python-novaclient

Token based authentication in Client class does not work

Bug #1654183 reported by Istvan Imre
50
This bug affects 10 people
Affects Status Importance Assigned to Milestone
OpenStack DBaaS (Trove)
Fix Released
Undecided
Andriy Kurilin
OpenStack Dashboard (Horizon)
Invalid
Undecided
Unassigned
python-novaclient
Fix Released
Critical
Andriy Kurilin
tripleo
Fix Released
Critical
Emilien Macchi
tripleo ocata-rc1 "ocata-rc1"
tripleo-quickstart
Fix Released
Undecided
Martin André

Bug Description

With newly released novaclient (7.0.0) it seems that token base authentication does not work in novaclient.client.Clinet.

I have get back the following response from Nova server:

Malformed request URL: URL's project_id 'e0beb44615f34d54b8a9a9203a3e5a1c' doesn't match Context's project_id 'None' (HTTP 400)

I just created the Nova client in following way:
Client(
    2,
    endpoint_type="public",
    service_type='compute',
    auth_token=auth_token,
    tenant_id="devel",
    region_name="RegionOne",
    auth_url=keystone_url,
    insecure=True,
    endpoint_override=nova_endpoint #https://.../v2/e0beb44615f34d54b8a9a9203a3e5a1c
)

After it nova client performs a new token based authentication without project_id (tenant_id) and it causes that the new token does not belong to any project. Anyway if we have a token already why novaclient requests a new one from keystone? (Other clients like Heat and Neutron for example does not requests any token from keystone if it is already provided for client class)

The bug is introduced by follwoig commit:
https://github.com/openstack/python-novaclient/commit/8409e006c5f362922baae9470f14c12e0443dd70

+ if not auth and auth_token:
+ auth = identity.Token(auth_url=auth_url,
+ token=auth_token)

When project_id is also passed into Token authentication than everything works fine. So newly requested token belongs to right project/tenant.

Note: Originally this problem appears in Mistral project of OpenStack, which is using the client classes directly from their actions with token based authentication.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-novaclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/419441

Changed in python-novaclient:
assignee: nobody → Istvan Imre (istvan.imre)
status: New → In Progress
Andriy Kurilin (andreykurilin)
Changed in python-novaclient:
importance: Undecided → High
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Istvan Imre (istvan.imre) → Andrey Kurilin (andreykurilin)
Andriy Kurilin (andreykurilin)
Changed in python-novaclient:
assignee: Andrey Kurilin (andreykurilin) → Istvan Imre (istvan.imre)
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Istvan Imre (istvan.imre) → Andrey Kurilin (andreykurilin)
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Andrey Kurilin (andreykurilin) → Istvan Imre (istvan.imre)
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Istvan Imre (istvan.imre) → Andrey Kurilin (andreykurilin)
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Andrey Kurilin (andreykurilin) → Radomir Dopieralski (deshipu)
OpenStack Infra (hudson-openstack)
Changed in python-novaclient:
assignee: Radomir Dopieralski (deshipu) → Andrey Kurilin (andreykurilin)
Andriy Kurilin (andreykurilin)
Changed in python-novaclient:
importance: High → Critical
Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

That bug seems impacting mostly all other projects that use novaclient for their own purpose, like Horizon, Trove, Murano-dashboard, TripleO.

Sylvain Bauza (sylvain-bauza)
Changed in python-novaclient:
importance: Critical → High
Revision history for this message
John Garbutt (johngarbutt) wrote :

Seems fairly critical to those project we fix this "broken" release, particularly before we hit the client release freeze.

Revision history for this message
John Garbutt (johngarbutt) wrote :

Note this requirement bump has make this a blocking bug: https://review.openstack.org/#/c/414170/

Changed in python-novaclient:
importance: High → Critical
Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

In fact, the issue popped up to other projects only after we merged the u-c change on 19th.
https://review.openstack.org/#/c/414170/

So, yeah that's a critical bug, let's try to fix that before we cut the library.

Emilien Macchi (emilienm)
Changed in tripleo:
importance: Undecided → High
milestone: none → ocata-rc1
tags: added: promotion-blocker
Changed in tripleo:
status: New → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-novaclient (master)

Reviewed: https://review.openstack.org/419441
Committed: https://git.openstack.org/cgit/openstack/python-novaclient/commit/?id=9940e3fe0e47ff5f2f6d05c9564d17fc19ca0f5c
Submitter: Jenkins
Branch: master

commit 9940e3fe0e47ff5f2f6d05c9564d17fc19ca0f5c
Author: Istvan Imre <email address hidden>
Date: Thu Jan 12 13:18:25 2017 +0100

    Pass relevant parameters to Token based authentication

    In case of token authentication is used pass relevant parameters
    to Token authenticator.

    Co-Authored-By: Andrey Kurilin <email address hidden>
    Change-Id: I9a04d89016a834fe96f1b77e91011f7fa4fdda51
    Closes-Bug: #1654183

Changed in python-novaclient:
status: In Progress → Fix Released
Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

I verified that the issue is resolved for Horizon in devstack/master with LIBS_FROM_GIT=python-novaclient. For when is the pypi release of the fix scheduled?

Revision history for this message
Andriy Kurilin (andreykurilin) wrote :

@j-rosenboom-j: In several days(today or tomorrow)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-novaclient 7.1.0

This issue was fixed in the openstack/python-novaclient 7.1.0 release.

Revision history for this message
Gabriele Cerami (gcerami) wrote :

This is still happening in tripleo, using release 7.1.0:

http://logs.openstack.org/31/426231/3/check-tripleo/gate-tripleo-ci-centos-7-ovb-ha/6015c34/logs/undercloud/var/log/undercloud_install.txt.gz#_2017-01-31_18_25_17_000

Revision history for this message
Matt Riedemann (mriedem) wrote :

(5:12:30 PM) andreykurilin: ok, it looks like I know the reason
(5:12:35 PM) andreykurilin: of failure
(5:13:58 PM) andreykurilin: it is about that commit - https://github.com/openstack/python-novaclient/commit/9bbe5a87b7df62a7962debba5db7c96555da6761
(5:13:58 PM) panda: andreykurilin: anything we should check on our side ?
(5:14:17 PM) andreykurilin: panda: fix should be simple
(5:14:26 PM) andreykurilin: just +1;-1
(5:15:00 PM) andreykurilin: the problem is that projectid argument of novaclient had different meaning in different cases
(5:15:16 PM) andreykurilin: we fix that
(5:15:29 PM) andreykurilin: and now projectid means Project ID in case of keystone termas
(5:15:33 PM) mriedem: andreykurilin: where do you see that from the logs?
(5:15:56 PM) andreykurilin: there is nothing in logs:)
(5:16:01 PM) mriedem: heh
(5:16:09 PM) andreykurilin: I checked the code
(5:16:09 PM) mriedem: so it's your gut
(5:16:29 PM) andreykurilin: https://github.com/openstack/instack-undercloud/blob/master/instack_undercloud/undercloud.py#L1239-L1240
(5:16:42 PM) panda: +1;-1 ok, and they said that math wasn't useful at school.
(5:16:43 PM) andreykurilin: https://github.com/openstack/instack-undercloud/blob/master/instack_undercloud/undercloud.py#L1099
(5:16:57 PM) andreykurilin: tenant is a tenant_name
(5:17:03 PM) andreykurilin: but we expects tenant name
(5:17:10 PM) andreykurilin: *but we expect tenand id
(5:17:14 PM) andreykurilin: *tenant

OpenStack Infra (hudson-openstack)
Changed in tripleo:
assignee: nobody → Andrey Kurilin (andreykurilin)
status: Triaged → In Progress
Revision history for this message
Andriy Kurilin (andreykurilin) wrote :

7.1.0 should fix an issue with horizon.

