yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1654183] Re: Token based authentication in Client class does not work

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: "Dr. Jens Rosenboom" <j.rosenboom@xxxxxxxx>
Date: Thu, 09 Feb 2017 14:25:00 -0000
Reply-to: Bug 1654183 <1654183@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This issue is still present for Horizon in Newton, any chance to
backport the Horizon fixes there?

To reproduce:

- Install devstack from stable/newton
- Run stack.sh
- sudo -H pip install -U python-openstackclient
- sudo systemctl restart apache2

=> All nova related tabs like Admin/Flavors log out the Session with
auth failure.

Doing "sudo -H pip install python-novaclient==6.0.0 -U" and apache2
restart resolves the issue.

** Changed in: horizon
       Status: Invalid => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1654183

Title:
  Token based authentication in Client class does not work

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in python-novaclient:
  Fix Released
Status in tripleo:
  Fix Released
Status in tripleo-quickstart:
  Fix Released
Status in OpenStack DBaaS (Trove):
  Fix Released

Bug description:
  With newly released novaclient (7.0.0) it seems that token base
  authentication does not work in novaclient.client.Clinet.

  I have get back the following response from Nova server:

  Malformed request URL: URL's project_id
  'e0beb44615f34d54b8a9a9203a3e5a1c' doesn't match Context's project_id
  'None' (HTTP 400)

  I just created the Nova client in following way:
  Client(
      2,
      endpoint_type="public",
      service_type='compute',
      auth_token=auth_token,
      tenant_id="devel",
      region_name="RegionOne",
      auth_url=keystone_url,
      insecure=True,
      endpoint_override=nova_endpoint #https://.../v2/e0beb44615f34d54b8a9a9203a3e5a1c
  )

  After it nova client performs a new token based authentication without
  project_id (tenant_id) and it causes that the new token does not
  belong to any project. Anyway if we have a token already why
  novaclient requests a new one from keystone? (Other clients like Heat
  and Neutron for example does not requests any token from keystone if
  it is already provided for client class)

  The bug is introduced by follwoig commit:
  https://github.com/openstack/python-novaclient/commit/8409e006c5f362922baae9470f14c12e0443dd70

  +        if not auth and auth_token:
  +            auth = identity.Token(auth_url=auth_url,
  +                                  token=auth_token)

  When project_id is also passed into Token authentication than
  everything works fine. So newly requested token belongs to right
  project/tenant.

  Note: Originally this problem appears in Mistral project of OpenStack,
  which is using the client classes directly from their actions with
  token based authentication.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1654183/+subscriptions