Nova does not re-raise 401 Unauthorized received from Neutron for admin users
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Triaged
|
Low
|
Unassigned |
Bug Description
Description
===========
If a Keystone token issued for a admin user (e.g. ceilometer) is expired or revoked right after it's been validated by keystoneauthtok
Steps to reproduce
==================
The condition described above is easy to reproduce synthetically by putting breakpoints into Nova code and revoking a token. One can reproduce the very same problem in real life by running enough ceilometer polling agents.
Make sure you use credentials of an admin user (e.g. admin or ceilometer in Devstack) and have at least 1 instance running (so that `nova list` triggers an HTTP request to neutron-server).
1. Put a breakpoint on entering get_client() nova/network/
2. Do `nova list`
3. Revoke the the issued token with `openstack token revoke $token` (you may also need to restart memcached to make sure token validation result is not cached)
4. Continue execution of nova-api
Expected result
===============
As token is now invalid (expired or revoked), it's expected that nova-api responds with 401 Unauthorized, so that a client can handle this, re-authenticate and retry the original request.
Actual result
=============
nova-api responds with 400 Bad Request and outputs the following error into logs
2017-01-19 15:02:09.952 595 ERROR nova.network.
to generate a valid admin token, please verify Neutron admin credential located in nova.conf
Environment
===========
Devstack, master (Ocata), nova HEAD at da54487edad28c8
Changed in nova: | |
assignee: | nobody → Roman Podoliaka (rpodolyaka) |
tags: | added: api neutron |
Changed in nova: | |
status: | Confirmed → In Progress |
Changed in nova: | |
assignee: | Roman Podoliaka (rpodolyaka) → Vladyslav Drok (vdrok) |
Changed in nova: | |
assignee: | Vladyslav Drok (vdrok) → nobody |
status: | In Progress → Triaged |
importance: | Undecided → Low |
Fix proposed to branch: master /review. openstack. org/422696
Review: https:/