917125 – Cinder on server side issues responses with client side error codes

Bug 917125 - Cinder on server side issues responses with client side error codes

Summary: Cinder on server side issues responses with client side error codes

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-cinder
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	4.0
Assignee:	Eric Harney
QA Contact:	Giulio Fidente
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-03-01 19:17 UTC by Attila Fazekas
Modified:	2016-04-26 23:04 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-18 15:09:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
how to reproduce (6.08 KB, text/plain) 2013-05-21 17:27 UTC, Eric Harney	no flags	Details
View All

Description Attila Fazekas 2013-03-01 19:17:40 UTC

If the server not able to communicate with keystone or with the relational database it is a server side issue. Using 4xx HTTP status code in the error responses is not correct in this case. The 5xx codes are appropriate.

You can reproduce this issues by ruin your settings in the  /etc/cinder/cinder.conf [keystone_authtoken] section or you miss configure the  [Default].sql_connection.

python-cinder-2012.2.3-4.el6ost.noarch

Comment 2 Eric Harney 2013-05-21 17:27:34 UTC

Created attachment 751330 [details]
how to reproduce

It looks like the sql_connection being wrong does return a 500, but keystone settings being wrong can return a 401.

Comment 3 Eric Harney 2013-05-21 17:30:03 UTC

From cinder/api.log:  looks like 401 is being passed from keystone.middleware

2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token c681ef1ad3a94af3a14137b98ed4d56c
2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token 29e2f71817de41d9b0cfc5f66838d8ef
2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request

Comment 4 Eric Harney 2013-05-21 17:36:53 UTC

FWIW, Nova has this behavior too.

Comment 5 Eric Harney 2013-05-21 18:05:44 UTC

Adam:

I'm curious what you think about this -- if Cinder isn't able to talk to Keystone correctly due to Cinder's keystone_authtoken settings not being correct, should Cinder return 500 or 401 error codes?

I'm not 100% convinced this is a bug -- it may be returning 401 by design.

Comment 6 Eric Harney 2013-07-18 15:09:09 UTC

From ayoung:

"I don't know if Keystone client can determine the difference between misconfigured and erroneous.  I think the 401 means, in this case "we can't authenticate you" which is the right response."

This makes sense to me as well.

Note You need to log in before you can comment on or make changes to this bug.