ironicclient fails with token auth when ironic-api endpoint is using virtual hosts
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-ironicclient | Fix Released | High | Pavlo Shchelokovskyy | |
Bug Description
Using fresh devstack master, ironicclient from master, with ironic-api deployed under Apache.
When passing --ironic-url and --os-auth-token to the 'ironic' command, it fails to access the ironic API:
$ # show ironic endpoint
$ openstack --os-cloud devstack-admin catalog show baremetal -f value -c endpoints
RegionOne
public: https:/
$ # get a token
$ openstack --os-cloud devstack-admin token issue -f value -c id
<TOKEN_REDACTED>
$ # issue ironicclient command
$ ironic --debug --insecure --os-auth-token "<TOKEN_REDACTED>" --ironic-url "https:/
You are using the default API version of the 'ironic' command. This is currently API version 1.9. In the future, the default will be the latest API version understood by both A
PI and CLI. You can preserve the current behavior by passing the --ironic-
DEBUG (http:278) curl -i -X GET -H 'X-OpenStack-
H 'Accept: application/json' -H 'User-Agent: python-
DEBUG (connectionpool
/usr/local/
y advised. See: https:/
InsecureReque
DEBUG (connectionpool
DEBUG (http:292)
HTTP/1.1 404 Not Found
Date: Thu, 05 Oct 2017 16:55:28 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 286
Content-Type: text/html; charset=iso-8859-1
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /v1/nodes was not found on this server.</p>
<hr>
<address>
</body></html>
Not Found (HTTP 404)
Notice how ironicclient tries to access "https://<IP>/v1/nodes" instead of "https://<IP>/baremetal/
This is happening due to the fact that when given a token and an endpoint, ironicclient is not using the SessionClient based on the keystoneauth Adapter, but instead is using a legacy HTTPClient [0], where the endpoint and API path get joined through urlparse.urljoin [1], which swallows the vhost in the endpoint.
In particular, this breaks ironic-inspector when ironic API is deployed under web server + WSGI (e.g. Apache) since inspector might use an incoming token to create ironicclient [2] exactly in the same manner as described above.
[0] http://
[1] http://
[2] http://
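The urljoin behaviour described in the report, as an added example that is not part of the original report or of ironicclient's code. The endpoint address (a documentation IP) and the helper names `legacy_join`, `prefix_preserving_join` and `compare` are constructed for illustration, and Python 3's `urllib.parse.urljoin` stands in for the `urlparse.urljoin` named above. It goes slightly beyond the reported case by covering all four trailing-slash and leading-slash combinations, and shows one way to keep the endpoint's path prefix.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample values; 192.0.2.10 is a documentation address.
ENDPOINT = "https://192.0.2.10/baremetal"
API_PATH = "/v1/nodes"


def legacy_join(endpoint, path):
    """Join the way the report describes: RFC 3986 reference resolution.

    A path starting with '/' is resolved against the host root, so any
    path prefix carried by the endpoint is discarded.
    """
    return urljoin(endpoint, path)


def prefix_preserving_join(endpoint, path):
    """Append the API path underneath the endpoint's own path prefix."""
    base = urlsplit(endpoint)
    ref = urlsplit(path)  # separates a query string from the API path
    prefix = base.path.rstrip("/")
    joined = prefix + "/" + ref.path.lstrip("/")
    return urlunsplit((base.scheme, base.netloc, joined, ref.query, ""))


def compare():
    """Return (endpoint, path, legacy, preserved) for each slash combination."""
    rows = []
    for endpoint in (ENDPOINT, ENDPOINT + "/"):
        for path in (API_PATH, API_PATH.lstrip("/")):
            rows.append((endpoint, path,
                         legacy_join(endpoint, path),
                         prefix_preserving_join(endpoint, path)))
    return rows


if __name__ == "__main__":
    for endpoint, path, legacy, preserved in compare():
        print(f"{endpoint!r} + {path!r}")
        print(f"  urljoin:           {legacy}")
        print(f"  prefix-preserving: {preserved}")
```

Only the combination of a trailing slash on the endpoint and no leading slash on the path keeps the prefix under `urljoin`; every other combination produces the host-root URL seen in the 404 above.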
tags: added: backport-potential
Changed in python-ironicclient:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Changed in python-ironicclient:
importance: Undecided → High
Fix proposed to branch: master
Review: https://review.openstack.org/509851