OpenStack Compute (nova)

EC2_ACCESS_KEY improperly formed

Bug #849982 reported by truijllo
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Undecided
Unassigned

Bug Description

Using nova revision 1558 ( even early )

If I use
nova-manage project zipfile 1234 joeuser
I obtain a zipfile with novarc formed like this:

NOVARC=$(readlink -f "${BASH_SOURCE:-${0}}" 2>/dev/null) ||
    NOVARC=$(python -c 'import os,sys; print os.path.abspath(os.path.realpath(sys.argv[1]))' "${BASH_SOURCE:-${0}}")
NOVA_KEY_DIR=${NOVARC%/*}
export EC2_ACCESS_KEY="joeuser:1234"
export EC2_SECRET_KEY="6c374b36-ad41-426d-8ddd-7c450b842fb6"
export EC2_URL="http://192.168.0.100:8773/services/Cloud"
export S3_URL="http://192.168.0.100:3333"
export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user 42 --ec2cert ${NOVA_CERT}"
alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
export NOVA_API_KEY="joeuser"
export NOVA_USERNAME="joeuser"
export NOVA_PROJECT_ID="1234"
export NOVA_URL="http://192.168.0.100:8774/v1.1/"

I use keystone so I've substituted last row like this:
export NOVA_URL="http://192.168.0.100:5000/v2.0/"

and then
source novarc

well...

[root@hostname joeuser_bis]# euca-describe-images
Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
EC2ResponseError: 403 Forbidden
403 Forbidden

Access was denied to this resource.

but...
[root@hostname joeuser_bis]# export EC2_ACCESS_KEY=fdf50e55-8f02-4aac-ac02-0adcb088325d:1234
[root@hostname joeuser_bis]# euca-describe-images
IMAGE ami-00000009 None (prova_di_snapshot) creating private machine instance-store
IMAGE ami-00000008 None (centos-5.2) available public machine instance-store

it seems that nova-manage or authentication considers the wrong field in db

Revision history for this message
Vish Ishaya (vishvananda) wrote : Re: [Bug 849982] [NEW] nova-manage zipfile problem
Download full text (5.3 KiB)

If you use --use_deprecated_auth you will get the old style access key when you use nova-manage project zipfile. We should also add some sort of flag to add the nova url properly. Unfortunately when using keystone properly, nova doesn't know the access key for a user, so we probably will need to generate the rc file somewhere else.

It looks like you are using the keystone shim, so --use_deprecated_auth should solve your particular issue.

Vish
On Sep 14, 2011, at 6:43 AM, truijllo wrote:

> Public bug reported:
>
> Using nova revision 1558 ( even early )
>
> If I use
> nova-manage project zipfile 1234 joeuser
> I obtain a zipfile with novarc formed like this:
>
> NOVARC=$(readlink -f "${BASH_SOURCE:-${0}}" 2>/dev/null) ||
> NOVARC=$(python -c 'import os,sys; print os.path.abspath(os.path.realpath(sys.argv[1]))' "${BASH_SOURCE:-${0}}")
> NOVA_KEY_DIR=${NOVARC%/*}
> export EC2_ACCESS_KEY="joeuser:1234"
> export EC2_SECRET_KEY="6c374b36-ad41-426d-8ddd-7c450b842fb6"
> export EC2_URL="http://192.168.0.100:8773/services/Cloud"
> export S3_URL="http://192.168.0.100:3333"
> export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
> export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
> export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
> export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
> export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
> alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user 42 --ec2cert ${NOVA_CERT}"
> alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
> export NOVA_API_KEY="joeuser"
> export NOVA_USERNAME="joeuser"
> export NOVA_PROJECT_ID="1234"
> export NOVA_URL="http://192.168.0.100:8774/v1.1/"
>
> I use keystone so I've substituted last row like this:
> export NOVA_URL="http://192.168.0.100:5000/v2.0/"
>
> and then
> source novarc
>
> well...
>
> [root@hostname joeuser_bis]# euca-describe-images
> Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
> EC2ResponseError: 403 Forbidden
> 403 Forbidden
>
> Access was denied to this resource.
>
>
> but...
> [root@hostname joeuser_bis]# export EC2_ACCESS_KEY=fdf50e55-8f02-4aac-ac02-0adcb088325d:1234
> [root@hostname joeuser_bis]# euca-describe-images
> IMAGE ami-00000009 None (prova_di_snapshot) creating private machine instance-store
> IMAGE ami-00000008 None (centos-5.2) available public machine instance-store
>
> it seems that nova-manage or authentication considers the wrong field in
> db
>
> ** Affects: nova
> Importance: Undecided
> Status: New
>
>
> ** Tags: nova nova-manage zip
>
> --
> You received this bug notification because you are a member of Nova Bug
> Team, which is subscribed to OpenStack Compute (nova).
> https://bugs.launchpad.net/bugs/849982
>
> Title:
> nova-manage zipfile problem
>
> Status in OpenStack Compute (Nova):
> New
>
> Bug description:
> Using nova revision 1558 ( even early )
>
> If I use
> nova-manage project zipfile 1234...

