"Passing insecure dynamic vendordata requests because of missing or incorrect service account configuration." warnings all over n-api logs

Bug #1665693 reported by Matt Riedemann on 2017-02-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Matt Riedemann
Ocata
Medium
Matt Riedemann

Bug Description

I'm seeing these warnings all over the n-api logs in an ocata CI job run:

http://logs.openstack.org/11/349011/3/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial-ocata/bee08f9/logs/screen-n-api.txt.gz?level=TRACE#_2017-02-14_22_13_03_345

2017-02-14 22:15:27.415 2678 WARNING nova.api.metadata.vendordata_dynamic [req-eb314972-d29e-436c-a2a7-fb189effb5c4 - -] Passing insecure dynamic vendordata requests because of missing or incorrect service account configuration.

It's coming from here:

http://git.openstack.org/cgit/openstack/nova/tree/nova/api/metadata/vendordata_dynamic.py#n52

We should probably only log that once the first time we hit it since I don't think you can fix it without fixing the [vendordata] credentials in nova.conf and restarting nova-api.

Matt Riedemann (mriedem) wrote :

sdague pointed out that dynamic vendordata is optional so we might not want to be logging this at all. Maybe we can tell from the config if we should care.

Matt Riedemann (mriedem) on 2017-02-17
Changed in nova:
assignee: nobody → Matt Riedemann (mriedem)

Fix proposed to branch: master
Review: https://review.openstack.org/435563

Changed in nova:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/435563
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=97e14fa3f39839491ff6c7de9572d277bec8f885
Submitter: Jenkins
Branch: master

commit 97e14fa3f39839491ff6c7de9572d277bec8f885
Author: Matt Riedemann <email address hidden>
Date: Fri Feb 17 13:31:41 2017 -0500

    Only create vendordata_dynamic ksa session if needed

    We're logging a warning about vendordata dynamic auth
    not being configured every time we create a server with
    a config drive. The dynamic vendordata v2 stuff is all
    optional and controlled via configuring:

    CONF.api.vendordata_dynamic_targets

    This change only attempts to create the ksa session
    when we try to make a request, which would only happen
    if CONF.api.vendordata_dynamic_targets is configured.

    Change-Id: I1a6f6776670a2fa1439782d10d2e0777df2683ae
    Closes-Bug: #1665693

Changed in nova:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/441224
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c40d4f37d4e245713902c61456a3bfdcf3ef93c3
Submitter: Jenkins
Branch: stable/ocata

commit c40d4f37d4e245713902c61456a3bfdcf3ef93c3
Author: Matt Riedemann <email address hidden>
Date: Fri Feb 17 13:31:41 2017 -0500

    Only create vendordata_dynamic ksa session if needed

    We're logging a warning about vendordata dynamic auth
    not being configured every time we create a server with
    a config drive. The dynamic vendordata v2 stuff is all
    optional and controlled via configuring:

    CONF.api.vendordata_dynamic_targets

    This change only attempts to create the ksa session
    when we try to make a request, which would only happen
    if CONF.api.vendordata_dynamic_targets is configured.

    Change-Id: I1a6f6776670a2fa1439782d10d2e0777df2683ae
    Closes-Bug: #1665693
    (cherry picked from commit 97e14fa3f39839491ff6c7de9572d277bec8f885)

This issue was fixed in the openstack/nova 15.0.1 release.

This issue was fixed in the openstack/nova 16.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers