WaitCondition notification breaks in-instance credentials

Bug #1144996 reported by Steven Hardy
Affects: OpenStack Heat | Status: Fix Released | Importance: High | Assigned to: Angus Salkeld

Bug Description

Since https://review.openstack.org/#/c/23156/ got merged, we have a problem where after a WaitCondition notification happens, we break the /etc/cfn/cfn-credentials file contents.

This happens because the keystone user associated with the WaitCondition doesn't have permission to read the secret key of the user associated with the cfn-credentials file.

So e.g. in the nested loadbalancer resource template, the Fn::GetAtt CfnLBAccessKey resolves to the error value of "000-000-000", so after the next cfn-hup all communication from inside the instance is broken permanently.

I'm not sure of the best way to fix this yet - possible options:

1 - Store the secret key in our DB (e.g. encoded as part of the logical resource ID for the AccessKey resource). This is what I was trying to avoid with the current AccessKey implementation, so I'm not keen on this, and it has the added disadvantage that it opens up access to the secret key to any user who has access to the stack (whereas currently only admin users or the actual in-instance user can read it).

2 - Use the stored admin context to refresh the per-resource metadata after the WaitCondition notification arrives (the new refresh logic in service.py::metadata_update()) - I guess this is the way to go, but it doesn't seem that nice to allow the (deliberately unprivileged) WaitCondition user to trigger actions in the admin context.

Any other ideas?
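As an added illustration of the failure mode described in this report (example code written here, not code from Heat or from the reporter), the small Python model below mirrors the two contexts involved: the AccessKey secret is readable only by an admin or by the key's own user, so re-resolving the cfn-credentials metadata under the WaitCondition signaller's context stores the "000-000-000" error value, whereas re-resolving under the stack's stored admin context (option 2) keeps the real secret. The class and function names, the role check, and the guard that refuses to persist credentials containing the error value are all assumptions of this example, not Heat's API.

```python
"""Toy model of bug 1144996: which context a metadata refresh runs under.

Added example; names, roles and the guard below are assumptions, not Heat code.
"""
from dataclasses import dataclass, field
from typing import Optional

# The sentinel the bug report says Fn::GetAtt resolves to when the
# secret cannot be read.
ERROR_VALUE = "000-000-000"


@dataclass(frozen=True)
class Context:
    """A request context: the acting user and its roles (assumed model)."""
    user: str
    roles: frozenset = frozenset()


@dataclass
class AccessKey:
    """Models the AccessKey resource: the secret lives in Keystone, not in
    Heat's DB, and only an admin or the owning user may read it."""
    owner: str
    secret: str

    def get_secret(self, ctx: Context) -> str:
        if "admin" in ctx.roles or ctx.user == self.owner:
            return self.secret
        # Unprivileged caller: the resolver falls back to the error value.
        return ERROR_VALUE


def credentials_poisoned(creds: dict) -> bool:
    """True when the resolved credentials carry the error sentinel."""
    return creds.get("AWSSecretKey") == ERROR_VALUE


@dataclass
class Stack:
    """A stack with the context it was created under and one AccessKey."""
    stored_ctx: Context          # the "stored admin context" from the report
    access_key: AccessKey
    metadata: dict = field(default_factory=dict)

    def resolve_credentials(self, ctx: Context) -> dict:
        """Re-resolve the Fn::GetAtt for the key's secret under ctx."""
        return {
            "AWSAccessKeyId": self.access_key.owner,
            "AWSSecretKey": self.access_key.get_secret(ctx),
        }

    def refresh_metadata(self, ctx: Context, guard: bool = True) -> dict:
        """Persist the cfn-credentials metadata resolved under ctx.

        With guard=True (assumed hardening) a resolution that produced the
        error value is rejected instead of overwriting good credentials."""
        creds = self.resolve_credentials(ctx)
        if guard and credentials_poisoned(creds):
            raise ValueError("refusing to persist cfn-credentials with error value")
        self.metadata["cfn-credentials"] = creds
        return creds


def signal_buggy(stack: Stack, signal_ctx: Context) -> dict:
    """Pre-fix behaviour: refresh runs under the WaitCondition user's context."""
    return stack.refresh_metadata(signal_ctx, guard=False)


def signal_fixed(stack: Stack, signal_ctx: Context) -> dict:
    """Option 2: the signal only triggers the refresh; the refresh itself
    runs under the stack's stored context, never the signaller's."""
    del signal_ctx  # the signaller's identity is not used for resolution
    return stack.refresh_metadata(stack.stored_ctx)


def safe_refresh(stack: Stack, ctx: Context) -> Optional[dict]:
    """Guarded refresh under ctx; None when the guard rejected the result."""
    try:
        return stack.refresh_metadata(ctx, guard=True)
    except ValueError:
        return None


def make_stack() -> Stack:
    """Constructed sample stack: admin stored context, one in-instance key."""
    return Stack(
        stored_ctx=Context("heat-admin", frozenset({"admin"})),
        access_key=AccessKey(owner="cfn-lb-user", secret="constructed-secret"),
    )


def waitcond_ctx() -> Context:
    """The deliberately unprivileged WaitCondition user (constructed)."""
    return Context("waitcond-user")


if __name__ == "__main__":
    print("buggy:", signal_buggy(make_stack(), waitcond_ctx()))
    print("fixed:", signal_fixed(make_stack(), waitcond_ctx()))
```

The guard is orthogonal to the fix: even with option 2 in place, refusing to persist metadata whose secret resolved to the error value stops a future regression from silently breaking every instance's cfn-hup on the next poll.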

Steven Hardy (shardy)
Changed in heat:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Steven Hardy (shardy)
milestone: none → grizzly-rc1
assignee: Steven Hardy (shardy) → nobody
description: updated
Angus Salkeld (asalkeld)
Changed in heat:
assignee: nobody → Angus Salkeld (asalkeld)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/23545

Changed in heat:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/23546

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/23545
Committed: http://github.com/openstack/heat/commit/431456d08e7d7409539f787052a08d872a7e079e
Submitter: Jenkins
Branch: master

commit 431456d08e7d7409539f787052a08d872a7e079e
Author: Angus Salkeld <email address hidden>
Date: Tue Mar 5 22:46:06 2013 +1100

    Prevent shadowing of the "context" module/parameter

    Keep the module name true.
    part of bug 1144996

    Change-Id: Idb8c5a8190bbb7f81d70c1a95bf5352791f87693
    Signed-off-by: Angus Salkeld <email address hidden>

Changed in heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/23546
Committed: http://github.com/openstack/heat/commit/dcb3f2aa81e94036ca24f79ac1cdbc8d3bad3207
Submitter: Jenkins
Branch: master

commit dcb3f2aa81e94036ca24f79ac1cdbc8d3bad3207
Author: Angus Salkeld <email address hidden>
Date: Wed Mar 6 09:45:56 2013 +1100

    When updating the metadata load the stack with the stored context

    bug 1144996
    Signed-off-by: Angus Salkeld <email address hidden>

    Change-Id: I2b0547f4867f19f8319e2c4b79ac325ae8cd6bd8

Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: grizzly-rc1 → 2013.1