Bug #965826 “python-novaclient doesn't handle misconfigured 'aut...” : Bugs : python-novaclient

Joe Gordon (jogo) on 2012-03-27

description:

updated

Revision history for this message

yong sheng gong (gongysh) wrote on 2012-03-27:

#1

Download full text (4.0 KiB)

It seems
https://review.openstack.org/#change,5801 meets your requirements.

After that patch, if there are some erros in
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = localhost1
auth_port = 35357
auth_protocol = http
auth_uri = http://localhost:5000/
admin_tenant_name = admin
admin_user = admin
admin_password = password

the commands like nova list will get output like this:
[root@robinlinux eclipse]# nova --debug list
connect: (localhost, 35357)
connect fail: ('localhost', 35357)
connect: (localhost, 35357)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:35357\r\nContent-Length: 103\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
send: '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Content-Length: 1965
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
connect: (localhost, 8774)
connect fail: (u'localhost', 8774)
connect: (localhost, 8774)
send: u'GET /v1.1/36cf36c3972a437890e5df7bf9805097/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: admin\r\nx-auth-token: 1e831f77b86d45f7af6dff6f405b9afe\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
xxxxxxx &{u'error': {u'message': u'Unable to obtain admin token'}}
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:35357\r\nContent-Length: 103\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
send: '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Content-Length: 1965
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
send: u'GET /v1.1/36cf36c3972a437890e5df7bf9805097/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: admin\r\nx-auth-token: 1e831f77b86d45f7af6dff6f405b9afe\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Tue, 27 Mar 2012 02:01:18 GMT
xxxxxxx &{u'error': {u'message': u'Unable to obtain admin token'}}
DEBUG (shell:415) Unable to obtain admin token (HTTP 401)
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/shell.py", line 412, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/shell.py", line 363, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.6/site-packages/python_novaclient-...

It seems 
https://review.openstack.org/#change,5801 meets your requirements.

After that patch, if there are some erros in
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = localhost1
auth_port = 35357
auth_protocol = http
auth_uri = http://localhost:5000/
admin_tenant_name = admin
admin_user = admin
admin_password = password

the commands like nova list will get output like this:
[root@robinlinux eclipse]# nova --debug list
connect: (localhost, 35357)
connect fail: ('localhost', 35357)
connect: (localhost, 35357)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:35357\r\nContent-Length: 103\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
send: '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Content-Length: 1965
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
connect: (localhost, 8774)
connect fail: (u'localhost', 8774)
connect: (localhost, 8774)
send: u'GET /v1.1/36cf36c3972a437890e5df7bf9805097/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: admin\r\nx-auth-token: 1e831f77b86d45f7af6dff6f405b9afe\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
xxxxxxx &{u'error': {u'message': u'Unable to obtain admin token'}}
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:35357\r\nContent-Length: 103\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
send: '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Content-Length: 1965
header: Date: Tue, 27 Mar 2012 02:01:17 GMT
send: u'GET /v1.1/36cf36c3972a437890e5df7bf9805097/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: admin\r\nx-auth-token: 1e831f77b86d45f7af6dff6f405b9afe\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Tue, 27 Mar 2012 02:01:18 GMT
xxxxxxx &{u'error': {u'message': u'Unable to obtain admin token'}}
DEBUG (shell:415) Unable to obtain admin token (HTTP 401)
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/shell.py", line 412, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/shell.py", line 363, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/v1_1/shell.py", line 520, in do_list
    utils.print_list(cs.servers.list(search_opts=search_opts), columns,
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/v1_1/servers.py", line 279, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/base.py", line 71, in _list
    resp, body = self.api.client.get(url)
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/client.py", line 136, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/python_novaclient-2012.2-py2.6.egg/novaclient/client.py", line 133, in _cs_request
    raise ex
Unauthorized: Unable to obtain admin token (HTTP 401)
ERROR: Unable to obtain admin token (HTTP 401)

Thierry Carrez (ttx) on 2012-03-27

tags:	added: python-novaclient
Changed in nova:
importance:	Undecided → Medium
status:	New → Confirmed

Thierry Carrez (ttx) on 2012-03-29

Changed in nova:
importance:	Medium → Low

Thierry Carrez (ttx) on 2012-04-03

tags:

removed: essex-rc-potential

Revision history for this message

Yuriy Taraday (yorik-sar) wrote on 2012-04-13:

#2

Somehow hook didn't work here.
I've proposed this change: https://review.openstack.org/6519 to cover this issue.

