Neutron Metadata Agent on Kilo is misconfigured for authentication parameters (user, password, tenant)

Bug #1591282 reported by Ian Cordasco
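| Affects           | Status        | Importance | Assigned to  | Milestone |
|-------------------|---------------|------------|--------------|-----------|
| OpenStack-Ansible | Invalid       | Undecided  | Unassigned   |           |
| Kilo              | Fix Committed | Undecided  | Ian Cordasco |           |
| Liberty           | Fix Committed | Undecided  | Ian Cordasco |           |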

Bug Description

metadata-agent.ini is expecting different configuration values for Keystone v2.0 than what is being provided: https://github.com/openstack/neutron/blob/363eeb06104662ee38aeed04af043899379f6ab8/neutron/agent/metadata/agent.py#L90 versus https://github.com/openstack/openstack-ansible/blob/kilo/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2#L12. This causes fallback from RPC to HTTP to fail because the configuration parameters do not exist as expected.

https://github.com/openstack/openstack-ansible/blob/liberty/playbooks/roles/os_neutron/templates/metadata_agent.ini.j2#L12

Note that Mitaka removes the HTTP fallback, so this does not affect Mitaka and onwards.

Ian Cordasco (icordasc)
Changed in openstack-ansible:
status: New → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/328430

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/328432

Paul Halmos (paul-halmos) wrote :

Using the neutron service user and tenant resulted in 401 errors[1]. I confirmed via a manual curl that the admin user, password, and tenant are required[0], not the neutron service user.

[0]
curl -i http://172.22.192.250:35357/v2.0/tokens -X POST -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "99a1b1ff0f8ce
root@infra-node4_neutron_agents_container-644e8f83:/usr/local/lib/python2.7/dist-packages/oslo_messaging/_drivers# curl -i http://172.22.192.250:35357/v2.0/tokens -X POST -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "REDACTED"}}}'
HTTP/1.1 200 OK
Date: Fri, 10 Jun 2016 17:42:25 GMT
Server: Apache
Vary: X-Auth-Token
x-openstack-request-id: req-875f321a-8a01-49c4-a4fd-209061561e2d
Content-Length: 4487
Content-Type: application/json

[1]
root@infra-node4_neutron_agents_container-644e8f83:/usr/local/lib/python2.7/dist-packages/oslo_messaging/_drivers# curl -i http://172.22.192.250:35357/v2.0/tokens -X POST -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "neutron", "password": "REDACTED"}}}'
HTTP/1.1 401 Unauthorized
Date: Fri, 10 Jun 2016 17:43:21 GMT
Server: Apache
Vary: X-Auth-Token
x-openstack-request-id: req-513aca0b-ec2a-4603-82e3-286969203b6e
WWW-Authenticate: Keystone uri="http://172.22.192.250:35357"
Content-Length: 114
Content-Type: application/json

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Ian Cordasco (icordasc) wrote :

Paul, you said that the upstream config reference wasn't using the admin URL for Keystone, right? I wonder if we need to change that as a result of this too. Thoughts?

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/328430
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=b271778e16a83aefb0e704a9aca0ef09f405084c
Submitter: Jenkins
Branch: liberty

commit b271778e16a83aefb0e704a9aca0ef09f405084c
Author: Ian Cordasco <email address hidden>
Date: Fri Jun 10 12:35:41 2016 -0500

    Use correct keystone auth parameters

    Neutron Metadata Agent uses the authentication parameters as a fallback
    method in the event that communication with Neutron API over RPC fails.
    In the fallback case, it looks for Keystone v2.0 authentication
    credentials but looks for them under the names:

    - admin_user
    - admin_password
    - admin_tenant_name

    Which can be the service user information. We were previously
    configuring Keystone v3 authentication parameters in this space and this
    causes 400 Bad Request responses from Keystone (since the Agent has null
    values for those config options).

    Further, the metadata agent does not need to use the admin URL to
    authenticate. Instead, it can use the internal URL to retrieve its token
    and then authenticate to Neutron API over HTTP.

    Change-Id: Ib413d3f3f3351bef29b0e68a2cfb96b7f3dff3c3
    Closes-bug: 1591282
    Closes-bug: 1590957

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/328432
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=75deb166c8922f7ceb120d3892ae1ac4fa4702bb
Submitter: Jenkins
Branch: kilo

commit 75deb166c8922f7ceb120d3892ae1ac4fa4702bb
Author: Ian Cordasco <email address hidden>
Date: Fri Jun 10 12:35:41 2016 -0500

    Use correct keystone auth parameters

    Neutron Metadata Agent uses the authentication parameters as a fallback
    method in the event that communication with Neutron API over RPC fails.
    In the fallback case, it looks for Keystone v2.0 authentication
    credentials but looks for them under the names:

    - admin_user
    - admin_password
    - admin_tenant_name

    Which can be the service user information. We were previously
    configuring Keystone v3 authentication parameters in this space and this
    causes 400 Bad Request responses from Keystone (since the Agent has null
    values for those config options).

    Further, the metadata agent does not need to use the admin URL to
    authenticate. Instead, it can use the internal URL to retrieve its token
    and then authenticate to Neutron API over HTTP.

    Change-Id: Ib413d3f3f3351bef29b0e68a2cfb96b7f3dff3c3
    Closes-bug: 1591282
    Closes-bug: 1590957
    (cherry picked from commit b271778e16a83aefb0e704a9aca0ef09f405084c)
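
A check for the mismatch described in the commit message merged to liberty and kilo above, as an added example that is not part of the bug report or the openstack-ansible code: it audits a metadata_agent.ini body for the three Keystone v2.0 option names the fallback reads and for an auth URL on the admin port. The v3-style option names, the `auth_url` key and both sample files are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Option names the commit message says the agent's HTTP fallback reads.
REQUIRED_V2 = ("admin_user", "admin_password", "admin_tenant_name")
# Assumption: v3-style password-plugin names that the fallback path ignores.
V3_STYLE = ("username", "password", "project_name")
ADMIN_PORT = 35357  # Keystone admin port seen in the curl output on this page


def audit_metadata_agent(ini_text):
    """Return a list of findings for a metadata_agent.ini body."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    opts = parser.defaults()  # the audited options live in [DEFAULT]
    findings = []
    for key in REQUIRED_V2:
        if not opts.get(key, "").strip():
            findings.append("missing or empty: " + key)
    ignored = [k for k in V3_STYLE if k in opts]
    if ignored and any(f.startswith("missing") for f in findings):
        findings.append("v3-style options present but unused by fallback: "
                        + ", ".join(ignored))
    # Assumption: the Keystone endpoint is configured under 'auth_url'.
    url = opts.get("auth_url", "")
    if url and urlparse(url).port == ADMIN_PORT:
        findings.append("auth_url targets the admin port %d" % ADMIN_PORT)
    return findings


# Constructed samples; hosts and credentials are placeholders.
BEFORE = """\
[DEFAULT]
auth_url = http://keystone.example:35357/v3
username = neutron
password = PLACEHOLDER
project_name = service
"""
AFTER = """\
[DEFAULT]
auth_url = http://keystone.example:5000/v2.0
admin_user = neutron
admin_password = PLACEHOLDER
admin_tenant_name = service
"""

if __name__ == "__main__":
    for name, body in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_metadata_agent(body) or "ok")
```

Run against the rendered file on a Kilo or Liberty agent host, an empty result means the fallback path has the credentials it looks for.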

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 12.0.15

This issue was fixed in the openstack/openstack-ansible 12.0.15 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.17

This issue was fixed in the openstack/openstack-ansible 11.2.17 release.
