Deprecated_auth does not seem to be working

Asked by Stuart Stent

Deprecated auth does not seem to be working.

Users were created using nova-manage. Even a default user can see all other projects' instances and terminate them.

Tested using both eucatools and hybridfox

-------------------------------
#Packages -- From Grid Dynamics

openstack-nova.noarch 1:2011.3-b2083
openstack-nova-api.noarch 1:2011.3-b2083
openstack-nova-objectstore.noarch 1:2011.3-b2083
openstack-nova-scheduler.noarch 1:2011.3-b2083
openstack-nova-vncproxy.noarch 1:2011.3-b2083

--------------------

#nova.conf

--verbose=true
--ec2_url=http://10.5.115.31:8773/services/Cloud
--s3_host=10.5.115.31
--rabbit_host=10.5.115.31
--sql_connection=mysql://XXXX:XXXX@10.5.115.33/nova
--use_s3=true
--libvirt_type=kvm
--use_syslog=false
--node_availability_zone=nova
--logdir=/var/log/nova
--logging_context_format_string=%(asctime)s %(name)s: %(levelname)s [%(request_id)s %(user_id)s %(project_id)s] %(message)s
--logging_default_format_string=%(asctime)s %(name)s: %(message)s
--logging_debug_format_suffix=from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d
--use_cow_images=true
--auth_driver=nova.auth.dbdriver.DbDriver
--compute_scheduler_driver=nova.scheduler.simple.SimpleScheduler
--volume_scheduler_driver=nova.scheduler.simple.SimpleScheduler
--glance_api_servers=10.5.115.43:9292
--image_service=nova.image.glance.GlanceImageService
--use_ipv6=false
--ca_path=/var/lib/nova/CA
--keys_path=/var/lib/nova/keys
--images_path=/var/lib/nova/images
--buckets_path=/var/lib/nova/buckets
--instances_path=/var/lib/nova/instances
--networks_path=/var/lib/nova/networks
--injected_network_template_dir=/usr/share/nova/interfaces/
--libvirt_xml_template=/usr/share/nova/libvirt.xml.template
--vpn_client_template=/usr/share/nova/client.ovpn.template
--credentials_template=/usr/share/nova/novarc.template
--state_path=/var/lib/nova
--lock_path=/var/lib/nova/tmp
--vnc_enabled=true
--vncproxy_url=http://10.5.96.31:6080
--vncserver_host=10.5.96.31
--vnc_token_ttl=300
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--public_interface=br96
--network_manager=nova.network.manager.FlatDHCPManager
--flat_network_bridge=br100
--volume_manager=nova.volume.manager.VolumeManager
--multi_host=T
--fixed_range=10.100.0.0/20
--network_size=4094
--my_ip=10.5.115.31
--multi_host=T
--floating_range=10.5.96.0/20
--iscsi_ip_prefix=10.100.16
--routing_source_ip=10.5.96.31
--noallow_same_net_traffic
--send_arp_for_ha
--use_deprecated_auth=true

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee

Vish Ishaya (vishvananda) said :
#1

a) you might have more luck using [no] for flags instead of =true =false
--use_deprecated_auth
--nouse_syslog
....
b) you have to switch the middleware stack in the api-paste.ini to use deprecated auth as well

otherwise you are actually using noauth

Vish

On Feb 23, 2012, at 2:50 PM, Stuart Stent wrote:

> New question #188683 on OpenStack Compute (nova):
> https://answers.launchpad.net/nova/+question/188683

Stuart Stent (stuart-stent) said :
#2

Making the change to api-paste.ini throws the following:

2012-02-23 18:35:49,746 nova: File contains parsing errors: /etc/nova/api-paste.ini
    [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n'
    [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n'
(nova): TRACE: Traceback (most recent call last):
(nova): TRACE: File "/usr/bin/nova-api", line 51, in <module>
(nova): TRACE: servers.append(service.WSGIService(api))
(nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/service.py", line 294, in __init__
(nova): TRACE: self.app = self.loader.load_app(name)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/nova/wsgi.py", line 411, in load_app
(nova): TRACE: return deploy.loadapp("config:%s" % self.config_path, name=name)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 204, in loadapp
(nova): TRACE: return loadobj(APP, uri, name=name, **kw)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 224, in loadobj
(nova): TRACE: global_conf=global_conf)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 248, in loadcontext
(nova): TRACE: global_conf=global_conf)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 275, in _loadconfig
(nova): TRACE: loader = ConfigLoader(path)
(nova): TRACE: File "/usr/lib/python2.6/site-packages/paste/deploy/loadwsgi.py", line 345, in __init__
(nova): TRACE: self.parser.read(filename)
(nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 286, in read
(nova): TRACE: self._read(fp, filename)
(nova): TRACE: File "/usr/lib64/python2.6/ConfigParser.py", line 510, in _read
(nova): TRACE: raise e
(nova): TRACE: ParsingError: File contains parsing errors: /etc/nova/api-paste.ini
(nova): TRACE: [line 82]: ' pipeline = faultwrap auth ratelimit osapiapp10\n'
(nova): TRACE: [line 87]: ' pipeline = faultwrap auth ratelimit extensions osapiapp11\n'
(nova): TRACE:

/////////////////////////////////////////////////////////////////////////////
api-paste.ini
////////////////////////////////////

#######
# EC2 #
#######

[composite:ec2]
use = egg:Paste#urlmap
/: ec2versions
/services/Cloud: ec2cloud
/services/Admin: ec2admin
/latest: ec2metadata
/2007-01-19: ec2metadata
/2007-03-01: ec2metadata
/2007-08-29: ec2metadata
/2007-10-10: ec2metadata
/2007-12-15: ec2metadata
/2008-02-01: ec2metadata
/2008-09-01: ec2metadata
/2009-04-04: ec2metadata
/1.0: ec2metadata

[pipeline:ec2cloud]
#pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate cloudrequest authorizer ec2executor

[pipeline:ec2admin]
#pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
# NOTE(vish): use the following pipeline for deprecated auth
pipeline = logrequest authenticate adminrequest authorizer ec2executor

[pipeline:ec2metadata]
pipeline = logrequest ec2md

[pipeline:ec2versions]
pipeline = logrequest ec2ver

[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:authenticate]
paste.filter_factory = nova.api.ec2:Authenticate.factory

[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:adminrequest]
controller = nova.api.ec2.admin.AdminController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory

[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory

[app:ec2ver]
paste.app_factory = nova.api.ec2:Versions.factory

[app:ec2md]
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory

#############
# Openstack #
#############

[composite:osapi]
use = egg:Paste#urlmap
/: osversions
/v1.0: openstackapi10
/v1.1: openstackapi11

[pipeline:openstackapi10]
#pipeline = faultwrap noauth ratelimit osapiapp10
# NOTE(vish): use the following pipeline for deprecated auth
 pipeline = faultwrap auth ratelimit osapiapp10

[pipeline:openstackapi11]
#pipeline = faultwrap noauth ratelimit extensions osapiapp11
# NOTE(vish): use the following pipeline for deprecated auth
 pipeline = faultwrap auth ratelimit extensions osapiapp11

[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory

[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory

[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

[filter:ratelimit]
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory

[filter:extensions]
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory

[app:osapiapp10]
paste.app_factory = nova.api.openstack:APIRouterV10.factory

[app:osapiapp11]
paste.app_factory = nova.api.openstack:APIRouterV11.factory

[pipeline:osversions]
pipeline = faultwrap osversionapp

[app:osversionapp]
paste.app_factory = nova.api.openstack.versions:Versions.factory

Stuart Stent (stuart-stent) said :
#3

Fixed. Had a space in front of the 2 lines that threw the error
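
An added example, not part of the thread or of nova: a small Python audit for the two problems discussed above, option lines that start with whitespace (what the ParsingError in #2 points at) and pipelines that still route through a no-auth filter (what #1 warns about). The function name and the sample file are this example's own, and it assumes the old ConfigParser behaviour seen in the traceback; the factory names come from the api-paste.ini posted above.

```python
import re

# Filter factories that skip credential checks, as named in the api-paste.ini above.
NOAUTH_FACTORIES = {"nova.api.ec2:NoAuth.factory",
                    "nova.api.openstack.auth:NoAuthMiddleware.factory"}
OPTION = re.compile(r"([^:=\s][^:=]*?)\s*[:=]\s*(.*)$")

def audit_paste_ini(text):
    """Return (indented option lines, {pipeline: [noauth filters]})."""
    sections, indent_errors, last_key = {"": {}}, [], None
    current = sections[""]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current, last_key = sections.setdefault(line[1:-1], {}), None
            continue
        if raw[0].isspace():
            if last_key is not None:      # continuation of the previous option
                current[last_key] += " " + line
                continue
            # Indented first option of a section: nothing to continue (assumed parse error).
            indent_errors.append((lineno, raw))
        match = OPTION.match(line)
        if match:                         # keep the value so the audit still sees it
            last_key = match.group(1)
            current[last_key] = match.group(2)
    noauth = {}
    for name, opts in sections.items():
        stages = opts.get("pipeline", "").split() if name.startswith("pipeline:") else []
        bad = [s for s in stages
               if sections.get("filter:" + s, {}).get("paste.filter_factory") in NOAUTH_FACTORIES]
        if bad:
            noauth[name.split(":", 1)[1]] = bad
    return indent_errors, noauth

# Constructed sample: a cut-down api-paste.ini showing both problems.
SAMPLE = """\
[pipeline:ec2cloud]
pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
[pipeline:openstackapi11]
#pipeline = faultwrap noauth ratelimit extensions osapiapp11
 pipeline = faultwrap auth ratelimit extensions osapiapp11
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory
"""

if __name__ == "__main__":
    errors, noauth = audit_paste_ini(SAMPLE)
    print("indented option lines:", errors)
    print("pipelines without authentication:", noauth)
```

Run against the real /etc/nova/api-paste.ini before restarting nova-api, an empty result for both values means the file parses and every pipeline that names an auth stage uses a real one.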

Vish Ishaya (vishvananda) said :
#4

Not sure why it isn't parsing properly. Perhaps delete the commented lines?

On Feb 23, 2012, at 3:45 PM, Stuart Stent wrote:

> Question #188683 on OpenStack Compute (nova) changed:
> https://answers.launchpad.net/nova/+question/188683
