openstack/keystonemiddleware
Code Issues Proposed changes

Remove cache invalidation when using expired token

Browse Source 
This can create a race condition for long running services that reuse
their token (eg. Kubernetes Cinder CSI plugin) in this case for
example:

1 [user] Asks nova to attach a volume to a server
2 ...the user's token expires
3 [user] Asks cinder if the volume has been attached
4 [nova] Asks cinder to attach the volume

In step 3 the token is marked as invalid in the cache and step 4 fails
even if allow_expired is true

Closes-Bug: #1987355
Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e
This commit is contained in:
Jorge Merlino 2022-10-05 14:41:06 -03:00
parent dc0b796495
commit e05466c5f4
2 changed files with 0 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
keystonemiddleware/auth_token/__init__.py
View File

@ -245,7 +245,6 @@ from keystonemiddleware.i18n import _
_LOG = logging.getLogger(__name__) _LOG = logging.getLogger(__name__)
_CACHE_INVALID_INDICATOR = 'invalid'
oslo_cache.configure(cfg.CONF) oslo_cache.configure(cfg.CONF)
AUTH_TOKEN_OPTS = [ AUTH_TOKEN_OPTS = [
@ -736,10 +735,6 @@ class AuthProtocol(BaseAuthProtocol):
cached = self._token_cache.get(token) cached = self._token_cache.get(token)
if cached: if cached:
if cached == _CACHE_INVALID_INDICATOR:
self.log.debug('Cached token is marked unauthorized')
raise ksm_exceptions.InvalidToken()
# NOTE(jamielennox): Cached values used to be stored as a tuple # NOTE(jamielennox): Cached values used to be stored as a tuple
# of data and expiry time. They no longer are but we have to # of data and expiry time. They no longer are but we have to
# allow some time to transition the old format so if it's a # allow some time to transition the old format so if it's a
@ -769,7 +764,6 @@ class AuthProtocol(BaseAuthProtocol):
'The Keystone service is temporarily unavailable.') 'The Keystone service is temporarily unavailable.')
except ksm_exceptions.InvalidToken: except ksm_exceptions.InvalidToken:
self.log.debug('Token validation failure.', exc_info=True) self.log.debug('Token validation failure.', exc_info=True)
self._token_cache.set(token, _CACHE_INVALID_INDICATOR)
self.log.warning('Authorization failed for token') self.log.warning('Authorization failed for token')
raise raise
except ksa_exceptions.EndpointNotFound: except ksa_exceptions.EndpointNotFound:

19
keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
View File

@ -595,25 +595,6 @@ class CommonAuthTokenMiddlewareTest(object):
token = 'invalid-token' token = 'invalid-token'
self.call_middleware(headers={'X-Auth-Token': token}, self.call_middleware(headers={'X-Auth-Token': token},
expected_status=401) expected_status=401)
self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
self._get_cached_token(token))
def test_memcache_hit_invalid_token(self):
token = 'invalid-token'
invalid_uri = '%s/v3/tokens/invalid-token' % BASE_URI
self.requests_mock.get(invalid_uri, status_code=404)
# Call once to cache token's invalid state; verify it cached as such
self.call_middleware(headers={'X-Auth-Token': token},
expected_status=401)
self.assertEqual(auth_token._CACHE_INVALID_INDICATOR,
self._get_cached_token(token))
# Call again for a cache hit; verify it detected as cached and invalid
self.call_middleware(headers={'X-Auth-Token': token},
expected_status=401)
self.assertIn('Cached token is marked unauthorized',
self.logger.output)
def test_memcache_set_expired(self, extra_conf={}, extra_environ={}): def test_memcache_set_expired(self, extra_conf={}, extra_environ={}):
token_cache_time = 10 token_cache_time = 10