yahoo-eng-team team mailing list archive

["li,chen" <chen.li@xxxxxxxxx>]

Looks like it is designed by keystone PKI mode.
More information is here: 
http://blog.chmouel.com/2013/05/02/keystone-pki-tokens-overview/

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1192873

Title:
  wrong password set in api-paste.ini, but still pass the auth

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  I'm working on Grizzly, and I saw a really strange phenomenon in
  keystone log.

  When I run command "nova list", I get two INFO output:
  2013-06-19 15:01:26     INFO [access] 192.168.11.12 - - [19/Jun/2013:07:01:26 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
  2013-06-19 15:01:26     INFO [access] 192.168.11.11 - - [19/Jun/2013:07:01:26 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504

  I think this matches my understanding about how auth work, although I have questions about the "revoked".
  First, user get a new token, then nova verify the token. 

  Then, suddenly, the second log disappeared, I can only get:
  2013-06-20 16:35:45     INFO [access] 192.168.11.12 - - [20/Jun/2013:08:35:45 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143

  This come to me a question, how nova-api verify user's token ?
  So, I edited /etc/nova/api-paste.ini, changed admin_password to a wrong number, and cleaned all tokens in keystone, and restart nova-api.
  I suppose this will cause "nova list" failed in auth.
  But, I still get my instance list.

  How could this happen ?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1192873/+subscriptions