[openstack-dev] 2 Minute tokens

Matthew Treinish mtreinish at kortar.org
Tue Sep 30 20:50:33 UTC 2014


On Tue, Sep 30, 2014 at 04:23:37PM -0400, Adam Young wrote:
> On 09/30/2014 12:21 PM, Sean Dague wrote:
> >On 09/30/2014 11:58 AM, Jay Pipes wrote:
> >>On 09/30/2014 11:37 AM, Adam Young wrote:
> >>>On 09/30/2014 11:06 AM, Louis Taylor wrote:
> >>>>On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote:
> >>>>>What are the uses that require long lived tokens?
> >>>>Glance has operations which can take a long time, such as uploading and
> >>>>downloading large images.
> >>>Yes, but the token is only authenticated at the start of the operation.
> >>>Does anything need to happen afterwards?
> >>Funny you mention it... :) We were just having this conversation on IRC
> >>about Nikesh's issues with some Tempest volume tests and a token
> >>expiration problem.
> >>
> >>So, yes, a Glance upload operation makes a series of HTTP calls in the
> >>course of the upload:
> >>
> >>  POST $registry/images <-- Creates the queued image record
> >>  ...  upload of chunked body of HTTP request to backend like Swift ..
> >>  PUT $registry/images/<IMAGE_ID> <-- update image status and checksum
> >>
> >>So, what seems to be happening here is that the PUT call at the end of
> >>uploading the snapshot is using the same token that was created in the
> >>keystone client of the tempest test case during the test classes'
> >>setUpClass() method, and the test class ends up running for >1 hour, and
> >>by the time the PUT call is reached, the token has expired.
> >Yes... and there is this whole unresolved dev thread on this -
> >http://lists.openstack.org/pipermail/openstack-dev/2014-September/045567.html
> >
> >	-Sean
> >
> 
> This is a test case, so the tempest test has enough information to request a
> new token, it just does not request it?
> 

No, I don't think that's the case. The tempest auth code handles token
expiration and prempts it. See:

http://git.openstack.org/cgit/openstack/tempest/tree/tempest/auth.py#n340

and 

http://git.openstack.org/cgit/openstack/tempest/tree/tempest/auth.py#n464

depending on which keystone api version is being used. These get called before
each outgoing http call from tempest is made and if it's expired it'll get a
new token. There could be a bug in that code, but I think it is probably
something else.

I think the issue here is probably caused by the token that glance is using is
expiring because the upload takes too long and it doesn't know how to handle
that. (unless I'm misreading Jay's comment) So things fail when it tries to use
the same token for another operation which is part of the same api request after
the upload is finished. This is the topic of that thread which Sean pointed out
above.

-Matt Treinish
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140930/3dff7537/attachment.pgp>


More information about the OpenStack-dev mailing list