nova.compute ImageNotAuthorized when using strategy keystone

Bug #1152303 reported by Duffie Cooley
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Undecided
Unassigned

Bug Description

This compute node is running the latest code from:
http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main

When glance is secured with keystone then nova-compute is not authorized to deploy an image from glance. This is a problem specific to the context of the token.

per this question:
https://answers.launchpad.net/nova/+question/218145

I am getting the same error.

http://codepad.org/jYi5GZ72

I have updated the code in nova.image.glance to this:

def _create_glance_client(context, host, port, use_ssl, version=1):
    """Instantiate a new glanceclient.Client object"""
    if use_ssl:
        scheme = 'https'
    else:
        scheme = 'http'
    params = {}
    params['insecure'] = FLAGS.glance_api_insecure
    if FLAGS.auth_strategy == 'keystone':
        dicttoken = context.to_dict().get('auth_token')
        contexttoken = context.auth_token
        LOG.error("### dict token is %s" % dicttoken)
        LOG.error("### context token is %s" % contexttoken)
        params['token'] = context.auth_token
    endpoint = '%s://%s:%s' % (scheme, host, port)
    return glanceclient.Client(str(version), endpoint, **params)

And as you can see from the paste

The params['token'] code is being called twice.

The second time the context.auth_token call is failing.

root@server12:~# grep req-f66255ef-13fe-4791-b137-f76855197aa4 /var/log/nova/nova-compute.log | grep ERROR
2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### context token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### context token is None

2013-03-07 11:07:49 ERROR nova.compute.manager [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] [instance: 3e89c0a7-11c8-4b4f-8b4b-b04ea97a9d88] Instance failed to spawn

If I use the dict option the token works and I am no longer blocked.

description: updated
description: updated
Revision history for this message
Duffie Cooley (opekstac4) wrote :
Aaron Rosen (arosen)
Changed in nova:
status: New → Confirmed
Changed in nova:
status: Confirmed → New
status: New → Confirmed
lizheming (lizheming-li)
Changed in nova:
assignee: nobody → lizheming (lizheming-li)
lizheming (lizheming-li)
Changed in nova:
assignee: lizheming (lizheming-li) → nobody
Revision history for this message
Joe Gordon (jogo) wrote :

folsom has been end of lifed

Changed in nova:
status: Confirmed → Incomplete
Sean Dague (sdague)
Changed in nova:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.