vnc_api: connection refused traceback when no auth_token supplied
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenContrail | Fix Committed | Undecided | Prakash Bailkeri | |
Bug Description
My python looks like:
import keystoneclient.
import novaclient.
import quantumclient.
from vnc_api import vnc_api
keystone = keystoneclient.
username = 'admin',
password = 'admin',
tenant_name = 'tenant1',
auth_url = 'http://
# Create nova client for computing management.
nova = novaclient.
username = 'admin',
api_key = 'admin',
project_id = 'tenant1',
auth_url = 'http://
# Create VNC client for networking management.
vnc = vnc_api.VncApi(
username = 'admin',
password = 'admin',
tenant_name = 'tenant1',
And I get the following traceback:
root@contrail:~# python -i contrail_test.py
Traceback (most recent call last):
File "contrail_test.py", line 28, in <module>
api_server_host = '10.164.96.5')
File "/usr/lib/
retry_
File "/usr/lib/
self._headers = self._authentic
File "/usr/lib/
headers=
File "/usr/lib/
return request('post', url, data=data, **kwargs)
File "/usr/lib/
return session.
File "/usr/lib/
resp = self.send(prep, stream=stream, timeout=timeout, verify=verify, cert=cert, proxies=proxies)
File "/usr/lib/
r = adapter.
File "/usr/lib/
raise ConnectionError
requests.
Digging into the code a bit, it seems like it's trying to authenticate to 127.0.0.1 (maybe the api is meant to be running on the contrail controller only?), and since keystone is not running locally, the connection is being refused.
I got a hint from our Juniper guy that I need to pass on auth_token, and this did indeed solve the problem. However, getting a traceback for trying to auth based on strange default values, seems broken to me. There's got to be a better way to test auth, and give a more user-friendly error message like:
"No auth_token supplied"
The contrail-api I'm using is: contrail-
Changed in opencontrail:
status: New → Fix Committed
tags: added: config
My analysis:
VncApi can be invoked with a “conf_file” option (when not specified, the default is /etc/contrail/vnc_api_lib.ini). The library expects the keystone server information from this file.
When the auth token is not specified as a parameter, or authentication can’t be done with the given auth token, VncApi fetches the auth_token from keystone.
In your case, the conf_file is not specified and /etc/contrail/vnc_api_lib.ini also doesn’t exist (or doesn’t contain keystone details), hence the attempt is made to communicate with the default keystone server (which is localhost).
Solution:
1. If the auth token is not specified, the call to fetch the auth token from keystone should be done in a try/catch. In case of an exception, give an error message “unable to authenticate”.
2. If the auth token is specified and authentication fails, no attempt should be made to fetch a token again. Instead, return an error.
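
Added example, not OpenContrail's code or the committed fix: a minimal sketch of the two points in the proposed solution above. The names authenticate, describe, validate_token and fetch_token are hypothetical stand-ins for the library's token check and its keystone request, and the refused keystone connection is constructed.

```python
class AuthError(Exception):
    """User-facing authentication failure, raised instead of a raw traceback."""


def authenticate(validate_token, fetch_token, auth_token=None):
    """Return a usable token or raise AuthError.

    validate_token(token) -> bool and fetch_token() -> str are hypothetical
    callables standing in for the API-server check and the keystone request.
    """
    if auth_token is not None:
        # Point 2: a supplied token that is rejected is a hard error. Do not
        # fall back to fetching a new token from whatever defaults exist.
        if not validate_token(auth_token):
            raise AuthError("unable to authenticate: supplied auth_token rejected")
        return auth_token
    # Point 1: no token supplied, so ask keystone inside try/except.
    # requests.ConnectionError and the built-in ConnectionRefusedError are
    # both OSError subclasses, so one except clause covers the transport.
    try:
        token = fetch_token()
    except OSError as exc:
        raise AuthError("unable to authenticate: no auth_token supplied and "
                        "keystone unreachable (%s)" % exc) from exc
    if not token or not validate_token(token):
        raise AuthError("unable to authenticate: keystone returned no valid token")
    return token


def describe(validate_token, fetch_token, auth_token=None):
    """Return the token or the one-line error a user would see."""
    try:
        return authenticate(validate_token, fetch_token, auth_token)
    except AuthError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed stand-ins: keystone is not running, one token is valid.
    def keystone_refused():
        raise ConnectionRefusedError(111, "Connection refused")

    is_valid = {"tok-good"}.__contains__
    print(describe(is_valid, keystone_refused))              # no token
    print(describe(is_valid, keystone_refused, "tok-bad"))   # rejected token
    print(describe(is_valid, keystone_refused, "tok-good"))  # accepted token
```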