Project Quay / PROJQUAY-1390

Quay login with OpenStack Keystone user failed

      Description:

      This issue was found after configuring Quay authentication to use Keystone (OpenStack Identity): logging in to Quay with a Keystone user failed. See the following Quay pod logs.

      gunicorn-web stdout | 2020-12-16 08:23:12,474 [328] [DEBUG] [app] Starting request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
      gunicorn-web stdout | 2020-12-16 08:23:12,477 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
      gunicorn-web stdout | 2020-12-16 08:23:12,479 [328] [DEBUG] [urllib3.connectionpool] Starting new HTTP connection (1): 3.18.220.200:8050
      gunicorn-web stdout | 2020-12-16 08:23:12,869 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 201 312
      gunicorn-web stdout | 2020-12-16 08:23:12,870 [328] [DEBUG] [keystoneauth.identity.v3.base] {"token": {"issued_at": "2020-12-16T08:23:12.000000Z", "audit_ids": ["Z4cNG1D3TK64he7hmjZDMg"], "methods": ["password"], "expires_at": "2020-12-16T09:23:12.000000Z", "user": {"password_expires_at": null, "domain": {"id": "default", "name": "Default"}, "id": "4684cb622232430fb58d51f00d6ec045", "name": "admin"}}}
      gunicorn-web stdout | 2020-12-16 08:23:12,871 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
      gunicorn-web stdout | 2020-12-16 08:23:12,872 [328] [DEBUG] [urllib3.connectionpool] Starting new HTTP connection (1): 3.18.220.200:8050
      gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 401 114
      gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [keystoneauth.session] Request returned failure status: 401
      gunicorn-web stdout | 2020-12-16 08:23:12,890 [328] [ERROR] [data.users.keystone] Keystone unauthorized for user: admin
      gunicorn-web stdout | Traceback (most recent call last):
      gunicorn-web stdout |   File "/quay-registry/data/users/keystone.py", line 231, in verify_credentials
      gunicorn-web stdout |     user = keystone_client.users.get(user_id)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/v3/users.py", line 148, in get
      gunicorn-web stdout |     return super(UserManager, self).get(
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 86, in func
      gunicorn-web stdout |     return f(*args, **new_kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 390, in get
      gunicorn-web stdout |     return self._get(
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneclient/base.py", line 167, in _get
      gunicorn-web stdout |     resp, body = self.client.get(url, **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 386, in get
      gunicorn-web stdout |     return self.request(url, 'GET', **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 545, in request
      gunicorn-web stdout |     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/adapter.py", line 248, in request
      gunicorn-web stdout |     return self.session.request(url, method, **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 772, in request
      gunicorn-web stdout |     auth_headers = self.get_auth_headers(auth)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 1183, in get_auth_headers
      gunicorn-web stdout |     return auth.get_headers(self, **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/plugin.py", line 95, in get_headers
      gunicorn-web stdout |     token = self.get_token(session)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/base.py", line 88, in get_token
      gunicorn-web stdout |     return self.get_access(session).auth_token
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/base.py", line 134, in get_access
      gunicorn-web stdout |     self.auth_ref = self.get_auth_ref(session)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/identity/v3/base.py", line 183, in get_auth_ref
      gunicorn-web stdout |     resp = session.post(token_url, json=body, headers=headers,
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 1131, in post
      gunicorn-web stdout |     return self.request(url, 'POST', **kwargs)
      gunicorn-web stdout |   File "/usr/local/lib/python3.8/site-packages/keystoneauth1/session.py", line 968, in request
      gunicorn-web stdout |     raise exceptions.from_response(resp, method, url)
      gunicorn-web stdout | keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0f3d9090-07d1-44b3-bb99-bf1cefd47620)
      gunicorn-web stdout | 2020-12-16 08:23:12,892 [328] [DEBUG] [app] Ending request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
      nginx stdout | 10.128.2.30 () - - [16/Dec/2020:08:23:12 +0000] "POST /api/v1/signin HTTP/2.0" 403 105 "https://quayregistry-quay-quay-enterprise.apps.quay-444.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0" (0.420 495 0.421)
      

      Quay Image:

      lizhang@lzha-mac Downloads % oc get pod    
      NAME                                               READY   STATUS      RESTARTS   AGE
      quay-operator-86d66598b8-j7fhp                     1/1     Running     0          4h18m
      quayregistry-clair-app-76bd9f79b6-8gr2t            1/1     Running     0          48m
      quayregistry-clair-postgres-58f4b94bbc-llff6       1/1     Running     1          3h23m
      quayregistry-quay-app-69979f5b49-hgksg             1/1     Running     0          43m
      quayregistry-quay-config-editor-5df98d5479-g6fwp   1/1     Running     0          48m
      quayregistry-quay-database-b96c99b55-sxffr         1/1     Running     0          3h23m
      quayregistry-quay-mirror-7b89d7db7d-9g5vn          1/1     Running     0          48m
      quayregistry-quay-postgres-init-4szv4              0/1     Completed   0          3h23m
      quayregistry-quay-redis-d98744d58-z26fl            1/1     Running     0          3h23m
      
      lizhang@lzha-mac Downloads % oc get pod quayregistry-quay-app-69979f5b49-hgksg  -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay@sha256:bb58d111dfd3663281f998e10acb49a150245171f0d5215702a2eb75de2f92a9"
      

      Steps

      1. Deploy Quay with the TNG Operator, with managed PostgreSQL and unmanaged storage (AWS S3)
      2. Open the Quay config editor and choose Keystone for authentication
      3. Enter a valid configuration: choose V3 as the "Keystone API Version" and fill in "Keystone Authentication URL", "Keystone Administrator Username", "Keystone Administrator Password" and "Keystone Administrator Tenant"
      4. Click "validate configuration changes"
      5. Click "reconfigure"
      6. After the new Quay pod is ready, open the Quay console
      7. Log in with a valid Keystone username/password

      Expected Results:

      Login to Quay with a Keystone user completes successfully.

      Actual Results:

      Login to Quay with a Keystone user failed.
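
An added triage example, not part of the original report or of Quay's code: it groups the gunicorn-web lines from the log above by worker pid and reports which Keystone token request in a sign-in was rejected, and whether the auth URL was plain HTTP. In this log the first POST to /v3/auth/tokens returns 201 and the second returns 401, so the rejection comes after a token was already issued. It assumes one request per worker at a time; the verdict names are invented for this example.

```python
import re

# Trimmed copy of the gunicorn-web lines from the report above (traceback omitted).
SAMPLE = """\
gunicorn-web stdout | 2020-12-16 08:23:12,474 [328] [DEBUG] [app] Starting request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
gunicorn-web stdout | 2020-12-16 08:23:12,477 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
gunicorn-web stdout | 2020-12-16 08:23:12,869 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 201 312
gunicorn-web stdout | 2020-12-16 08:23:12,871 [328] [DEBUG] [keystoneauth.identity.v3.base] Making authentication request to http://3.18.220.200:8050/v3/auth/tokens
gunicorn-web stdout | 2020-12-16 08:23:12,889 [328] [DEBUG] [urllib3.connectionpool] http://3.18.220.200:8050 "POST /v3/auth/tokens HTTP/1.1" 401 114
gunicorn-web stdout | 2020-12-16 08:23:12,892 [328] [DEBUG] [app] Ending request: urn:request:dac68b2d-223b-41ea-a06d-e6f06b3c69b6 (/api/v1/signin)
"""

LINE = re.compile(r"^gunicorn-web stdout \| \S+ \S+ \[(\d+)\] \[\w+\] \[([\w.]+)\] (.*)$")
TOKEN_POST = re.compile(r'"POST /v3/auth/tokens HTTP/1\.[01]" (\d{3}) ')
REQ = re.compile(r"(Starting|Ending) request: (urn:request:\S+) \((\S+)\)")

def classify(statuses):
    """Name the Keystone step that failed, from the ordered token POST statuses."""
    if not statuses:
        return "no-keystone-call"
    if statuses[0] != 201:
        return "first-token-request-rejected"
    if any(s != 201 for s in statuses[1:]):
        return "later-token-request-rejected"
    return "ok"

def triage(log_text):
    """Return one record per Quay request, keyed internally by gunicorn worker pid."""
    open_reqs, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # traceback and nginx lines carry no logger prefix
        pid, logger, msg = m.groups()
        req = REQ.match(msg)
        if req and req.group(1) == "Starting":
            open_reqs[pid] = {"id": req.group(2), "path": req.group(3),
                              "statuses": [], "plaintext_auth_url": False}
        elif pid not in open_reqs:
            continue
        elif req:  # "Ending request": close the record and attach the verdict
            rec = open_reqs.pop(pid)
            rec["verdict"] = classify(rec["statuses"])
            results.append(rec)
        elif msg.startswith("Making authentication request to http://"):
            open_reqs[pid]["plaintext_auth_url"] = True  # credentials sent without TLS
        elif logger == "urllib3.connectionpool" and (p := TOKEN_POST.search(msg)):
            open_reqs[pid]["statuses"].append(int(p.group(1)))
    return results
```
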

            ngutu@redhat.com Nichita Gutu (Inactive)
            lzha1981 luffy zhang