CFN signal URLs don't work when trusts is enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Heat |
Fix Released
|
High
|
Steven Hardy |
Bug Description
We're testing signal URLs using HARestarter with trusts enabled. When hitting the URL, we're getting the following traceback in the engine:
[-] Exception during message handling
Traceback (most recent call last):
File "/opt/stack/
**args)
File "/opt/stack/
result = getattr(proxyobj, method)(ctxt, **kwargs)
File "/opt/stack/
return func(self, ctx, *args, **kwargs)
File "/opt/stack/
stack_context = self._load_
File "/opt/stack/
kc = hkc.KeystoneCli
File "/opt/stack/
self.client_v3 = self._v3_
File "/opt/stack/
if not client_
File "/opt/stack/
resp, body = self.get_
File "/opt/stack/
trust_
File "/opt/stack/
resp, body = self.request(url, 'POST', body=body, headers=headers)
File "/opt/stack/
**request_
File "/opt/stack/
raise exceptions.
Unauthorized: Invalid username or password (HTTP 401)
The keystone client is created with:
{'username': 'heat', 'password': '<PASSWORD>', 'project_name': 'service', 'auth_url': 'http://<IP>:5000/v3', 'trust_id': '<TRUST_ID>'}
After investigation, it seems that we're making 2 authenticate calls: the first one retrieves a token with the user/password and the trust, impersonating the user. The second one is requesting a new token, which is forbidden by keystone (token obtained via trusts can't request other tokens).
If we prevent the second authenticate calls, the v2_client created just after fails in a similar fashion.
Changed in heat: | |
status: | New → Triaged |
Changed in heat: | |
assignee: | nobody → Steven Hardy (shardy) |
Changed in heat: | |
status: | Triaged → In Progress |
Changed in heat: | |
assignee: | Steven Hardy (shardy) → Bartosz Górski (bartosz-gorski) |
Changed in heat: | |
assignee: | Bartosz Górski (bartosz-gorski) → Steven Hardy (shardy) |
Changed in heat: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
milestone: | havana-rc1 → 2013.2 |
We've been hacking around this a bit, and it seems that the best solution would be *not* call authenticate unconditionally. We need to call it when we only have a trust, but it shouldn't be necessary otherwise. We can get the catalog and other authentication info from the keystone middleware. The "auth_ref" attribute then provide enough information to do what we need without talking to keystone again.
We may need to change KeystoneClient. create_ trust_context to use auth_ref attributes instead of poking into the dictionnary (which is different between v2 and v3).