git.apps.os.sepia.ceph.com Git

author	Tobias Urdin <tobias.urdin@binero.se>
	Thu, 18 Jan 2024 09:29:05 +0000 (09:29 +0000)
committer	Tobias Urdin <tobias.urdin@binero.com>
	Wed, 7 Aug 2024 08:12:17 +0000 (10:12 +0200)
commit	df5cf5cc97a97cee7d90ec0babc2e73e1f5f29eb
tree	d9415f4725e07e2c281ac31f50f189bde7db710f	tree \| snapshot
parent	6ae874902b63652fa199563b6e7950cd75151304	commit \| diff

reef: rgw: invalidate and retry keystone admin token

We validate client tokens against the Keystone API by
sending our own "admin token" that is allowed to lookup
client tokens.

This "admin token" is cached and upon checking the cache
we verify the expiration on the token before using it but
we have no logic to invalidate the cache if the response
from the Keystone API says that the "admin token" is invalid.

Since we don't invalidate it and it still has not expired
it will stay in our cache and continue to cause Swift API
requests for clients to be dropped because of the invalid
admin token, until service is restarted, admin token is
expired (which it can already be) or until
the whole cache is dropped or TokenCache::invalidate()
called on the admin token.

There is probably multiple places in Keystone where it
invalidates tokens, but one example where the "admin token"
would be invalidated and return HTTP 401 status code is if
the user that is configured in rgw_keystone_admin_user has
it's password changed (even if it's the same password as the
current one) then Keystone will invalidate it's cache and
invalidated existing tokens even if they have not expired yet.

Fixes: https://tracker.ceph.com/issues/64494
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
(cherry picked from commit df23e4b2ea4f8647271a9ce541a1fdbc4d9fe4a6)

src/rgw/rgw_auth_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.h		diff \| blob \| history