If the server not able to communicate with keystone or with the relational database it is a server side issue. Using 4xx HTTP status code in the error responses is not correct in this case. The 5xx codes are appropriate. You can reproduce this issues by ruin your settings in the /etc/cinder/cinder.conf [keystone_authtoken] section or you miss configure the [Default].sql_connection. python-cinder-2012.2.3-4.el6ost.noarch
Created attachment 751330 [details] how to reproduce It looks like the sql_connection being wrong does return a 500, but keystone settings being wrong can return a 401.
From cinder/api.log: looks like 401 is being passed from keystone.middleware 2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}} 2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token c681ef1ad3a94af3a14137b98ed4d56c 2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request 2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}} 2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token 29e2f71817de41d9b0cfc5f66838d8ef 2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request
FWIW, Nova has this behavior too.
Adam: I'm curious what you think about this -- if Cinder isn't able to talk to Keystone correctly due to Cinder's keystone_authtoken settings not being correct, should Cinder return 500 or 401 error codes? I'm not 100% convinced this is a bug -- it may be returning 401 by design.
From ayoung: "I don't know if Keystone client can determine the difference between misconfigured and erroneous. I think the 401 means, in this case "we can't authenticate you" which is the right response." This makes sense to me as well.