Barbican, encrypted volume cannot be deleted

Bug #1501780 reported by Ollie Leahy
This bug affects 2 people
Affects: Cinder
Status: Fix Released
Importance: Undecided
Assigned to: John Griffith
Milestone: (none listed)

Bug Description

If the cloud admin defines an encryption_api_url without the keymanager version, e.g.:

encryption_api_url = http://10.0.0.40:9311/

Then they will be able to create encrypted volumes, but they won't be able to delete them. The attempt to delete will result in the following stack trace in the cinder-api log:

2015-10-01 13:06:59.668 ERROR cinder.keymgr.barbican [req-e94a54da-a170-43e7-b5eb-022dfaf87ee6 d8b320d13b954dbb8226f4dfc4fa4d22 f1a9a9b1cff94a37ab879679fa5b4c10] Error deleting key.
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican Traceback (most recent call last):
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican File "/opt/stack/cinder/cinder/keymgr/barbican.py", line 303, in delete_key
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican barbican_client.secrets.delete(secret_ref)
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican File "/opt/stack/python-barbicanclient/barbicanclient/secrets.py", line 531, in delete
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican self._api.delete(secret_ref)
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 185, in delete
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican return self.request(url, 'DELETE', **kwargs)
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 65, in request
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican self._check_status_code(resp)
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican File "/opt/stack/python-barbicanclient/barbicanclient/client.py", line 109, in _check_status_code
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican status
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican HTTPClientError: <html>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican <head>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican <title>404 Not Found</title>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican </head>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican <body>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican <h1>404 Not Found</h1>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican The resource could not be found.<br /><br />
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican </body>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican </html>
2015-10-01 13:06:59.668 TRACE cinder.keymgr.barbican
2015-10-01 13:06:59.668 ERROR cinder.api.middleware.fault [req-e94a54da-a170-43e7-b5eb-022dfaf87ee6 d8b320d13b954dbb8226f4dfc4fa4d22 f1a9a9b1cff94a37ab879679fa5b4c10] Caught error: <html>
 <head>
  <title>404 Not Found</title>
 </head>
 <body>
  <h1>404 Not Found</h1>
  The resource could not be found.<br /><br />

 </body>
</html>

The problem is evident a few lines earlier in the log:
2015-10-01 13:06:59.664 DEBUG keystoneclient.session [req-e94a54da-a170-43e7-b5eb-022dfaf87ee6 d8b320d13b954dbb8226f4dfc4fa4d22 f1a9a9b1cff94a37ab879679fa5b4c10] REQ: curl -g -i -X DELETE http://10.0.0.40:9311//secrets/3c7298e3-a87f-423f-91e7-3b0e65ba674a -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA1}041658a6f9a99eef64d8d1a344cf241374afd027" from (pid=16381) _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:198

The URL in this request is incorrect because it is missing the version:
http://10.0.0.40:9311//secrets/3c7298e3-a87f-423f-91e7-3b0e65ba674a

Should be:
http://10.0.0.40:9311/v1/secrets/3c7298e3-a87f-423f-91e7-3b0e65ba674a

The commands to reproduce this:
$ cinder create --volume-type LUKS 1
+---------------------------------------+--------------------------------------+
|                Property               |                Value                 |
+---------------------------------------+--------------------------------------+
| attachments                           | []                                   |
| availability_zone                     | nova                                 |
| bootable                              | false                                |
| consistencygroup_id                   | None                                 |
| created_at                            | 2015-10-01T13:05:29.000000           |
| description                           | None                                 |
| encrypted                             | True                                 |
| id                                    | ada451a5-205b-402c-8c21-e78f21d0614c |
| metadata                              | {}                                   |
| migration_status                      | None                                 |
| multiattach                           | False                                |
| name                                  | None                                 |
| os-vol-host-attr:host                 | None                                 |
| os-vol-mig-status-attr:migstat        | None                                 |
| os-vol-mig-status-attr:name_id        | None                                 |
| os-vol-tenant-attr:tenant_id          | f1a9a9b1cff94a37ab879679fa5b4c10     |
| os-volume-replication:driver_data     | None                                 |
| os-volume-replication:extended_status | None                                 |
| replication_status                    | disabled                             |
| size                                  | 1                                    |
| snapshot_id                           | None                                 |
| source_volid                          | None                                 |
| status                                | creating                             |
| user_id                               | d8b320d13b954dbb8226f4dfc4fa4d22     |
| volume_type                           | LUKS                                 |
+---------------------------------------+--------------------------------------+
$
$ cinder delete ada451a5-205b-402c-8c21-e78f21d0614c
Delete for volume ada451a5-205b-402c-8c21-e78f21d0614c failed: The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-e94a54da-a170-43e7-b5eb-022dfaf87ee6)
ERROR: Unable to delete any of the specified volumes.

Cinder conf:
[keymgr]
api_class = cinder.keymgr.barbican.BarbicanKeyManager
encryption_api_url = http://10.0.0.40:9311/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/230031

Changed in cinder:
assignee: nobody → Ollie Leahy (oliver-leahy-l)
status: New → In Progress
Changed in cinder:
assignee: Ollie Leahy (oliver-leahy-l) → John Griffith (john-griffith)
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/230031
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=f16d13e4cad21f8039c604b8683bd321b824a786
Submitter: Jenkins
Branch: master

commit f16d13e4cad21f8039c604b8683bd321b824a786
Author: Ollie Leahy <email address hidden>
Date: Thu Oct 1 18:21:52 2015 +0100

    encryption_api_url requires a version

    If the value configured for encryption_api_url does not include the
    barbican API version, then some calls from cinder will fail. This can
    mean that encrypted volumes cannot be deleted. To prevent this happening
    raise an exception if the configured value for encryption_api_url does not
    include the barbican version.

    Change-Id: I1a4c9b9e93d7d189a3cdf1469e8bb87817473da5
    Closes-Bug: #1501780

Changed in cinder:
status: In Progress → Fix Committed
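
A sketch of the fail-fast check the commit message describes, run against the two URL forms from this report. This is an added example, not the code from the Cinder commit; the function and exception names, and the rule that the version is a trailing path segment such as v1, are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the API version is the last path segment and looks like "v1".
_VERSION_SEGMENT = re.compile(r"^v\d+(\.\d+)?$")


class InvalidKeyManagerURL(ValueError):
    """Hypothetical exception type used only in this example."""


def split_endpoint(encryption_api_url):
    """Return (base_url, version); raise if the version segment is missing."""
    parts = urlsplit(encryption_api_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise InvalidKeyManagerURL(
            "not an absolute http(s) URL: %r" % encryption_api_url)
    # Drop empty segments so "/v1/" and "/v1" are treated the same and a
    # bare "/" yields no segments at all.
    segments = [s for s in parts.path.split("/") if s]
    if not segments or not _VERSION_SEGMENT.match(segments[-1]):
        raise InvalidKeyManagerURL(
            "encryption_api_url %r must end with the API version, e.g. .../v1"
            % encryption_api_url)
    base = "%s://%s" % (parts.scheme, parts.netloc)
    if segments[:-1]:
        base += "/" + "/".join(segments[:-1])
    return base, segments[-1]


def secret_url(encryption_api_url, secret_id):
    """Build the secret reference without producing '//secrets/...'."""
    base, version = split_endpoint(encryption_api_url)
    return "%s/%s/secrets/%s" % (base, version, secret_id)


def check_config(encryption_api_url):
    """Startup check: None if the value is usable, else the error text."""
    try:
        split_endpoint(encryption_api_url)
    except InvalidKeyManagerURL as exc:
        return str(exc)
    return None
```

Running the check when the service loads its configuration rejects the bad value before any encrypted volume is created, so no volume ends up with a key that cannot be deleted.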
Thierry Carrez (ttx) wrote : Fix included in openstack/cinder 8.0.0.0b1

This issue was fixed in the openstack/cinder 8.0.0.0b1 development milestone.

Thierry Carrez (ttx)
Changed in cinder:
status: Fix Committed → Fix Released