Ask Your Question
0

Deprecated_auth does not seem to be working

asked 2012-02-23 22:46:09 -0500

stuart-stent gravatar image

Deprecated auth does not seem to working.

Users were created using nova-manage. Even a default user can see all other project's instances and terminate them.

Tested using both eucatools and hybridfox

#Packages -- From Grid Dymanics

openstack-nova.noarch 1:2011.3-b2083 openstack-nova-api.noarch 1:2011.3-b2083 openstack-nova-objectstore.noarch 1:2011.3-b2083 openstack-nova-scheduler.noarch 1:2011.3-b2083 openstack-nova-vncproxy.noarch 1:2011.3-b2083

#nova.conf

--verbose=true --ec2_url=http://10.5.115.31:8773/services/Cloud --s3_host=10.5.115.31 --rabbit_host=10.5.115.31 --sql_connection=mysql://XXXX:XXXX@10.5.115.33/nova --use_s3=true --libvirt_type=kvm --use_syslog=false --node_availability_zone=nova --logdir=/var/log/nova --logging_context_format_string=%(asctime)s %(name)s: %(levelname)s [%(request_id)s %(user_id)s %(project_id)s] %(message)s --logging_default_format_string=%(asctime)s %(name)s: %(message)s --logging_debug_format_suffix=from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d --use_cow_images=true --auth_driver=nova.auth.dbdriver.DbDriver --compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler --volume_scheduler_driver=nova.scheduler.simple.SimpleScheduler --glance_api_servers=10.5.115.43:9292 --image_service=nova.image.glance.GlanceImageService --use_ipv6=false --ca_path=/var/lib/nova/CA --keys_path=/var/lib/nova/keys --images_path=/var/lib/nova/images --buckets_path=/var/lib/nova/buckets --instances_path=/var/lib/nova/instances --networks_path=/var/lib/nova/networks --injected_network_template_dir=/usr/share/nova/interfaces/ --libvirt_xml_template=/usr/share/nova/libvirt.xml.template --vpn_client_template=/usr/share/nova/client.ovpn.template --credentials_template=/usr/share/nova/novarc.template --state_path=/var/lib/nova --lock_path=/var/lib/nova/tmp --vnc_enabled=true --vncproxy_url=http://10.5.96.31:6080 --vncserver_host=10.5.96.31 --vnc_token_ttl=300 --dhcpbridge_flagfile=/etc/nova/nova.conf --dhcpbridge=/usr/bin/nova-dhcpbridge --public_interface=br96 --network_manager=nova.network.manager.FlatDHCPManager --flat_network_bridge=br100 --volume_manager=nova.volume.manager.VolumeManager --multi_host=T --fixed_range=10.100.0.0/20 --network_size=4094 --my_ip=10.5.115.31 --multi_host=T --floating_range=10.5.96.0/20 --iscsi_ip_prefix=10.100.16 --routing_source_ip=10.5.96.31 --noallow_same_net_traffic --send_arp_for_ha --use_deprecated_auth=true

edit retag flag offensive close merge delete
add a comment

4 answers

Sort by ยป oldest newest most voted
0

answered 2012-02-23 23:53:27 -0500

stuart-stent gravatar image

Fixed. Had a space in front of the 2 lies that threw the error

edit flag offensive delete link more
add a comment
0

answered 2012-02-23 23:10:02 -0500

vishvananda gravatar image

a) you might have more luck using [no] for flags instead of =true =false --use_deprecated_auth --nouse_syslog .... b) you have to switch the middleware stack in the api-paste.ini to use deprecated auth as well

otherwise you are actually using noauth

Vish

On Feb 23, 2012, at 2:50 PM, Stuart Stent wrote:

New question #188683 on OpenStack Compute (nova): https://answers.launchpad.net/nova/+q...

Deprecated auth does not seem to working.

Users were created using nova-manage. Even a default user can see all other project's instances and terminate them.

Tested using both eucatools and hybridfox

#Packages -- From Grid Dymanics

openstack-nova.noarch 1:2011.3-b2083 openstack-nova-api.noarch 1:2011.3-b2083 openstack-nova-objectstore.noarch 1:2011.3-b2083 openstack-nova-scheduler.noarch 1:2011.3-b2083 openstack-nova-vncproxy.noarch 1:2011.3-b2083

#nova.conf

--verbose=true --ec2_url=http://10.5.115.31:8773/services/Cloud --s3_host=10.5.115.31 --rabbit_host=10.5.115.31 --sql_connection=mysql://XXXX:XXXX@10.5.115.33/nova --use_s3=true --libvirt_type=kvm --use_syslog=false --node_availability_zone=nova --logdir=/var/log/nova --logging_context_format_string=%(asctime)s %(name)s: %(levelname)s [%(request_id)s %(user_id)s %(project_id)s] %(message)s --logging_default_format_string=%(asctime)s %(name)s: %(message)s --logging_debug_format_suffix=from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d --use_cow_images=true --auth_driver=nova.auth.dbdriver.DbDriver --compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler --volume_scheduler_driver=nova.scheduler.simple.SimpleScheduler --glance_api_servers=10.5.115.43:9292 --image_service=nova.image.glance.GlanceImageService --use_ipv6=false --ca_path=/var/lib/nova/CA --keys_path=/var/lib/nova/keys --images_path=/var/lib/nova/images --buckets_path=/var/lib/nova/buckets --instances_path=/var/lib/nova/instances --networks_path=/var/lib/nova/networks --injected_network_template_dir=/usr/share/nova/interfaces/ --libvirt_xml_template=/usr/share/nova/libvirt.xml.template --vpn_client_template=/usr/share/nova/client.ovpn.template --credentials_template=/usr/share/nova/novarc.template --state_path=/var/lib/nova --lock_path=/var/lib/nova/tmp --vnc_enabled=true --vncproxy_url=http://10.5.96.31:6080 --vncserver_host=10.5.96.31 --vnc_token_ttl=300 --dhcpbridge_flagfile=/etc/nova/nova.conf --dhcpbridge=/usr/bin/nova-dhcpbridge --public_interface=br96 --network_manager=nova.network.manager.FlatDHCPManager --flat_network_bridge=br100 --volume_manager=nova.volume.manager.VolumeManager --multi_host=T --fixed_range=10.100.0.0/20 --network_size=4094 --my_ip=10.5.115.31 --multi_host=T --floating_range=10.5.96.0/20 --iscsi_ip_prefix=10.100.16 --routing_source_ip=10.5.96.31 --noallow_same_net_traffic --send_arp_for_ha --use_deprecated_auth=true

You received this question notification because you are a member of Nova Core, which is an answer contact for OpenStack Compute (nova).

edit flag offensive delete link more
add a comment
0

answered 2012-02-23 23:43:34 -0500

stuart-stent gravatar image

Making the change to api-paste.ini throws the following:

2012-02-23 18:35:49,746 nova: File contains parsing errors: /etc/nova/api-paste.ini [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n' [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n' (nova): TRACE: Traceback (most recent call last): (nova): TRACE: File "/usr/bin/nova-api", line 51, in <module> (nova): TRACE: servers.append(service.WSGIService(api)) (nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/service.py", line 294, in __init__ (nova): TRACE: self.app = self.loader.load_app(name) (nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/wsgi.py", line 411, in load_app (nova): TRACE: return deploy.loadapp("config:%s" % self.config_path, name=name) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 204, in loadapp (nova): TRACE: return loadobj(APP, uri, name=name, **kw) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 224, in loadobj (nova): TRACE: global_conf=global_conf) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 248, in loadcontext (nova): TRACE: global_conf=global_conf) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 275, in _loadconfig (nova): TRACE: loader = ConfigLoader(path) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 345, in __init__ (nova): TRACE: self.parser.read(filename) (nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 286, in read (nova): TRACE: self._read(fp, filename) (nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 510, in _read (nova): TRACE: raise e (nova): TRACE: ParsingError: File contains parsing errors: /etc/nova/api-paste.ini (nova): TRACE: [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n' (nova): TRACE: [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n' (nova): TRACE:

///////////////////////////////////////////////////////////////////////////// api-paste.ini ////////////////////////////////////

#######

EC2

#######

[composite:ec2] use = egg:Paste#urlmap /: ec2versions /services/Cloud: ec2cloud /services/Admin: ec2admin /latest: ec2metadata /2007-01-19: ec2metadata /2007-03-01: ec2metadata /2007-08-29: ec2metadata /2007-10-10: ec2metadata /2007-12-15: ec2metadata /2008-02-01: ec2metadata /2008-09-01: ec2metadata /2009-04-04: ec2metadata /1.0: ec2metadata

[pipeline:ec2cloud] #pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor

NOTE(vish): use the following pipeline for deprecated auth

pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin] #pipeline = logrequest ec2noauth adminrequest authorizer ec2executor

