[openstack-dev] [nova] reckoning time for nova ec2 stack

Steven Hardy shardy at redhat.com
Fri Jan 9 16:17:28 UTC 2015


On Fri, Jan 09, 2015 at 09:11:50AM -0500, Sean Dague wrote:
> boto 2.35.0 just released, and makes hmac-v4 authentication mandatory
> for EC2 end points (it has been optionally supported for a long time).
> 
> Nova's EC2 implementation does not do this.
> 
> The short term approach is to pin boto -
> https://review.openstack.org/#/c/146049/, which I think is a fine long
> term fix for stable/, but in master not supporting new boto, which
> people are likely to deploy, doesn't really seem like an option.
> 
> https://bugs.launchpad.net/tempest/+bug/1408987 is the bug.
> 
> I don't think shipping an EC2 API in Kilo that doesn't work with recent
> boto is a thing Nova should do. Do we have volunteers to step up and fix
> this, or do we need to get more aggressive about deprecating this interface?

I'm not stepping up to maintain the EC2 API, but the auth part of it is
very similar to heat's auth (which does support hmac-v4), so I hacked on
the nova API a bit to align with the way heat does things:

https://review.openstack.org/#/c/146124/ (WIP)

This needs some more work, but AFAICS solves the actual auth part which is
quite simply fixed by reusing some code we have in heat's ec2token middleware.

If this is used, we could extract the common parts and/or use a common auth
middleware in future, assuming the EC2 implementation as a whole isn't
deemed unmaintained and removed that is.

Steve



More information about the OpenStack-dev mailing list