New instance imagecache doesn't work with keystone: get_admin_context() doesn't set a valid token/strategy

Bug #934464 reported by Vladimir Popovski
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Michael Still

Bug Description

Admin context generated by context.get_admin_context() doesn't set valid auth_token+strategy.

Without these fields properly set different "internal" nova tasks (like periodic_tasks) are unable to access image_service when Keystone is used.

As a result, new imagecache functionality added to Essex fails with ERROR:

401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

Authentication required

Tags: canonistack
Michael Still (mikal)
Changed in nova:
status: New → Confirmed
assignee: nobody → Michael Still (mikalstill)
milestone: none → essex-4
Michael Still (mikal) wrote :

The context here comes from nova/service.py where Service.periodic_tasks() just calls context.get_admin_context(), so I think the imagecache code is just the lucky first victim. It seems like the right fix is to make sure that admin contexts work correctly with keystone in general.
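
A simplified model of why the periodic task gets a 401, added here as an illustration and not taken from nova: `is_admin` only grants privilege inside the process, while the image service accepts or rejects a request on the token it receives. The header-building helper, the fake image endpoint and the token value are assumptions.

```python
# Simplified model of the failure in this report. Names mirror the thread,
# but the bodies are constructed for illustration and are not nova's code.

class RequestContext:
    def __init__(self, user_id, project_id, is_admin=False,
                 auth_token=None, strategy="noauth"):
        self.user_id = user_id
        self.project_id = project_id
        self.is_admin = is_admin
        self.auth_token = auth_token
        self.strategy = strategy


def get_admin_context(auth_token=None, strategy="noauth"):
    # is_admin is an in-process privilege flag; it is not a credential.
    return RequestContext(None, None, is_admin=True,
                          auth_token=auth_token, strategy=strategy)


def image_request_headers(context):
    """Headers a hypothetical image client derives from the context."""
    headers = {}
    if context.strategy == "keystone" and context.auth_token:
        headers["X-Auth-Token"] = context.auth_token
    return headers


def fake_glance_show(headers, valid_tokens):
    """Stand-in for an image API behind keystone: valid token or 401."""
    if headers.get("X-Auth-Token") in valid_tokens:
        return 200
    return 401


def periodic_image_check(context, valid_tokens):
    """Status a periodic task would see when it asks the image service."""
    return fake_glance_show(image_request_headers(context), valid_tokens)


VALID = {"constructed-service-token"}  # constructed sample value

if __name__ == "__main__":
    bare = get_admin_context()
    token_only = get_admin_context(auth_token="constructed-service-token")
    full = get_admin_context("constructed-service-token", "keystone")
    for name, ctx in (("bare", bare), ("token only", token_only), ("full", full)):
        print(name, periodic_image_check(ctx, VALID))
```
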

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
Thierry Carrez (ttx) wrote :

Looks like we won't have a fix in time for E4

Changed in nova:
milestone: essex-4 → essex-rc1
Michael Still (mikal) wrote :

Vladimir -- I don't have a keystone test environment at the moment, and I don't want to hold up the fix while I build one. Can you confirm whether the attached patch fixes your problem? You'd need to specify an admin context token with the --admin_auth_token flag in nova.conf for this to work.

Thanks.

James Troup (elmo)
tags: added: canonistack
Vladimir Popovski (vladimir.p) wrote : RE: [Bug 934464] Re: New instance imagecache doesn't work with keystone: get_admin_context() doesn't set a valid token/strategy

Michael,

It will almost work :-) It seems like it is required to set the strategy as
well.

In our local branch I changed the __init__ of RequestContext() like:
+ if is_admin:
+ if auth_token is None:
+ self.auth_token = FLAGS.admin_auth_token
+ if strategy == 'noauth':
+ self.strategy = FLAGS.admin_auth_strategy
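
Review bot: The `if is_admin:` block sits in the `__init__` of `RequestContext()`, so the configured token and strategy are applied to every context constructed with `is_admin` set, not only to the ones `get_admin_context()` builds for internal tasks. Passing the two values as arguments from `get_admin_context()` would keep the static credential scoped to that one entry point. The lines also do not handle `FLAGS.admin_auth_token` being unset, in which case `self.auth_token` stays `None` and the 401 recurs with no hint about the cause; a log message or an early error there would help. `FLAGS.admin_auth_strategy` is a second flag whose definition is not among these lines and needs documenting next to `admin_auth_token`.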

But it is possible to add arguments within get_admin_context() as well.

Regards,
-Vladimir

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of
Michael Still
Sent: Sunday, March 04, 2012 7:48 PM
To: <email address hidden>
Subject: [Bug 934464] Re: New instance imagecache doesn't work with
keystone: get_admin_context() doesn't set a valid token/strategy

Vladimir -- I don't have a keystone test environment at the moment, and I
don't want to hold up the fix while I build one. Can you confirm whether the
attached patch fixes your problem? You'd need to specify an admin context
token with the --admin_auth_token flag in nova.conf for this to work.

Thanks.

** Patch added: "imc-admin-context.patch"
   https://bugs.launchpad.net/nova/+bug/934464/+attachment/2815292/+files/imc-admin-context.patch


Vish Ishaya (vishvananda) wrote :

FYI, devstack installs keystone by default. Yes the strategy needs to be set as well.

Vish Ishaya (vishvananda) wrote :

I'm thinking an alternate solution is better for essex since we haven't nailed down administrative interactions between services. Imagecache is the only thing that tries to talk to glance directly as an admin. Let's just modify imagecache to not verify images with glance for now. We can revisit this in folsom.

Michael Still (mikal) wrote :

I have just sent off a review which eliminates calls to glance in the image cache manager.

Changed in nova:
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/5075
Committed: http://github.com/openstack/nova/commit/ad53f91e623f05cfe994101d56d6d2cf54cd8412
Submitter: Jenkins
Branch: master

commit ad53f91e623f05cfe994101d56d6d2cf54cd8412
Author: Michael Still <email address hidden>
Date: Tue Mar 6 16:45:40 2012 +1100

    Don't use glance when verifying images.

    Using glance means that admin contexts need to know how to use
    keystone when that is enabled. It's safer to avoid calling glance
    at all from inside the periodic task.

    This should resolve bug 934464.

    Change-Id: Ib730e3f57721fca7080d90ae80b5f8916c1dc76c

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-rc1 → 2012.1