On 1/9/2015 10:17 AM, Steven Hardy wrote:
On Fri, Jan 09, 2015 at 09:11:50AM -0500, Sean Dague wrote:
boto 2.35.0 just released, and makes hmac-v4 authentication mandatory
for EC2 end points (it has been optionally supported for a long time).

Nova's EC2 implementation does not do this.

The short term approach is to pin boto -
https://review.openstack.org/#/c/146049/, which I think is a fine long
term fix for stable/, but in master not supporting new boto, which
people are likely to deploy, doesn't really seem like an option.

https://bugs.launchpad.net/tempest/+bug/1408987 is the bug.

I don't think shipping an EC2 API in Kilo that doesn't work with recent
boto is a thing Nova should do. Do we have volunteers to step up and fix
this, or do we need to get more aggressive about deprecating this interface?

I'm not stepping up to maintain the EC2 API, but the auth part of it is
very similar to heat's auth (which does support hmac-v4), so I hacked on
the nova API a bit to align with the way heat does things:

https://review.openstack.org/#/c/146124/ (WIP)

This needs some more work, but AFAICS solves the actual auth part which is
quite simply fixed by reusing some code we have in heat's ec2token middleware.

If this is used, we could extract the common parts and/or use a common auth
middleware in future, assuming the EC2 implementation as a whole isn't
deemed unmaintained and removed that is.

Steve

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Looks like the fix we merged didn't actually fix the problem. I have a patch [1] to uncap the boto requirement on master and it's failing the ec2 tests in tempest the same as before.

I went back to the nova fix on master and checked patch set 9 which had the version uncapped in nova's requirements.txt file, and the tests were passing but they were running against boto 2.34 [2].

Unfortunately the cherry pick of the ec2 fix was also backported and merged to stable/juno which looks like it was probably a waste of time right now since we still have a bug.

Therefore we still probably need to cap boto on stable/juno for now. [3]

[1] https://review.openstack.org/#/c/146592/
[2] http://logs.openstack.org/24/146124/9/check/check-tempest-dsvm-full/950581d/logs/pip-freeze.txt.gz
[3] https://review.openstack.org/#/c/146344/

--

Thanks,

Matt Riedemann