Read more...

Revision history for this message
Anne Gentle (annegentle) wrote : Re: nova-manage zipfile problem

In this case a person on the Forum is reporting that the novarc is being created improperly though.

From http://forums.openstack.org/viewtopic.php?f=9&t=338&p=1074.

It had something like this:

EC2_ACCESS_KEY="user:project"

Changed to

EC2_ACCESS_KEY="userAccesKey:project"

and it worked.

Does this mean that the novarc file is generated incorrectly?

Revision history for this message
Vish Ishaya (vishvananda) wrote : Re: [Bug 849982] nova-manage zipfile problem

--use_deprecated_auth needs to be set. Then it will generate the old style access key.

Vish

On Sep 28, 2011, at 10:39 AM, Anne Gentle wrote:

> In this case a person on the Forum is reporting that the novarc is being
> created improperly though.
>
>> From http://forums.openstack.org/viewtopic.php?f=9&t=338&p=1074.
>
> It had something like this:
>
> EC2_ACCESS_KEY="user:project"
>
> Changed to
>
> EC2_ACCESS_KEY="userAccesKey:project"
>
> and it worked.
>
> Does this mean that the novarc file is generated incorrectly?
>
> --
> You received this bug notification because you are a member of Nova Bug
> Team, which is subscribed to OpenStack Compute (nova).
> https://bugs.launchpad.net/bugs/849982
>
> Title:
> nova-manage zipfile problem
>
> Status in OpenStack Compute (Nova):
> New
>
> Bug description:
> Using nova revision 1558 ( even early )
>
> If I use
> nova-manage project zipfile 1234 joeuser
> I obtain a zipfile with novarc formed like this:
>
> NOVARC=$(readlink -f "${BASH_SOURCE:-${0}}" 2>/dev/null) ||
> NOVARC=$(python -c 'import os,sys; print os.path.abspath(os.path.realpath(sys.argv[1]))' "${BASH_SOURCE:-${0}}")
> NOVA_KEY_DIR=${NOVARC%/*}
> export EC2_ACCESS_KEY="joeuser:1234"
> export EC2_SECRET_KEY="6c374b36-ad41-426d-8ddd-7c450b842fb6"
> export EC2_URL="http://192.168.0.100:8773/services/Cloud"
> export S3_URL="http://192.168.0.100:3333"
> export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
> export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
> export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
> export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
> export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
> alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user 42 --ec2cert ${NOVA_CERT}"
> alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
> export NOVA_API_KEY="joeuser"
> export NOVA_USERNAME="joeuser"
> export NOVA_PROJECT_ID="1234"
> export NOVA_URL="http://192.168.0.100:8774/v1.1/"
>
> I use keystone so I've substituted last row like this:
> export NOVA_URL="http://192.168.0.100:5000/v2.0/"
>
> and then
> source novarc
>
> well...
>
> [root@hostname joeuser_bis]# euca-describe-images
> Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
> EC2ResponseError: 403 Forbidden
> 403 Forbidden
>
> Access was denied to this resource.
>
>
> but...
> [root@hostname joeuser_bis]# export EC2_ACCESS_KEY=fdf50e55-8f02-4aac-ac02-0adcb088325d:1234
> [root@hostname joeuser_bis]# euca-describe-images
> IMAGE ami-00000009 None (prova_di_snapshot) creating private machine instance-store
> IMAGE ami-00000008 None (centos-5.2) available public machine instance-store
>
> it seems that nova-manage or authentication considers the wrong field
> in db
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/849982/+subscriptions

Thierry Carrez (ttx)
summary: - nova-manage zipfile problem
+ EC2_ACCESS_KEY improperly formed
Changed in nova:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.