Revision history for this message

Aslan Carlos de Medeiros Ramos (aslancarlos) wrote on 2012-04-23:

#3

Download full text (3.9 KiB)

This bug has fixed?

more information to help with this problem.

export OS_USERNAME=nova
export OS_TENANT_NAME=openstackdemo
export OS_PASSWORD=nova
export OS_AUTH_URL=http://localhost:5000/v2.0/
export OS_REGION_NAME=RegionOne

My login and password are correct, but the nova dont work . :(
root@openstack01:/root# nova --debug list
connect: (localhost, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 200.160.3.96:5000\r\nContent-Length: 106\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackdemo", "passwordCredentials": {"username": "nova", "password": "nova"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
header: Transfer-Encoding: chunked
connect: (localhost, 8774)
send: u'GET /v2/21a2b76f5312423d8b8006559ac5172a/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: openstackdemo\r\nx-auth-token: 715b07bf8a1247c69d33f1ddb5c7d773\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length: 106\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackdemo", "passwordCredentials": {"username": "nova", "password": "nova"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
header: Transfer-Encoding: chunked
send: u'GET /v2/21a2b76f5312423d8b8006559ac5172a/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: openstackdemo\r\nx-auth-token: 715b07bf8a1247c69d33f1ddb5c7d773\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
DEBUG (shell:416) Unable to obtain admin token (HTTP 401)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 413, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 364, in main
    args.func(self.cs, args)
  Fi...

This bug has fixed?

more information to help with this problem.

export OS_USERNAME=nova
export OS_TENANT_NAME=openstackdemo
export OS_PASSWORD=nova
export OS_AUTH_URL=http://localhost:5000/v2.0/
export OS_REGION_NAME=RegionOne

My login and password are correct, but the nova dont work . :( 
root@openstack01:/root# nova --debug list
connect: (localhost, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 200.160.3.96:5000\r\nContent-Length: 106\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackdemo", "passwordCredentials": {"username": "nova", "password": "nova"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
header: Transfer-Encoding: chunked
connect: (localhost, 8774)
send: u'GET /v2/21a2b76f5312423d8b8006559ac5172a/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: openstackdemo\r\nx-auth-token: 715b07bf8a1247c69d33f1ddb5c7d773\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length: 106\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n{"auth": {"tenantName": "openstackdemo", "passwordCredentials": {"username": "nova", "password": "nova"}}}'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json
header: Vary: X-Auth-Token
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
header: Transfer-Encoding: chunked
send: u'GET /v2/21a2b76f5312423d8b8006559ac5172a/servers/detail HTTP/1.1\r\nHost: localhost:8774\r\nx-auth-project-id: openstackdemo\r\nx-auth-token: 715b07bf8a1247c69d33f1ddb5c7d773\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Content-Length: 54
header: Content-Type: text/plain; charset=UTF-8
header: Date: Mon, 23 Apr 2012 13:31:39 GMT
DEBUG (shell:416) Unable to obtain admin token (HTTP 401)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 413, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 364, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/shell.py", line 520, in do_list
    utils.print_list(cs.servers.list(search_opts=search_opts), columns,
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/servers.py", line 279, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 71, in _list
    resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 137, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 134, in _cs_request
    raise ex
Unauthorized: Unable to obtain admin token (HTTP 401)
ERROR: Unable to obtain admin token (HTTP 401)

Revision history for this message

Aslan Carlos de Medeiros Ramos (aslancarlos) wrote on 2012-04-23:

#4

Watching the process in deep depth.

I see on tcpdump the novaclient is doing this request:

{"auth": {"tenantName": "%SERVICE_TENANT_NAME%", "passwordCredentials": {"username": "%SERVICE_USER%", "password": "%SERVICE_PASSWORD%"}}}

do not changing the field value with the right values, just passing the variable names.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-04-30: Fix merged to python-novaclient (master)

#5

Reviewed: https://review.openstack.org/6519
Committed: http://github.com/openstack/python-novaclient/commit/bdccfbc88b7ca1cafe51ce39c58d18914a969dbb
Submitter: Jenkins
Branch: master

commit bdccfbc88b7ca1cafe51ce39c58d18914a969dbb
Author: Yuriy Taraday <email address hidden>
Date: Fri Apr 13 18:56:44 2012 +0400

Raise exception on all 4xx and 5xx responses.

