[openstack-dev] [Nova] Tokens in memcache become unauthorized

Nadya Privalova nprivalova at mirantis.com
Mon Dec 2 12:54:44 UTC 2013


Hi guys,

I've faced with nova+memcache issue on the cluster in HA-mode.

Issue is related to nova in case of using REST (that includes Horizon):
it's impossible to use auth-token several times because it became
unauthorized in cache.

Logs:

Nov 13 06:58:49 controller-1461 nova keystoneclient.middleware.auth_token
DEBUG Token validation failure.
Traceback (most recent call last):
  File
"/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py",
line 684, in _validate_u
ser_token
    cached = self._cache_get(token_id)
  File
"/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py",
line 898, in _cache_get
    raise InvalidUserToken('Token authorization failed')
InvalidUserToken: Token authorization failed
Nov 13 06:58:49 controller-1461 nova keystoneclient.middleware.auth_token
DEBUG Marking token 211b590c4ba94d62a3981fbf91e934dc as unauthorized in
memcache

Issue was fixed after the following was added to [keystone_authtoken]
section in nova.conf to all controller's nodes:
memcache_security_strategy=ENCRYPT
memcache_secret_key=any_key

But from docs I see that these configs are not required. The issue does not
appear with any other services but all of them have
memcache_security_strategy empty. So is it a nova-bug or for HA-mode I
should configure this params? May the issue be caused by the fact that
memcaches are not syncked on controllers?

Thanks,
Nadya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131202/3d214796/attachment.html>


More information about the OpenStack-dev mailing list