normal user authorization failed
This bug report was converted into a question: question #140239: normal user authorization failed.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Undecided | Unassigned | |
Bug Description
Upgrade Openstack to 2011.1~
$ euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
EC2ResponseError: 401 Unauthorized
401 Unauthorized
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
Thanks,
Anping
Anping Liu (aliu-alcf) wrote : | #1 |
affects: | openstack-common → nova |
Vish Ishaya (vishvananda) wrote : Re: [Bug 695504] [NEW] normal user authorization failed | #2 |
By default, you need the netadmin role to authorize security groups
and associate public ips. Use BOTH of the following to give the user
the netadmin access to a project:
nova-manage role add (user) netadmin
nova-manage role add (user) netadmin (project)
Vish
On Thursday, December 30, 2010, Launchpad Bug Tracker
<email address hidden> wrote:
> You have been subscribed to a public bug:
>
> Upgrade Openstack to 2011.1~
> problems to run jobs. Normal users can bundle, upload and register
> images but cannot run jobs.
>
> $ euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
> Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
> EC2ResponseError: 401 Unauthorized
> 401 Unauthorized
>
> This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
>
>
> Thanks,
>
> Anping
>
> ** Affects: nova
> Importance: Undecided
> Status: New
>
Anping Liu (aliu-mcs) wrote : | #3 |
Hi Vish,
Thank you very much for your response. Does a normal user need to have the netadmin role?
After I did bundle/
Anping
Anping Liu (aliu-mcs) wrote : | #4 |
Hi Vish,
I created a normal user anna and registered images. When I ran jobs, I got
# euca-describe-
IMAGE ami-paqlq8l5 anna/ttylinux-
IMAGE ami-xy70vc7p anna/ttylinux-
IMAGE ami-unwifk1z anna/ttylinux-
root@user07:
NotAuthorized: None
-Anping
Anping Liu (aliu-mcs) wrote : | #5 |
I did
nova-manage role add anna netadmin
nova-manage role add anna netadmin anna
I can now do "euca-authorize", but still cannot run jobs
euca-run-instances ami-unwifk1z --kernel ami-paqlq8l5 --ramdisk ami-xy70vc7p -t m1.tiny
NotAuthorized: None
-Anping
Anping Liu (aliu-mcs) wrote : | #6 |
in nova-api.log:
Thu, 30 Dec 2010 22:21:52 GMT
/_images/
nova-api(boto): DEBUG Method: GET
nova-api(boto): DEBUG Path: /_images/
nova-api(boto): DEBUG Data:
nova-api(boto): DEBUG Headers: {'Date': 'Thu, 30 Dec 2010 22:21:52 GMT', 'Content-Length': '0', 'Authorization': 'AWS 96bb3b1e-
nova-api(boto): DEBUG Host: 172.16.60.250:3333
nova-api(boto): DEBUG establishing HTTP connection
nova-api(root): DEBUG Going to run 1 instances...
nova-api(root): ERROR NotAuthorized: None
Thierry Carrez (ttx) wrote : | #7 |
This is not a bug, but a question.
Changed in nova: | |
status: | New → Invalid |
Anping Liu (aliu-mcs) wrote : Re: [Bug 695504] Re: normal user authorization failed | #8 |
Hi Thierry,
I still think it is a bug. Although adding the netadmin role to a normal user (projectmanager) lets the user use euca-authorize to add the iptable rules for the security groups, the user still cannot run jobs, i.e. euca-run-instances still produces "NotAuthorized" in nova-api.log. If I change is_admin to 1 in the users table, the user can do everything, or if I add the user to the admin project, the user can also do everything.
Thanks,
Anping
Thierry Carrez (ttx) wrote : | #9 |
See my answer at https:/
To be able to run instances, a user needs to have "projectmanager" or "sysadmin" roles. If you only grant him "netmanager", it's normal he can't run instances.
If you still think there's a bug, could you describe it? "Normal users should be able to run instances"?
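Two causes of NotAuthorized come up in this thread: a missing role, or an image the user cannot access. The following is an added example, not part of the bug thread or of nova's code: it walks nova-api.log lines in the format posted here and, for each denied request, lists the roles the replies name for that action and the image IDs to check. The role table, the `triage` function, the `roles_by_user` input and the sample log are assumptions constructed for illustration.

```python
import re

# Roles per EC2 action as stated in the replies on this page. This table is an
# assumption of the example, not read from nova's source.
ROLES_FOR_ACTION = {
    "AuthorizeSecurityGroupIngress": {"netadmin"},
    "RunInstances": {"projectmanager", "sysadmin"},
}
IMAGE_ARGS = ("ImageId", "KernelId", "RamdiskId")

USER_RE = re.compile(r"INFO user: User\('([^']+)'")
ACTION_RE = re.compile(r"DEBUG action: (\w+)")
ARG_RE = re.compile(r"DEBUG arg: (\S+)\s+val: (\S+)")
DENIED_RE = re.compile(r"ERROR NotAuthorized")

# Constructed sample in the nova-api.log format shown in this thread.
SAMPLE_LOG = """\
nova-api(root): INFO user: User('anna', 'anna', 'ACCESS-PLACEHOLDER', 'SECRET-PLACEHOLDER', False)
nova-api(api): DEBUG action: AuthorizeSecurityGroupIngress
nova-api(api): DEBUG arg: GroupName val: default
nova-api(root): INFO user: User('anna', 'anna', 'ACCESS-PLACEHOLDER', 'SECRET-PLACEHOLDER', False)
nova-api(api): DEBUG action: RunInstances
nova-api(api): DEBUG arg: ImageId val: ami-unwifk1z
nova-api(api): DEBUG arg: KernelId val: ami-paqlq8l5
nova-api(api): DEBUG arg: RamdiskId val: ami-xy70vc7p
nova-api(root): DEBUG Going to run 1 instances...
nova-api(root): ERROR NotAuthorized: None
"""


def triage(log_text, roles_by_user):
    """Return one finding per request that ended in NotAuthorized."""
    findings = []
    user, action, args = None, None, {}
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            # A user lookup starts a new request: reset per-request state.
            user, action, args = m.group(1), None, {}
        elif m := ACTION_RE.search(line):
            action = m.group(1)
        elif m := ARG_RE.search(line):
            args[m.group(1)] = m.group(2)
        elif DENIED_RE.search(line) and action:
            allowed = ROLES_FOR_ACTION.get(action, set())
            held = roles_by_user.get(user, set())
            findings.append({
                "user": user,
                "action": action,
                # Empty when the user already holds a sufficient role.
                "grant_one_of": [] if allowed & held else sorted(allowed),
                # Images whose public/owner access should be checked.
                "check_images": [args[k] for k in IMAGE_ARGS if k in args],
            })
            action, args = None, {}
    return findings


if __name__ == "__main__":
    # roles_by_user is operator-supplied; here anna holds only netadmin.
    for finding in triage(SAMPLE_LOG, {"anna": {"netadmin"}}):
        print(finding)
```

When `grant_one_of` comes back empty for a denied RunInstances, the role is already sufficient and the image IDs in `check_images` are the next thing to inspect.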
Anping Liu (aliu-mcs) wrote : | #10 |
Hi Thierry,
Thanks for your response.
By "normal user" I meant a projectmanager, not a sysadmin. I created a user by "nova-manage user create anna" and a project owned by anna "nova-manage project create anna anna". The user anna can upload and register images and modify the images from private to public, but couldn't run jobs, even after adding netadmin role to anna. By default, a projectmanager should be able to run jobs, right?
# nova-manage user list
INFO:root:backend <module 'nova.db.
admin
aliu
anna
root@user07:~/bin# nova-manage project list
INFO:root:backend <module 'nova.db.
admin-project
aliu
anna
nova-api.log
nova-api(root): INFO Looking up user: u'96bb3b1e-
nova-api(root): INFO user: User('anna', 'anna', '96bb3b1e-
4364b09', False)
nova-api(root): DEBUG using _calc_signature_2
nova-api(root): DEBUG query string: AWSAccessKeyId=
geId=ami-
up.1=anna&
nova-api(root): DEBUG string_to_sign: POST
172.16.60.250:8773
/services/Cloud/
AWSAccessKeyId=
all&KernelId=
nova-api(root): DEBUG len(b64)=44
nova-api(root): DEBUG base64 encoded digest: 9yM0IOrm9JyNyBz
nova-api(root): DEBUG user.secret: f9c918e9-
nova-api(root): DEBUG expected_signature: 9yM0IOrm9JyNyBz
nova-api(root): DEBUG signature: 9yM0IOrm9JyNyBz
nova-api(api): DEBUG action: RunInstances
nova-api(api): DEBUG arg: SecurityGroup.1 val: anna
nova-api(api): DEBUG arg: ImageId val: ami-unwifk1z
nova-api(api): DEBUG arg: KernelId val: ami-paqlq8l5
nova-api(api): DEBUG arg: RamdiskId val: ami-xy70vc7p
nova-api(api): DEBUG arg: MaxCount val: 1
nova-api(api): DEBUG arg: MinCount val: 1
nova-api(api): DEBUG arg: InstanceType val: m1.small
nova-api(boto): DEBUG Canonical: GET
..............
Tue, 04 Jan 2011 19:55:23 GMT
/_images/
nova-api(boto): DEBUG Method: GET
nova-api(boto): DEBUG Path: /_images/
nova-api(boto): DEBUG Data:
nova-api(boto): DEBUG Headers: {'Date': 'Tue, 04 Jan 2011 19:55:23 GMT', 'Content-Length': '0', 'Authorization': 'AWS 96bb3b1e-
nova-api(boto): DEBUG Host: 172.16.60.250:3333
nova-api(boto): DEBUG establishing HTTP connection
nova-api(root): DEBUG Going to run 1 instances...
nova-...
Vish Ishaya (vishvananda) wrote : | #11 |
It looks like anna doesn't have permission to access one or more of the images you are trying to run. Please make sure that the images are public by setting "isPublic" to true directly in images/
euca-modify-
as an admin or the user that uploaded the image.
Make sure to do it for all three of your images:
nova-api(api): DEBUG arg: ImageId val: ami-unwifk1z
nova-api(api): DEBUG arg: KernelId val: ami-paqlq8l5
nova-api(api): DEBUG arg: RamdiskId val: ami-xy70vc7p
Vish
Anping Liu (aliu-mcs) wrote : | #12 |
Thanks, Vish.
I did. Even anna could modify her images. I also changed the admin's image to public. The log I sent is for running these public images. By the way "euca-modify-
# euca-describe-
IMAGE ami-dfm4sow5 mybucket/
IMAGE ami-2j7g8j3k mybucket/
IMAGE ami-o92h00h5 mybucket/
IMAGE ami-d0itumio mybucket/
IMAGE ami-paqlq8l5 anna/ttylinux-
IMAGE ami-xy70vc7p anna/ttylinux-
IMAGE ami-unwifk1z anna/ttylinux-
-Anping
the bug had been filed as Question #139287.
in nova-api.log
nova-api(root): INFO Looking up user: '96bb3b1e-
nova-api(root): INFO user: User('anna', 'anna', '96bb3b1e-
nova-api(root): DEBUG using _calc_signature_2
nova-api(root): DEBUG query string: AWSAccessKeyId=
nova-api(root): DEBUG string_to_sign: GET
172.16.60.250:8773
/services/Cloud/
AWSAccessKeyId=
nova-api(root): DEBUG len(b64)=44
nova-api(root): DEBUG base64 encoded digest: wgzv+Jo8NaLBw9g
nova-api(root): DEBUG user.secret: f9c918e9-
nova-api(root): DEBUG expected_signature: wgzv+Jo8NaLBw9g
nova-api(root): DEBUG signature: wgzv+Jo8NaLBw9g
nova-api(api): DEBUG action: AuthorizeSecuri
nova-api(api): DEBUG arg: GroupName val: default
nova-api(api): DEBUG arg: CidrIp val: 0.0.0.0/0
nova-api(api): DEBUG arg: FromPort val: 22
nova-api(api): DEBUG arg: ToPort val: 22
nova-api(api): DEBUG arg: IpProtocol val: tcp