[Bug 1987355] Re: [SRU] Error validating X-Service-Token

Jorge Merlino 1987355 at bugs.launchpad.net
Wed Sep 27 18:17:21 UTC 2023


Tested OK on cloud archive for:

wallaby: version 9.2.0-0ubuntu1~cloud1
xena: version 9.3.0-0ubuntu1~cloud1
yoga: version 9.4.0-0ubuntu1.1~cloud0
zed: version 10.1.0-0ubuntu1~cloud1

** Tags removed: verification-wallaby-needed verification-xena-needed verification-yoga-needed verification-zed-needed
** Tags added: verification-wallaby-done verification-xena-done verification-yoga-done verification-zed-done

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1987355

Title:
  [SRU] Error validating X-Service-Token

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Committed
Status in keystonemiddleware:
  Fix Released
Status in python-keystonemiddleware package in Ubuntu:
  Fix Released
Status in python-keystonemiddleware source package in Focal:
  Fix Committed
Status in python-keystonemiddleware source package in Jammy:
  Fix Committed
Status in python-keystonemiddleware source package in Lunar:
  Fix Released
Status in python-keystonemiddleware source package in Mantic:
  Fix Released

Bug description:
  [Impact]
  This bug can cause a race condition for long-running services that reuse their token (e.g. Kubernetes Cinder CSI plugin) when the following occurs:

  1 [service] Asks nova to attach a volume to a server
  2 ...the user's token expires
  3 [service] Asks cinder if the volume has been attached
  4 [nova] Asks cinder to attach the volume

  In step 3 the token is marked as invalid in the cache and step 4 fails
  even if the token is accompanied by a valid service token. The key is
  that step 3 has to happen before step 4, which is not frequent, hence
  the race condition.

  Also, the client will ask for a new user token if it is not authorized
  in the calls in steps 1 or 3 but if the token is marked as invalid in
  step 3 then step 4 fails and the volume becomes stuck in "detaching"
  status.

  [Test Plan]
  It is hard to reproduce this bug as it depends on the timing of packets and the token expiration. I was able to reproduce it by reducing the token expiration to 60 seconds and running a Go script that is constantly attaching and detaching volumes. Even then it may take some time for the bug to occur.

  The code used is here: https://paste.ubuntu.com/p/CbGNzGxYt9/
  The openstack auth information should be set in lines 99-105 and then the script should be called with 3 parameters: the id of a volume and the ids of two servers. The script attaches and detaches the volume between those two servers.

  [Where problems could occur]
  The patch removes code that works as an optimization in order to save the time needed for rechecking invalid tokens. So it should not add problems besides the loss of the optimization. The new code will return all tokens from the cache for validation instead of throwing an exception. If the token is actually invalid it will be detected later on.
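
The ordering described in the bug (step 3 before step 4, after the user token has expired) can be replayed in a small model. This is an added example, not keystonemiddleware code and not part of the original report: the class, token names and times are hypothetical, and the model assumes that a valid service token lets an expired user token pass validation.

```python
INVALID = "invalid"  # cache marker left behind by a failed validation


class InvalidToken(Exception):
    pass


class TokenCheck:
    """Toy model of a token-validating middleware (hypothetical names)."""

    def __init__(self, expiry, short_circuit):
        self.expiry = expiry                # token -> expiry time (constructed)
        self.short_circuit = short_circuit  # True models the removed optimization
        self.cache = {}                     # user token -> INVALID marker

    def _validate(self, token, now, allow_expired=False):
        # Stand-in for the full validation that happens after the cache lookup.
        exp = self.expiry.get(token)
        if exp is None or (now >= exp and not allow_expired):
            raise InvalidToken(token)

    def request(self, user_token, now, service_token=None):
        if self.short_circuit and self.cache.get(user_token) == INVALID:
            raise InvalidToken(user_token)  # rejected on the cache entry alone
        # Assumption: a valid service token lets an expired user token through.
        allow_expired = False
        if service_token is not None:
            self._validate(service_token, now)
            allow_expired = True
        try:
            self._validate(user_token, now, allow_expired)
        except InvalidToken:
            self.cache[user_token] = INVALID
            raise
        return "ok"


def run_steps_3_then_4(short_circuit):
    """Replay steps 3 and 4 against one volume-service cache, after expiry."""
    expiry = {"user-tok": 60, "nova-svc-tok": 3600}  # constructed sample tokens
    mw = TokenCheck(expiry, short_circuit)
    results = []
    for svc in (None, "nova-svc-tok"):  # step 3 (no service token), then step 4
        try:
            results.append(mw.request("user-tok", now=61, service_token=svc))
        except InvalidToken:
            results.append("rejected")
    return results
```

With `short_circuit=True` both calls are rejected, which is the failure in step 4; with `short_circuit=False` step 3 is still rejected but step 4 is validated and succeeds.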
