From 381ada9b079c775eb57ea7e5c95b656937755061 Mon Sep 17 00:00:00 2001 
From: Alex Figueiredo Date: Tue, 15 Oct 2024 14:19:58 -0300 Subject: [PATCH] Enable nova proxy conf without keystone middleware MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The keystone middleware is the one responsible for adding the headers HTTP_X_USER and HTTP_X_TENANT to the "environ" dict while handling requests in the nova-api-proxy [1]. Currently, some log statements inside the APIController class of the nova-api-proxy access the "environ" dict keys directly, without using environ.get(key, val). Because of this, a KeyError exception is raised and nova requests fail when the nova-api-proxy pipeline is configured without using the keystone middleware. Since Nova requests will be authenticated at the final nova endpoints, the usage of keystone middleware in the request handling pipeline of nova-api-proxy should not be mandatory. Actually, the user is already allowed to set up the pipeline without keystone middleware by applying a custom user override to the nova-api-proxy chart at "conf.paste.pipeline:nova-api-proxy.pipeline". Although this scenario has not been explored so far, it's now required by [2] to fix an issue related to intermittent failures on Nova actions. To enable the setup of nova-api-proxy paste pipeline without the keystone middleware, the access to HTTP_X_USER and HTTP_X_TENANT keys of the "environ" dict was changed to use environ.get(key, val) with "val=UNDEFINED". Since Nova requests will be authenticated at the final nova endpoints, the usage of keystone middleware in the request handling pipeline of nova-api-proxy should not be mandatory. 
[1] https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html [2] https://review.opendev.org/c/starlingx/openstack-armada-app/+/932607 Test Plan: nova-api-proxy setup using the keystone middleware: - PASS: Build and upload nova-api-proxy image to a duplex system - PASS: Override the openstack app to use the custom image and apply it - PASS: Use openstack CLI to perform instance actions (suspend/resume) nova-api-proxy setup without the keystone middleware: - PASS: Override the nova-api-proxy chart to remove keystone middleware - PASS: Re-apply the app and send instance actions (suspend/resume) Related-Bug: #2083934 Related-Bug: #2083608 Change-Id: Iec3b92fc5fd85b594b6c3eac3fd97b045e7c8e0c Signed-off-by: Alex Figueiredo Co-authored-by: José Pires Co-authored-by: Romulo Leite
---
 .../nova_api_proxy/apps/acceptor.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/nova-api-proxy/nova-api-proxy/nova_api_proxy/apps/acceptor.py b/nova-api-proxy/nova-api-proxy/nova_api_proxy/apps/acceptor.py
index a9f151bd..b07f72a1 100644
--- a/nova-api-proxy/nova-api-proxy/nova_api_proxy/apps/acceptor.py
+++ b/nova-api-proxy/nova-api-proxy/nova_api_proxy/apps/acceptor.py
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2023 Wind River Systems, Inc.
+# Copyright (c) 2015-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -76,13 +76,13 @@ class APIController(Middleware): remote_addr = environ.get('HTTP_X_FORWARDED_FOR', environ['REMOTE_ADDR']) LOG.info("%s request issued by user (%s) tenant (%s) remote address " - "(%s)" - " \"%s %s\"" % (environ['REQUEST_METHOD'], - environ['HTTP_X_USER'], - environ['HTTP_X_TENANT'], - remote_addr, - environ['REQUEST_METHOD'], - construct_url(environ))) + "(%s) \"%s %s\"" % + (environ.get('REQUEST_METHOD', 'UNDEFINED'), + environ.get('HTTP_X_USER', 'Keystone middleware disabled'), + environ.get('HTTP_X_TENANT', 'Keystone middleware disabled'), + remote_addr, + environ.get('REQUEST_METHOD', 'UNDEFINED'), + construct_url(environ))) def _generate_log(self, req): environ = req.environ
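Review bot: With the keystone middleware out of the pipeline, `HTTP_X_USER` and `HTTP_X_TENANT` in this `LOG.info` call are whatever the client sent as `X-User` / `X-Tenant`, yet the message still reads "request issued by user (%s) tenant (%s)". auth_token normally strips and repopulates those headers, so the `'Keystone middleware disabled'` fallback only covers the header-absent case, and the proxy's request log can attribute a request to an identity nobody verified. Consider logging the values as an identity only when the middleware actually ran, e.g. `verified = 'keystone.token_info' in environ` followed by `user = environ.get('HTTP_X_USER') if verified else 'unverified'` (confirm that environ key is populated in this deployment), or at least reword the message to "user header (%s)". The commit description also says the default is "UNDEFINED" while the code uses a different string for these two keys, so a comment next to the call stating which default applies where would help. The enclosing method begins above the hunk, so whether other log statements in the class read the same keys cannot be seen from here.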