Keystone failure response "error" or "identityFault"?

Hello, I recently installed a devstack in order to build an OpenStack monitoring client. Getting my client to authenticate with Keystone has been the first order of business.

My client needs to be able to report authentication errors up to the end user so they can know that the client configuration needs to be updated. The problem I am having is parsing the error responses from the keystone server.

When I send the wrong user name I get back:

<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Could not find user, test_user." code="401" title="Unauthorized"/>

But when I try to parse this error I get:

javax.xml.bind.UnmarshalException: unexpected element 
(uri:"http://docs.openstack.org/identity/api/v2.0", local:"error"). 
Expected elements are 
<{http://docs.openstack.org/identity/api/v2.0}access>,
<{http://docs.openstack.org/identity/api/v2.0}auth>,
<{http://docs.openstack.org/identity/api/v2.0}badRequest>,
<{http://docs.openstack.org/identity/api/v2.0}credential>,
<{http://docs.openstack.org/identity/api/v2.0}credentials>,
<{http://docs.openstack.org/identity/api/v2.0}endpoint>,
<{http://docs.openstack.org/identity/api/v2.0}endpoints>,
<{http://docs.openstack.org/identity/api/v2.0}forbidden>,
<{http://docs.openstack.org/identity/api/v2.0}identityFault>,
<{http://docs.openstack.org/identity/api/v2.0}itemNotFound>,
<{http://docs.openstack.org/identity/api/v2.0}overLimit>,
<{http://docs.openstack.org/identity/api/v2.0}passwordCredentials>,
<{http://docs.openstack.org/identity/api/v2.0}role>,
<{http://docs.openstack.org/identity/api/v2.0}roles>,
<{http://docs.openstack.org/identity/api/v2.0}serviceUnavailable>,
<{http://docs.openstack.org/identity/api/v2.0}tenant>,
<{http://docs.openstack.org/identity/api/v2.0}tenantConflict>,
<{http://docs.openstack.org/identity/api/v2.0}tenants>,
<{http://docs.openstack.org/identity/api/v2.0}unauthorized>,
<{http://docs.openstack.org/identity/api/v2.0}user>,
<{http://docs.openstack.org/identity/api/v2.0}userDisabled>,
<{http://docs.openstack.org/identity/api/v2.0}users>

Which is expected since there is no definition for a fault called “error” in the schema: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v2.0/src/docbkx/xsd/fault.xsd

I am trying to understand my next steps here. I looked online and it seems there are plenty of examples of systems returning this “error” element. But there are also numerous examples of systems returning “identityFault” elements instead.

  • Does the “error” element predate the “identityFault” elements? Is this from pre-v2.0?
  • My version of Keystone is 2014.1.dev107.g6940924 which seems to be pretty recent (long after v2.0) so is it a bug?
  • Is there some configuration switch that needs to be thrown to cause the keystone server to respond with “IdentityFault” instead of “error”?

Look forward to your feedback.

Dave Graham, CA Technologies
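
An added example, not part of the original post and not Keystone or client-library code: one way for a client to read the fault without schema binding is to check the namespace, then take the root element's name, `code` and message from whichever shape arrives, with DTDs refused because the body comes from the network. The class name `KeystoneFaultParser`, the helper `attr`, and the second sample body (an `unauthorized` element carrying a `message` child element) are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeystoneFaultParser { // hypothetical name, added example
    static final String NS = "http://docs.openstack.org/identity/api/v2.0";

    /** Returns {rootName, code, message}; a field is null when absent. */
    static String[] parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted network input: refuse DOCTYPE so no entities are resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setExpandEntityReferences(false);
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
        if (!NS.equals(root.getNamespaceURI())) {
            throw new IllegalArgumentException("not a Keystone v2.0 document");
        }
        // Shape 1 (from the post): <error message="..." code="..." title="..."/>
        String message = attr(root, "message");
        if (message == null) {
            // Shape 2 (assumed): <unauthorized code="..."><message>..</message></unauthorized>
            NodeList kids = root.getElementsByTagNameNS(NS, "message");
            if (kids.getLength() > 0) message = kids.item(0).getTextContent();
        }
        return new String[] { root.getLocalName(), attr(root, "code"), message };
    }

    static String attr(Element e, String name) {
        return e.hasAttribute(name) ? e.getAttribute(name) : null;
    }

    public static void main(String[] args) throws Exception {
        String fromPost = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<error xmlns=\"" + NS + "\" message=\"Could not find user, test_user.\""
            + " code=\"401\" title=\"Unauthorized\"/>";
        String constructed = "<unauthorized xmlns=\"" + NS + "\" code=\"401\">"
            + "<message>constructed sample</message></unauthorized>"; // constructed input
        for (String body : new String[] { fromPost, constructed }) {
            String[] r = parse(body);
            System.out.println(r[0] + " code=" + r[1] + " message=" + r[2]);
        }
    }
}
```

The returned message is server-supplied text, so escape it before showing it in a UI or writing it to a log.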