[openstack-dev] [nova] reckoning time for nova ec2 stack
mriedem at linux.vnet.ibm.com
Thu Jan 15 22:49:37 UTC 2015
On 1/15/2015 11:40 AM, Matt Riedemann wrote:
> On 1/13/2015 9:27 PM, Matt Riedemann wrote:
>> On 1/13/2015 12:11 PM, Steven Hardy wrote:
>>> On Tue, Jan 13, 2015 at 10:00:04AM -0600, Matt Riedemann wrote:
>>>> Looks like the fix we merged didn't actually fix the problem. I have
>>>> a patch
>>>>  to uncap the boto requirement on master and it's failing the ec2
>>>> in tempest the same as before.
>>> FWIW, I just re-tested and boto 2.35.1 works fine for me locally, if you
>>> revert my patch it breaks again with "Signature not provided" errors
>>> all ec2 API requests).
>>> If you look at the failures in the log, it actually looks like a
>>> EC2ResponseError: EC2ResponseError: 401 Unauthorized
>>> This is not the same as the original error which rejected any request
>>> inside the nova API before even calling keystone with a message like
>>> AuthFailure: Signature not provided
>>> AFAICT this means my patch is working, and there's a different problem
>>> affecting only a subset of the ec2 boto tests.
>>> OpenStack Development Mailing List (not for usage questions)
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> Yeah, new bug reported, looks like we're hitting 401 Unauthorized errors
>> when trying to create security groups in the test:
> I have a debug patch up here to try and recreate the tempest failures
> with latest boto but using a nova debug change also to get more
> information when we fail.
I finally narrowed this down to some code in keystone where it generates
a signature and compares that to what nova is passing in on the request
for ec2 credentials and they are different so keystone is rejecting the
request with a 401.
I'm assuming something needs to change in keystone to support the
version 4 format?
More information about the OpenStack-dev