git-server-git.apps.pok.os.sepia.ceph.com Git

author	Tobias Urdin <tobias.urdin@binero.se>
	Thu, 18 Jan 2024 09:29:05 +0000 (09:29 +0000)
committer	Casey Bodley <cbodley@redhat.com>
	Wed, 17 Apr 2024 15:30:27 +0000 (11:30 -0400)
commit	5538ae244bfcc6b56ff889c9a2f044421a3b1f6f
tree	8246b20083c655b930334b19a6394ce313deaa1e	tree \| snapshot
parent	a0df3e2b3ed3368be298d00064d6d4dc945a527e	commit \| diff

rgw: invalidate and retry keystone admin token

We validate client tokens against the Keystone API by
sending our own "admin token" that is allowed to lookup
client tokens.

This "admin token" is cached and upon checking the cache
we verify the expiration on the token before using it but
we have no logic to invalidate the cache if the response
from the Keystone API says that the "admin token" is invalid.

Since we don't invalidate it and it still has not expired
it will stay in our cache and continue to cause Swift API
requests for clients to be dropped because of the invalid
admin token, until service is restarted, admin token is
expired (which it can already be) or until
the whole cache is dropped or TokenCache::invalidate()
called on the admin token.

There is probably multiple places in Keystone where it
invalidates tokens, but one example where the "admin token"
would be invalidated and return HTTP 401 status code is if
the user that is configured in rgw_keystone_admin_user has
it's password changed (even if it's the same password as the
current one) then Keystone will invalidate it's cache and
invalidated existing tokens even if they have not expired yet.

Fixes: https://tracker.ceph.com/issues/64094
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
(cherry picked from commit df23e4b2ea4f8647271a9ce541a1fdbc4d9fe4a6)

src/rgw/rgw_auth_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.h		diff \| blob \| history