Changed in horizon:
status: New → Incomplete
status: Incomplete → Invalid
Changed in trove:
status: New → Fix Released
assignee: nobody → Andrey Kurilin (andreykurilin)
Emilien Macchi (emilienm)
tags: added: alert ci
Changed in tripleo:
importance: High → Critical
Revision history for this message
Michele Baldessari (michele) wrote :

So the reason for https://review.openstack.org/#/c/427515/ to be failing on the puppet 4 jobs seem to be due to this change in puppet itself: https://github.com/puppetlabs/puppet/commit/e9eda7ed56fddcf185fc155d7e0ae054ea327504 aka it deprecates ruby 2.0.0. Am running a small test here to disable that deprecation warning here https://review.openstack.org/#/c/427618/. If that is green I think we will need to find a more generic place where to put it.

Revision history for this message
Michele Baldessari (michele) wrote :

I have opened https://bugs.launchpad.net/tripleo/+bug/1660943 to track this puppet deprecation error

OpenStack Infra (hudson-openstack)
Changed in tripleo:
assignee: Andrey Kurilin (andreykurilin) → Emilien Macchi (emilienm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/427515
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=0b02f1478abfad29d787174ca956e1ebdc9a385c
Submitter: Jenkins
Branch: master

commit 0b02f1478abfad29d787174ca956e1ebdc9a385c
Author: Andrey Kurilin <email address hidden>
Date: Wed Feb 1 01:52:16 2017 +0200

    Fix initialization of novaclient

    projectid argument of novaclient's(< 7.0) entry-point had several meaning
    in case of different cases. It is not a user-friendly behaviour, so it was
    fixed in 7.0 . Now projectid means project/tenant id in terms of keystone,
    like it should be from the beginning.

    tenant/project name should be transmitted viaa project_name or tenant_name
    keyword argument.

    Closes-Bug: #1654183
    Change-Id: I106ee603e0853bbc2da4b99724e83587de3cb4ba

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-quickstart (master)

Fix proposed to branch: master
Review: https://review.openstack.org/428105

Changed in tripleo-quickstart:
assignee: nobody → Martin André (mandre)
status: New → In Progress
OpenStack Infra (hudson-openstack)
Changed in tripleo-quickstart:
assignee: Martin André (mandre) → wes hayutin (weshayutin)
OpenStack Infra (hudson-openstack)
Changed in tripleo-quickstart:
assignee: wes hayutin (weshayutin) → Martin André (mandre)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-quickstart (master)

Reviewed: https://review.openstack.org/428105
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart/commit/?id=be99f58ab0c24cc1a0b4fe6a1644805c91ae8c2b
Submitter: Jenkins
Branch: master

commit be99f58ab0c24cc1a0b4fe6a1644805c91ae8c2b
Author: Martin André <email address hidden>
Date: Thu Feb 2 12:48:22 2017 +0100

    Fix initialization of novaclient

    This commit applies fix from I106ee603e0853bbc2da4b99724e83587de3cb4ba
    in oooq.

    projectid argument of novaclient's(< 7.0) entry-point had several meaning
    in case of different cases. It is not a user-friendly behaviour, so it was
    fixed in 7.0 . Now projectid means project/tenant id in terms of keystone,
    like it should be from the beginning.

    tenant/project name should be transmitted viaa project_name or tenant_name
    keyword argument.

    Change-Id: If76afe56f3ff851089732748693f7d2dbd06e59e
    Closes-Bug: #1654183

Changed in tripleo-quickstart:
status: In Progress → Fix Released
Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

This issue is still present for Horizon in Newton, any chance to backport the Horizon fixes there?

To reproduce:

- Install devstack from stable/newton
- Run stack.sh
- sudo -H pip install -U python-openstackclient
- sudo systemctl restart apache2

=> All nova related tabs like Admin/Flavors log out the Session with auth failure.

Doing "sudo -H pip install python-novaclient==6.0.0 -U" and apache2 restart resolves the issue.

Changed in horizon:
status: Invalid → Confirmed
Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

You're forcing an upgrade on a client to a version that is above upper-constraints for Newton. Of course it doesnt work. Just use the targeted version for Newton please.

Changed in horizon:
status: Confirmed → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 6.0.0.0rc1

This issue was fixed in the openstack/instack-undercloud 6.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-quickstart 2.0.0

This issue was fixed in the openstack/tripleo-quickstart 2.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.