Nova returns HTTP 400 for SignatureVersion=1 requests
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
Medium
|
Todd Willey |
Bug Description
Some Amazon EC2 clients like HybridFox and tAWS (http://
nova checks (implicitly?) assuming all requests are signed using SignatureVersion=2. The essential difference of version 1 and 2 is that version 1 requests do not contain SignatureMethod.
Thus, __call__ of class Requestify defined in NOVA_SRC/
I would suggest the following fix, but maybe it's better checking SignatureVersion and pop SignatureMethod from only version2 request string.
I checked the attached patch for nova 645, but the issue is alive in also trunk HEAD.
Signed-off-by: Masanori Itoh <email address hidden>
=== modified file 'nova/api/
--- nova/api/
+++ nova/api/
@@ -204,7 +204,8 @@
action = req.params[
for non_arg in non_args:
# Remove, but raise KeyError if omitted
- args.pop(non_arg)
+ if non_arg in args:
+ args.pop(non_arg)
except:
raise webob.exc.
Related branches
- Masanori Itoh (community): Approve
- Jay Pipes (community): Approve
- Devin Carlen (community): Approve
-
Diff: 16 lines (+6/-0)1 file modifiednova/api/ec2/__init__.py (+6/-0)
Changed in nova: | |
assignee: | nobody → Todd Willey (xtoddx) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in nova: | |
status: | In Progress → Fix Committed |
Changed in nova: | |
milestone: | none → 2011.2 |
status: | Fix Committed → Fix Released |
I've linked a branch that fixes this now. I decided to be more explicit and only ignore the SignatureMethod if we are on SignatureVersion=1. This lets other keys still raise exceptions, so we can continue to catch bad requests early. Please let me know if this doesn't fix your issue.