
Deprecated_auth does not seem to be working

asked 2012-02-23 22:46:09 -0500

Deprecated auth does not seem to be working.

Users were created using nova-manage. Even a default user can see all other projects' instances and terminate them.

Tested using both eucatools and hybridfox


#Packages -- From Grid Dynamics

openstack-nova.noarch 1:2011.3-b2083
openstack-nova-api.noarch 1:2011.3-b2083
openstack-nova-objectstore.noarch 1:2011.3-b2083
openstack-nova-scheduler.noarch 1:2011.3-b2083
openstack-nova-vncproxy.noarch 1:2011.3-b2083


#nova.conf

--verbose=true
--ec2_url=http://10.5.115.31:8773/services/Cloud
--s3_host=10.5.115.31
--rabbit_host=10.5.115.31
--sql_connection=mysql://XXXX:XXXX@10.5.115.33/nova
--use_s3=true
--libvirt_type=kvm
--use_syslog=false
--node_availability_zone=nova
--logdir=/var/log/nova
--logging_context_format_string=%(asctime)s %(name)s: %(levelname)s [%(request_id)s %(user_id)s %(project_id)s] %(message)s
--logging_default_format_string=%(asctime)s %(name)s: %(message)s
--logging_debug_format_suffix=from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d
--use_cow_images=true
--auth_driver=nova.auth.dbdriver.DbDriver
--compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler
--volume_scheduler_driver=nova.scheduler.simple.SimpleScheduler
--glance_api_servers=10.5.115.43:9292
--image_service=nova.image.glance.GlanceImageService
--use_ipv6=false
--ca_path=/var/lib/nova/CA
--keys_path=/var/lib/nova/keys
--images_path=/var/lib/nova/images
--buckets_path=/var/lib/nova/buckets
--instances_path=/var/lib/nova/instances
--networks_path=/var/lib/nova/networks
--injected_network_template_dir=/usr/share/nova/interfaces/
--libvirt_xml_template=/usr/share/nova/libvirt.xml.template
--vpn_client_template=/usr/share/nova/client.ovpn.template
--credentials_template=/usr/share/nova/novarc.template
--state_path=/var/lib/nova
--lock_path=/var/lib/nova/tmp
--vnc_enabled=true
--vncproxy_url=http://10.5.96.31:6080
--vncserver_host=10.5.96.31
--vnc_token_ttl=300
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--public_interface=br96
--network_manager=nova.network.manager.FlatDHCPManager
--flat_network_bridge=br100
--volume_manager=nova.volume.manager.VolumeManager
--multi_host=T
--fixed_range=10.100.0.0/20
--network_size=4094
--my_ip=10.5.115.31
--multi_host=T
--floating_range=10.5.96.0/20
--iscsi_ip_prefix=10.100.16
--routing_source_ip=10.5.96.31
--noallow_same_net_traffic
--send_arp_for_ha
--use_deprecated_auth=true


4 answers


answered 2012-02-23 23:53:27 -0500

Fixed. Had a space in front of the 2 lines that threw the error.


answered 2012-02-23 23:10:02 -0500

vishvananda

a) you might have more luck using [no] for flags instead of =true =false
--use_deprecated_auth
--nouse_syslog
....

b) you have to switch the middleware stack in the api-paste.ini to use deprecated auth as well

otherwise you are actually using noauth

Vish

On Feb 23, 2012, at 2:50 PM, Stuart Stent wrote:

New question #188683 on OpenStack Compute (nova): https://answers.launchpad.net/nova/+q...


answered 2012-02-23 23:43:34 -0500

Making the change to api-paste.ini throws the following:

2012-02-23 18:35:49,746 nova: File contains parsing errors: /etc/nova/api-paste.ini
[line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n'
[line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n'
(nova): TRACE: Traceback (most recent call last):
(nova): TRACE: File "/usr/bin/nova-api", line 51, in <module>
(nova): TRACE: servers.append(service.WSGIService(api))
(nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/service.py", line 294, in __init__
(nova): TRACE: self.app = self.loader.load_app(name)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/wsgi.py", line 411, in load_app
(nova): TRACE: return deploy.loadapp("config:%s" % self.config_path, name=name)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 204, in loadapp
(nova): TRACE: return loadobj(APP, uri, name=name, **kw)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 224, in loadobj
(nova): TRACE: global_conf=global_conf)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 248, in loadcontext
(nova): TRACE: global_conf=global_conf)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 275, in _loadconfig
(nova): TRACE: loader = ConfigLoader(path)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 345, in __init__
(nova): TRACE: self.parser.read(filename)
(nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 286, in read
(nova): TRACE: self._read(fp, filename)
(nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 510, in _read
(nova): TRACE: raise e
(nova): TRACE: ParsingError: File contains parsing errors: /etc/nova/api-paste.ini
(nova): TRACE: [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n'
(nova): TRACE: [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n'
(nova): TRACE:

///////////////////////////////////////////////////////////////////////////// api-paste.ini ////////////////////////////////////

#######
# EC2 #
#######

[composite:ec2]
use = egg:Paste#urlmap
/: ec2versions
/services/Cloud: ec2cloud
/services/Admin: ec2admin
/latest: ec2metadata
/2007-01-19: ec2metadata
/2007-03-01: ec2metadata
/2007-08-29: ec2metadata
/2007-10-10: ec2metadata
/2007-12-15: ec2metadata
/2008-02-01: ec2metadata
/2008-09-01: ec2metadata
/2009-04-04: ec2metadata
/1.0: ec2metadata

[pipeline:ec2cloud]
#pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin]
#pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate adminrequest authorizer ec2executor

[pipeline:ec2metadata]
pipeline = logrequest ec2md

[pipeline:ec2versions]
pipeline = logrequest ec2ver

[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:authenticate]
paste.filter_factory = nova.api.ec2:Authenticate.factory

[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:adminrequest]
controller = nova.api.ec2.admin.AdminController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory

[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory

[app:ec2ver]
paste.app_factory = nova.api.ec2:Versions.factory

[app:ec2md]
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory

#############
# Openstack #
#############

[composite:osapi]
use = egg:Paste#urlmap
/: osversions
/v1.0: openstackapi10
/v1.1 ... (more)


answered 2012-02-24 03:17:29 -0500

vishvananda

Not sure why it isn't parsing properly. Perhaps delete the commented lines?

edit flag offensive delete link more
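A check for the two failures discussed in this thread, as an added example that is not part of the original posts or of nova: it scans an api-paste.ini body for pipelines that still contain a noauth filter and for option lines that start with whitespace. The function name, finding labels and sample text are constructed for illustration, and treating any filter whose name contains "noauth" as unauthenticated is an assumption.

```python
import re

# "ec2noauth" is the filter named on this page; matching any filter whose
# name contains "noauth" is an assumption made for this example.
NOAUTH = re.compile(r"noauth", re.IGNORECASE)


def audit_paste_ini(text):
    """Return (lineno, kind, detail) findings for an api-paste.ini body."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if raw[0].isspace():
            # The ParsingError in the thread was raised for lines like this.
            findings.append((lineno, "indented", line))
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        in_pipeline = section is not None and section.startswith("pipeline:")
        if sep and in_pipeline and key.strip() == "pipeline":
            # A pipeline with a noauth filter accepts requests without
            # checking credentials, whatever nova.conf says.
            open_filters = [f for f in value.split() if NOAUTH.search(f)]
            if open_filters:
                detail = section + ": " + " ".join(open_filters)
                findings.append((lineno, "noauth", detail))
    return findings


# Constructed sample, modelled on the pipelines quoted in the thread.
SAMPLE = """\
[pipeline:ec2cloud]
pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor

[pipeline:ec2admin]
#pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
 pipeline = logrequest authenticate adminrequest authorizer ec2executor
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_paste_ini(SAMPLE):
        print("line %d: %s: %s" % (lineno, kind, detail))
```

Run against the real file, a "noauth" finding means the API is still unauthenticated regardless of --use_deprecated_auth, and an "indented" finding marks a line to left-align before restarting nova-api.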
