libcloud-notifications mailing list archives

From "Michael Farrell (JIRA)" <>
Subject [jira] [Commented] (LIBCLOUD-428) OpenStack provider does not check if auth token has expired before trying to use it
Date Mon, 04 Nov 2013 01:41:18 GMT


Michael Farrell commented on LIBCLOUD-428:

If I call the constructor for {{OpenStackAuthConnection}} in {{OpenStackBaseConnection.__init__}},
there is another issue.  The existing function uses the auth URL from the following sources
in this order:

1. {{self.auth_url}}
2. Constructor parameter {{ex_force_auth_url}}
3. If neither of these is available, it will throw {{LibcloudError}}.

However, if the instantiation of the {{OpenStackAuthConnection}} is done in the {{OpenStackBaseConnection.__init__}}
constructor, it will mean that it is no longer possible to use {{self.auth_url}}, as this
cannot be set before the constructor is called.

A specific example of where this would fail is in {{storage.drivers.CloudFilesConnection}},
where the {{auth_url}} is set after calling the base constructor.

> OpenStack provider does not check if auth token has expired before trying to use it
> -----------------------------------------------------------------------------------
>                 Key: LIBCLOUD-428
>                 URL:
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.13.2
>         Environment: Linux Python 2.7
>            Reporter: Michael Farrell
> The OpenStack provider (and by extension, the Rackspace provider) does not check to see if the authentication token has expired before attempting to use it.
> In {{libcloud/common/}} at {{OpenStackBaseConnection._populate_hosts_and_request_paths}}, the library checks that a token exists, and creates it if it does not.
> The issue is that it does not check if the token has expired, despite having this information in {{self.auth_token_expires}}.
> So a long-running Python process will eventually fail because the token will expire, and the API will return {{HTTP 401 Unauthorized}}.
> I've written a hacky workaround to this, by copying {{OpenStackAuthConnection._is_token_valid}} into {{OpenStackBaseConnection}}, then replacing the {{_populate_hosts_and_request_paths}} auth token check with a call to {{_is_token_valid}}.
> This is shown in this commit:
> There's probably a better way to implement it without duplicating this function, but I don't know enough of the codebase to make this change.  I'm also unsure if other drivers that are not based on OpenStack also have this problem.
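
Added example, not part of the original message and not libcloud code: a minimal sketch of the two points discussed in this thread, checking token expiry before every use and creating the auth client lazily so that a subclass can still set {{auth_url}} after the base constructor has run. The class names, the example URL, the 5-second skew and the injectable clock are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

class AuthClient:
    """Hypothetical stand-in for an auth connection; issues expiring tokens."""
    def __init__(self, auth_url, ttl_seconds, clock):
        self.auth_url, self.ttl, self.clock = auth_url, ttl_seconds, clock
        self.calls = 0

    def authenticate(self):
        self.calls += 1
        return "token-%d" % self.calls, self.clock() + timedelta(seconds=self.ttl)

class BaseConnection:
    auth_url = None                  # subclasses may set this after __init__
    SKEW = timedelta(seconds=5)      # assumed margin: refresh slightly early

    def __init__(self, force_auth_url=None, ttl_seconds=60, clock=None):
        self._force_auth_url = force_auth_url
        self._ttl = ttl_seconds
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._auth = None            # deliberately not created here
        self.auth_token = None
        self.auth_token_expires = None

    def _get_auth(self):
        # Resolve the URL at first use: self.auth_url first, then the override.
        if self._auth is None:
            url = self.auth_url or self._force_auth_url
            if not url:
                raise ValueError("no auth URL configured")
            self._auth = AuthClient(url, self._ttl, self._clock)
        return self._auth

    def _is_token_valid(self):
        if not self.auth_token or self.auth_token_expires is None:
            return False
        return self._clock() + self.SKEW < self.auth_token_expires

    def token(self):
        # Re-authenticate when the token is missing OR (nearly) expired.
        if not self._is_token_valid():
            self.auth_token, self.auth_token_expires = self._get_auth().authenticate()
        return self.auth_token

class LateUrlConnection(BaseConnection):
    def __init__(self, **kw):
        super().__init__(**kw)
        self.auth_url = "https://auth.example.invalid/v2.0"  # set after base ctor
```
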
