OpenStack V2 Authentication Failed since RequestOpts.MoreHeaders does not make sense

[freedywu]

In provider_client.go:322, RequestOpts.Header says it will be omitted if it is a blank value.

// RequestOpts customizes the behavior of the provider.Request() method.
type RequestOpts struct {
	// MoreHeaders specifies additional HTTP headers to be provide on the request. If a header is
	// provided with a blank value (""), that header will be *omitted* instead: use this to suppress
	// the default Accept header or an inferred Content-Type, for example.
	MoreHeaders map[string]string
}

But in commit 29581a2 [Swift V1: fix setting empty headers (#2218)], the method locate in ​provider_client.go:411 has been changed, and blank header no longer been removed.

This caused an Authentication Failed error when trying to get an v2auth client due to an empty X-Auth-Token header.
This symptom is imported after v0.21.0.

openstack/identity/v2/tokens/requests.go:94:

resp, err := client.Post(CreateURL(client), b, &r.Body, &gophercloud.RequestOpts{
	OkCodes:     []int{200, 203},
	MoreHeaders: map[string]string{"X-Auth-Token": ""},
})

How can I make it correct? Is there any suggestion or work around?

[freedywu]

And, after testing, V3 auth is also affected.
openstack/identity/v3/tokens/requests.go: 137

resp, err := c.Post(tokenURL(c), b, &r.Body, &gophercloud.RequestOpts{
	MoreHeaders: map[string]string{"X-Auth-Token": ""},
})

[jtopjian]

Thank you for the report.

In provider_client.go:322, RequestOpts.Header says it will be omitted if it is a blank value.

Good catch. This docstring/comment needs to be updated to reflect the new behaviour.

This caused an Authentication Failed error when trying to get an v2auth client due to an empty X-Auth-Token header.
This symptom is imported after v0.21.0.

The openstack/identity/v2/tokens/requests.go and openstack/identity/v3/tokens/requests.go code that you're looking at is part of the tokens.Create functions for Identity v2 and v3. This function is tested in the acceptance tests suite:

gophercloud/acceptance/openstack/identity/v3/credentials_test.go

Lines 38 to 40 in 18a1ee5

	token, err := tokens.Create(client, &authOptions).Extract()
	th.AssertNoErr(t, err)
	tools.PrintResource(t, token)

According to prior acceptance test reports (for example here and here), the TestCredentialsCRUD test passed.

Off the top of my head, this might either be 1) a change introduced in a newer release of OpenStack or 2) something that the OpenStack cloud you're working in is doing differently than upstream OpenStack.

[freedywu]

Thank you for your reply!

Off the top of my head, this might either be 1) a change introduced in a newer release of OpenStack or 2) something that the OpenStack cloud you're working in is doing differently than upstream OpenStack.

My current OpenStack has been worked for a long time under the production environment(maybe 5 years ago?). So, it may behave little bit differently than the upstream version.
After testing, i found the identity module works well if there is no blank X-Auth-Token header.

So, i wonder if something like RequestOpts.OmitHeader could be added to make adaptation to multi-version openStack.

[jtopjian]

1. a change introduced in a newer release of OpenStack

My current OpenStack has been worked for a long time under the production environment(maybe 5 years ago?).

I wonder if it's the opposite then: a change was introduced in a newer release of OpenStack which allows an empty X-Auth-Token header. Do you know what release your cloud is using? If you let us know, someone can build a devstack environment of that release and try to reproduce the problem.

If this turns out to be the case, then I support the fix in #2315. I just want to try to figure out what's triggering the issue to begin with.

[freedywu]

I'm willing to provide more information about the problem.

As far as I know, our cloud is running on a customized branch. The keystone version is about 10.0.0.0b or earlier, since the latest commit history I could found is openstack/keystone@f6f4eb2.

Additionally, we also use the latest python-novaclient for production usage, it make the authentication request without a blank X-Auth-Token and works well. That's the reason why I want to remove the header.

[jtopjian]

Thanks for the info. I will try to get some time in the next day or two to create a devstack instance running Newton. I just want to try a quick test to see if the acceptance test fails. If it does, then we know the reason.

[freedywu]

Thanks for the info. I will try to get some time in the next day or two to create a devstack instance running Newton. I just want to try a quick test to see if the acceptance test fails. If it does, then we know the reason.

After confirm with my colleagues, the running keystone version is 2014.1.5.

[jtopjian]

whoa - now that brings back some memories.

Unfortunately I don't think there's any way I'll get a working version of that running and it's safe to say that OpenStack behaved differently in this context. In fact, I wonder if the original reason why Gophercloud automatically removed empty headers was for reasons like this.