OpenStack Compute (nova)

placement keystonemiddleware_authtoken ignores OS_PLACEMENT_CONFIG_DIR

Bug #1734491 reported by Chris Dent on 2017-11-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Low	Chris Dent

Bug Description

In placement master, late November 2017, the deploy.py file is responsible for building the WSGI middleware stack, including loading the keystonemiddleware.

auth_middleware = auth_token.filter_factory(
{}, oslo_config_project=project_name)

This mode of loading means that the middleware itself is responsible for finding and reading the project conf file (nova.conf for now).

Whereas the general the conf loading done in wsgi.py is aware of an OS_PLACEMENT_CONFIG_DIR env, the filter_factory loading above is not.

This can lead to some pretty confusing situations where custom config, for things like the database, from custom locations are visible in the placement service, but authtoken config is not.

Only after pulling all hair from head does it become clear what's happening.

So we should fix that. It _may_ be as simple as adding similar file handling as used in wsgi.py, but it's not clear if the arg will get passed through. Further experimentation required.

Tags:

Revision history for this message

Takashi Natsume (natsume-takashi) wrote on 2017-11-26:

Set the status to "In-Progress" because this report has an assignee.

Changed in nova:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-28: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/523403

Chris Dent (cdent) on 2017-12-04

tags:

added: pike-backport-potential

melanie witt (melwitt) on 2017-12-06

Changed in nova:
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-07: Fix merged to nova (master)

Reviewed: https://review.openstack.org/523403
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b2e02f5147d79eaf4fd935507590fec5a0ba7ccf
Submitter: Zuul
Branch: master

commit b2e02f5147d79eaf4fd935507590fec5a0ba7ccf
Author: Chris Dent <email address hidden>
Date: Tue Nov 28 12:44:44 2017 +0000

[placement] re-use existing conf with auth token middleware

    If 'oslo_config_project' is passed to the auth_token filter
    factory, the mechanism in nova.api.openstack.placement.wsgi for
    overriding the location of the configuration file is ignored
    meaning that expected custom configuration is also ignored.

Instead pass the already existing conf with 'olso_config_config'
parameter.

    The unit test in test_deploy.py shows that the configuration
    settings get passed to the middleware and used by testing the
    value of the 'WWW-Authenticate' header (which comes from a few
    different configuration settings, of which is 'auth_uri') in
    a response generated by the placement WSGI application.
    The same test against the previous deploy.py code fails.

Change-Id: I61d20c5d19797f7e66648c7864a632f3328be8ce
Closes-Bug: #1734491

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-07: Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/526351

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-07: Fix included in openstack/nova 17.0.0.0b2

This issue was fixed in the openstack/nova 17.0.0.0b2 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-08: Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/526691

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-12: Related fix merged to nova (master)

Reviewed: https://review.openstack.org/526691
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=fc71fb891e55b2a870444650ed718c897c096edc
Submitter: Zuul
Branch: master

commit fc71fb891e55b2a870444650ed718c897c096edc
Author: Chris Dent <email address hidden>
Date: Fri Dec 8 14:40:59 2017 +0000

[placement] annotate loadapp as public interface

    When Change-Id: I61d20c5d19797f7e66648c7864a632f3328be8ce was under
    review there were questions about why the interface on deploy() was not
    changed to remove the no-longer used project_name kwarg. I mistakenly
    asserted that this was because it was a public interface for building
    a Placement WSGI application. That's not the case. loadapp() is the
    public interface.

This change annotates loadapp() as such, and removes the unused arg
deploy().

Change-Id: I9f3d03d964654ab1b9515ecd6fe35c518d5f496a
Related-Bug: #1734491

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-02: Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/526351
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=5d76284261cbfedd3f8a6363e89be079db93eeae
Submitter: Zuul
Branch: stable/pike

commit 5d76284261cbfedd3f8a6363e89be079db93eeae
Author: Chris Dent <email address hidden>
Date: Tue Nov 28 12:44:44 2017 +0000

[placement] re-use existing conf with auth token middleware

Instead pass the already existing conf with 'olso_config_config'
parameter.

    Change-Id: I61d20c5d19797f7e66648c7864a632f3328be8ce
    Closes-Bug: #1734491
    (cherry picked from commit b2e02f5147d79eaf4fd935507590fec5a0ba7ccf)

tags:

added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-02: Fix included in openstack/nova 16.1.1

This issue was fixed in the openstack/nova 16.1.1 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.