git-server-git.apps.pok.os.sepia.ceph.com Git

author	Tobias Urdin <tobias.urdin@binero.se>
	Thu, 18 Jan 2024 09:29:05 +0000 (09:29 +0000)
committer	Tobias Urdin <tobias.urdin@binero.com>
	Wed, 7 Aug 2024 08:18:26 +0000 (10:18 +0200)
commit	eb5392e391e5f6d06ed0e990822095cd70893c31
tree	dbef9311d06bfb7639cce051577330a9a6553c29	tree \| snapshot
parent	fa2edff82e9104da8c8fe8105682c99b5b3fc06e	commit \| diff

quincy: rgw: invalidate and retry keystone admin token

We validate client tokens against the Keystone API by
sending our own "admin token" that is allowed to lookup
client tokens.

This "admin token" is cached and upon checking the cache
we verify the expiration on the token before using it but
we have no logic to invalidate the cache if the response
from the Keystone API says that the "admin token" is invalid.

Since we don't invalidate it and it still has not expired
it will stay in our cache and continue to cause Swift API
requests for clients to be dropped because of the invalid
admin token, until service is restarted, admin token is
expired (which it can already be) or until
the whole cache is dropped or TokenCache::invalidate()
called on the admin token.

There is probably multiple places in Keystone where it
invalidates tokens, but one example where the "admin token"
would be invalidated and return HTTP 401 status code is if
the user that is configured in rgw_keystone_admin_user has
it's password changed (even if it's the same password as the
current one) then Keystone will invalidate it's cache and
invalidated existing tokens even if they have not expired yet.

Fixes: https://tracker.ceph.com/issues/64495
Signed-off-by: Tobias Urdin <tobias.urdin@binero.se>
(cherry picked from commit df23e4b2ea4f8647271a9ce541a1fdbc4d9fe4a6)

src/rgw/rgw_auth_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.h		diff \| blob \| history