Canonical Juju

RAX provider does not support api-key based auth

Bug #1617394 reported by Jose L. VG on 2016-08-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Triaged	Low	Unassigned

Bug Description

When using juju 2's rackspace cloud provider if you set access-key auth like this

credentials:
  rackspace:
    rax-creds:
      auth-type: access-key
      access-key: {username}
      secret-key: {apikey}
      tenant-name: "{tenant number}"

It won't work, you'll get:
"ERROR authentication failed.
..."

Instead you are forced to use the userpass auth-type and expose your website account password:

credentials:
  rackspace:
    rax-creds:
      auth-type: userpass
      password: {rack website account password}
      tenant-name: "{tenant number}"
      username: {username}

One would expect the default auth-type access-key to work, specially being more secure, as it uses the apikey, not the account password directly.

Tags:

Alexis Bruemmer (alexis-bruemmer) on 2016-08-29

Changed in juju:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Alexis Bruemmer (alexis-bruemmer)
milestone:	none → 2.0-beta18

Curtis Hovey (sinzui) on 2016-09-09

Changed in juju:
milestone:	2.0-beta18 → 2.0-beta19

Anastasia (anastasia-macmood) on 2016-09-11

Changed in juju:
milestone:	2.0-beta19 → 2.0-rc1

Richard Harding (rharding) on 2016-09-20

Changed in juju:
milestone:	2.0-rc1 → 2.0-rc2

Richard Harding (rharding) on 2016-09-29

Changed in juju:
assignee:	Alexis Bruemmer (alexis-bruemmer) → Richard Harding (rharding)

Revision history for this message

Nate Finch (natefinch) wrote on 2016-09-29:

Rackspace expects the name of the key to be "apiKey" and openstack is sending "access-key" which is the problem, I think.

Changed in juju:
assignee:	Richard Harding (rharding) → Nate Finch (natefinch)
status:	Triaged → In Progress

Revision history for this message

Nate Finch (natefinch) wrote on 2016-09-29:

PR here: https://github.com/juju/juju/pull/6357

Revision history for this message

Richard Harding (rharding) wrote on 2016-09-29:

We need to fully support the api-key method of auth and don't currently. Since much of the Rackspacee provider was copied from the OpenStack provider the access/secret-key auth doesn't apply.

We'll update to support api-key in a future release.

summary:	- RAX provider access-key auth-type does not work + RAX provider does not support api-key based auth
Changed in juju:
milestone:	2.0-rc2 → 2.1.0

Revision history for this message

Nate Finch (natefinch) wrote on 2016-09-29:

Rackspace has its own "username + apiKey" authentication that is different and special, and does not support openstack's access-key style authentication. See here: https://developer.rackspace.com/docs/cloud-identity/v2/general-api-info/authentication-info/sample-auth-req-response/#sample-request

For now we have disabled access-key as an authentication method, and we'll add support for the apiKey later.

Changed in juju:
status:	In Progress → Triaged
assignee:	Nate Finch (natefinch) → Richard Harding (rharding)

Anastasia (anastasia-macmood) on 2017-02-02

Changed in juju:
assignee:	Richard Harding (rharding) → nobody

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2017-02-14:

Removing 2.1 milestone as we will not be addressing this issue in 2.1.

Changed in juju:
milestone:	2.1.0 → none

Anastasia (anastasia-macmood) on 2019-06-20

Changed in juju:
assignee:	nobody → Anastasia (anastasia-macmood)
status:	Triaged → In Progress

Anastasia (anastasia-macmood) on 2019-06-20

Changed in juju:
assignee:	Anastasia (anastasia-macmood) → nobody
status:	In Progress → Triaged

Anastasia (anastasia-macmood) on 2019-06-20

Changed in juju:
status:	Triaged → In Progress
assignee:	nobody → Anastasia (anastasia-macmood)

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2019-06-20:

Rackspace provider does indeed have more than one authentication mechanism that are different from what Openstack provider supports. In addition to an already mentioned apiKey one, there is also a token one as well as the one that supports multi-factor authentication \o/
For detailed description, see https://developer.rackspace.com/docs/cloud-identity/v2/api-reference/token-operations/

In addition, even though at a first glance, it looks like both providers support userpass mechanism similarly, in reality it is different since Rackspace allows to provide optional tenantId and Openstack does not.

In other words, in order for us to support Rackspace mechanisms, we need to have a different identity implementation than what Openstack's goose library provide.

Changed in juju:
assignee:	Anastasia (anastasia-macmood) → nobody
status:	In Progress → Triaged

Heather Lanigan (hmlanigan) on 2021-10-21

Changed in juju:
importance:	High → Medium
tags:	added: rackspace

Revision history for this message

Canonical Juju QA Bot (juju-qa-bot) wrote on 2022-11-03:

This Medium-priority bug has not been updated in 60 days, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance:	Medium → Low
tags:	added: expirebugs-bot

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.