[Bug 1987355] Please test proposed package

[Timo Aaltonen]

Hello Jorge, or anyone else affected,

Accepted python-keystonemiddleware into focal-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/python-
keystonemiddleware/9.0.0-0ubuntu1.1 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1987355

Title:
  [SRU] Error validating X-Service-Token

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Triaged
Status in Ubuntu Cloud Archive victoria series:
  Triaged
Status in Ubuntu Cloud Archive wallaby series:
  Triaged
Status in Ubuntu Cloud Archive xena series:
  Triaged
Status in Ubuntu Cloud Archive yoga series:
  Triaged
Status in Ubuntu Cloud Archive zed series:
  Triaged
Status in keystonemiddleware:
  Fix Released
Status in python-keystonemiddleware package in Ubuntu:
  Fix Released
Status in python-keystonemiddleware source package in Focal:
  Fix Committed
Status in python-keystonemiddleware source package in Jammy:
  Fix Committed
Status in python-keystonemiddleware source package in Lunar:
  Fix Released
Status in python-keystonemiddleware source package in Mantic:
  Fix Released

Bug description:
  [Impact]
  This bug can cause a race condition for long running services that reuse their token (eg. Kubernetes Cinder CSI plugin) when the following occurs:

  1 [service] Asks nova to attach a volume to a server
  2 ...the user's token expires
  3 [service] Asks cinder if the volume has been attached
  4 [nova] Asks cinder to attach the volume

  In step 3 the token is marked as invalid in the cache and step 4 fails
  even if the token is accompanied by a valid service token. The key is
  that step 3 has to happen before step 4 which is not frequent hence
  the race condition.

  Also, the client will ask for a new user token if it is not authorized
  in the calls in steps 1 or 3 but if the token is marked as invalid in
  step 3 then step 4 fails and the volume becomes stuck in "detaching"
  status.

  [Test Plan]
  It hard to reproduce this bug as it depends on the timing of packets and the token expiration. I was able to reproduce by reducing the token expiration to 60 seconds and running a go script that is constantly attaching and detaching volumes. Even then it may take some time for the bug to occur.

  The code used is here: https://paste.ubuntu.com/p/CbGNzGxYt9/
  The openstack auth information should be set in lines 99-105 and then the script should be called with 3 parameters: the id of a volume and the ids of two servers. The script attaches and detaches the volume between those two servers.

  [Where problems could occur]
  The patch removes code that work as an optimization in order to save the time needed for rechecking invalid tokens. So it should not add problems beside the loss of the optimization. The new code will return all tokens from the cache for validation instead of throwing an exception. If the token is actually invalid it will be detected later on.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1987355/+subscriptions