OpenStack Compute (nova)

"Passing insecure dynamic vendordata requests because of missing or incorrect service account configuration." warnings all over n-api logs

Bug #1665693 reported by Matt Riedemann on 2017-02-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Matt Riedemann
	Ocata	Fix Committed	Medium	Matt Riedemann

Bug Description

I'm seeing these warnings all over the n-api logs in an ocata CI job run:

http://logs.openstack.org/11/349011/3/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial-ocata/bee08f9/logs/screen-n-api.txt.gz?level=TRACE#_2017-02-14_22_13_03_345

2017-02-14 22:15:27.415 2678 WARNING nova.api.metadata.vendordata_dynamic [req-eb314972-d29e-436c-a2a7-fb189effb5c4 - -] Passing insecure dynamic vendordata requests because of missing or incorrect service account configuration.

It's coming from here:

http://git.openstack.org/cgit/openstack/nova/tree/nova/api/metadata/vendordata_dynamic.py#n52

We should probably only log that once the first time we hit it since I don't think you can fix it without fixing the [vendordata] credentials in nova.conf and restarting nova-api.

Tags:

Revision history for this message

Matt Riedemann (mriedem) wrote on 2017-02-17:

sdague pointed out that dynamic vendordata is optional so we might not want to be logging this at all. Maybe we can tell from the config if we should care.

Matt Riedemann (mriedem) on 2017-02-17

Changed in nova:
assignee:	nobody → Matt Riedemann (mriedem)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-17: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/435563

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-03: Fix merged to nova (master)

Reviewed: https://review.openstack.org/435563
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=97e14fa3f39839491ff6c7de9572d277bec8f885
Submitter: Jenkins
Branch: master

commit 97e14fa3f39839491ff6c7de9572d277bec8f885
Author: Matt Riedemann <email address hidden>
Date: Fri Feb 17 13:31:41 2017 -0500

Only create vendordata_dynamic ksa session if needed

    We're logging a warning about vendordata dynamic auth
    not being configured every time we create a server with
    a config drive. The dynamic vendordata v2 stuff is all
    optional and controlled via configuring:

CONF.api.vendordata_dynamic_targets

    This change only attempts to create the ksa session
    when we try to make a request, which would only happen
    if CONF.api.vendordata_dynamic_targets is configured.

Change-Id: I1a6f6776670a2fa1439782d10d2e0777df2683ae
Closes-Bug: #1665693

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-03: Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/441224

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-08: Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/441224
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c40d4f37d4e245713902c61456a3bfdcf3ef93c3
Submitter: Jenkins
Branch: stable/ocata

commit c40d4f37d4e245713902c61456a3bfdcf3ef93c3
Author: Matt Riedemann <email address hidden>
Date: Fri Feb 17 13:31:41 2017 -0500

Only create vendordata_dynamic ksa session if needed

CONF.api.vendordata_dynamic_targets

    This change only attempts to create the ksa session
    when we try to make a request, which would only happen
    if CONF.api.vendordata_dynamic_targets is configured.

    Change-Id: I1a6f6776670a2fa1439782d10d2e0777df2683ae
    Closes-Bug: #1665693
    (cherry picked from commit 97e14fa3f39839491ff6c7de9572d277bec8f885)