wrong password set in api-paste.ini, but still pass the auth
This bug report was converted into a question: question #231155: wrong password set in api-paste.ini, but still pass the auth.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I'm working on Grizzly, and I saw a really strange phenomenon in keystone log.
When I run command "nova list", I get two INFO output:
2013-06-19 15:01:26 INFO [access] 192.168.11.12 - - [19/Jun/
2013-06-19 15:01:26 INFO [access] 192.168.11.11 - - [19/Jun/
I think this matches my understanding about how auth work, although I have questions about the "revoked".
First, user get a new token, then nova verify the token.
Then, suddenly, the second log disappeared, I can only get:
2013-06-20 16:35:45 INFO [access] 192.168.11.12 - - [20/Jun/
This come to me a question, how nova-api verify user's token ?
So, I edited /etc/nova/
Also, I cleaned all tokens in keystone (directly going to database, delete all of them by hand), and restart nova-api.
I suppose this will cause "nova list" failed in auth.
But, I still get my instance list.
I have set "auth_strategy = keystone" in nova.conf.
And before I clean database's token table, I checked the revoke query in keystone log, it contains tokens for both user and nova.
And, I have restarted nova-api, there is a log like:
2013-06-20 17:41:23.505 4605 DEBUG nova.wsgi [-] Loading app osapi_compute from /etc/nova/
So, the change in api-paste.ini should be reloaded.
And, this is also happen for glance, and cinder.
Then, I let the wrong password stays in /etc/nova/
nova list
ERROR: Unauthorized (HTTP 401)
Looks like the change to api-paste.ini do not work directly if I was in a correct auth before.
Changed in keystone: | |
status: | New → Invalid |
Hi dolph,
Why you think this is a question not a bug?
The change in api-paste.ini do not work directly after service reboot is by design?
Why?