Ask Your Question

astone's profile - activity

2014-12-19 19:47:50 -0500 received badge  Famous Question (source)
2014-11-25 23:34:50 -0500 received badge  Famous Question (source)
2014-09-15 11:32:27 -0500 received badge  Famous Question (source)
2014-09-02 11:55:08 -0500 commented answer 404 retrieving os-revoked events?

thanks! I'll take a look into this.

2014-09-02 09:39:02 -0500 received badge  Popular Question (source)
2014-08-31 16:08:31 -0500 asked a question 404 retrieving os-revoked events?

I'm trying to retrieve the list of revoked events using the V3 API but I keep getting a 404 not found message.

I'm using icehouse-3 and using this as my reference: http://docs.openstack.org/api/opensta...

Is my url below incorrect?

Thank you!

  curl -ki \
    -H "X-Auth-Token: password" \
    -X GET \
    https://xxxx:35357/v3/OS-REVOKE/events

HTTP/1.1 404 Not Found
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 93
Date: Sun, 31 Aug 2014 21:04:34 GMT

{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}>
2014-08-28 12:43:34 -0500 commented answer Keystone HTTP PATCH - Transfer-Encoding chunked support

Hi Haneef - I was wondering if you happened to see my update? Even using CURL the problem can be seen. Thanks!

2014-08-28 00:44:29 -0500 received badge  Notable Question (source)
2014-08-26 12:10:52 -0500 received badge  Notable Question (source)
2014-08-26 10:04:01 -0500 received badge  Famous Question (source)
2014-08-26 09:40:36 -0500 received badge  Self-Learner (source)
2014-08-26 09:40:36 -0500 received badge  Teacher (source)
2014-08-26 09:16:58 -0500 received badge  Popular Question (source)
2014-08-25 15:48:20 -0500 asked a question Keystone HTTP PATCH - Transfer-Encoding chunked support

This is a follow up to https://ask.openstack.org/en/question...

When I used Transfer-Encoding: chunked on an HTTP PATCH, Keystone wasn't actually receiving/loading the JSON payload.

When I use POST with Transfer-Encoding: chunked, there are no problems.

Is the design intent to support chunked encoding for PATCH? Could this simply be a bug?

I'm using Icehouse-3 on RHEL6

Thank you


Update 1:

The following POST command does work:

curl -ki \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: password" \
  -H "Transfer-Encoding: chunked" \
  -X POST \
  -d '
{ "project": {
     "name" : "mynewProject"
  }
}' \
  https://x.x.x.x:35357/v3/projects

>   https://x.x.x.x:35357/v3/projects
HTTP/1.1 201 Created
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 234

The following PATCH command does work

curl -ki \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: password" \
  -X PATCH \
  -d '
{ "project": {
     "description" : "Testing description"
  }
}' \
  https://x.x.x.x:35357/v3/projects/ad0c62c9869e4a33975e6784d76d2d1f

>   https://x.x.x.x:35357/v3/projects/ad0c62c9869e4a33975e6784d76d2d1f
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 291

The following PATCH command does not work:

curl -ki \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: password" \
  -H "Transfer-Encoding: chunked" \
  -X PATCH \
  -d '
{ "project": {
     "description" : "Testing description"
  }
}' \
  https:/x.x.x.x:35357/v3/projects/ad0c62c9869e4a33975e6784d76d2d1f

>   https://x.x.x.x:35357/v3/projects/ad0c62c9869e4a33975e6784d76d2d1f
HTTP/1.1 400 Bad Request
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 127
{"error": {"message": "update_project() takes exactly 4 non-keyword arguments (3 given)", "code": 400, "title": "Bad Request"}}>
2014-08-25 15:43:42 -0500 received badge  Commentator
2014-08-25 15:43:42 -0500 commented answer Updating objects in Keystone using v3 API http patch error

After digging deep with wireshark it turns out Transfer-Encoding: chunked is what was causing the problem. Once i turned off chunked encoding with my client the PATCH method worked. I'll open up another thread specifically for this. Thank you so much once again!

