Public bug reported: The Key Manger for Barbican, implemented in Nova and Cinder, caches a value of barbican_client to save extra calls to Keystone for authentication. However, the cached value of barbican_client is only valid for the current context. A check needs to be made to ensure the context has not changed before using the saved value.
The symptoms for using a stale cache value include getting the following error message when creating an encrypted volume. >From CLI: --------------- openstack volume create --size 1 --type LUKS encrypted_volume The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-aea6be92-020e-41ed-ba88-44a1f5235ab0) In cinder.log ------------------- 2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call last): 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py", line 82, in _exe cute_task 2015-12-03 09:09:03.648 TRACE cinder.volume.api result = task.execute(**arguments) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 409, in execute 2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 338, in _get_encryption_key_ id 2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id = key_manager.create_key(context) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/keymgr/barbican.py", line 147, in create_key 2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(_LE("Error creating key.")) …. 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post 2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url, 'POST', **kwargs) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner 2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args, **kwargs) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 402, in request 2015-12-03 09:09:03.648 TRACE cinder.volume.api raise exceptions.from_response(resp, method, url) 2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270) ** Affects: cinder Importance: Undecided Assignee: Dave McCowan (dave-mccowan) Status: In Progress ** Affects: nova Importance: Undecided Assignee: Dave McCowan (dave-mccowan) Status: In Progress ** Also affects: nova Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1523646 Title: Nova/Cinder Key Manager for Barbican Uses Stale Cache Status in Cinder: In Progress Status in OpenStack Compute (nova): In Progress Bug description: The Key Manger for Barbican, implemented in Nova and Cinder, caches a value of barbican_client to save extra calls to Keystone for authentication. However, the cached value of barbican_client is only valid for the current context. A check needs to be made to ensure the context has not changed before using the saved value. The symptoms for using a stale cache value include getting the following error message when creating an encrypted volume. From CLI: --------------- openstack volume create --size 1 --type LUKS encrypted_volume The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-aea6be92-020e-41ed-ba88-44a1f5235ab0) In cinder.log ------------------- 2015-12-03 09:09:03.648 TRACE cinder.volume.api Traceback (most recent call last): 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py", line 82, in _exe cute_task 2015-12-03 09:09:03.648 TRACE cinder.volume.api result = task.execute(**arguments) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 409, in execute 2015-12-03 09:09:03.648 TRACE cinder.volume.api source_volume) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/volume/flows/api/create_volume.py", line 338, in _get_encryption_key_ id 2015-12-03 09:09:03.648 TRACE cinder.volume.api encryption_key_id = key_manager.create_key(context) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/opt/stack/cinder/cinder/keymgr/barbican.py", line 147, in create_key 2015-12-03 09:09:03.648 TRACE cinder.volume.api LOG.exception(_LE("Error creating key.")) …. 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post 2015-12-03 09:09:03.648 TRACE cinder.volume.api return self.request(url, 'POST', **kwargs) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner 2015-12-03 09:09:03.648 TRACE cinder.volume.api return func(*args, **kwargs) 2015-12-03 09:09:03.648 TRACE cinder.volume.api File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 402, in request 2015-12-03 09:09:03.648 TRACE cinder.volume.api raise exceptions.from_response(resp, method, url) 2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270) To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1523646/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp