yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1152303] Re: nova.compute ImageNotAuthorized when using strategy keystone

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Wed, 17 Sep 2014 11:59:20 -0000
Reply-to: Bug 1152303 <1152303@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: nova
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1152303

Title:
  nova.compute ImageNotAuthorized when using strategy keystone

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  This compute node is running the latest code from: 
  http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main


  When glance is secured with keystone then nova-compute is not
  authorized to deploy an image from glance. This is a problem specific
  to the context of the token.

  per this question:
  https://answers.launchpad.net/nova/+question/218145

  I am getting the same error.

  http://codepad.org/jYi5GZ72

  I have updated the code in nova.image.glance to this:

  def _create_glance_client(context, host, port, use_ssl, version=1):
      """Instantiate a new glanceclient.Client object"""
      if use_ssl:
          scheme = 'https'
      else:
          scheme = 'http'
      params = {}
      params['insecure'] = FLAGS.glance_api_insecure
      if FLAGS.auth_strategy == 'keystone':
          dicttoken = context.to_dict().get('auth_token')
          contexttoken = context.auth_token
          LOG.error("### dict token is %s" % dicttoken)
          LOG.error("### context token is %s" % contexttoken)
          params['token'] = context.auth_token
      endpoint = '%s://%s:%s' % (scheme, host, port)
      return glanceclient.Client(str(version), endpoint, **params)

  And as you can see from the paste

  The params['token'] code is being called twice.

  The second time the context.auth_token call is failing.

  root@server12:~# grep req-f66255ef-13fe-4791-b137-f76855197aa4 /var/log/nova/nova-compute.log | grep ERROR
  2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81 eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is fff534d1a18c4b4a816c076d4fce0e70

  2013-03-07 11:07:44 ERROR nova.image.glance [req-f66255ef-
  13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81
  eb4f9252e66843b3b7eaa6662d6062c8] ### context token is
  fff534d1a18c4b4a816c076d4fce0e70

  2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-
  13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81
  eb4f9252e66843b3b7eaa6662d6062c8] ### dict token is
  fff534d1a18c4b4a816c076d4fce0e70

  2013-03-07 11:07:49 ERROR nova.image.glance [req-f66255ef-
  13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81
  eb4f9252e66843b3b7eaa6662d6062c8] ### context token is None

  2013-03-07 11:07:49 ERROR nova.compute.manager [req-f66255ef-
  13fe-4791-b137-f76855197aa4 5e363b8f0665443d89ca9d9787a19a81
  eb4f9252e66843b3b7eaa6662d6062c8] [instance: 3e89c0a7-11c8-4b4f-8b4b-
  b04ea97a9d88] Instance failed to spawn

  If I use the dict option the token works and I am no longer blocked.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1152303/+subscriptions