Bug 919526 - Temporary network outage results in connection refused and invalid token
Summary: Temporary network outage results in connection refused and invalid token
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 2.0 (Folsom)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: async
: 2.1
Assignee: Alan Pevec
QA Contact: Pavel Sedlák
URL:
Whiteboard:
Depends On: 950132
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-08 17:53 UTC by Alan Pevec
Modified: 2022-07-09 06:06 UTC (History)
2 users (show)

Fixed In Version: openstack-keystone-2012.2.4-1.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-09 18:16:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Script used for verification - sends requests during keystone restart or while traffic is rejected (1.69 KB, text/x-python)
2013-05-02 19:29 UTC, Pavel Sedlák 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1150299 0 None None None Never
OpenStack gerrit 23729 0 None None None Never
Red Hat Product Errata RHSA-2013:0806 0 normal SHIPPED_LIVE Low: openstack-keystone security and bug fix update 2013-05-09 22:13:52 UTC

Description Alan Pevec 2013-03-08 17:53:09 UTC 
Description of problem:
The auth_token middleware does not retry if it gets an http error. This means a temporary network outage or keystone restart will cause the token to be listed as invalid. The middleware should retry a few times before failing.
Comment 4 Pavel Sedlák 2013-05-02 19:29:14 UTC 
Created attachment 742897 [details]
Script used for verification - sends requests during keystone restart or while traffic is rejected

This script obtains token from keystone, then launches requests for nova servers list.

First, third and fifth are alignment tests and should always succeed.
When this bug is not fixed:
- second request should fail because keystone is restarting
- fourth request should fail because keystone traffic is rejected by iptables

Output for new version - openstack-keystone-2012.2.4-1.el6ost:
> $ ./919526-network-outage-unauth.py 
> OK
> Stopping keystone:                                         [  OK  ]
> Starting keystone:                                         [  OK  ]
> OLD SHOULD FAIL ::  OK
> OK
> OLD SHOULD FAIL ::  OK
> OK

Output for old version - openstack-keystone-2012.2.3-8.el6ost:
> OK
> Stopping keystone: OLD SHOULD FAIL ::  Failed:
> 401 Unauthorized
> 
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
> 
>  Authentication required  
>                                                            [  OK  ]
> Starting keystone:                                         [  OK  ]
> OK
> OLD SHOULD FAIL ::  Failed:
> 401 Unauthorized
> 
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
> 
>  Authentication required  
> OK
Comment 5 Pavel Sedlák 2013-05-02 19:30:13 UTC 
Verified - details provided with previous comment for example test script.
Comment 7 errata-xmlrpc 2013-05-09 18:16:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0806.html
Note You need to log in before you can comment on or make changes to this bug.