yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #03315
[Bug 1192873] Re: wrong password set in api-paste.ini, but still pass the auth
Looks like it is designed by keystone PKI mode.
More information is here:
http://blog.chmouel.com/2013/05/02/keystone-pki-tokens-overview/
** Changed in: nova
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1192873
Title:
wrong password set in api-paste.ini, but still pass the auth
Status in OpenStack Compute (Nova):
Invalid
Bug description:
I'm working on Grizzly, and I saw a really strange phenomenon in
keystone log.
When I run command "nova list", I get two INFO output:
2013-06-19 15:01:26 INFO [access] 192.168.11.12 - - [19/Jun/2013:07:01:26 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
2013-06-19 15:01:26 INFO [access] 192.168.11.11 - - [19/Jun/2013:07:01:26 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504
I think this matches my understanding about how auth work, although I have questions about the "revoked".
First, user get a new token, then nova verify the token.
Then, suddenly, the second log disappeared, I can only get:
2013-06-20 16:35:45 INFO [access] 192.168.11.12 - - [20/Jun/2013:08:35:45 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
This come to me a question, how nova-api verify user's token ?
So, I edited /etc/nova/api-paste.ini, changed admin_password to a wrong number, and cleaned all tokens in keystone, and restart nova-api.
I suppose this will cause "nova list" failed in auth.
But, I still get my instance list.
How could this happen ?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1192873/+subscriptions