** Description changed: + [Impact] + When a service (nova, cinder, etc) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted: Nova: ERROR: Unauthorized (HTTP 401) (Request-ID: ...) Cinder: ERROR: Unauthorized (HTTP 401) Glance: Request returned failure status. Invalid OpenStack Identity credentials. This bug is fixed in v1.1.0 I'm creating this issue because Ubuntu packages v1.0.0 so potentially many people are running into this problem but I didn't see a bug report for it. The solution is to use a newer version of keystonemiddleware. + + [Test Case] + + 1. start the service with a username, password, and tenant + 2. perform some API request, so the server (ie. nova) gets a token and caches it internally + 3. restart memcache, purging the service's cached token + 4. perform the API request again + + [Regression Potential] + + The fix provided is minimal and has very low regression potential.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1460833 Title: [SRU] admin token is not properly refreshed if it expires in v1.0.0 To manage notifications about this bug go to: https://bugs.launchpad.net/keystonemiddleware/+bug/1460833/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
