Nova returns HTTP 400 for SignatureVersion=1 requests
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
Medium
|
Todd Willey | ||
Bug Description
Some Amazon EC2 clients like HybridFox and tAWS (http://
nova checks (implicitly?) assuming all requests are signed using SignatureVersion=2. The essential difference of version 1 and 2 is that version 1 requests do not contain SignatureMethod.
Thus, __call__ of class Requestify defined in NOVA_SRC/
I would suggest the following fix, but maybe it's better checking SignatureVersion and pop SignatureMethod from only version2 request string.
I checked the attached patch for nova 645, but the issue is alive in also trunk HEAD.
Signed-off-by: Masanori Itoh <email address hidden>
=== modified file 'nova/api/
--- nova/api/
+++ nova/api/
@@ -204,7 +204,8 @@
action = req.params[
for non_arg in non_args:
# Remove, but raise KeyError if omitted
- args.pop(non_arg)
+ if non_arg in args:
+ args.pop(non_arg)
except:
raise webob.exc.
Related branches
- Masanori Itoh (community): Approve
- Jay Pipes (community): Approve
- Devin Carlen (community): Approve
-
Diff: 16 lines (+6/-0)1 file modifiednova/api/ec2/__init__.py (+6/-0)
| Masanori Itoh (itohm) wrote | #1 |
| Todd Willey (xtoddx) wrote | #2 |
| Changed in nova: | |
| assignee: | nobody → Todd Willey (xtoddx) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Masanori Itoh (itohm) wrote | #3 |
| Thierry Carrez (ttx) wrote | #4 |
| Changed in nova: | |
| status: | In Progress → Fix Committed |
| Changed in nova: | |
| milestone: | none → 2011.2 |
| status: | Fix Committed → Fix Released |
I've linked a branch that fixes this now. I decided to be more explicit and only ignore the SignatureMethod if we are on SignatureVersion=1. This lets other keys still raise exceptions, so we can continue to catch bad requests early. Please let me know if this doesn't fix your issue.