Public bug reported:
The Key Manger for Barbican, implemented in Nova and Cinder, caches a value of
barbican_client to save extra
calls to Keystone for authentication. However, the cached value of
barbican_client is only valid for the current
context. A check needs to be made to ensure the context has not changed before
using the saved value.
The symptoms for using a stale cache value include getting the following error
message when creating
an encrypted volume.
>From CLI:
---------------
openstack volume create --size 1 --type LUKS encrypted_volume
The server has either erred or is incapable of performing the requested
operation. (HTTP 500) (Request-ID: req-aea6be92-020e-41ed-ba88-44a1f5235ab0)
In cinder.log
-------------------
2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call
last):
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py",
line 82, in _exe
cute_task
2015-12-03 09:09:03.648 TRACE cinder.volume.api result =
task.execute(**arguments)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 409, in
execute
2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 338, in
_get_encryption_key_
id
2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id =
key_manager.create_key(context)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/keymgr/barbican.py", line 147, in create_key
2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(_LE("Error
creating key."))
….
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post
2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url,
'POST', **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args, **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 402, in
request
2015-12-03 09:09:03.648 TRACE cinder.volume.api raise
exceptions.from_response(resp, method, url)
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you
have made requires authentication. (Disable debug mode to suppress these
details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
** Affects: cinder
Importance: Undecided
Assignee: Dave McCowan (dave-mccowan)
Status: In Progress
** Affects: nova
Importance: Undecided
Assignee: Dave McCowan (dave-mccowan)
Status: In Progress
** Also affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1523646
Title:
Nova/Cinder Key Manager for Barbican Uses Stale Cache
Status in Cinder:
In Progress
Status in OpenStack Compute (nova):
In Progress
Bug description:
The Key Manger for Barbican, implemented in Nova and Cinder, caches a value
of barbican_client to save extra
calls to Keystone for authentication. However, the cached value of
barbican_client is only valid for the current
context. A check needs to be made to ensure the context has not changed
before using the saved value.
The symptoms for using a stale cache value include getting the following
error message when creating
an encrypted volume.
From CLI:
---------------
openstack volume create --size 1 --type LUKS encrypted_volume
The server has either erred or is incapable of performing the requested
operation. (HTTP 500) (Request-ID: req-aea6be92-020e-41ed-ba88-44a1f5235ab0)
In cinder.log
-------------------
2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call
last):
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py",
line 82, in _exe
cute_task
2015-12-03 09:09:03.648 TRACE cinder.volume.api result =
task.execute(**arguments)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 409, in
execute
2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 338, in
_get_encryption_key_
id
2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id =
key_manager.create_key(context)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/opt/stack/cinder/cinder/keymgr/barbican.py", line 147, in create_key
2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(_LE("Error
creating key."))
….
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post
2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url,
'POST', **kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args,
**kwargs)
2015-12-03 09:09:03.648 TRACE cinder.volume.api File
"/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 402, in
request
2015-12-03 09:09:03.648 TRACE cinder.volume.api raise
exceptions.from_response(resp, method, url)
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you
have made requires authentication. (Disable debug mode to suppress these
details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1523646/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
