Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 917125

Summary: Cinder on server side issues responses with client side error codes
Product: Red Hat OpenStack Reporter: Attila Fazekas <afazekas>
Component: openstack-cinderAssignee: Eric Harney <eharney>
Status: CLOSED NOTABUG QA Contact: Giulio Fidente <gfidente>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.0CC: abaron, ayoung, eharney, hateya
Target Milestone: ---   
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-18 15:09:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
how to reproduce none

Description Attila Fazekas 2013-03-01 19:17:40 UTC 
If the server not able to communicate with keystone or with the relational database it is a server side issue. Using 4xx HTTP status code in the error responses is not correct in this case. The 5xx codes are appropriate.

You can reproduce this issues by ruin your settings in the  /etc/cinder/cinder.conf [keystone_authtoken] section or you miss configure the  [Default].sql_connection.

python-cinder-2012.2.3-4.el6ost.noarch
Comment 2 Eric Harney 2013-05-21 17:27:34 UTC 
Created attachment 751330 [details]
how to reproduce

It looks like the sql_connection being wrong does return a 500, but keystone settings being wrong can return a 401.
Comment 3 Eric Harney 2013-05-21 17:30:03 UTC 
From cinder/api.log:  looks like 401 is being passed from keystone.middleware

2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token c681ef1ad3a94af3a14137b98ed4d56c
2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Unexpected response from keystone service: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}
2013-05-21 13:29:14 3175 WARNING keystone.middleware.auth_token [-] Authorization failed for token 29e2f71817de41d9b0cfc5f66838d8ef
2013-05-21 13:29:14 3175 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request
Comment 4 Eric Harney 2013-05-21 17:36:53 UTC 
FWIW, Nova has this behavior too.
Comment 5 Eric Harney 2013-05-21 18:05:44 UTC 
Adam:

I'm curious what you think about this -- if Cinder isn't able to talk to Keystone correctly due to Cinder's keystone_authtoken settings not being correct, should Cinder return 500 or 401 error codes?

I'm not 100% convinced this is a bug -- it may be returning 401 by design.
Comment 6 Eric Harney 2013-07-18 15:09:09 UTC 
From ayoung:

"I don't know if Keystone client can determine the difference between misconfigured and erroneous.  I think the 401 means, in this case "we can't authenticate you" which is the right response."

This makes sense to me as well.