Glance installation fails if password contains '@' symbol

Bug #1695299 reported by Rahul Sharma on 2017-06-02
38
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Glance
High
Ian Wienand
Rocky
High
Ian Wienand

Bug Description

I was doing a fresh installation of devstack today and had set the admin password as "Test@321" in local.conf file. The installation started failing for Glance and when I had a look at the backtrace, it looks like it converts '@' to '%40' and starts failing.

Either this needs to be fixed or proper note needs to be added in devstack setup stating that one cannot use '@' symbol in passwords.

ubuntu@openstack:~/devstack$ glance --version
2.6.0
ubuntu@openstack:~/devstack$

CRITICAL glance [-] Unhandled error: ValueError: invalid interpolation syntax in 'mysql+pymysql://root:Test%40321@127.0.0.1/glance?charset=utf8' at position 27
ERROR glance Traceback (most recent call last):
ERROR glance File "/usr/local/bin/glance-manage", line 10, in <module>
ERROR glance sys.exit(main())
ERROR glance File "/opt/stack/glance/glance/cmd/manage.py", line 452, in main
ERROR glance return CONF.command.action_fn()
ERROR glance File "/opt/stack/glance/glance/cmd/manage.py", line 291, in sync
ERROR glance self.command_object.sync(CONF.command.version)
ERROR glance File "/opt/stack/glance/glance/cmd/manage.py", line 117, in sync
ERROR glance alembic_migrations.place_database_under_alembic_control()
ERROR glance File "/opt/stack/glance/glance/db/sqlalchemy/alembic_migrations/__init__.py", line 73, in place_database_under_alembic_control
ERROR glance a_config = get_alembic_config()
ERROR glance File "/opt/stack/glance/glance/db/sqlalchemy/alembic_migrations/__init__.py", line 37, in get_alembic_config
ERROR glance config.set_main_option('sqlalchemy.url', str(engine.url))
ERROR glance File "/usr/local/lib/python2.7/dist-packages/alembic/config.py", line 218, in set_main_option
ERROR glance self.set_section_option(self.config_ini_section, name, value)
ERROR glance File "/usr/local/lib/python2.7/dist-packages/alembic/config.py", line 245, in set_section_option
ERROR glance self.file_config.set(section, name, value)
ERROR glance File "/usr/lib/python2.7/ConfigParser.py", line 752, in set
ERROR glance "position %d" % (value, tmp_value.find('%')))
ERROR glance ValueError: invalid interpolation syntax in 'mysql+pymysql://root:Test%40321@127.0.0.1/glance?charset=utf8' at position 27
ERROR glance
+lib/glance:init_glance:1 exit_trap
+./stack.sh:exit_trap:492 local r=1
++./stack.sh:exit_trap:493 jobs -p
+./stack.sh:exit_trap:493 jobs=
+./stack.sh:exit_trap:496 [[ -n '' ]]
+./stack.sh:exit_trap:502 kill_spinner
+./stack.sh:kill_spinner:388 '[' '!' -z '' ']'
+./stack.sh:exit_trap:504 [[ 1 -ne 0 ]]
+./stack.sh:exit_trap:505 echo 'Error on exit'
Error on exit
+./stack.sh:exit_trap:506 generate-subunit 1496417170 632 fail
+./stack.sh:exit_trap:507 [[ -z /opt/stack/logs ]]
+./stack.sh:exit_trap:510 /home/ubuntu/devstack/tools/worlddump.py -d /opt/stack/logs
World dumping... see /opt/stack/logs/worlddump-2017-06-02-153642.txt for details
+./stack.sh:exit_trap:516 exit 1
ubuntu@openstack:~/devstack$

Tiago Farias (tgoboards) wrote :

same problem here when tried to install devstack and using a password with '@'.

Gleb Zimin (gzimin) wrote :

So, also when password or login have '/' symbol glance throw error.

Aizuddin Zali (mymzbe) wrote :

Seems like this hit interpolation on ConfigParser. Are you able to escape using `%%`?

One possible solution is to set:

config = ConfigParser(strict=False, interpolation=None)

Changed in glance:
assignee: nobody → Aizuddin Zali (mymzbe)
status: New → Confirmed
Aizuddin Zali (mymzbe) wrote :

correction '%@' as example to escapte @.

Aizuddin Zali (mymzbe) on 2017-08-22
Changed in devstack:
status: New → Invalid
Aizuddin Zali (mymzbe) wrote :

From https://git.launchpad.net/glance/tree/glance/db/sqlalchemy/alembic_migrations/__init__.py master bracnh line 37.

config.set_main_option('sqlalchemy.url', str(engine.url))

This indeed an expected behaviour, quoting to alembic documentation (http://alembic.zzzcomputing.com/en/latest/api/config.html).

 set_main_option(name, value)

    Set an option programmatically within the ‘main’ section.

    This overrides whatever was in the .ini file.
    Parameters:

        name – name of the value
        value¶ – the value. Note that this value is passed to ConfigParser.set, which supports variable interpolation using pyformat (e.g. %(some_value)s). A raw percent sign not part of an interpolation symbol must therefore be escaped, e.g. %%. The given value may refer to another value already in the file using the interpolation format.

