Public bug reported:

If you are authed using application credentials and try to add a loadbalancer listener with TERMINATED_HTTPS, keystone produces an error causing a 500 internal error.

After digging through the code I found that it's caused by keystone adding application_credential as an allowed method and then trying to read application_credential from the auth payload, even when it is not set.

Octavia doesn't try to use application credentials in the payload; it tries to auth with method: ["token"]. It is keystone that adds application_credential as a method.

Octavia auth payload is created here:
https://opendev.org/openstack/octavia/src/branch/master/octavia/certificates/common/auth/barbican_acl.py#L87

The payload sent to keystone looks like this:

{
  "data": {
    "auth": {
      "identity": {
        "methods": ["token"],
        "token": {
          "id": "<token id>"
        }
      },
      "scope": {
        "project": {
          "id": "<project id>"
        }
      }
    }
  }
}

Keystone adds application_secret to allowed_methods here:
https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L206

Keystone then tries to read the id of the application credential, which will fail as it is not included in the auth payload:
https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L210-L212

This causes a keystone error and you get a 500 internal error sent back to octavia.

Steps to reproduce:
1. Create an application credential with openstack application credential create.
2. Auth using the application credential.
3. Try to add a terminated_https loadbalancer with openstack loadbalancer listener create.

If you want to isolate the keystone auth failure without going through octavia you can do so with:

curl -H "Content-Type: application/json" https://<keystone url>/v3/auth/tokens -d '{"auth": {"identity": {"methods": ["token"], "token": {"id": "<token id>"}}, "scope": {"project": {"id": "<project id>"}}}}'

** Affects: keystone
   Importance: Undecided
   Status: New
https://bugs.launchpad.net/bugs/1959674

Title:
  Keystone produce error after trying to read application_credential even if not set

Status in OpenStack Identity (keystone):
  New
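The merge-then-read sequence the report describes, as an added example that is not keystone's or Octavia's code: a constructed payload in the shape shown above, a constructed list of methods carried by the presented token (assumed here to include application_credential, as for a token that was itself obtained with one), the unchecked read that raises, and a checked variant that only dereferences the block when the request actually carries it.

```python
import json

# Constructed auth payload in the shape the bug report shows Octavia sending:
# method "token" only, no "application_credential" block under identity.
OCTAVIA_PAYLOAD = json.loads("""
{"auth": {"identity": {"methods": ["token"],
                       "token": {"id": "<token id>"}},
          "scope": {"project": {"id": "<project id>"}}}}
""")

# Constructed assumption: methods recorded on the token being exchanged. A token
# obtained with an application credential carries that method name.
TOKEN_METHODS = ["application_credential"]


def merged_methods(auth, token_methods):
    """Union of the request's methods and the presented token's methods,
    the merge the report attributes to keystone."""
    return sorted(set(auth["auth"]["identity"]["methods"]) | set(token_methods))


def app_cred_id_unchecked(auth, token_methods):
    """Reads identity['application_credential']['id'] whenever the merged
    method list names application_credential, even though the request has no
    such block. The KeyError here is the reported path to keystone's 500."""
    identity = auth["auth"]["identity"]
    if "application_credential" in merged_methods(auth, token_methods):
        return identity["application_credential"]["id"]
    return None


def app_cred_id_checked(auth, token_methods):
    """Only dereferences the application_credential block when the request
    actually carries one; a method name inherited from the token is not enough."""
    identity = auth["auth"]["identity"]
    if "application_credential" in merged_methods(auth, token_methods):
        app_cred = identity.get("application_credential")
        if app_cred and "id" in app_cred:
            return app_cred["id"]
    return None


def reproduce():
    """Returns (unchecked_outcome, checked_outcome) for the Octavia-style payload."""
    try:
        unchecked = app_cred_id_unchecked(OCTAVIA_PAYLOAD, TOKEN_METHODS)
    except KeyError as exc:
        unchecked = f"KeyError: {exc}"
    return unchecked, app_cred_id_checked(OCTAVIA_PAYLOAD, TOKEN_METHODS)
```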

