yahoo-eng-team team mailing list archive
Message #81474
[Bug 1861493] [NEW] Nova sends an "X-Service-Token" header when "send_service_user_token" is disabled
Public bug reported:
Description
===========
In the interaction between nova-api and cinder, it is possible to enable the required check of service_user tokens.
When I try to explicitly turn off the sending of the user’s service token and enable the mandatory check of its availability on the receiving side, I do not get the expected error because the X-Service-Token header is still sent by nova-api.
Steps to reproduce
==================
cinder includes required token checking:
[keystone_authtoken]
...
service_token_roles = admin
service_token_roles_required = true
in nova, token sending is explicitly disabled and the user service is not set:
[service_user]
send_service_user_token = false
verification is performed on the example of the operation of volume attach:
openstack server add volume 0801102f-f9ba-42c5-b32a-85b4a7465122 a7fd514c-c871-4f69-a89f-bd44864a5814 --device /dev/vdb
Expected result
===============
With this configuration, error 401 is expected.
Actual result
=============
No errors occur and the attach operation is successful.
Multiple checks were made, including the option to completely restart the servers.
Environment
===========
CentOS 7
release: train
nova: 15.1.0
cinder: 5.0.0
Logs & Configs
==============
We intercept requests that go to the cinder port (8776) and we see that 192.168.50.81.49226 (which is the nova-api process) sends requests with the X-Service-Token header (which we previously disabled in nova.conf). Full log (req/res) of adding volume in attachment.
[root@centos ~]# tcpdump -i enp2s0f0 -n -S -s 1024 -A 'tcp dst port 8776'
06:20:21.870330 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696694971:1696695677, ack 922604522, win 58, options [nop,nop,TS val 3747722 ecr 3644290], length 706
E....5@.@.....2Q..2P.J"He!..6......:.......
.9/..7..GET /v3/27c47772a3f442e4a81decb6b68e8376/volumes/a7fd514c-c871-4f69-a89f-bd44864a5814 HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-cinderclient
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6
06:20:22.184182 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922606483, win 65, options [nop,nop,TS val 3748036 ecr 3644604], length 0
E..4.6@.@.....2Q..2P.J"He!.}6......A.......
.90..7..
06:20:22.547486 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696695677:1696696271, ack 922606483, win 65, options [nop,nop,TS val 3748399 ecr 3644604], length 594
E....7@.@..H..2Q..2P.J"He!.}6......AG......
.92/.7..GET / HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: nova-api keystoneauth1/3.17.1 python-requests/2.21.0 CPython/2.7.5
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
06:20:22.553939 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922607474, win 71, options [nop,nop,TS val 3748405 ecr 3644974], length 0
E..4.8@.@.....2Q..2P.J"He!..6..r...G.......
.925.7..
06:20:22.564940 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696696271:1696697181, ack 922607474, win 71, options [nop,nop,TS val 3748416 ecr 3644974], length 910
E....9@.@..
..2Q..2P.J"He!..6..r...G.......
.92@xxxxxxxx /v3/27c47772a3f442e4a81decb6b68e8376/attachments HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-cinderclient
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
OpenStack-API-Version: volume 3.44
Content-Type: application/json
X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6
Content-Length: 147
** Affects: nova
Importance: Undecided
Status: New
** Attachment added: "with_disabled_service_user.log"
https://bugs.launchpad.net/bugs/1861493/+attachment/5324405/+files/with_disabled_service_user.log
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1861493
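Added example, not part of the original bug report or of nova: a small Python check that reads the [service_user] setting from nova.conf text and scans `tcpdump -A` style output for requests that still carry X-Service-Token. The capture and configuration below are constructed samples with placeholder token values, the function names are hypothetical, and a missing option is treated as disabled (an assumption).

```python
import configparser
import re

# Constructed nova.conf fragment with the setting from the report.
NOVA_CONF = "[service_user]\nsend_service_user_token = false\n"
# Constructed capture in `tcpdump -A` style; token values are placeholders.
CAPTURE = """\
06:20:21.870330 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], length 706
E....5@.@.GET /v3/PROJECT_ID/volumes/VOLUME_ID HTTP/1.1
Host: 192.168.50.80:8776
User-Agent: python-cinderclient
X-Service-Token: PLACEHOLDER_SERVICE_TOKEN
X-Auth-Token: PLACEHOLDER_USER_TOKEN
06:20:22.547486 IP 192.168.50.81.49230 > 192.168.50.80.8776: Flags [P.], length 300
E....7@.@.GET / HTTP/1.1
Host: 192.168.50.80:8776
X-Auth-Token: PLACEHOLDER_USER_TOKEN
"""

PACKET = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+):")
REQUEST = re.compile(r"\b([A-Z]+) (/\S*) HTTP/1\.[01]\s*$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")

def sending_enabled(conf_text):
    """Return [service_user]/send_service_user_token as a bool (absent = False)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("service_user", "send_service_user_token", fallback=False)

def parse_requests(capture):
    """Return one dict per HTTP request found in tcpdump -A text."""
    requests, src, cur = [], None, None
    for line in capture.splitlines():
        if (m := PACKET.match(line)):
            src, cur = m.group(1), None      # new packet: remember the sender
        elif (m := REQUEST.search(line)):    # request line follows the IP/TCP bytes
            cur = {"src": src, "method": m.group(1), "path": m.group(2), "headers": {}}
            requests.append(cur)
        elif cur is not None and (m := HEADER.match(line)):
            cur["headers"][m.group(1).lower()] = m.group(2)
    return requests

def unexpected_service_tokens(conf_text, capture):
    """Requests that carry X-Service-Token although sending is disabled."""
    if sending_enabled(conf_text):
        return []
    return [(r["src"], r["method"], r["path"])
            for r in parse_requests(capture) if "x-service-token" in r["headers"]]
```

A non-empty result from unexpected_service_tokens() means the configuration and the observed traffic disagree, which is the condition this report describes.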