Changed in glance:
status: Confirmed → Invalid
Aizuddin Zali (mymzbe) on 2017-08-24
Changed in devstack:
assignee: nobody → Aizuddin Zali (mymzbe)

Fix proposed to branch: master
Review: https://review.openstack.org/498427

Changed in devstack:
assignee: Aizuddin Zali (mymzbe) → Gleb Zimin (glathor)
status: Invalid → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/498730

Change abandoned by Gleb Zimin (<email address hidden>) on branch: master
Review: https://review.openstack.org/498730

Ian Wienand (iwienand) wrote :

There's an unanswered question here ... how did

> "Test@321" in local.conf file.

end up being escaped to %40

> CRITICAL glance [-] Unhandled error: ValueError: invalid interpolation syntax
> in 'mysql+pymysql://root:Test%40321@127.0.0.1/glance?charset=utf8'

? afaict we don't do that anywhere

Ian Wienand (iwienand) wrote :

I've actually convinced myself this really is glance's fault. I have a suggested change incoming

Changed in glance:
status: Invalid → New
Gleb Zimin (gzimin) wrote :

So, we can delete devstack from affects.

Changed in devstack:
status: In Progress → Invalid
no longer affects: devstack
Erno Kuvaja (jokke) on 2017-09-26
Changed in glance:
status: New → In Progress
importance: Undecided → High

Unassigning, patches have been abandoned.

Changed in glance:
assignee: Aizuddin Zali (mymzbe) → nobody
no longer affects: glance/pike
no longer affects: glance/queens

Reviewed: https://review.openstack.org/499410
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=f601cfccf1d8e2e314a270943d91e8aa1932f2a4
Submitter: Zuul
Branch: master

commit f601cfccf1d8e2e314a270943d91e8aa1932f2a4
Author: Ian Wienand <email address hidden>
Date: Thu Aug 31 11:06:28 2017 +1000

    Support RFC1738 quoted chars in passwords

    In the bug, a user tried setting a devstack password with a "@" in it.

    As it turns out, sqlalchmey turns the connection-string into a
    sqlalchemy.engine.url.URL object [1] which returns a RFC1738 quoted
    string.

    However, alembic's set_main_option [2] uses python
    string-interpolation which interprets '%' characters. This means you
    end up with an interpolation traceback when using any quoted character
    (':@/') in a user/password (more likely password).

    Avoid this by ensuring the URL is safe for python interpolation in
    set_main_option by replacing '%' -> '%%'.

    I convinced myself this is safe because sqlalchemy correctly parses
    the quoted and unquoted versions just the same

    ---
     >>> str(sqlalchemy.engine.url.make_url('mysql+pymysql://foo:crazy:@/pw@/moo'))
     'mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'
     >>> str(sqlalchemy.engine.url.make_url('mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'))
     'mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'
    ---

    A test is added

    [1] https://github.com/zzzeek/sqlalchemy/blob/master/lib/sqlalchemy/engine/url.py
    [2] http://alembic.zzzcomputing.com/en/latest/api/config.html#alembic.config.Config.set_main_option

    Change-Id: I3ef7e3e539e35ce040573f2044ab6eb3c990200a
    Closes-Bug: #1695299

Changed in glance:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/592210
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=626018b991080c0706df8481e37addefd10c58fa
Submitter: Zuul
Branch: stable/rocky

commit 626018b991080c0706df8481e37addefd10c58fa
Author: Ian Wienand <email address hidden>
Date: Thu Aug 31 11:06:28 2017 +1000

    Support RFC1738 quoted chars in passwords

    In the bug, a user tried setting a devstack password with a "@" in it.

    As it turns out, sqlalchmey turns the connection-string into a
    sqlalchemy.engine.url.URL object [1] which returns a RFC1738 quoted
    string.

    However, alembic's set_main_option [2] uses python
    string-interpolation which interprets '%' characters. This means you
    end up with an interpolation traceback when using any quoted character
    (':@/') in a user/password (more likely password).

    Avoid this by ensuring the URL is safe for python interpolation in
    set_main_option by replacing '%' -> '%%'.

    I convinced myself this is safe because sqlalchemy correctly parses
    the quoted and unquoted versions just the same

    ---
     >>> str(sqlalchemy.engine.url.make_url('mysql+pymysql://foo:crazy:@/pw@/moo'))
     'mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'
     >>> str(sqlalchemy.engine.url.make_url('mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'))
     'mysql+pymysql://foo:crazy%3A%40%2Fpw@/moo'
    ---

    A test is added

    [1] https://github.com/zzzeek/sqlalchemy/blob/master/lib/sqlalchemy/engine/url.py
    [2] http://alembic.zzzcomputing.com/en/latest/api/config.html#alembic.config.Config.set_main_option

    Change-Id: I3ef7e3e539e35ce040573f2044ab6eb3c990200a
    Closes-Bug: #1695299
    (cherry picked from commit f601cfccf1d8e2e314a270943d91e8aa1932f2a4)

tags: added: in-stable-rocky

This issue was fixed in the openstack/glance 17.0.0.0rc2 release candidate.

This issue was fixed in the openstack/glance 18.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers