OpenStack Compute (Nova)

adminPass should not be returned to client if it isn't set.

Reported by Vish Ishaya on 2012-01-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
High
Mike Pittaro

Bug Description

When you launch a new server, it always returns adminPass, even if the adminPass is not actually used or set in the backend. This should be disabled via a flag or a check to see if the backend supports it. Right now it is very confusing for a user to receive a password back that does not work.

Changed in nova:
importance: Undecided → High
milestone: none → essex-4
Brian Waldon (bcwaldon) on 2012-01-26
Changed in nova:
status: New → Triaged
Brian Waldon (bcwaldon) wrote :
Mike Pittaro (mikeyp-3) on 2012-02-02
Changed in nova:
assignee: nobody → Mike Pittaro (mikeyp-3)
Mike Pittaro (mikeyp-3) on 2012-02-03
Changed in nova:
status: Triaged → In Progress
Mike Pittaro (mikeyp-3) wrote :

We discussed this on bugsquash day...some observations:

- The create call is asynchronous. At the time of the call, there
is no way for the API node to determine whether the backend(s) even
support adminPass, so a check isn't viable.

- if adminPass _is_ specified, it might be ignored depending on the
hypervisor configurations.

- if adminPass is not specified, a generated one is returned, although
  it too might be ignored.

The strawman proposal for a fix is:

1) Add a new bool configuration flag 'enable_instance_password'
2) Change the API to return an error when a password is passed in,
   unless the flag is set.

The intent is to indicate that additional configuration is needed to
support adminPass. This would affect create, and probably the rebuild
and change_password calls as well.

This would be a stopgap until https://bugs.launchpad.net/nova/+bug/767202
is fixed.

, and at
- Theres no obvious way to indicate the returned password may not be valide

tags: added: api consistency
Vish Ishaya (vishvananda) wrote :

That works for me, although I don't think exposing an error to the user is right, It should just return blank or some obvious value like <not_set> as adminPassword

Reviewed: https://review.openstack.org/3779
Committed: http://github.com/openstack/nova/commit/229221ec9780112981aedfc8849272aa49a9b25b
Submitter: Jenkins
Branch: master

commit 229221ec9780112981aedfc8849272aa49a9b25b
Author: Mike Pittaro <email address hidden>
Date: Fri Feb 3 15:46:01 2012 -0800

    Fix bug 921814 changes handling of adminPass in API.

    Add a new nova configuration flag, boolean, enable_instance_password.

    When the flag is True (default), existing behavior is unchanged.

    When the flag is False, responses from the create or
    rebuild API calls don't include the adminPass attribute.

    Change-Id: Icb2bd703770f3a39bb1e458dc31e1489d48da7c1

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers