Cinder

InstanceLocalityFilter fails with Keystone error 401

Bug #1686616 reported by György Szombathelyi on 2017-04-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Undecided	György Szombathelyi

Bug Description

Tryint to use InstanceLocalityFilter throws an exception

Unauthorized: The request you have made requires authentication. (HTTP 401)

The call trace in cinder:
.
.
.
File "/usr/lib/python2.7/dist-packages/cinder/compute/nova.py", line 241, in has_extension
2017-04-26 15:08:59.465 8141 ERROR cinder.scheduler.manager nova_exts = novaclient(context).list_extensions.show_all()
2017-04-26 15:08:59.465 8141 ERROR cinder.scheduler.manager File "/usr/lib/python2.7/dist-packages/novaclient/v2/list_extensions.py", line 36, in show_all
2017-04-26 15:08:59.465 8141 ERROR cinder.scheduler.manager return self._list("/extensions", 'extensions')
2017-04-26 15:08:59.465 8141 ERROR cinder.scheduler.manager File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 254, in _list
2017-04-26 15:08:59.465 8141 ERROR cinder.scheduler.manager resp, body = self.api.client.get(url)
.
.
.

So the extension listing throws the error.

The problem is in cinder/compute/nova.py:

It tries to create a Keystone Password auth plugin with the user context, but this context doesn't have a password, only a token. So there should be two cases:
1. create a Password plugin when the privileged user is requested (would be nice to have a [nova] section for this, like in other components. The current settings are obscure, and does not cover all the Keystone v3 settings).
2. create a Token plugin when the user context is used.

wangxiyuan (wangxiyuan) on 2017-04-27

Changed in cinder:
status:	New → Confirmed
assignee:	nobody → wangxiyuan (wangxiyuan)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-27: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/460541

Changed in cinder:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-27:

Fix proposed to branch: master
Review: https://review.openstack.org/460640

Changed in cinder:
assignee:	wangxiyuan (wangxiyuan) → György Szombathelyi (gyurco)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-08: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/460640
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=da93e11794d2a7479b037f96fc5aef83f98be8dd
Submitter: Jenkins
Branch: master

commit da93e11794d2a7479b037f96fc5aef83f98be8dd
Author: Gyorgy Szombathelyi <email address hidden>
Date: Thu Apr 27 17:25:49 2017 +0200

Modernize the nova client in cinder

    The nova client (used by the InstanceLocalityFilter for example)
    seems to have obscure config options (compared to other projects),
    and seems it is buggy too. Fix this by introducing a [nova] section,
    where the usual auth parameters can be put (auth_type, auth_url,
    username, password, etc...), and deprecate the old options.
    Also doesn't play with the Service Catalog, the authentication plugins
    can handle it, use a Token authentication plugin when using
    the user context, and removed the separate usage of the admin endpoint.

    Change-Id: I55613793c8f525a36ac74636f47d7ab76f5c7e39
    Closes-bug: #1686616
    DocImpact: to use a Nova connection (e.g. for InstanceLocalityFilter),
    one has to configure the [nova] section.

Changed in cinder:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-08: Change abandoned on cinder (master)

Change abandoned by wangxiyuan (<email address hidden>) on branch: master
Review: https://review.openstack.org/460541

Revision history for this message

Jakub Jursa (bubo47) wrote on 2017-05-29:

Hello. Any plans of backporting this into stable/ocata branch?

Revision history for this message

György Szombathelyi (gyurco) wrote on 2017-05-29:

Well, the fix is a bit too intrusive, I fear in its current form cannot be backported.

Revision history for this message

Jakub Jursa (bubo47) wrote on 2017-05-29:

Ouch, not happy to hear that. Thanks for the quick response though.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-08: Fix included in openstack/cinder 11.0.0.0b2

This issue was fixed in the openstack/cinder 11.0.0.0b2 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.