NSD feature is using tacker auth token to access target NFVI

Bug #1661526 reported by yong sheng gong
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tacker | Fix Released | Medium | bharaththiruveedula |

Bug Description

https://github.com/openstack/tacker/blob/master/tacker/nfvo/nfvo_plugin.py#L574:
        workflow = self._vim_drivers.invoke(driver_type,
                                         'prepare_and_create_workflow',
                                         resource='vnf',
                                         action='create',
                                         vim_auth=vim_res['vim_auth'],
                                         auth_token=context.auth_token,
                                         kwargs=kwargs)

https://github.com/openstack/tacker/blob/master/tacker/nfvo/drivers/vim/openstack_driver.py#L465:

    def prepare_and_create_workflow(self, resource, action, vim_auth,
                                    kwargs, auth_token=None):
        if not auth_token:
            LOG.warning(_("auth token required to create mistral workflows"))
            raise EnvironmentError('auth token required for'
                                   ' mistral workflow driver')
        mistral_client = MistralClient(
            self.keystone.initialize_client('2', **vim_auth),
            auth_token).get_client()

Changed in tacker:
assignee: nobody → bharaththiruveedula (bharath-ves)
Changed in tacker:
milestone: none → ocata-3
yong sheng gong (gongysh) wrote :

https://github.com/openstack/tacker/blob/master/tacker/nfvo/drivers/vim/openstack_driver.py#L474:
    def execute_workflow(self, workflow, vim_auth, auth_token=None):
        if not auth_token:
            LOG.warning(_("auth token required to create mistral workflows"))
            raise EnvironmentError('auth token required for'
                                   ' mistral workflow driver')
        mistral_client = MistralClient(
            self.keystone.initialize_client('2', **vim_auth),
            auth_token).get_client()
        return mistral_client.executions.create(
            workflow_identifier=workflow['id'],
            workflow_input=workflow['input'],
            wf_params={})

class MistralClient(object):
    """Mistral Client class for NSD"""

# we can see the workflowv2 is in VIM keystone
    def __init__(self, keystone, auth_token):
        endpoint = keystone.session.get_endpoint(
            service_type='workflowv2', region_name=None)
        self.client = mistral_client.client(auth_token=auth_token,
                                     mistral_url=endpoint)

    def get_client(self):
        return self.client

Sridhar Ramaswamy (srics-r) wrote :

@yong sheng - I think the current code is behaving as intended and we should mark this bug invalid. Here is my reasoning that I shared in a recent email ...

I caught up w/ the IRC logs on this discussion on which auth context
to use for mistral. My understanding is workflow engine (mistral) is
associated with tacker controller and it should be sufficient if it
runs only within the centralized tacker node. We shouldn't need mistral
installed in remote VIMs (that eases deployment requirement). Also,
our workflows only drive the VNFM API so they need to logically reside
only with tacker and hence should use tacker's auth context and not
target vim's auth.

Changed in tacker:
importance: Undecided → Wishlist
Sridhar Ramaswamy (srics-r) wrote :

Closing it for now, please re-open if you think this is a valid issue.

Changed in tacker:
status: New → Invalid
yong sheng gong (gongysh) wrote :

I have set up a tacker standalone env with local.conf:

ubuntu@testtackerinstall:~/devstack$ cat local.conf
[[local|localrc]]
HOST_IP=192.168.23.122
SERVICE_HOST=192.168.23.122
NOVNCPROXY_URL=http://192.168.23.122:6080/vnc_auto.html
LIBS_FROM_GIT=python-neutronclient
NEUTRON_CREATE_INITIAL_NETWORKS=False
GIT_BASE=http://git.trystack.cn
NOVNC_REPO=http://git.trystack.cn/kanaka/noVNC.git
SPICE_REPO=http://git.trystack.cn/git/spice/spice-html5.git
SERVICE_PASSWORD=devstack
ADMIN_PASSWORD=devstack
SERVICE_TOKEN=devstack
DATABASE_PASSWORD=root
RABBIT_PASSWORD=password
ENABLE_HTTPD_MOD_WSGI_SERVICES=True
LOGFILE=$DEST/logs/stack.sh.log
SCREEN_LOGDIR=$DEST/logs/screen
ENABLE_DEBUG_LOG_LEVEL=True
ENABLE_VERBOSE_LOG_LEVEL=True

TACKER_MODE=standalone
enable_plugin tacker https://github.com/openstack/tacker master
enable_plugin mistral https://github.com/openstack/mistral

[[post-config|/etc/neutron/plugins/ml2/ml2_conf.ini]]
[agent]
arp_responder=True

and target NFVI does not have Mistral installed.

and then I try to create the NS, the exception is:

2017-02-15 09:55:24.729 DEBUG tacker.common.log [req-e0c1c5db-89df-4db9-8075-940974817f51 admin admin] tacker.nfvo.nfvo_plugin.NfvoPlugin method _update_params called with arguments ({'network_name': {'get_input': 'vl2_name'}, 'vendor': 'tacker'}, {u'vl2_name': u'net0', u'vl1_name': u'net_mgmt'}) {} from (pid=8800) wrapper /opt/stack/tacker/tacker/common/log.py:34
2017-02-15 09:55:24.778 ERROR tacker.api.v1.resource [req-e0c1c5db-89df-4db9-8075-940974817f51 admin admin] create failed
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource Traceback (most recent call last):
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/api/v1/resource.py", line 83, in resource
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource result = method(request=request, **args)
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/api/v1/base.py", line 395, in create
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource obj = obj_creator(request.context, **kwargs)
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/common/log.py", line 35, in wrapper
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource return method(*args, **kwargs)
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/nfvo/nfvo_plugin.py", line 582, in create_ns
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource kwargs=kwargs)
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/common/driver_manager.py", line 70, in invoke
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource return getattr(driver, method_name)(**kwargs)
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/nfvo/drivers/vim/openstack_driver.py", line 467, in prepare_and_create_workflow
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource auth_token).get_client()
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource File "/opt/stack/tacker/tacker/nfvo/drivers/vim/openstack_driver.py", line 523, in __init__
2017-02-15 09:55:24.778 TRACE tacker.api.v1.resource service_...


Changed in tacker:
status: Invalid → New
Sridhar Ramaswamy (srics-r) wrote :

Let's address this in Pike. I think the actual problem is the opposite of what the title says. Instead of:

 "NSD feature is using tacker auth token to access target NFVI" .. it needs to be,
 "NSD feature is using NFVI/VIM auth token instead of tacker auth context"

Changed in tacker:
milestone: ocata-3 → pike-1
importance: Wishlist → Medium
Sridhar Ramaswamy (srics-r) wrote :

Until we have this fix (which we can hopefully cherrypick to stable/ocata), we need to have the deployers install mistral in target VIM / NFVI.

Changed in tacker:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tacker (master)

Fix proposed to branch: master
Review: https://review.openstack.org/438211

Changed in tacker:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker (master)

Reviewed: https://review.openstack.org/438211
Committed: https://git.openstack.org/cgit/openstack/tacker/commit/?id=a4f619119ecef68b20331259898859040b0e7e32
Submitter: Jenkins
Branch: master

commit a4f619119ecef68b20331259898859040b0e7e32
Author: Bharath Thiruveedula <email address hidden>
Date: Sun Feb 26 02:30:30 2017 +0530

    Access the controller's mistral endpoint instead of VIM

    Change-Id: I2093125aeecddd05fadd8b4a9df4d9dd74dfa61e
    Closes-Bug: #1661526

Changed in tacker:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tacker 0.8.0

This issue was fixed in the openstack/tacker 0.8.0 release.
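
The mismatch discussed in this report, as an added example that is not tacker's code: the quoted driver resolves the `workflowv2` endpoint through a Keystone client built from `vim_auth` while passing `context.auth_token`, and the merged fix uses the controller's mistral endpoint instead. `Catalog`, `Token`, `ServiceNotInCatalog`, the resolver functions and all sample values are hypothetical stand-ins constructed for illustration.

```python
# Added illustration: every class and function here is a hypothetical stand-in,
# not a tacker, keystoneauth or mistralclient API.
from dataclasses import dataclass, field


class ServiceNotInCatalog(Exception):
    """Raised when a catalog has no endpoint for the requested service type."""


@dataclass(frozen=True)
class Token:
    value: str
    issuer: str  # name of the Keystone that issued this token


@dataclass
class Catalog:
    name: str  # which Keystone this service catalog belongs to
    services: dict = field(default_factory=dict)

    def get_endpoint(self, service_type):
        if service_type not in self.services:
            raise ServiceNotInCatalog(f"{service_type} not in {self.name} catalog")
        return self.services[service_type]


def resolve_before_fix(vim, controller, token):
    """Reported behaviour: endpoint from the VIM catalog, token from tacker."""
    return vim.get_endpoint("workflowv2"), token, vim.name


def resolve_after_fix(vim, controller, token):
    """Behaviour named in the fix commit: use the controller's endpoint."""
    return controller.get_endpoint("workflowv2"), token, controller.name


def token_matches_endpoint(resolved):
    """Guard: only send a token to a service registered with its issuer."""
    _endpoint, token, catalog_name = resolved
    return token.issuer == catalog_name


# Constructed sample data (addresses come from documentation ranges).
CONTROLLER = Catalog("controller", {"workflowv2": "http://192.0.2.10:8989/v2"})
VIM_NO_MISTRAL = Catalog("vim", {"compute": "http://198.51.100.20:8774/v2.1"})
VIM_WITH_MISTRAL = Catalog("vim", {"workflowv2": "http://198.51.100.20:8989/v2"})
TACKER_TOKEN = Token("constructed-token", issuer="controller")
```

With `VIM_NO_MISTRAL` the pre-fix path fails at endpoint lookup; with `VIM_WITH_MISTRAL` it succeeds but pairs the controller-issued token with an endpoint from a different Keystone, which the guard rejects.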
