Unauthorized via SHA1 but works with plain text

asked 2015-01-27 20:03:16 -0500

arnchakr

updated 2015-01-28 14:08:37 -0500

Hi, I was trying to configure the compute service by following the instructions at http://docs.openstack.org/juno/install-guide/install/yum/content/ch_nova.html#nova-compute-install but at the verification stage it gave me an unauthorized access when trying to run

nova service-list

I then tried to break it down from the curl level and found the culprit. The following curl command gives me:

curl -i -v 'http://controller:8774/v2/8e091793529d4e97a98e03dd614ea053/os-services' -X GET -H "Accept: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Project-Id: admin" -H "X-Auth-Token: 419d15ae4a5c4503b0312a934bcd131f"
* Hostname was NOT found in DNS cache
*   Trying 10.9.78.21...
* Connected to controller (10.9.78.21) port 8774 (#0)
> GET /v2/8e091793529d4e97a98e03dd614ea053/os-services HTTP/1.1
> Host: controller:8774
> Accept: application/json
> User-Agent: python-novaclient
> X-Auth-Project-Id: admin
> X-Auth-Token: 419d15ae4a5c4503b0312a934bcd131f
>
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Www-Authenticate: Keystone uri='http://controller:5000/v2.0'
Www-Authenticate: Keystone uri='http://controller:5000/v2.0'
< Content-Type: text/plain
Content-Type: text/plain
< X-Compute-Request-Id: req-2c29961c-e423-4f07-93ff-04d7e8aba537
X-Compute-Request-Id: req-2c29961c-e423-4f07-93ff-04d7e8aba537
< Content-Length: 23
Content-Length: 23
< Date: Wed, 28 Jan 2015 20:05:11 GMT
Date: Wed, 28 Jan 2015 20:05:11 GMT

<
* Connection #0 to host controller left intact
Authentication required

What configuration may be wrong, and what should I check?


Comments

Did you try this command, and what is the output?

nova --d service-list
9lives (2015-01-27 20:56:11 -0500)

Hostname was NOT found in DNS cache

This error might be related to a curl bug: http://sourceforge.net/p/curl/bugs/1319/

Ranjit (2015-01-29 00:56:10 -0500)

1 answer


answered 2015-01-28 01:59:29 -0500

Ranjit

updated 2015-01-28 02:02:44 -0500

Reporting and logging of the password as SHA1 encryption is just to make sure that no one can learn the original password from the logs.

You cannot use the encrypted password in your curl request.

On the novaclient side, there is a method called _redact which formats the curl request/response for logging, and this method is used for encrypting the password while logging the curl details.

File: novaclient/client.py

import hashlib

def _redact(self, target, path, text=None):
    # `path` is a list of keys; the last one names the value to replace
    key = path.pop()

    # move to the most nested dict
    for p in path:
        try:
            target = target[p]
        except KeyError:
            return

    if key in target:
        if text:
            target[key] = text
        else:
            # because in python3 byte string handling is ... ug
            value = target[key].encode('utf-8')
            sha1sum = hashlib.sha1(value)
            target[key] = "{SHA1}%s" % sha1sum.hexdigest()

You can verify the SHA1 key reported by the logs with the code below, using the original password.

import hashlib
# Replace b'Hello World' with the original password, as bytes
hash_object = hashlib.sha1(b'Hello World')
hex_dig = hash_object.hexdigest()
print(hex_dig)

Comments

Thanks Ranjit for the explanation on the masked password in curl, verified that sha1 unfortunately matches my password with your python code. I will try and dig around but please feel free to let me know for any pointers which can

arnchakr (2015-01-28 12:23:35 -0500)
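An added example, not part of the original answer and not novaclient code: given a debug log line in which a secret was replaced with a `{SHA1}<digest>` marker, it works out which of the secrets you hold was actually sent, and flags a marker that has been pasted into a request in place of the real value. The log line layout, the sample token and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches 'Header-Name: {SHA1}<40 hex chars>' as written in place of a secret.
REDACTED = re.compile(r'(?P<name>[A-Za-z-]+): \{SHA1\}(?P<digest>[0-9a-f]{40})')


def redacted_headers(log_line):
    """Return {header name: hex digest} for every redacted header in a log line."""
    return {m.group('name'): m.group('digest') for m in REDACTED.finditer(log_line)}


def matches(secret, digest):
    """True if `secret` hashes to the logged digest (constant-time compare)."""
    actual = hashlib.sha1(secret.encode('utf-8')).hexdigest()
    return hmac.compare_digest(actual, digest)


def identify(log_line, candidates):
    """Map each redacted header to the label of the candidate secret it hides.

    `candidates` is {label: secret}; a header with no match maps to None.
    """
    found = {}
    for name, digest in redacted_headers(log_line).items():
        found[name] = next(
            (label for label, secret in candidates.items() if matches(secret, digest)),
            None)
    return found


def is_log_marker(header_value):
    """True if a value about to be sent is a redaction marker, not a real secret."""
    return header_value.startswith('{SHA1}')


# Constructed sample: a token and the debug line a client could log for it.
SAMPLE_TOKEN = 'constructed-token-0001'
SAMPLE_LINE = ('REQ: curl -i http://controller:8774/v2/TENANT/os-services -X GET '
               '-H "Accept: application/json" -H "X-Auth-Token: {SHA1}%s"'
               % hashlib.sha1(SAMPLE_TOKEN.encode('utf-8')).hexdigest())

if __name__ == '__main__':
    print(identify(SAMPLE_LINE, {'current': SAMPLE_TOKEN, 'old': 'stale-token'}))
    print(is_log_marker('{SHA1}' + 'a' * 40))
```

A header that maps to None means the client sent a secret you did not list, for example a token that has since been replaced.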
