yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #44719
[Bug 1523646] Re: Nova/Cinder Key Manager for Barbican Uses Stale Cache
Reviewed: https://review.openstack.org/254358
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=676a53ce44a5624a553e80bcff339300802d5494
Submitter: Jenkins
Branch: master
commit 676a53ce44a5624a553e80bcff339300802d5494
Author: Dave McCowan <dmccowan@xxxxxxxxx>
Date: Mon Dec 7 14:28:52 2015 -0500
Check context before returning cached value
The key manager caches the value of barbican client to be reused,
saving an extra call to keystone. The cached value is only
applicable to the current context, so the context must be checked
before returning the cached value.
Closes-Bug: #1523646
Change-Id: I7cd7f1ba8a749b230c611e4fb20ccf4127354c35
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1523646
Title:
Nova/Cinder Key Manager for Barbican Uses Stale Cache
Status in castellan:
Fix Released
Status in Cinder:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Notes:
Confirmed
Bug description:
The Key Manger for Barbican, implemented in Nova and Cinder, caches a value of barbican_client to save extra
calls to Keystone for authentication. However, the cached value of barbican_client is only valid for the current
context. A check needs to be made to ensure the context has not changed before using the saved value.
The symptoms for using a stale cache value include getting the following error message when creating
an encrypted volume.
From CLI:
---------------
openstack volume create --size 1 --type LUKS encrypted_volume
The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-aea6be92-020e-41ed-ba88-44a1f5235ab0)
In cinder.log
-------------------
2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call last):
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py", line 82, in _exe
cute_task
2015-12-03 09:09:03.648 TRACE cinder.volume.api result = task.execute(**arguments)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 409, in execute
2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 338, in _get_encryption_key_
id
2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id = key_manager.create_key(context)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/keymgr/barbican.py", line 147, in create_key
2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(_LE("Error creating key."))
….
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post
2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url, 'POST', **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args, **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 402, in request
2015-12-03 09:09:03.648 TRACE cinder.volume.api raise exceptions.from_response(resp, method, url)
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
To manage notifications about this bug go to:
https://bugs.launchpad.net/castellan/+bug/1523646/+subscriptions
References
