OpenStack Compute (nova)

nova.compute ImageNotAuthorized when using strategy keystone

Bug #1152303 reported by Duffie Cooley on 2013-03-07

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Invalid	Undecided	Unassigned

Bug Description

This compute node is running the latest code from:
http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main

When glance is secured with keystone then nova-compute is not authorized to deploy an image from glance. This is a problem specific to the context of the token.

per this question:
https://answers.launchpad.net/nova/+question/218145

I am getting the same error.

http://codepad.org/jYi5GZ72

I have updated the code in nova.image.glance to this:

def _create_glance_client(context, host, port, use_ssl, version=1):
    """Instantiate a new glanceclient.Client object"""
    if use_ssl:
        scheme = 'https'
    else:
        scheme = 'http'
    params = {}
    params['insecure'] = FLAGS.glance_api_insecure
    if FLAGS.auth_strategy == 'keystone':
        dicttoken = context.to_dict().get('auth_token')
        contexttoken = context.auth_token
        LOG.error("### dict token is %s" % dicttoken)
        LOG.error("### context token is %s" % contexttoken)
        params['token'] = context.auth_token
    endpoint = '%s://%s:%s' % (scheme, host, port)
    return glanceclient.Client(str(version), endpoint, **params)

And as you can see from the paste

The params['token'] code is being called twice.

The second time the context.auth_token call is failing.

root@server12:~# grep req-f66255ef-13fe-4791-b137-f76855197aa4 /var/log/nova/nova-compute.log | grep ERROR
2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### context token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is fff534d1a18c4b4a816c076d4fce0e70

2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### context token is None

2013-03-07 11:07:49 ERROR nova.compute.manager [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] [instance: 3e89c0a7-11c8-4b4f-8b4b-b04ea97a9d88] Instance failed to spawn

If I use the dict option the token works and I am no longer blocked.

See original description

Tags:

Duffie Cooley (opekstac4) on 2013-03-07

description:	updated
description:	updated

Revision history for this message

Duffie Cooley (opekstac4) wrote on 2013-03-07:

apport report Edit (11.6 KiB, text/plain)

Aaron Rosen (arosen) on 2013-03-07

Changed in nova:
status:	New → Confirmed

Duffie Cooley (opekstac4) on 2013-03-07

Changed in nova:
status:	Confirmed → New
status:	New → Confirmed

lizheming (lizheming-li) on 2013-12-28

Changed in nova:
assignee:	nobody → lizheming (lizheming-li)

lizheming (lizheming-li) on 2014-01-08

Changed in nova:
assignee:	lizheming (lizheming-li) → nobody

Revision history for this message

Joe Gordon (jogo) wrote on 2014-07-28:

folsom has been end of lifed

Changed in nova:
status:	Confirmed → Incomplete

Sean Dague (sdague) on 2014-09-17

Changed in nova:
status:	Incomplete → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

apport report Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.