> Host: nova-api.lithium.rhev.lab.eng.brq.redhat.com:8774
> Accept: */*
> X-Auth-Token: a b
> Content-Type: application/json
> Content-Length: 77
* upload completely sent off: 77 out of 77 bytes
< HTTP/1.1 500 Internal Server Error
< Content-Length: 128
< Content-Type: application/json; charset=UTF-8
< Date: Mon, 15 Oct 2012 12:04:01 GMT
* Connection #0 to host nova-api... left intact
{"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}* Closing connection #0

I also don't like it is failing with HTTP 500 and not with HTTP 401 Unauthorized.

Note there is https://bugs.launchpad.net/keystone/+bug/974319
Comment 3 Adam Young 2012-12-14 14:34:48 EST
Upstream fix for Grizzly

Comment 13 errata-xmlrpc 2013-03-21 15:03:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.