OpenStack Compute (Nova)

Migrating noauth to keystone auth changes user passwords

Reported by Mark McLoughlin on 2012-03-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Low
Mark McLoughlin

Bug Description

I had a diablo Nova install which was using noauth and I upgraded to Essex and did:

 $> sudo nova-manage export auth > auth-export.json
 $> sudo keystone-manage import_nova_auth auth-export.json

and then changed auth_strategy to keystone

Attempting to do any operations with the existing credentials in a nova.zip/novarc fails with 401 Unauthorized

The issue is that this code in nova/auth/manager.py:

        # NOTE(vish): Deprecated auth uses an access key, no auth uses a
        # the user_id in place of it.
        if FLAGS.auth_strategy == 'deprecated':
            access = user.access
        else:
            access = user.id

means that the password exported to novarc with noauth is the user id

However, when you do 'nova-manage export auth' the password exported is a random UUID which the user knows nothing about

It seems obvious enough to me that, with noauth, 'nova-manage export auth' should also use the user id as the password

Mark McLoughlin (markmc) on 2012-03-30
Changed in nova:
assignee: nobody → Mark McLoughlin (markmc)
status: New → In Progress
tags: added: essex-rc-potential
Changed in nova:
importance: Undecided → Low

Reviewed: https://review.openstack.org/5994
Committed: http://github.com/openstack/nova/commit/283ea4a16622287c476141736d373405119f3e79
Submitter: Jenkins
Branch: master

commit 283ea4a16622287c476141736d373405119f3e79
Author: Mark McLoughlin <email address hidden>
Date: Fri Mar 30 14:34:14 2012 +0100

    Export user id as password to keystone when using noauth

    Fixes bug #969208

    When using noauth, a user's password is her user id (e.g. in novarc).

    When we export to keystone, we should make sure the same credentials
    keep working rather than effectively switching all the passwords to
    random UUIDs which users would never have seen before.

    Change-Id: Ie77c622ce1952d03e836bb64167184022a02e902

Changed in nova:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/6029
Committed: http://github.com/openstack/nova/commit/6b8e9d6774f29e6728ccc5cbf4e89f1e868494ac
Submitter: Jenkins
Branch: milestone-proposed

commit 6b8e9d6774f29e6728ccc5cbf4e89f1e868494ac
Author: Mark McLoughlin <email address hidden>
Date: Fri Mar 30 14:34:14 2012 +0100

    Export user id as password to keystone when using noauth

    Fixes bug #969208

    When using noauth, a user's password is her user id (e.g. in novarc).

    When we export to keystone, we should make sure the same credentials
    keep working rather than effectively switching all the passwords to
    random UUIDs which users would never have seen before.

    Change-Id: Ie77c622ce1952d03e836bb64167184022a02e902

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: none → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers