- Bug
- Resolution: Obsolete
- Major
- quay-v3.4.0
Description:
This issue was found when Quay authentication was configured to use Keystone (OpenStack Identity): logging in to Quay as a Keystone user failed. See the following Quay pod logs.
```
gunicorn-web stdout | 2020-12-16 08:23:12,474 [328] [DEBUG] [app] Starting request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
gunicorn-web stdout | 2020-12-16 08:23:12,477 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
gunicorn-web stdout | 2020-12-16 08:23:12,479 [328] [DEBUG] [urllib3.connectionpool] Starting new HTTP connection (1): 3.18.220.200:8050
gunicorn-web stdout | 2020-12-16 08:23:12,869 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 201 312
gunicorn-web stdout | 2020-12-16 08:23:12,870 [328] [DEBUG] [keystoneauth.identity.v3.base] {"token": {"issued_at": "2020-12-16T08:23:12.000000Z", "audit_ids": ["Z4cNG1D3TK64he7hmjZDMg"], "methods": ["password"], "expires_at": "2020-12-16T09:23:12.000000Z", "user": {"password_expires_at": null, "domain": {"id": "default", "name": "Default"}, "id": "4684cb622232430fb58d51f00d6ec045", "name": "admin"}}}
gunicorn-web stdout | 2020-12-16 08:23:12,871 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
gunicorn-web stdout | 2020-12-16 08:23:12,872 [328] [DEBUG] [urllib3.connectionpool] Starting new HTTP connection (1): 3.18.220.200:8050
gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 401 114
gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [keystoneauth.session] Request returned failure status: 401
gunicorn-web stdout | 2020-12-16 08:23:12,890 [328] [ERROR] [data.users.keystone] Keystone unauthorized for user: admin
gunicorn-web stdout | Traceback (most recent call last):
gunicorn-web stdout |   File "/quay-registry/data/users/keystone.py", line 231, in verify_credentials
gunicorn-web stdout |     user = keystone_client.users.get(user_id)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/v3/users.py", line 148, in get
gunicorn-web stdout |     return super(UserManager, self).get(
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 86, in func
gunicorn-web stdout |     return f(*args, **new_kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 390, in get
gunicorn-web stdout |     return self._get(
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 167, in _get
gunicorn-web stdout |     resp, body = self.client.get(url, **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 386, in get
gunicorn-web stdout |     return self.request(url, 'GET', **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 545, in request
gunicorn-web stdout |     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 248, in request
gunicorn-web stdout |     return self.session.request(url, method, **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 772, in request
gunicorn-web stdout |     auth_headers = self.get_auth_headers(auth)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 1183, in get_auth_headers
gunicorn-web stdout |     return auth.get_headers(self, **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/plugin.py", line 95, in get_headers
gunicorn-web stdout |     token = self.get_token(session)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/base.py", line 88, in get_token
gunicorn-web stdout |     return self.get_access(session).auth_token
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/base.py", line 134, in get_access
gunicorn-web stdout |     self.auth_ref = self.get_auth_ref(session)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/v3/base.py", line 183, in get_auth_ref
gunicorn-web stdout |     resp = session.post(token_url, json=body, headers=headers,
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 1131, in post
gunicorn-web stdout |     return self.request(url, 'POST', **kwargs)
gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 968, in request
gunicorn-web stdout |     raise exceptions.from_response(resp, method, url)
gunicorn-web stdout | keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0f3d9090-07d1-44b3-bb99-bf1cefd47620)
gunicorn-web stdout | 2020-12-16 08:23:12,892 [328] [DEBUG] [app] Ending request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
nginx stdout | 10.128.2.30 () - - [16/Dec/2020:08:23:12 +0000] "POST /api/v1/signin HTTP/2.0" 403 105 "https://quayregistry-quay-quay-enterprise.apps.quay-444.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0" (0.420 495 0.421)
```
Quay Image:
```
lizhang@lzha-mac Downloads % oc get pod
NAME                                               READY   STATUS      RESTARTS   AGE
quay-operator-86d66598b8-j7fhp                     1/1     Running     0          4h18m
quayregistry-clair-app-76bd9f79b6-8gr2t            1/1     Running     0          48m
quayregistry-clair-postgres-58f4b94bbc-llff6       1/1     Running     1          3h23m
quayregistry-quay-app-69979f5b49-hgksg             1/1     Running     0          43m
quayregistry-quay-config-editor-5df98d5479-g6fwp   1/1     Running     0          48m
quayregistry-quay-database-b96c99b55-sxffr         1/1     Running     0          3h23m
quayregistry-quay-mirror-7b89d7db7d-9g5vn          1/1     Running     0          48m
quayregistry-quay-postgres-init-4szv4              0/1     Completed   0          3h23m
quayregistry-quay-redis-d98744d58-z26fl            1/1     Running     0          3h23m
lizhang@lzha-mac Downloads % oc get pod quayregistry-quay-app-69979f5b49-hgksg -o json | jq '.spec.containers[0].image'
"registry.redhat.io/quay/quay@sha256:bb58d111dfd3663281f998e10acb49a150245171f0d5215702a2eb75de2f92a9"
```
Steps:
- Deploy Quay with the TNG Operator, with managed PostgreSQL and unmanaged storage (AWS S3)
- Open the Quay config editor and choose Keystone for Authentication
- Enter valid configuration values, including "Keystone API Version" set to V3, "Keystone Authentication URL", "Keystone Administrator Username", "Keystone Administrator Password" and "Keystone Administrator Tenant"
- Click "validate configuration changes"
- Click "reconfigure"
- After the new Quay pod is ready, open the Quay console
- Log in with a valid Keystone username/password
Expected Results:
Logging in to Quay as a Keystone user completes successfully.
Actual Results:
Logging in to Quay as a Keystone user failed.
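
An added example, not part of the original report or Quay's own code: a triage script that groups the pod log by request and reads the sequence of Keystone `POST /v3/auth/tokens` statuses, so a sign-in where the first token request returned 201 and a later one returned 401 (the pattern in the log above) is told apart from a first-request rejection. The verdict strings, the reading of the first token request as the user's own password check, and the assumption that one worker's lines are not interleaved with another's are this example's own.

```python
import re

# Abridged from the pod log in this report (token body and library frames omitted).
SAMPLE_LOG = '''\
gunicorn-web stdout | 2020-12-16 08:23:12,474 [328] [DEBUG] [app] Starting request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
gunicorn-web stdout | 2020-12-16 08:23:12,869 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 201 312
gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 401 114
gunicorn-web stdout | 2020-12-16 08:23:12,890 [328] [ERROR] [data.users.keystone] Keystone unauthorized for user: admin
gunicorn-web stdout | Traceback (most recent call last):
gunicorn-web stdout |   File "/quay-registry/data/users/keystone.py", line 231, in verify_credentials
gunicorn-web stdout |     user = keystone_client.users.get(user_id)
gunicorn-web stdout | keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0f3d9090-07d1-44b3-bb99-bf1cefd47620)
gunicorn-web stdout | 2020-12-16 08:23:12,892 [328] [DEBUG] [app] Ending request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
'''

START = re.compile(r"\[app\] Starting request: (\S+) \((\S+)\)")
END = re.compile(r"\[app\] Ending request: (\S+)")
TOKEN = re.compile(r'"POST /v3/auth/tokens HTTP/[\d.]+" (\d{3})')
FRAME = re.compile(r'File "(/quay-registry/[^"]+)", line (\d+), in (\w+)')

def classify(statuses):
    """Map one sign-in's ordered token-endpoint statuses to a verdict (example wording)."""
    if not statuses:
        return "no Keystone token request seen"
    if statuses[0] == 401:
        return "user credentials rejected"
    if statuses[0] == 201 and 401 in statuses[1:]:
        return "user credentials accepted, follow-up token request rejected"
    return "all token requests accepted" if all(s == 201 for s in statuses) else "unexpected status sequence"

def triage(log_text):
    """Return one finding per /api/v1/signin request; assumes non-interleaved worker output."""
    findings, cur = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            cur = {"request": m.group(1), "path": m.group(2), "statuses": [], "quay_frame": None}
        elif cur is None:
            continue  # line outside any request window
        elif m := TOKEN.search(line):
            cur["statuses"].append(int(m.group(1)))
        elif m := FRAME.search(line):  # innermost Quay frame in the traceback wins
            cur["quay_frame"] = f"{m.group(1)}:{m.group(2)} ({m.group(3)})"
        elif END.search(line):
            if cur["path"] == "/api/v1/signin":
                findings.append({**cur, "verdict": classify(cur["statuses"])})
            cur = None
    return findings
```

Running `triage` over the full pod log gives the same result as over the abridged sample, because library frames under `/usr/local/lib` are ignored and only the Quay frame is recorded.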