yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1758359] Re: nova set-password fails if password already set

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date: Tue, 27 Mar 2018 00:34:35 -0000
Reply-to: Bug 1758359 <1758359@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

These APIs have been this way it seems since they were added (a long
time ago):

https://blueprints.launchpad.net/nova/+spec/get-password

It looks like the only way you can POST a new password for the instance
via the metadata API is if you first reset the password using the DELETE
method via the compute REST API (not the metadata service).

Presumably clearing the password is admin-only by default for security
purposes, i.e. so some other tenant user can't reset the password for
your instance and then post a new password for your guest to hack into
it.

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1758359

Title:
  nova set-password fails if password already set

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  If the nova password has been set, trying to set it again (with the
  purpose of re-setting the password) fails. Both the nova set-password
  command (couldn't find the counterpart in the openstack server help)
  as posting the password from inside the instance.

  This code seems to not have a retry, if the password is set it returns
  an error

          if meta_data.password:
              raise exc.HTTPConflict()

  https://github.com/openstack/nova/blob/master/nova/api/metadata/password.py#L65

  I'm running libvirt with KVM/qemu on Ocata. This bug is not related:
  https://bugs.launchpad.net/nova/+bug/1757061, that is the effect that
  happens after a password set fails.

  Could this be changed to allow password changing/resetting if a
  password has already been set? For example by accepting an HTTP DELETE
  request or allowing an empty password to trigger the reset? ('')

  The api does have such an endpoint but it's admin-only by default:
  https://developer.openstack.org/api-ref/compute/#clear-admin-password

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1758359/+subscriptions

References

[Bug 1758359] [NEW] nova set-password fails if password already set
From: Remy van Elst, 2018-03-23