wrong password set in api-paste.ini, but still passes auth

asked 2013-06-20 03:53:51 -0500

chen-li

I'm working on Grizzly, and I saw a really strange phenomenon in the keystone log.

When I run the command "nova list", I get two INFO outputs:

2013-06-19 15:01:26 INFO [access] - - [19/Jun/2013:07:01:26 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
2013-06-19 15:01:26 INFO [access] - - [19/Jun/2013:07:01:26 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504

I think this matches my understanding of how auth works, although I have questions about the "revoked". First, the user gets a new token, then nova verifies the token.

Then, suddenly, the second log line disappeared; I can only get:

2013-06-20 16:35:45 INFO [access] - - [20/Jun/2013:08:35:45 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143

This raised a question for me: how does nova-api verify the user's token? So, I edited /etc/nova/api-paste.ini, changed admin_password to a wrong number, cleaned all tokens in keystone, and restarted nova-api. I supposed this would cause "nova list" to fail in auth. But I still get my instance list.

How could this happen?



Just want to check that you do not have a [keystone_authtoken] section in nova.conf, which would take precedence.

darragh-oreilly (2013-06-20 06:02:11 -0500)

I have set "auth_strategy = keystone" in nova.conf. And I checked the revoke query in the keystone log; it contains tokens for both the user and nova.

chen-li (2013-06-20 07:09:39 -0500)

I tried that: changed admin_password in the keystone_authtoken section of nova.conf (this is where it is in my particular installation) and restarted nova-api, then 'nova list' gives 'ERROR: Unauthorized (HTTP 401)' as expected.

darragh-oreilly (2013-06-20 09:37:18 -0500)

Yes. I get the error after a night of letting /etc/nova/api-paste.ini stay with the wrong password. Looks like this change does not take effect directly if I was in a correct auth before.

chen-li (2013-06-20 22:39:15 -0500)

"after a night" - maybe your 'nova list' is reusing an existing token, and nova-api only verifies it with keystone the first time and caches it for subsequent calls within the valid period. I don't know, just theorising...

darragh-oreilly (2013-06-21 04:20:55 -0500)

I have the same suspicion, so I checked keystone's database. I found nova creates only one new token a day. Then I cleaned keystone's token table. I assumed this would cause nova to request a new token, but this did not happen.

chen-li (2013-06-21 07:02:32 -0500)

I have checked cinder and glance; all of them have the same phenomenon as nova. I tried to read the code to find out how this works, but I'm really a newcomer to python and didn't find where I should start. Any suggestions?

chen-li (2013-06-21 07:06:30 -0500)

Go through the blueprints and questions on the keystone launchpad page. Keep googling for stuff - I found this https://www.ibm.com/developerworks/community/blogs/e93514d3-c4f0-4aa0-8844-497f370090f5/entry/openstack_keystone_workflow_token_scoping?lang=en Maybe check youtube too for presentations.

darragh-oreilly (2013-06-21 07:45:53 -0500)

I think I have read this before, and what I'm facing now looks like step 4, illustrated in the picture at the beginning, is missing.

chen-li (2013-06-21 10:05:34 -0500)

Looks like it is designed by keystone's PKI mode. I haven't fully understood it, but more information can be found here: http://blog.chmouel.com/2013/05/02/keystone-pki-tokens-overview/

chen-li (2013-06-22 21:07:30 -0500)

1 answer


answered 2013-07-29 04:11:31 -0500

Check the environment variables present on your machine.

When you execute the command "nova list" from the command line, the system gets the arguments from env, such as --os-username = env[OS_USERNAME], --os-password = env[OS_PASSWORD], etc.

These are passed to the nova list command, then sent to the nova-api service to get the result.

Hope this information is useful to you!!



Asked: 2013-06-20 03:53:51 -0500

Seen: 449 times

Last updated: Jul 29 '13