OpenStack Compute (nova)

Migrating noauth to keystone auth changes user passwords

Bug #969208 reported by Mark McLoughlin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Low
Mark McLoughlin
OpenStack Compute (nova) 2012.1 "essex"

Bug Description

I had a diablo Nova install which was using noauth and I upgraded to Essex and did:

 $> sudo nova-manage export auth > auth-export.json
 $> sudo keystone-manage import_nova_auth auth-export.json

and then changed auth_strategy to keystone

Attempting to do any operations with the existing credentials in a nova.zip/novarc fails with 401 Unauthorized

The issue is that this code in nova/auth/manager.py:

        # NOTE(vish): Deprecated auth uses an access key, no auth uses a
        # the user_id in place of it.
        if FLAGS.auth_strategy == 'deprecated':
            access = user.access
        else:
            access = user.id

means that the password exported to novarc with noauth is the user id

However, when you do 'nova-manage export auth' the password exported is a random UUID which the user knows nothing about

It seems obvious enough to me that, with noauth, 'nova-manage export auth' should also use the user id as the password

Mark McLoughlin (markmc)
Changed in nova:
assignee: nobody → Mark McLoughlin (markmc)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5994

Vish Ishaya (vishvananda)
tags: added: essex-rc-potential
Changed in nova:
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/5994
Committed: http://github.com/openstack/nova/commit/283ea4a16622287c476141736d373405119f3e79
Submitter: Jenkins
Branch: master

commit 283ea4a16622287c476141736d373405119f3e79
Author: Mark McLoughlin <email address hidden>
Date: Fri Mar 30 14:34:14 2012 +0100

    Export user id as password to keystone when using noauth

    Fixes bug #969208

    When using noauth, a user's password is her user id (e.g. in novarc).

    When we export to keystone, we should make sure the same credentials
    keep working rather than effectively switching all the passwords to
    random UUIDs which users would never have seen before.

    Change-Id: Ie77c622ce1952d03e836bb64167184022a02e902

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/6029

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (milestone-proposed)

Reviewed: https://review.openstack.org/6029
Committed: http://github.com/openstack/nova/commit/6b8e9d6774f29e6728ccc5cbf4e89f1e868494ac
Submitter: Jenkins
Branch: milestone-proposed

commit 6b8e9d6774f29e6728ccc5cbf4e89f1e868494ac
Author: Mark McLoughlin <email address hidden>
Date: Fri Mar 30 14:34:14 2012 +0100

    Export user id as password to keystone when using noauth

    Fixes bug #969208

    When using noauth, a user's password is her user id (e.g. in novarc).

    When we export to keystone, we should make sure the same credentials
    keep working rather than effectively switching all the passwords to
    random UUIDs which users would never have seen before.

    Change-Id: Ie77c622ce1952d03e836bb64167184022a02e902

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: none → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.