
Keystone failure response "error" or "identityFault"?

asked 2014-04-15 16:17:37 -0500

Dave Graham

Hello, I recently installed a devstack in order to build an OpenStack monitoring client. Getting my client to authenticate with Keystone has been the first order of business.

My client needs to be able to report authentication errors up to the end user so they can know that the client configuration needs to be updated. The problem I am having is parsing the error responses from the keystone server.

When I send the wrong user name I get back:

<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Could not find user, test_user." code="401" title="Unauthorized"/>

But when I try to parse this error I get:

javax.xml.bind.UnmarshalException: unexpected element 
(uri:"http://docs.openstack.org/identity/api/v2.0", local:"error"). 
Expected elements are 
<{http://docs.openstack.org/identity/api/v2.0}access>,
<{http://docs.openstack.org/identity/api/v2.0}auth>,
<{http://docs.openstack.org/identity/api/v2.0}badRequest>,
<{http://docs.openstack.org/identity/api/v2.0}credential>,
<{http://docs.openstack.org/identity/api/v2.0}credentials>,
<{http://docs.openstack.org/identity/api/v2.0}endpoint>,
<{http://docs.openstack.org/identity/api/v2.0}endpoints>,
<{http://docs.openstack.org/identity/api/v2.0}forbidden>,
<{http://docs.openstack.org/identity/api/v2.0}identityFault>,
<{http://docs.openstack.org/identity/api/v2.0}itemNotFound>,
<{http://docs.openstack.org/identity/api/v2.0}overLimit>,
<{http://docs.openstack.org/identity/api/v2.0}passwordCredentials>,
<{http://docs.openstack.org/identity/api/v2.0}role>,
<{http://docs.openstack.org/identity/api/v2.0}roles>,
<{http://docs.openstack.org/identity/api/v2.0}serviceUnavailable>,
<{http://docs.openstack.org/identity/api/v2.0}tenant>,
<{http://docs.openstack.org/identity/api/v2.0}tenantConflict>,
<{http://docs.openstack.org/identity/api/v2.0}tenants>,
<{http://docs.openstack.org/identity/api/v2.0}unauthorized>,
<{http://docs.openstack.org/identity/api/v2.0}user>,
<{http://docs.openstack.org/identity/api/v2.0}userDisabled>,
<{http://docs.openstack.org/identity/api/v2.0}users>

Which is expected since there is no definition for a fault called “error” in the schema: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v2.0/src/docbkx/xsd/fault.xsd

I am trying to understand my next steps here. I looked online and it seems there are plenty of examples of systems returning this “error” element. But there are also numerous examples of systems returning “identityFault” elements instead.

  • Does the “error” element predate the “identityFault” elements? Is this from pre-v2.0?
  • My version of Keystone is 2014.1.dev107.g6940924 which seems to be pretty recent (long after v2.0) so is it a bug?
  • Is there some configuration switch that needs to be thrown to cause the keystone server to respond with “IdentityFault” instead of “error”?

Look forward to your feedback.

Dave Graham CA Technologies


1 answer


answered 2014-04-18 09:47:35 -0500

I believe it is a bug. In keystone v2.0 the errors are called IdentityFault, itemNotFound etc. In v3.0 it is called error. Here I believe they are returning a v3 error instead of a v2 error for a v2 API request.

I believe you are using the v2.0 API. If you are using the v3.0 API, then the response is correct and you need to validate against the v3.0 schema.

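Added example (not part of the original thread and not Keystone's or the asker's own code): a Java client can read the fault with a namespace-aware DOM parser instead of binding it to the v2.0 schema with JAXB, so that both the `error` element shown in the question and the schema's fault names are reported to the user. The `<message>` child form of the schema faults, the class name `KeystoneFaultParser` and the second sample document are assumptions; the code needs Java 16 or later for `record`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeystoneFaultParser {   // hypothetical class name
    static final String NS = "http://docs.openstack.org/identity/api/v2.0";
    // Fault element names taken from the "Expected elements" list in the question.
    static final Set<String> V2_FAULTS = Set.of("badRequest", "forbidden", "identityFault",
            "itemNotFound", "overLimit", "serviceUnavailable", "tenantConflict",
            "unauthorized", "userDisabled");

    record Fault(String kind, int code, String message) {}

    static Fault parse(byte[] body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The body arrives over the network: refuse DTDs so entities are never expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(body)).getDocumentElement();
        String name = root.getLocalName();
        if (!NS.equals(root.getNamespaceURI())
                || !(name.equals("error") || V2_FAULTS.contains(name))) {
            throw new IllegalArgumentException("not a Keystone fault: " + root.getNodeName());
        }
        String message = root.getAttribute("message");   // <error message="..."/> form
        if (message.isEmpty()) {                          // assumed schema form: <message> child
            NodeList kids = root.getElementsByTagNameNS(NS, "message");
            if (kids.getLength() > 0) message = kids.item(0).getTextContent();
        }
        String code = root.getAttribute("code");          // "" when the attribute is absent
        return new Fault(name, code.isEmpty() ? -1 : Integer.parseInt(code), message);
    }

    public static void main(String[] args) throws Exception {
        String error = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<error xmlns=\"" + NS + "\" message=\"Could not find user, test_user.\""
                + " code=\"401\" title=\"Unauthorized\"/>";                 // from the question
        String schemaForm = "<unauthorized xmlns=\"" + NS + "\" code=\"401\">"
                + "<message>Constructed sample</message></unauthorized>";  // constructed
        for (String xml : new String[] {error, schemaForm}) {
            System.out.println(parse(xml.getBytes(StandardCharsets.UTF_8)));
        }
    }
}
```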
