Public bug reported:

Description
===========
In the interaction between nova-api and cinder, it is possible to enable the required check of service_user tokens. When I try to explicitly turn off the sending of the user’s service token and enable the mandatory check of its availability on the receiving side, I do not get the expected error because the X-Service-Token header is still sent by nova-api.

Steps to reproduce
==================
cinder includes required token checking:

[keystone_authtoken]
...
service_token_roles = admin
service_token_roles_required = true

in nova, token sending is explicitly disabled and the user service is not set:

[service_user]
send_service_user_token = false

verification is performed on the example of the operation of volume attach:

openstack server add volume 0801102f-f9ba-42c5-b32a-85b4a7465122 a7fd514c-c871-4f69-a89f-bd44864a5814 --device /dev/vdb

Expected result
===============
with this configuration, error 401 is expected

Actual result
=============
no errors occur and the attach operation is successful.
multiple checks were made including the option to completely restart the servers

Environment
===========
CentOS 7
release: train
nova: 15.1.0
cinder: 5.0.0

Logs & Configs
==============
we intercept requests that go to the cinder port (8776) and we see that 192.168.50.81.49226 (which is the nova-api process) sends requests with the X-Service-Token header (which we previously disabled in nova.conf).
Full log (req/res) of adding volume in attachment.

[root@centos ~]# tcpdump -i enp2s0f0 -n -S -s 1024 -A 'tcp dst port 8776'
06:20:21.870330 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696694971:1696695677, ack 922604522, win 58, options [nop,nop,TS val 3747722 ecr 3644290], length 706
E....5@[email protected]"He!..6......:.......
.9/..7..GET /v3/27c47772a3f442e4a81decb6b68e8376/volumes/a7fd514c-c871-4f69-a89f-bd44864a5814 HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-cinderclient
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6
06:20:22.184182 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922606483, win 65, options [nop,nop,TS val 3748036 ecr 3644604], length 0
E..4.6@[email protected]"He!.}6......A.......
.90..7..
06:20:22.547486 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696695677:1696696271, ack 922606483, win 65, options [nop,nop,TS val 3748399 ecr 3644604], length 594
E....7@[email protected]"He!.}6......AG......
.92/.7..GET / HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: nova-api keystoneauth1/3.17.1 python-requests/2.21.0 CPython/2.7.5
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
06:20:22.553939 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922607474, win 71, options [nop,nop,TS val 3748405 ecr 3644974], length 0
E..4.8@[email protected]"He!..6..r...G.......
.925.7..
06:20:22.564940 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696696271:1696697181, ack 922607474, win 71, options [nop,nop,TS val 3748416 ecr 3644974], length 910
E....9@.@.. ..2Q..2P.J"He!..6..r...G.......
[email protected] /v3/27c47772a3f442e4a81decb6b68e8376/attachments HTTP/1.1
Host: 192.168.50.80:8776
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-cinderclient
X-Service-Token: gAAAAABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0
X-Auth-Token: gAAAAABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg
OpenStack-API-Version: volume 3.44
Content-Type: application/json
X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6
Content-Length: 147

** Affects: nova
     Importance: Undecided
         Status: New

** Attachment added: "with_disabled_service_user.log"
   https://bugs.launchpad.net/bugs/1861493/+attachment/5324405/+files/with_disabled_service_user.log

https://bugs.launchpad.net/bugs/1861493

Title:
  Nova sends an "X-Service-Token" header when "send_service_user_token" is disabled

Status in OpenStack Compute (nova):
  New
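
A way to repeat the comparison made in the report (nova.conf setting versus what is seen on the wire), as an added example that is not part of the bug report or of nova: it reads `send_service_user_token` from nova.conf text and lists the requests in `tcpdump -A` output that still carry `X-Service-Token`. The function names, the treatment of an unset option as false, and the sample capture with placeholder tokens are assumptions of this example.

```python
import configparser
import re

# Packet line from `tcpdump -n`: "HH:MM:SS.us IP src > dst: ..."
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): ", re.M)
REQ = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/1\.[01]")
HDR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*?)[ \t\r]*$", re.M)


def sending_enabled(nova_conf_text):
    """[service_user]/send_service_user_token; unset is assumed to mean false."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(nova_conf_text)
    return cp.getboolean("service_user", "send_service_user_token", fallback=False)


def requests_in_capture(capture_text):
    """Yield (time, src, method, path, headers) for each HTTP request seen."""
    marks = list(PKT.finditer(capture_text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(capture_text)
        req = REQ.search(capture_text, m.end(), end)
        if not req:
            continue  # bare ACK or a segment without a request line
        headers = {k.lower(): v for k, v in HDR.findall(capture_text, req.end(), end)}
        yield m.group(1), m.group(2), req.group(1), req.group(2), headers


def audit(nova_conf_text, capture_text):
    """Requests that carry X-Service-Token although nova.conf disables sending."""
    if sending_enabled(nova_conf_text):
        return []
    return [(t, src, method, path, h.get("user-agent", "?"))
            for t, src, method, path, h in requests_in_capture(capture_text)
            if "x-service-token" in h]


# Constructed sample in the shape of the report's capture; tokens are placeholders.
CONF = "[service_user]\nsend_service_user_token = false\n"
CAPTURE = """\
06:20:21.870330 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], length 706
E....GET /v3/PROJECT/volumes/VOLUME HTTP/1.1
User-Agent: python-cinderclient
X-Service-Token: SERVICE-TOKEN-PLACEHOLDER
X-Auth-Token: USER-TOKEN-PLACEHOLDER
06:20:22.184182 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], length 0
"""

if __name__ == "__main__":
    print(audit(CONF, CAPTURE))
```

Grouping the findings by the `User-Agent` value separates requests issued through python-cinderclient from those issued by the nova-api keystoneauth session, both of which appear in the capture above.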