2014-08-25 15:42:06 -0500 commented answer Keystone v3 Token Validation

I see it - excellent. Thank you very much again!

2014-08-25 14:36:32 -0500 commented answer Updating objects in Keystone using v3 API http patch error

You are absolutely correct. I just ran with CURL and it worked. Comparing the LOG output, the Project {} payload is completely missing from args. It appears my HTTP client is corrupting PATCH data for some reason (it doesn't with POST). Thank you so much for helping - I'll hunt this down further

2014-08-25 14:17:22 -0500 commented answer Updating objects in Keystone using v3 API http patch error

(This comment limitation is silly). Updated my previous post. Added the warn output. args is empty.

I wiresharked the packets and PATCH does have the json data (however my wireshark didn't pick it up as HTTP protocol, so i'll investigate if its corrupted

2014-08-25 12:43:48 -0500 commented answer Updating objects in Keystone using v3 API http patch error

I believe I'm using Icehouse version 3. Perhaps I'll spin up a VM with version 4 and try.

I installed using the following: yum install -y http://repos.fedorapeople.org/repos/o...

Thank you again for following up with me!

2014-08-25 12:25:07 -0500 received badge  Notable Question (source)
2014-08-25 10:58:45 -0500 answered a question Updating objects in Keystone using v3 API http patch error

After using debug logs and wireshark - turns out chunked encoding (Transfer-Encoding: chunked) was the problem. Once I disabled it on my client the PATCH worked correctly.

2014-08-25 09:43:02 -0500 received badge  Popular Question (source)
2014-08-25 07:27:53 -0500 received badge  Popular Question (source)
2014-08-24 20:58:34 -0500 commented answer Updating objects in Keystone using v3 API http patch error

Thanks for the update. Didn't get a chance to try today but will tomorrow. I'm surprised that keystone would still need to validate the domain_id of the caller - shouldn't using the admin token completely bypass any kind of authorization checking? Essentially - admin token == god user - let them do all.

2014-08-24 00:19:19 -0500 commented answer Updating objects in Keystone using v3 API http patch error

Thanks for the reply. That is correct, I am using the password defined in the config as my token value. Would that make a difference? And why? I'll try with regular token. I am using a client I'm writing in Java. Intent is to act as full admin/control from within the client.

2014-08-23 16:02:59 -0500 asked a question Updating objects in Keystone using v3 API http patch error

I've been trying update objects in keystone with the v3 API but keep receiving the same kind of message. For example, if i try to change the password of a user or if i try to change the description on a domain. It all boils down to takes exactly 4 non-keyword arguments...3 given

I'm completely lost as to why this is failing as it's following the same patterns explained in this API doc: http://developer.openstack.org/api-re...

Prove that the object does exist:

 INFO: 1 * Sending client request on thread main
1 > GET https://135.121.18.47:35357/v3/domains/f50f4689424d4a2ba6254924d0edb8d4
1 > X-Auth-Token: password

INFO: 2 * Client response received on thread main
2 < 200
2 < Connection: keep-alive
2 < Content-Length: 186
2 < Content-Type: application/json
2 < Date: Sat, 23 Aug 2014 20:56:15 GMT
2 < Vary: X-Auth-Token
{"domain": {"enabled": true, "id": "f50f4689424d4a2ba6254924d0edb8d4", "links": {"self": "https://135.121.18.47:35357/v3/domains/f50f4689424d4a2ba6254924d0edb8d4"}, "name": "wscDomain"}}

Update the description for the domain

INFO: 1 * Sending client request on thread main
1 > PATCH https://XXXX:35357/v3/domains/f50f4689424d4a2ba6254924d0edb8d4
1 > Content-Type: application/json
1 > X-Auth-Token: password
{
  "domain" : {
    "description" : "new description",
    "enabled" : true
  }
}

INFO: 2 * Client response received on thread main
2 < 400
2 < Connection: keep-alive
2 < Content-Length: 126
2 < Content-Type: application/json
2 < Date: Sat, 23 Aug 2014 20:56:15 GMT
2 < Vary: X-Auth-Token
{"error": {"message": "update_domain() takes exactly 4 non-keyword arguments (3 given)", "code": 400, "title": "Bad Request"}}

Here's the keystone log entries:

2014-08-23 21:04:12.243 1265 ERROR keystone.common.wsgi [-] update_domain() takes exactly 4 non-keyword arguments (3 given)
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/controller.py", line 152, in inner
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi     return f(self, context, *args, **kwargs)
2014-08-23 21:04:12.243 1265 TRACE keystone.common.wsgi TypeError: update_domain() takes exactly 4 non-keyword arguments (3 given)

Here's my current situation (dev enviroment - passwords/id aren't important):

Role called 'admin'
Domain called 'testDomain'
Project called 'projectTest'
User called 'admin' with password 'admin' created in the domain 'testDomain' and has been assigned role 'admin'

I'm trying to change project enabled from true to false. Here's all the output.

###################################################
 FETCHING TOKEN AS USER ADMIN, WITH THE SCOPE OF THE DOMAIN
###################################################

Aug 25, 2014 11:51:59 AM org.glassfish.jersey.filter.LoggingFilter log
INFO: 1 * Sending client request on thread main
1 > POST https://x.x.x.x:35357/v3/auth/tokens
1 > Content-Type: application/json
{
  "auth" : {
    "identity" : {
      "methods" : [ "password" ],
      "password" : {
        "user" : {
          "name" : "admin",
          "domain" : {
            "id" : "f50f4689424d4a2ba6254924d0edb8d4"
          },
          "password" : "admin"
        }
      }
    },
    "scope" : {
      "domain" : {
        "id" : "f50f4689424d4a2ba6254924d0edb8d4"
      }
    }
  }
}

Aug 25 ...
(more)
2014-08-22 09:13:06 -0500 received badge  Notable Question (source)
2014-08-21 22:02:36 -0500 received badge  Supporter (source)
2014-08-21 22:02:21 -0500 commented answer Keystone v3 Token Validation

Sounds good. Thanks for all the information - much appreciated!

2014-08-21 18:31:12 -0500 commented answer Keystone v3 Token Validation

Please see comment replied to question - ran out of space in the comment box =)

2014-08-21 18:30:50 -0500 answered a question Keystone v3 Token Validation

Thanks for the reply.

I've read and experienced quite the opposite with v2. I've seen no documentation for GET /v2.0/tokens and the only way to validate the token is using the PKI method. As apposed to V3.0, there is an API which will do the validation (glad it's there).

Regardless, there is no v3.0 API to retrieve the certificates, which makes me inclined to believe that it (along with all v2.0) could one day be fully deprecated and removed, while keystone may still having support for v3.0.

So in summary, if I plan on using the v3.0 API and validating using the PKI method, it seems questionable to be using the GET /v2.0/certificates/signing API to pull certs to validate against objects provided by the v3.0 API - which leads me to wonder if this is a questionable thing to do ?

2014-08-21 13:45:51 -0500 asked a question Keystone v3 Token Validation

Hello,

Planning on using keystone for an application as the identity service.

I know in v2.0 a token can be authenticated and therefore validated and decoded.

I know in v3.0 there's an API method (GET /auth/tokens/) that can be called to verify a token.

My only concern with the v3.0 API is that during an authentication check, the act of querying keystone to verify is added delay and would essentially hamper API performance. Granted I could cache the tokens, but would I still need to pull 'revoked' tokens?

