libcloud-notifications mailing list archives

From "Michael Farrell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LIBCLOUD-428) OpenStack provider does not check if auth token has expired before trying to use it
Date Mon, 04 Nov 2013 01:41:18 GMT

    [ https://issues.apache.org/jira/browse/LIBCLOUD-428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13812563#comment-13812563 ]

Michael Farrell commented on LIBCLOUD-428:
------------------------------------------

If I call the constructor for {{OpenStackAuthConnection}} in {{OpenStackBaseConnection.__init__}},
there is another issue.  The existing function uses the auth URL from the following sources
in this order:

1. {{self.auth_url}}
2. Constructor parameter {{ex_force_auth_url}}
3. If neither of these are available, it will throw {{LibcloudError}}.

However, if the instantiation of the {{OpenStackAuthConnection}} is done in the {{OpenStackBaseConnection.__init__}}
constructor, it will mean that it is no longer possible to use {{self.auth_url}}, as this
cannot be set before the constructor is called.

A specific example of where this would fail is in {{storage.drivers.CloudFilesConnection}},
where the {{auth_url}} is set after calling the base constructor.

> OpenStack provider does not check if auth token has expired before trying to use it
> -----------------------------------------------------------------------------------
>
>                 Key: LIBCLOUD-428
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-428
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.13.2
>         Environment: Linux Python 2.7
>            Reporter: Michael Farrell
>
> The OpenStack provider (and by extension, the Rackspace provider) does not check to see if the authentication token has expired before attempting to use it.
> In {{libcloud/common/openstack.py}} at {{OpenStackBaseConnection._populate_hosts_and_request_paths}}, the library checks that a token exists, and creates it if it does not.
> The issue is that it does not check if the token has expired, despite having this information in {{self.auth_token_expires}}.
> So a long-running Python process will eventually fail because the token will expire, and the API will return {{HTTP 401 Unauthorized}}.
> I've written a hacky workaround to this, by copying {{OpenStackAuthConnection._is_token_valid}} into {{OpenStackBaseConnection}}, then replacing the {{_populate_hosts_and_requests_paths}} auth token check with a call to {{_is_token_valid}}.
> This is shown in this commit: https://github.com/Caramel/libcloud/commit/317a039
> There's probably a better way to implement it without duplicating this function, but I don't know enough of the codebase to make this change.  I'm also unsure if other drivers that are not based on OpenStack also have this problem.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
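
An added sketch, not libcloud's code and not part of the original message: it pairs the expiry check the issue asks for with building the auth helper on first use, so an {{auth_url}} set after the base constructor is still picked up. All class names, the 30-second skew, the one-hour token lifetime and the example URL are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

class AuthError(Exception):
    """Stand-in for LibcloudError in this sketch."""

class SketchAuth:
    """Hypothetical auth helper holding a token and its expiry time."""
    def __init__(self, auth_url, clock):
        self.auth_url, self.clock = auth_url, clock
        self.auth_token = self.auth_token_expires = None
        self.auth_calls = 0

    def is_token_valid(self, skew=timedelta(seconds=30)):
        # A missing token or a missing expiry both count as invalid.
        if not self.auth_token or not self.auth_token_expires:
            return False
        return self.clock() + skew < self.auth_token_expires

    def authenticate(self):
        # Constructed stand-in for the real token request.
        self.auth_calls += 1
        self.auth_token = "token-%d" % self.auth_calls
        self.auth_token_expires = self.clock() + timedelta(hours=1)

class SketchBaseConnection:
    auth_url = None  # may be set by a subclass after the base constructor

    def __init__(self, ex_force_auth_url=None, clock=None):
        self._ex_force_auth_url = ex_force_auth_url
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._auth = None  # built on first use, not in the constructor

    def _get_auth(self):
        if self._auth is None:
            # Same source order as in the comment: auth_url, then the parameter.
            url = self.auth_url or self._ex_force_auth_url
            if not url:
                raise AuthError("no auth URL available")
            self._auth = SketchAuth(url, self._clock)
        return self._auth

    def token_for_request(self):
        auth = self._get_auth()
        if not auth.is_token_valid():  # expiry check, not just presence
            auth.authenticate()
        return auth.auth_token

class LateUrlConnection(SketchBaseConnection):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.auth_url = "https://auth.example.invalid/v2.0"  # set late
```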
