OpenStack Compute (nova)

Merge lp:~dan-prince/nova/bug723897 into lp:~hudson-openstack/nova/trunk

  1. bug723897
  2. Merge into trunk
Proposed by Dan Prince
Status: Merged
Approved by: Paul Voccio
Approved revision: 721
Merged at revision: 727
Proposed branch: lp:~dan-prince/nova/bug723897
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 71 lines (+7/-11)
3 files modified
nova/api/openstack/auth.py (+2/-2)
nova/tests/api/openstack/fakes.py (+2/-6)
nova/tests/api/openstack/test_auth.py (+3/-3)
To merge this branch: bzr merge lp:~dan-prince/nova/bug723897
Reviewer Review Type Date Requested Status
Paul Voccio (community) Approve
Ed Leafe (community) Approve
Vish Ishaya (community) Approve
justinsb (community) Disapprove
Rick Harris (community) Approve
Titan Pending
Review via email: mp+50987@code.launchpad.net

Description of the change

Revert commit 709. This fixes issues with the Openstack API causing 'No user for access key admin' errors.

To post a comment you must log in.
Revision history for this message
justinsb (justin-fathomdb) wrote :

As I posed on the bug report, I think this is just that the credentials in novarc are wrong. I'm working on a bugfix right now, should just be a few minutes.

Revision history for this message
Rick Harris (rconradharris) wrote :

Since r709 is a serious blocker at the moment, I'm voting to revert this immediately so that we can have a good back-and-forth debate on The Right Way without holding up continuing development against trunk.

review: Approve
Revision history for this message
justinsb (justin-fathomdb) wrote :

The OpenStack API and the EC2 API should have the same set of credentials. Nothing else makes sense from a user point of view: users should not need to know which API an app is written to in order to pick the correct set of credentials to use. That's what r709 does.

There is a very easy workaround (just use the EC2 credentials, removing the project name from the EC2 username) When my novarc patch lands, it becomes trivial (use the specified credentials). The OpenStack API is still unstable, so it's okay to break things now. Reverting r709 just postpones the pain of fixing OpenStack authentication.

To interested parties: there's lots more discussion on the linked bug :-)

review: Disapprove
Revision history for this message
Vish Ishaya (vishvananda) wrote :

reverting looks good for the moment, since that seems to be the option favored by the guys working most frequently with the os api.

review: Approve
Revision history for this message
Ed Leafe (ed-leafe) wrote :

Fix trunk first; fix code logic second. Makes sense to me.

review: Approve
Revision history for this message
justinsb (justin-fathomdb) wrote :

Trunk is not broken. The credentials that you have to use changed in r709, for the better.

I haven't seen anyone explain why this is a "serious blocker"... No offense to both people using the OpenStack API ;-)

Revision history for this message
Paul Voccio (pvo) wrote :

I agree with reverting. if we're going to change auth, we need to discuss this on the ML or have a BP before making the change. Don't disagree that it can't be changed but at the moment, this breaks quite a few environments that are depending on this to work as is.

review: Approve
Revision history for this message
justinsb (justin-fathomdb) wrote :

Which environments is it breaking? Why can't they apply the 60 second workaround?

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'nova/api/openstack/auth.py'
2--- nova/api/openstack/auth.py 2011-02-22 09:59:53 +0000
3+++ nova/api/openstack/auth.py 2011-02-23 20:04:29 +0000
4@@ -120,8 +120,8 @@
5 req - webob.Request object
6 """
7 ctxt = context.get_admin_context()
8- user = self.auth.get_user_from_access_key(username)
9- if user and user.secret == key:
10+ user = self.auth.get_user_from_access_key(key)
11+ if user and user.name == username:
12 token_hash = hashlib.sha1('%s%s%f' % (username, key,
13 time.time())).hexdigest()
14 token_dict = {}
15
16=== modified file 'nova/tests/api/openstack/fakes.py'
17--- nova/tests/api/openstack/fakes.py 2011-02-19 07:33:06 +0000
18+++ nova/tests/api/openstack/fakes.py 2011-02-23 20:04:29 +0000
19@@ -221,8 +221,7 @@
20 class FakeAuthManager(object):
21 auth_data = {}
22
23- def add_user(self, user):
24- key = user.id
25+ def add_user(self, key, user):
26 FakeAuthManager.auth_data[key] = user
27
28 def get_user(self, uid):
29@@ -235,10 +234,7 @@
30 return None
31
32 def get_user_from_access_key(self, key):
33- for k, v in FakeAuthManager.auth_data.iteritems():
34- if v.access == key:
35- return v
36- return None
37+ return FakeAuthManager.auth_data.get(key, None)
38
39
40 class FakeRateLimiter(object):
41
42=== modified file 'nova/tests/api/openstack/test_auth.py'
43--- nova/tests/api/openstack/test_auth.py 2011-02-19 07:33:06 +0000
44+++ nova/tests/api/openstack/test_auth.py 2011-02-23 20:04:29 +0000
45@@ -48,7 +48,7 @@
46
47 def test_authorize_user(self):
48 f = fakes.FakeAuthManager()
49- f.add_user(nova.auth.manager.User(1, 'herp', 'herp', 'derp', None))
50+ f.add_user('derp', nova.auth.manager.User(1, 'herp', None, None, None))
51
52 req = webob.Request.blank('/v1.0/')
53 req.headers['X-Auth-User'] = 'herp'
54@@ -62,7 +62,7 @@
55
56 def test_authorize_token(self):
57 f = fakes.FakeAuthManager()
58- f.add_user(nova.auth.manager.User(1, 'herp', 'herp', 'derp', None))
59+ f.add_user('derp', nova.auth.manager.User(1, 'herp', None, None, None))
60
61 req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'})
62 req.headers['X-Auth-User'] = 'herp'
63@@ -144,7 +144,7 @@
64
65 def test_authorize_token(self):
66 f = fakes.FakeAuthManager()
67- f.add_user(nova.auth.manager.User(1, 'herp', 'herp', 'derp', None))
68+ f.add_user('derp', nova.auth.manager.User(1, 'herp', None, None, None))
69
70 req = webob.Request.blank('/v1.0/')
71 req.headers['X-Auth-User'] = 'herp'