yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #41585
[Bug 1515485] Re: Heat CFN signals do not pass authorization
** Also affects: openstack-ansible/trunk
Importance: Medium
Status: Triaged
** Also affects: openstack-ansible/kilo
Importance: Undecided
Status: New
** Also affects: openstack-ansible/liberty
Importance: Undecided
Status: New
** Changed in: openstack-ansible/trunk
Status: Triaged => Invalid
** Changed in: openstack-ansible/liberty
Status: New => Invalid
** Changed in: openstack-ansible/kilo
Status: New => In Progress
** Changed in: openstack-ansible/kilo
Status: In Progress => Triaged
** Changed in: openstack-ansible/kilo
Milestone: None => 11.2.5
** Changed in: openstack-ansible/kilo
Assignee: (unassigned) => Jesse Pretorius (jesse-pretorius)
** Changed in: openstack-ansible/trunk
Milestone: 11.2.5 => None
** Changed in: openstack-ansible/kilo
Milestone: 11.2.5 => 11.2.6
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515485
Title:
Heat CFN signals do not pass authorization
Status in OpenStack Identity (keystone):
Invalid
Status in OpenStack Identity (keystone) kilo series:
Incomplete
Status in openstack-ansible:
Invalid
Status in openstack-ansible kilo series:
Triaged
Status in openstack-ansible liberty series:
Invalid
Status in openstack-ansible trunk series:
Invalid
Bug description:
Note that this bug applies to the Kilo release. Master does not appear
to have this problem. I did not test liberty yet.
Heat templates that rely on CFN signals timeout because the API calls
that execute these signals return 403 errors. Heat signals, on the
other side, do work.
The problem was reported to me by Alex Cantu. I have verified it on
his multinode lab and have also reproduced on my own single-node
system hosted on a public cloud server. I suspect liberty/master
avoided the problem after Jesse and I reworked the Heat configuration
to use Keystone v3 the last day before the L release.
Example template, which can be executed in an AIO after running the
tempest playbook:
heat_template_version: 2013-05-23
resources:
wait_condition:
type: AWS::CloudFormation::WaitCondition
properties:
Handle: { get_resource: wait_handle }
Count: 1
Timeout: 600
wait_handle:
type: AWS::CloudFormation::WaitConditionHandle
my_instance:
type: OS::Nova::Server
properties:
image: cirros
flavor: m1.tiny
networks:
- network: "private"
user_data_format: RAW
user_data:
str_replace:
template: |
#!/bin/sh
echo "wc_notify"
curl -H "Content-Type:" -X PUT wc_notify --data-binary '{"status": "SUCCESS"}'
params:
wc_notify: { get_resource: wait_handle }
This template should end very quickly, as it starts a cirros instance
that just sends a signal back to heat. But instead, it timeouts. The
user data script dumps the signal URL to the console log, if you then
try to send the signal manually you will get a 403. The original 403
can also be seen in the heat-api-cfn.log file. Here is the log
snippet:
2015-11-12 05:13:34.491 1862 INFO heat.api.aws.ec2token [-] Checking AWS credentials..
2015-11-12 05:13:34.492 1862 INFO heat.api.aws.ec2token [-] AWS credentials found, checking against keystone.
2015-11-12 05:13:34.493 1862 INFO heat.api.aws.ec2token [-] Authenticating with http://172.29.236.100:5000/v3/ec2tokens
2015-11-12 05:13:34.533 1862 INFO heat.api.aws.ec2token [-] AWS authentication failure.
2015-11-12 05:13:34.534 1862 INFO eventlet.wsgi.server [-] 10.0.3.181,172.29.236.100 - - [12/Nov/2015 05:13:34] "PUT /v1/waitcondition/arn%3Aopenstack%3Aheat%3A%3A683acadf4d04489f8e991b44014e6fc1%3Astacks%2Fwc1%2Faa4083b6-ce6c-411f-9df9-d059abacf40c%2Fresources%2Fwait_handle?Timestamp=2015-11-12T05%3A12%3A27Z&SignatureMethod=HmacSHA256&AWSAccessKeyId=65657d1021e24e49ba4fb6f217ca4a22&SignatureVersion=2&Signature=aCG%2FO04MNLzSlf5gIBGw1hMcC7bQzB3pZXVKzXLLNSo%3D HTTP/1.1" 403 301 0.043961
For reference, the curl command to trigger the signal is: curl -H
"Content-Type:" -X PUT "<cfn-signal-url".
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1515485/+subscriptions
