OpenStack Heat

SignalResponder could leak users

Bug #1262177 reported by Steven Hardy on 2013-12-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	Undecided	Steven Hardy	OpenStack Heat 2014.1 "icehouse"

Bug Description

SignalResponder only sets the resource_id if we manage to create an ec2 keypair, meaning that we will leak users in the event that creating the user works, but creating the keypair does not.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-18: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/62862

Changed in heat:
assignee:	nobody → Steven Hardy (shardy)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-20: Fix merged to heat (master)

Reviewed: https://review.openstack.org/62862
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=151bfa1d119900f897f7185cba9f1b437b44654e
Submitter: Jenkins
Branch: master

commit 151bfa1d119900f897f7185cba9f1b437b44654e
Author: Steven Hardy <email address hidden>
Date: Wed Dec 18 12:08:43 2013 +0000

SignalResponder, set resource_id in the correct place

If there is an error creating the ec2 keypair, but we have created
a user, we will lose track of the user id and be unable to delete

Change-Id: Ib8704f1054dd16003849700c659d0fea83c13916
Closes-Bug: #1262177

Changed in heat:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-23: Related fix proposed to heat (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/63829

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-10: Related fix merged to heat (master)

Reviewed: https://review.openstack.org/63829
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=7214c146f1c2582e293ded65bf6947c50f617534
Submitter: Jenkins
Branch: master

commit 7214c146f1c2582e293ded65bf6947c50f617534
Author: Steven Hardy <email address hidden>
Date: Mon Dec 23 20:45:13 2013 +0000

Store AccessKey secret_key in resource data

    Similar to the change for SignalResponder, store the secret key
    encrypted in resource data, rather than requesting it from keystone
    every time the user requests the SecretKey attribute.

    Unlike SignalResponder (which stores the signed URL after using
    the keypair to sign the request), we need this to be backwards
    compatible, to cope with upgrading heat with stacks in the DB
    which contain the AccessKey resource but don't have the secret
    stored.

blueprint: instance-users
Related-Bug: #1262177

Change-Id: I92826a6dc028b151d98c0a5e2f6ec27db4b744b9

Thierry Carrez (ttx) on 2014-01-22

Changed in heat:
milestone:	none → icehouse-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-04-17

Changed in heat:
milestone:	icehouse-2 → 2014.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.