libcloud-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tomaz Muraus (JIRA)" <>
Subject [jira] [Commented] (LIBCLOUD-428) OpenStack provider does not check if auth token has expired before trying to use it
Date Wed, 30 Oct 2013 09:14:28 GMT


Tomaz Muraus commented on LIBCLOUD-428:

Thanks for the report.

That's a good catch. It looks like we missed this issue when we added support for re-using
auth tokens to the OpenStack driver.

One thing we could do to avoid code duplication is refactor the code a bit:

1. Instantiate OpenStackAuthConnection class inside the Connection constructor. There is no
need to do it inside _populate_hosts_and_request_paths since the arguments it works with don't
change during the lifetime of the driver class.
2. Make "_is_token_valid" "public" (rename it to "is_token_valid")
3. Change to _populate_hosts_and_request_paths to call osa.is_token_valid() and only proceed
with calling authenticate and so on if auth token is not valied

There is still some code duplication (both authenticate and _populate_hosts_and_request_paths
methods check if token is valid), but that's not actually a bad things since. OpenStackAuthConnection
can be re-used in other places and we want to leave the check in authenticate() method.

> OpenStack provider does not check if auth token has expired before trying to use it
> -----------------------------------------------------------------------------------
>                 Key: LIBCLOUD-428
>                 URL:
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.13.2
>         Environment: Linux Python 2.7
>            Reporter: Michael Farrell
> The OpenStack provider (and by extension, the Rackspace provider) does not check to see
if the authentication token has expired before attempting to use it.
> In {{libcloud/common/}} at {{OpenStackBaseConnection._populate_hosts_and_request_paths}},
the library checks that a token exists, and creates it if it does not.
> The issue is that it does not check if the token has expired, despite having this information
in {{self.auth_token_expires}}.
> So a long-running Python process will eventually fail because the token will expire,
and the API will return {{HTTP 401 Unauthorized}}.
> I've written a hacky workaround to this, by copying {{OpenStackAuthConnection._is_token_valid}}
into {{OpenStackBaseConnection}}, then replacing the {{_populate_hosts_and_requests_paths}}
auth token check with a call to {{_is_token_valid}}.
> This is shown in this commit:
> There's probably a better way to implement it without duplicating this function, but
I don't know enough of the codebase to make this change.  I'm also unsure if other drivers
also have this problem that are not based on OpenStack.

This message was sent by Atlassian JIRA

View raw message