I noticed that a v3.0 token uses the same signing system as v2.0

Is there any harm, short and long, in using the v2.0 system of token validation/decoding on a v3.0 Token? In other words, pull the certificate from keystone (every minute or two for example) and check the signature of the token? Using the certificate is more heavy on system resource, but at least it would avoid marshall/unmarshall/network latency for verify token via the API for each single request

2014-08-21 12:53:15 -0500 received badge  Enthusiast
2014-08-20 21:07:12 -0500 received badge  Editor
2014-08-13 14:37:06 -0500 received badge  Popular Question (source)
2014-08-13 09:22:39 -0500 answered a question Decode Keystone Token in Java

Thank you for the quicky reply! that's exactly the kind of detail I was missing.

For anyone that stumbled on to this, here's some sample code. I'n using openstack4j as my communication library, I wrote a thin wrapper to request the certificates from OS as a String, and bouncy castle for the signature verification.

This code needs more cleanup / handle multiple certificates but it shows the workflow:


<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.51</version>
</dependency>

<dependency>
    <groupId>org.pacesys</groupId>
    <artifactId>openstack4j</artifactId>
    <version>1.0.1</version>
</dependency>

import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.codehaus.jackson.map.DeserializationConfig;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.SerializationConfig;
import org.openstack4j.openstack.identity.domain.KeystoneAccess;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.Collection;
import java.util.Date;

    public static SignerInformationVerifier createTokenVerifier(String aInSigningCertificate) throws IOException, OperatorCreationException
{
    // The cert is PEM encoded - need to translate those bytes into a PEM object
    Reader lCertBufferedReader = new BufferedReader(new InputStreamReader(new ByteArrayInputStream(aInSigningCertificate.getBytes())));
    PemObject lPemObj = new PemReader(lCertBufferedReader).readPemObject();

    // Create our verify builder - basically we need to make an object that will verify the cert
    BcRSASignerInfoVerifierBuilder signerInfoBuilder = new BcRSASignerInfoVerifierBuilder(
            new DefaultCMSSignatureAlgorithmNameGenerator(),
            new DefaultSignatureAlgorithmIdentifierFinder(),
            new DefaultDigestAlgorithmIdentifierFinder(),
            new BcDigestCalculatorProvider());

    // Using the PEM object, create a cert holder and a verifier for the cert
    SignerInformationVerifier lVerifier = signerInfoBuilder.build(new X509CertificateHolder(lPemObj.getContent()));

    return lVerifier;
}

    public static CMSSignedData getSignedDataFromRawToken(String lRawKeystoneToken) throws CMSException
{
    // Keystone takes all '/' characters and replaced them by '-' in order to
    // encode the token into base 64. Let's reverse that..
    String lRealTokenData = lRawKeystoneToken.replace("-", "/");
    byte[] lData = Base64.decodeBase64(lRealTokenData.getBytes());

    // Now that we have the raw encoded token we can make a CMSSigned data out of it
    CMSSignedData lSignedData = new CMSSignedData(lData);
    return lSignedData;
}

    public static String getTokenContentAsString(CMSSignedData aInSignedData)
{
    Object lObj = aInSignedData.getSignedContent().getContent();
    if (lObj instanceof byte[])
    {
        String lObjString = new String((byte[]) lObj);
        return lObjString;
    }
    return null;
}

    public static boolean isValidTokenSignature(CMSSignedData aInSignedData, SignerInformationVerifier aInVerifier) throws CMSException
{
    // The token contained the signer Info and has been parsed out
    // For each signer on the token, attempt to verify against the certificate
    SignerInformationStore lSignerInfo = aInSignedData.getSignerInfos();
    Collection lSigners = lSignerInfo.getSigners();
    for (Object lObj : lSigners)
    {
        if (lObj instanceof SignerInformation)
        {
            SignerInformation lSigner = (SignerInformation) lObj;
            boolean lIsValid = lSigner.verify(aInVerifier);
            if (lIsValid)
            {
                return true;
            }
        }
    }
    return false;
}


    // Pki client is a just a class that requests cert info from Keystone
    PkiClient lPki = new PkiClient(lConfig);
    String lCaCert = lPki.getCaCertificate();
    String lSigningCert ...
(more)