From f602fa718d12e4ab15ab134256fa835db2a1b7ee Mon Sep 17 00:00:00 2001 From: Jorge Merlino Date: Wed, 5 Oct 2022 14:41:06 -0300 Subject: [PATCH] Remove cache invalidation when using expired token This can create a race condition for long running services that reuse their token (eg. Kubernetes Cinder CSI plugin) in this case for example: 1 [user] Asks nova to attach a volume to a server 2 ...the user's token expires 3 [user] Asks cinder if the volume has been attached 4 [nova] Asks cinder to attach the volume In step 3 the token is marked as invalid in the cache and step 4 fails even if allow_expired is true Closes-Bug: #1987355 Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e (cherry picked from commit e05466c5f439cd05482f109e6eb97a50ba156698) --- keystonemiddleware/auth_token/__init__.py | 6 ------ .../auth_token/test_auth_token_middleware.py | 19 ------------------- 2 files changed, 25 deletions(-) diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py index 0feed6f8..ddb2ddc4 100644 --- a/keystonemiddleware/auth_token/__init__.py +++ b/keystonemiddleware/auth_token/__init__.py @@ -245,7 +245,6 @@ from keystonemiddleware.i18n import _ _LOG = logging.getLogger(__name__) -_CACHE_INVALID_INDICATOR = 'invalid' oslo_cache.configure(cfg.CONF) AUTH_TOKEN_OPTS = [ @@ -736,10 +735,6 @@ class AuthProtocol(BaseAuthProtocol): cached = self._token_cache.get(token) if cached: - if cached == _CACHE_INVALID_INDICATOR: - self.log.debug('Cached token is marked unauthorized') - raise ksm_exceptions.InvalidToken() - # NOTE(jamielennox): Cached values used to be stored as a tuple # of data and expiry time. They no longer are but we have to # allow some time to transition the old format so if it's a @@ -769,7 +764,6 @@ class AuthProtocol(BaseAuthProtocol): 'The Keystone service is temporarily unavailable.') except ksm_exceptions.InvalidToken: self.log.debug('Token validation failure.', exc_info=True) - self._token_cache.set(token, _CACHE_INVALID_INDICATOR) self.log.warning('Authorization failed for token') raise except ksa_exceptions.EndpointNotFound: diff --git a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py index 1abe3223..564cdc55 100644 --- a/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py +++ b/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py @@ -595,25 +595,6 @@ class CommonAuthTokenMiddlewareTest(object): token = 'invalid-token' self.call_middleware(headers={'X-Auth-Token': token}, expected_status=401) - self.assertEqual(auth_token._CACHE_INVALID_INDICATOR, - self._get_cached_token(token)) - - def test_memcache_hit_invalid_token(self): - token = 'invalid-token' - invalid_uri = '%s/v3/tokens/invalid-token' % BASE_URI - self.requests_mock.get(invalid_uri, status_code=404) - - # Call once to cache token's invalid state; verify it cached as such - self.call_middleware(headers={'X-Auth-Token': token}, - expected_status=401) - self.assertEqual(auth_token._CACHE_INVALID_INDICATOR, - self._get_cached_token(token)) - - # Call again for a cache hit; verify it detected as cached and invalid - self.call_middleware(headers={'X-Auth-Token': token}, - expected_status=401) - self.assertIn('Cached token is marked unauthorized', - self.logger.output) def test_memcache_set_expired(self, extra_conf={}, extra_environ={}): token_cache_time = 10