Remove cache invalidation when using expired token
This can create a race condition for long running services that reuse their token (eg. Kubernetes Cinder CSI plugin) in this case for example: 1 [user] Asks nova to attach a volume to a server 2 ...the user's token expires 3 [user] Asks cinder if the volume has been attached 4 [nova] Asks cinder to attach the volume In step 3 the token is marked as invalid in the cache and step 4 fails even if allow_expired is true Closes-Bug: #1987355 Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e
This commit is contained in:
parent
dc0b796495
commit
e05466c5f4
@ -245,7 +245,6 @@ from keystonemiddleware.i18n import _
|
|||||||
|
|
||||||
|
|
||||||
_LOG = logging.getLogger(__name__)
|
_LOG = logging.getLogger(__name__)
|
||||||
_CACHE_INVALID_INDICATOR = 'invalid'
|
|
||||||
oslo_cache.configure(cfg.CONF)
|
oslo_cache.configure(cfg.CONF)
|
||||||
|
|
||||||
AUTH_TOKEN_OPTS = [
|
AUTH_TOKEN_OPTS = [
|
||||||
@ -736,10 +735,6 @@ class AuthProtocol(BaseAuthProtocol):
|
|||||||
cached = self._token_cache.get(token)
|
cached = self._token_cache.get(token)
|
||||||
|
|
||||||
if cached:
|
if cached:
|
||||||
if cached == _CACHE_INVALID_INDICATOR:
|
|
||||||
self.log.debug('Cached token is marked unauthorized')
|
|
||||||
raise ksm_exceptions.InvalidToken()
|
|
||||||
|
|
||||||
# NOTE(jamielennox): Cached values used to be stored as a tuple
|
# NOTE(jamielennox): Cached values used to be stored as a tuple
|
||||||
# of data and expiry time. They no longer are but we have to
|
# of data and expiry time. They no longer are but we have to
|
||||||
# allow some time to transition the old format so if it's a
|
# allow some time to transition the old format so if it's a
|
||||||
@ -769,7 +764,6 @@ class AuthProtocol(BaseAuthProtocol):
|
|||||||
'The Keystone service is temporarily unavailable.')
|
'The Keystone service is temporarily unavailable.')
|
||||||
except ksm_exceptions.InvalidToken:
|
except ksm_exceptions.InvalidToken:
|
||||||
self.log.debug('Token validation failure.', exc_info=True)
|
self.log.debug('Token validation failure.', exc_info=True)
|
||||||
self._token_cache.set(token, _CACHE_INVALID_INDICATOR)
|
|
||||||
self.log.warning('Authorization failed for token')
|
self.log.warning('Authorization failed for token')
|
||||||
raise
|
raise
|
||||||
except ksa_exceptions.EndpointNotFound:
|
except ksa_exceptions.EndpointNotFound:
|
||||||
|
@ -595,25 +595,6 @@ class CommonAuthTokenMiddlewareTest(object):
|
|||||||
token = 'invalid-token'
|
token = 'invalid-token'
|
||||||
self.call_middleware(headers={'X-Auth-Token': token},
|
self.call_middleware(headers={'X-Auth-Token': token},
|
||||||
expected_status=401)
|
expected_status=401)
|
||||||
self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
|
|
||||||
self._get_cached_token(token))
|
|
||||||
|
|
||||||
def test_memcache_hit_invalid_token(self):
|
|
||||||
token = 'invalid-token'
|
|
||||||
invalid_uri = '%s/v3/tokens/invalid-token' % BASE_URI
|
|
||||||
self.requests_mock.get(invalid_uri, status_code=404)
|
|
||||||
|
|
||||||
# Call once to cache token's invalid state; verify it cached as such
|
|
||||||
self.call_middleware(headers={'X-Auth-Token': token},
|
|
||||||
expected_status=401)
|
|
||||||
self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
|
|
||||||
self._get_cached_token(token))
|
|
||||||
|
|
||||||
# Call again for a cache hit; verify it detected as cached and invalid
|
|
||||||
self.call_middleware(headers={'X-Auth-Token': token},
|
|
||||||
expected_status=401)
|
|
||||||
self.assertIn('Cached token is marked unauthorized',
|
|
||||||
self.logger.output)
|
|
||||||
|
|
||||||
def test_memcache_set_expired(self, extra_conf={}, extra_environ={}):
|
def test_memcache_set_expired(self, extra_conf={}, extra_environ={}):
|
||||||
token_cache_time = 10
|
token_cache_time = 10
|
||||||
|
Loading…
x
Reference in New Issue
Block a user