NOTE(vish): use the following pipeline for deprecated auth

pipeline = logrequest authenticate adminrequest authorizer ec2executor

[pipeline:ec2metadata] pipeline = logrequest ec2md

[pipeline:ec2versions] pipeline = logrequest ec2ver

[filter:logrequest] paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout] paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2noauth] paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:authenticate] paste.filter_factory = nova.api.ec2:Authenticate.factory

[filter:cloudrequest] controller = nova.api.ec2.cloud.CloudController paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:adminrequest] controller = nova.api.ec2.admin.AdminController paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer] paste.filter_factory = nova.api.ec2:Authorizer.factory

[app:ec2executor] paste.app_factory = nova.api.ec2:Executor.factory

[app:ec2ver] paste.app_factory = nova.api.ec2:Versions.factory

[app:ec2md] paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory

#############

Openstack

#############

[composite:osapi] use = egg:Paste#urlmap /: osversions /v1.0: openstackapi10 /v1.1 ... (more)

edit flag offensive delete link more
add a comment
0

answered 2012-02-24 03:17:29 -0500

vishvananda gravatar image

Not sure why it isn't parsing properly. Perhaps delete the commented lines?

On Feb 23, 2012, at 3:45 PM, Stuart Stent wrote:

Question #188683 on OpenStack Compute (nova) changed: https://answers.launchpad.net/nova/+q...

Stuart Stent posted a new comment: Making the change to api-paste.ini throws the following:

2012-02-23 18:35:49,746 nova: File contains parsing errors: /etc/nova/api-paste.ini [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n' [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n' (nova): TRACE: Traceback (most recent call last): (nova): TRACE: File "/usr/bin/nova-api", line 51, in <module> (nova): TRACE: servers.append(service.WSGIService(api)) (nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/service.py", line 294, in __init__ (nova): TRACE: self.app = self.loader.load_app(name) (nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/wsgi.py", line 411, in load_app (nova): TRACE: return deploy.loadapp("config:%s" % self.config_path, name=name) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 204, in loadapp (nova): TRACE: return loadobj(APP, uri, name=name, **kw) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 224, in loadobj (nova): TRACE: global_conf=global_conf) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 248, in loadcontext (nova): TRACE: global_conf=global_conf) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 275, in _loadconfig (nova): TRACE: loader = ConfigLoader(path) (nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 345, in __init__ (nova): TRACE: self.parser.read(filename) (nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 286, in read (nova): TRACE: self._read(fp, filename) (nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 510, in _read (nova): TRACE: raise e (nova): TRACE: ParsingError: File contains parsing errors: /etc/nova/api-paste.ini (nova): TRACE: [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n' (nova): TRACE: [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n' (nova): TRACE:

///////////////////////////////////////////////////////////////////////////// api-paste.ini ////////////////////////////////////

#######

EC2

#######

[composite:ec2] use = egg:Paste#urlmap /: ec2versions /services/Cloud: ec2cloud /services/Admin: ec2admin /latest: ec2metadata /2007-01-19: ec2metadata /2007-03-01: ec2metadata /2007-08-29: ec2metadata /2007-10-10: ec2metadata /2007-12-15: ec2metadata /2008-02-01: ec2metadata /2008-09-01: ec2metadata /2009-04-04: ec2metadata /1.0: ec2metadata

[pipeline:ec2cloud] #pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor

NOTE(vish): use the following pipeline for deprecated auth

pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin] #pipeline = logrequest ec2noauth adminrequest authorizer ec2executor

NOTE(vish): use the following pipeline for deprecated auth

pipeline = logrequest authenticate adminrequest authorizer ec2executor

[pipeline:ec2metadata] pipeline = logrequest ec2md

[pipeline:ec2versions] pipeline = logrequest ec2ver

[filter:logrequest] paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout] paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2noauth] paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:authenticate] paste.filter_factory = nova.api.ec2:Authenticate.factory

[filter:cloudrequest] controller = nova.api.ec2.cloud.CloudController paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:adminrequest] controller = nova.api.ec2.admin.AdminController paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer] paste.filter_factory = nova.api.ec2 ...

(more)
edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2012-02-23 22:46:09 -0500

Seen: 35 times

Last updated: Feb 24 '12

Related questions

Attached nova-volumes does not show in VM target

Validation on flavor name

Adding a second compute node fails

Xenserver Guide

Can not create keypair

where "euca-describe-images" gets the AMI name from ?

Several question about Cactus :) plz

Which network to choose

Can't do live-migration on x86 rhel6.3 because the error "libvirtError: internal error unable to send file handle 'migrate': No file descriptor supplied via SCM_RIGHTS"

routing problem with floating ip addresses