[Bug 1987355] Please test proposed package

[Corey Bryant]

Hello Jorge, or anyone else affected,

Accepted python-keystonemiddleware into wallaby-proposed. The package
will build now and be available in the Ubuntu Cloud Archive in a few
hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:wallaby-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-wallaby-needed to verification-wallaby-done. If it
does not fix the bug for you, please add a comment stating that, and
change the tag to verification-wallaby-failed. In either case, details
of your testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/wallaby
       Status: Triaged => Fix Committed

** Tags added: verification-wallaby-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1987355

Title:
  [SRU] Error validating X-Service-Token

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Committed
Status in keystonemiddleware:
  Fix Released
Status in python-keystonemiddleware package in Ubuntu:
  Fix Released
Status in python-keystonemiddleware source package in Focal:
  Fix Committed
Status in python-keystonemiddleware source package in Jammy:
  Fix Committed
Status in python-keystonemiddleware source package in Lunar:
  Fix Released
Status in python-keystonemiddleware source package in Mantic:
  Fix Released

Bug description:
  [Impact]
  This bug can cause a race condition for long running services that reuse their token (eg. Kubernetes Cinder CSI plugin) when the following occurs:

  1 [service] Asks nova to attach a volume to a server
  2 ...the user's token expires
  3 [service] Asks cinder if the volume has been attached
  4 [nova] Asks cinder to attach the volume

  In step 3 the token is marked as invalid in the cache and step 4 fails
  even if the token is accompanied by a valid service token. The key is
  that step 3 has to happen before step 4 which is not frequent hence
  the race condition.

  Also, the client will ask for a new user token if it is not authorized
  in the calls in steps 1 or 3 but if the token is marked as invalid in
  step 3 then step 4 fails and the volume becomes stuck in "detaching"
  status.

  [Test Plan]
  It hard to reproduce this bug as it depends on the timing of packets and the token expiration. I was able to reproduce by reducing the token expiration to 60 seconds and running a go script that is constantly attaching and detaching volumes. Even then it may take some time for the bug to occur.

  The code used is here: https://paste.ubuntu.com/p/CbGNzGxYt9/
  The openstack auth information should be set in lines 99-105 and then the script should be called with 3 parameters: the id of a volume and the ids of two servers. The script attaches and detaches the volume between those two servers.

  [Where problems could occur]
  The patch removes code that work as an optimization in order to save the time needed for rechecking invalid tokens. So it should not add problems beside the loss of the optimization. The new code will return all tokens from the cache for validation instead of throwing an exception. If the token is actually invalid it will be detected later on.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1987355/+subscriptions