Nova/Cinder Key Manager for Barbican Uses Stale Cache
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | High | Dave McCowan |
Liberty | Fix Released | High | Dave McCowan |
OpenStack Compute (nova) | Fix Released | High | Dave McCowan |
Liberty | Fix Released | High | Matt Riedemann |
OpenStack Security Notes | Fix Released | Medium | Dave McCowan |
castellan | Fix Released | Undecided | Dave McCowan |
Bug Description
The Key Manager for Barbican, implemented in Nova and Cinder, caches a value of barbican_client to save extra
calls to Keystone for authentication. However, the cached value of barbican_client is only valid for the current
context. A check needs to be made to ensure the context has not changed before using the saved value.
The symptoms for using a stale cache value include getting the following error message when creating
an encrypted volume.
From CLI:
---------------
openstack volume create --size 1 --type LUKS encrypted_volume
The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-aea6be92-
In cinder.log
-------------------
2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call last):
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/
cute_task
2015-12-03 09:09:03.648 TRACE cinder.volume.api result = task.execute(
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/
2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/
id
2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id = key_manager.
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/
2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(
….
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/
2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url, 'POST', **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/
2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args, **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/
2015-12-03 09:09:03.648 TRACE cinder.volume.api raise exceptions.
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-d2c52e0b-
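The stale-cache behaviour described in the report, next to a context-checked cache, as an added example that is not part of the original report and is not the Nova, Cinder or castellan code. `Context`, `FakeBarbicanClient`, both manager classes and the token values are hypothetical stand-ins constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:              # hypothetical stand-in for a request context
    user: str
    token: str

class FakeBarbicanClient:   # hypothetical stand-in; remembers the token it was built with
    def __init__(self, token):
        self.token = token

    def create_key(self, valid_tokens):
        # Stands in for the POST that ends in HTTP 401 in the trace above.
        if self.token not in valid_tokens:
            raise PermissionError("401 Unauthorized")
        return f"key-for-{self.token}"

class StaleKeyManager:
    """Builds the client once and reuses it for every later context."""
    _client = None

    def _get_client(self, ctxt):
        if self._client is None:
            self._client = FakeBarbicanClient(ctxt.token)
        return self._client

    def create_key(self, ctxt, valid_tokens):
        return self._get_client(ctxt).create_key(valid_tokens)

class ContextCheckedKeyManager(StaleKeyManager):
    """Reuses the cached client only while the context is unchanged."""
    _cached_ctxt = None

    def _get_client(self, ctxt):
        if self._client is None or self._cached_ctxt != ctxt:
            self._client = FakeBarbicanClient(ctxt.token)
            self._cached_ctxt = ctxt
        return self._client

def demo():
    alice, bob = Context("alice", "tok-a"), Context("bob", "tok-b")  # constructed
    results = {}
    for name, mgr in (("stale", StaleKeyManager()),
                      ("checked", ContextCheckedKeyManager())):
        mgr.create_key(alice, {"tok-a", "tok-b"})   # first request fills the cache
        try:                                        # tok-a is no longer valid here
            results[name] = mgr.create_key(bob, {"tok-b"})
        except PermissionError as exc:
            results[name] = str(exc)
    return results
```

While the first token is still valid, the stale manager does not fail at all: it silently performs the second user's request with the first user's credentials, so the absence of a 401 does not mean the cache is being used correctly.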
tags: | added: liberty-backport-potential |
Changed in nova: | |
importance: | Undecided → High |
Changed in nova: | |
assignee: | yuntongjin (yuntongjin) → Dave McCowan (dave-mccowan) |
Changed in ossn: | |
assignee: | nobody → Dave McCowan (dave-mccowan) |
Changed in castellan: | |
assignee: | nobody → Dave McCowan (dave-mccowan) |
Changed in ossn: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
tags: | removed: liberty-backport-potential |
Changed in cinder: | |
importance: | Undecided → High |
Fix proposed to branch: master
Review: https://review.openstack.org/254357