After changing nailgun password astute.yaml wasn't updated

Bug #1555262 reported by Vladimir Khlyunev
This bug affects 2 people
Affects             | Status        | Importance | Assigned to      | Milestone
Fuel for OpenStack  | Fix Committed | High       | Julia Aranovich  |
7.0.x               | Won't Fix     | High       | MOS Maintenance  |
8.0.x               | Won't Fix     | High       | MOS Maintenance  |
Mitaka              | Fix Released  | High       | Vitaly Kramskikh |

Bug Description

Detailed bug description:
 Changing fuel user's password does not update astute.yaml:FUEL_ACCESS:password field. It leads to broken manifests - https://github.com/openstack/fuel-library/search?utf8=%E2%9C%93&q=FUEL_ACCESS .
Steps to reproduce:
 1 Deploy 7.0 Fuel
 2 Change password for "admin" user using "fuel user change-password" command
 3 Apply host-only manifest
 OR
 3 Apply maintenance update old way (using bootstrap_admin_node.sh flow)
Expected results:
 No errors, fuel is operable
Actual result:
 Manifest sets the wrong password in an environment variable, which leads to an "Unauthorized" error at the "fuel rel --sync-deployment-tasks --dir /etc/puppet/" command
 http://puu.sh/nAx98/52bfa395f0.png
(trace http://paste.openstack.org/show/489888/ )
Reproducibility:
 Any run
Workaround:
 Fix astute.yaml manually then apply a manifest/MU
Impact:
 Real-world maintenance update.
Description of the environment:
 Versions of components: Fuel 7.0 Release ISO (#301), Fuel 8.0 Release ISO (#570)

summary: - After cnahging nailgun password astute.yaml wasn't updated
+ After changing nailgun password astute.yaml wasn't updated
tags: added: area-python
Matthew Mosesohn (raytrac3r) wrote :

This can be solved by one of two ways:
1 - We can change the "fuel rel --sync-deployment-tasks --dir /etc/puppet/" command to use the admin token which isn't changed.
2 - Make a documentation update and inform the user that he or she should update ~/.config/fuel/fuel_client.yaml

As a follow up, the error message to update /etc/fuel/client/config.yaml is not very helpful since we don't write to that file any more.

Matthew Mosesohn (raytrac3r) wrote :

After some discussion, I will update the following:
1 - update mos-docs information about changing passwords and performing Fuel Master patching to include changes to /etc/fuel/astute.yaml and ~/.config/fuel/fuel_client.yaml
2 - update python-fuelclient to advise user to update fuel_client.yaml located in home dir, not in /etc
3 - Update Fuel UI feedback about updating /etc/fuel/astute.yaml and ~/.config/fuel/fuel_client.yaml
4 - Update bootstrap_admin_node.sh to fail if fuelclient credentials fail before starting puppet.

Note on #2: We will not add info about /etc/fuel/astute.yaml to fuelclient because it may be run on a separate host than Fuel Master

Changed in fuel:
status: Confirmed → In Progress
Oleg S. Gelbukh (gelbuhos) wrote :

I'm not sure that's exactly the expected behavior here. The file 'astute.yaml' serves as a source for deployment information only. It must not be used by any application (including plugin) as a source of actual auth information for the Nailgun API.

Actual auth credentials are intended to be kept in $HOME/.config/fuel/fuel_client.yaml file, or set as an env variable (KEYSTONE_PASS or OS_PASSWORD), or passed via command line option every time. All applications that want to authenticate for the Nailgun API should rely on those 3 mechanisms.

Dmitriy Stremkovskiy (dstremkouski) wrote :

[root@fuel ~]# cat ~/.config/fuel/fuel_client.yaml
SERVER_ADDRESS: "10.20.0.2"
SERVER_PORT: "8000"
OS_USERNAME: "admin"
OS_PASSWORD: "admin"
OS_TENANT_NAME: "admin"
KEYSTONE_PORT: "5000"
[root@fuel ~]# env | grep KEYSTONE
[root@fuel ~]# env | grep PASSW

All those locations contain wrong credentials as well.

My plugin needs to create new user in keystone to access api further. Vladimir Kuklin says we should use /etc/fuel/astute.yaml FUEL_ACCESS hash.

I cannot rely on ADMIN_TOKEN in /etc/keystone/keystone.conf, because customer can disable it.

Suppose, customer changes fuel admin password either from Fuel WebUI or fuelmenu (both methods are legal) and my plugin cannot access keystone. What should I do then, update database? The answer is NO, because my plugin code will not be merged after that.

Dmitriy Stremkovskiy (dstremkouski) wrote :

This is not a bug also, please close.

Oleg S. Gelbukh (gelbuhos) wrote :

The fuel_client.yaml file and environment variable provide a way for the user to supply username/password to fuel client CLI without explicit option --password, that's all. By no means they are set automatically anywhere if the user changes the password.

The user should provide the plugin with an explicit configuration of the service account, created in a way that suits the user from the security, workflow and other standpoints. Users might provide the actual admin credentials if they prefer so.

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-main (master)

Reviewed: https://review.openstack.org/295396
Committed: https://git.openstack.org/cgit/openstack/fuel-main/commit/?id=6a29a71266d0f3a01390567ed4fd05033a47319d
Submitter: Jenkins
Branch: master

commit 6a29a71266d0f3a01390567ed4fd05033a47319d
Author: Matthew Mosesohn <email address hidden>
Date: Mon Mar 21 19:32:59 2016 +0300

    Fail bootstrap_admin_node if admin password is wrong

    This covers the scenario where a user changes the admin password,
    but fails to update /etc/fuel/astute.yaml and
    /root/.config/fuel/fuel_client.yaml. These files need to be
    updated to re-run bootstrap_admin_node for simple patching.

    This fix is partial because it should include string updates
    in fuel-ui, docs, and fuelclient.

    Change-Id: I23f362524eab9649b58a8ba722e6fd6cb1d6b1ab
    Partial-Bug: #1555262
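
The scenario this commit message describes, sketched as a pre-flight check (an added example, not the code merged into bootstrap_admin_node.sh). The function names, the caller-supplied auth probe and the exact YAML layouts are assumptions; only the FUEL_ACCESS, OS_USERNAME and OS_PASSWORD keys come from this report.

```shell
#!/bin/bash
# Added example: pre-flight check for stale Fuel admin credentials.
# Assumed layouts: astute.yaml has a FUEL_ACCESS block with user/password;
# fuel_client.yaml has top-level OS_USERNAME / OS_PASSWORD.

# yaml_get FILE SECTION KEY: print one scalar ("" = top-level key).
yaml_get() {
  awk -v sec="$2" -v key="$3" -v sq="'" '
    function clean(s) { q = "[ \t\r\"" sq "]+"; sub("^" q, "", s); sub(q "$", "", s); return s }
    /^[ \t]*(#|$)/ { next }
    {
      pos = index($0, ":"); if (!pos) next
      k = clean(substr($0, 1, pos - 1)); v = clean(substr($0, pos + 1))
      if (match($0, /[^ ]/) == 1) {            # top-level line
        cur = k
        if (sec == "" && k == key) { print v; exit }
      } else if (sec != "" && cur == sec && k == key) { print v; exit }
    }' "$1"
}

# 0 = files agree, 1 = drift, 2 = value missing. Secrets are never echoed.
check_credential_drift() {
  local a_user a_pass c_user c_pass
  a_user=$(yaml_get "$1" FUEL_ACCESS user)
  a_pass=$(yaml_get "$1" FUEL_ACCESS password)
  c_user=$(yaml_get "$2" "" OS_USERNAME)
  c_pass=$(yaml_get "$2" "" OS_PASSWORD)
  if [ -z "$a_pass" ] || [ -z "$c_pass" ]; then
    echo "preflight: password missing in $1 or $2" >&2; return 2
  fi
  if [ "$a_user" != "$c_user" ] || [ "$a_pass" != "$c_pass" ]; then
    echo "preflight: $1 and $2 disagree, update both" >&2; return 1
  fi
}

# Drift check, then a caller-supplied auth probe (any command that exits
# non-zero on "Unauthorized"); 3 = the API rejected the stored password.
preflight() {
  local astute="$1" client="$2"; shift 2
  check_credential_drift "$astute" "$client" || return $?
  if [ $# -gt 0 ] && ! "$@" >/dev/null 2>&1; then
    echo "preflight: stored credentials rejected by the API" >&2; return 3
  fi
}

# Constructed sample: password changed in the client config only.
demo=$(mktemp -d)
printf '"FUEL_ACCESS":\n  "user": "admin"\n  "password": "old-pw"\n' > "$demo/astute.yaml"
printf 'OS_USERNAME: "admin"\nOS_PASSWORD: "new-pw"\n' > "$demo/fuel_client.yaml"
preflight "$demo/astute.yaml" "$demo/fuel_client.yaml" || echo "aborting before puppet (rc=$?)"
rm -rf "$demo"
```

Two files that agree with each other can both be stale, which is why the probe step matters: pass any read-only client command as the trailing arguments to `preflight`.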

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-fuelclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/303318

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-fuelclient (master)

Reviewed: https://review.openstack.org/303318
Committed: https://git.openstack.org/cgit/openstack/python-fuelclient/commit/?id=b384bf90ec774dd8c67c49ba53ec74008f54e1c1
Submitter: Jenkins
Branch: master

commit b384bf90ec774dd8c67c49ba53ec74008f54e1c1
Author: Matthew Mosesohn <email address hidden>
Date: Fri Apr 8 12:34:11 2016 +0300

    Add notice about updating fuel_client.yaml when updating pass

    Users are advised to update their configuration after
    changing their Fuel Admin password.

    Change-Id: Ie4f7e29092002cb316829ef394e4c938ebf30766
    Partial-Bug: #1555262

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to mos/mos-docs (master)

Fix proposed to branch: master
Change author: Matthew Mosesohn <email address hidden>
Review: https://review.fuel-infra.org/19784

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to mos/mos-docs (master)

Reviewed: https://review.fuel-infra.org/19784
Submitter: Evgeny Konstantinov <email address hidden>
Branch: master

Commit: 391d3fd64154c3b88a0fcb53b1030a86206217e4
Author: Matthew Mosesohn <email address hidden>
Date: Mon Apr 18 15:59:56 2016

Add note for fuelclient config in patching notes

Change-Id: I892352f4ad63666e87d798b88ef330cd5dba1b3f
Partial-Bug: #1555262

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-fuelclient (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/307378

Matthew Mosesohn (raytrac3r) wrote :

UI team, can you please add similar notifications as described in https://review.openstack.org/303318 ?

Changed in fuel:
assignee: Matthew Mosesohn (raytrac3r) → Fuel UI Team (fuel-ui)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-fuelclient (stable/mitaka)

Reviewed: https://review.openstack.org/307378
Committed: https://git.openstack.org/cgit/openstack/python-fuelclient/commit/?id=fe194d85899a02fcb84f69fc08c98a19186a0417
Submitter: Jenkins
Branch: stable/mitaka

commit fe194d85899a02fcb84f69fc08c98a19186a0417
Author: Matthew Mosesohn <email address hidden>
Date: Fri Apr 8 12:34:11 2016 +0300

    Add notice about updating fuel_client.yaml when updating pass

    Users are advised to update their configuration after
    changing their Fuel Admin password.

    Change-Id: Ie4f7e29092002cb316829ef394e4c938ebf30766
    Partial-Bug: #1555262
    (cherry picked from commit b384bf90ec774dd8c67c49ba53ec74008f54e1c1)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ui (master)

Fix proposed to branch: master
Review: https://review.openstack.org/307701

Changed in fuel:
assignee: Fuel UI Team (fuel-ui) → Julia Aranovich (jkirnosova)
Dmitry Pyzhov (dpyzhov)
Changed in fuel:
milestone: 9.0 → 10.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ui (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/308321

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ui (master)

Reviewed: https://review.openstack.org/307701
Committed: https://git.openstack.org/cgit/openstack/fuel-ui/commit/?id=e0fe78cae0f282d5857e6b4833001ae20b7640bd
Submitter: Jenkins
Branch: master

commit e0fe78cae0f282d5857e6b4833001ae20b7640bd
Author: Julia Aranovich <email address hidden>
Date: Tue Apr 19 13:38:40 2016 +0300

    Add changing password warning to Change Password dialog

    Closes-Bug: #1555262

    Change-Id: Icbbef6dfad859e3dd0856d73e77c3fb8621b1fd5

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ui (stable/mitaka)

Reviewed: https://review.openstack.org/308321
Committed: https://git.openstack.org/cgit/openstack/fuel-ui/commit/?id=113b4277dd761e94fe8aeff600a2ebfe9acf0350
Submitter: Jenkins
Branch: stable/mitaka

commit 113b4277dd761e94fe8aeff600a2ebfe9acf0350
Author: Julia Aranovich <email address hidden>
Date: Tue Apr 19 13:38:40 2016 +0300

    Add changing password warning to Change Password dialog

    Closes-Bug: #1555262

    Change-Id: Icbbef6dfad859e3dd0856d73e77c3fb8621b1fd5

tags: added: on-verification
Dmitriy Kruglov (dkruglov) wrote :

Verified on MOS 9.0, build 418.
The issue is fixed.

tags: removed: on-verification