Fixes bug 965826.

Change-Id: I44ce602176320b1e60e4c927e19a7eec232923b9

Changed in nova:
status:	Confirmed → Fix Committed

Devin Carlen (devcamcar) on 2012-05-22

Changed in nova:
milestone:	none → folsom-1

Thierry Carrez (ttx) on 2012-05-23

Changed in nova:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-07-04

affects:	nova → python-novaclient
Changed in python-novaclient:
milestone:	folsom-1 → none

Revision history for this message

Adrian Otto (aotto) wrote on 2012-07-23:

#6

Okay, so there was a minor bug here. Thanks or the one line fix. However, the reason people are having trouble here is because the actual problem causing the 503 is not being surfaced. In my case, the example asked me to have this in my config:

(ended up in /etc/nova/api-paste.ini)

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_tenant_name = service
admin_user = nova
admin_password = servicepass

The admin_password does not match what I set as the admin password. So, when I try:

# nova list
ERROR: n/a (HTTP 503)

That error is not helpful at all. I had to strace the nova api service python process to learn:

recvfrom(11, "{\"error\": {\"message\": \"Invalid user / password\", \"code\": 401, \"title\": \"Not Authorized\"}}", 89, 0, NULL, NULL) = 89

looking back further, I found that it was sending:

sendto(11, "{\"auth\": {\"tenantName\": \"service\", \"passwordCredentials\": {\"username\": \"nova\", \"password\": \"servicepass\"}}}", 107, 0, NULL, 0) = 107

And that's definitely wrong. After fixing the contents of /etc/nova/api-paste.ini so that the admin_password was actually the correct password, and restart the openstack-nova-api service, I was then able to list stuff:

My point is that when openstack-nova-api processes the request, it does this:

recvfrom(11, "{\"error\": {\"message\": \"Invalid user / password\", \"code\": 401, \"title\": \"Not Authorized\"}}", 89, 0, NULL, NULL) = 89
close(11) = 0
sendto(10, "HTTP/1.1 503 Service Unavailable\r\nContent-Length: 100\r\nContent-Type: text/plain; charset=UTF-8\r\nDate: Mon, 23 Jul 2012 04:05:04 GMT\r\n\r\n503 Service Unavailable\n\nThe server is currently

And that's wrong. It should be raising the 401 error (and possibly a hint to check the admin_password setting) rather than raising a 503.

Okay, so there was a minor bug here. Thanks or the one line fix. However, the reason people are having trouble here is because the actual problem causing the 503 is not being surfaced. In my case, the example asked me to have this in my config:

(ended up in /etc/nova/api-paste.ini)

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_tenant_name = service
admin_user = nova
admin_password = servicepass

The admin_password does not match what I set as the admin password. So, when I try:

# nova list
ERROR: n/a (HTTP 503)

That error is not helpful at all. I had to strace the nova api service python process to learn:

recvfrom(11, "{\"error\": {\"message\": \"Invalid user / password\", \"code\": 401, \"title\": \"Not Authorized\"}}", 89, 0, NULL, NULL) = 89

looking back further, I found that it was sending:

sendto(11, "{\"auth\": {\"tenantName\": \"service\", \"passwordCredentials\": {\"username\": \"nova\", \"password\": \"servicepass\"}}}", 107, 0, NULL, 0) = 107

And that's definitely wrong. After fixing the contents of /etc/nova/api-paste.ini so that the admin_password was actually the correct password, and restart the openstack-nova-api service, I was then able to list stuff:

My point is that when openstack-nova-api processes the request, it does this:

recvfrom(11, "{\"error\": {\"message\": \"Invalid user / password\", \"code\": 401, \"title\": \"Not Authorized\"}}", 89, 0, NULL, NULL) = 89
close(11)                               = 0
sendto(10, "HTTP/1.1 503 Service Unavailable\r\nContent-Length: 100\r\nContent-Type: text/plain; charset=UTF-8\r\nDate: Mon, 23 Jul 2012 04:05:04 GMT\r\n\r\n503 Service Unavailable\n\nThe server is currently

And that's  wrong. It should be raising the 401 error (and possibly a hint to check the admin_password setting) rather than raising a 503.

python-novaclient

python-novaclient doesn't handle misconfigured 'auth_host'

Bug Description

Other bug subscribers

Remote bug watches