Bug 751212

Summary: builds fail after changing conductor's admin password
Product: [Retired] CloudForms Cloud Engine Reporter: Dave Maley <dmaley>
Component: rubygem-aeolus-cliAssignee: Martyn Taylor <mtaylor>
Status: CLOSED CURRENTRELEASE QA Contact: wes hayutin <whayutin>
Severity: high Docs Contact:
Priority: high    
Version: 1.0.0CC: matt.wagner, slinaber, ssachdev
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-30 17:14:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dave Maley 2011-11-03 21:10:16 UTC 
Description of problem:
I was hitting the below build failure, which matches what's reported in bug 749088.  However after adding the <rootpw> parameter to my template as described in the bz the build failures continued.  After some poking I found the problem is due to having changed the conductor admin password -- change it back to "password" and the builds succeed.


[root@sideshowbob]# aeolus-image build --target ec2 --template F15.xml 
/usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/connection.rb:131:in `handle_response': Failed.  Response code = 401.  Response message = Unauthorized. (ActiveResource::UnauthorizedAccess)
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/connection.rb:114:in `request'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/connection.rb:97:in `post'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/connection.rb:217:in `with_auth'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/connection.rb:97:in `post'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/base.rb:1314:in `create_without_notifications'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/observing.rb:11:in `create'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/base.rb:1117:in `save_without_validation'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/validations.rb:87:in `save_without_notifications'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/observing.rb:11:in `save'
        from /usr/lib/ruby/gems/1.8/gems/activeresource-3.0.10/lib/active_resource/base.rb:1134:in `save!'
        from /usr/lib/ruby/gems/1.8/gems/aeolus-cli-0.1.0/lib/aeolus_cli/command/build_command.rb:37:in `run'
        from /usr/lib/ruby/gems/1.8/gems/aeolus-cli-0.1.0/lib/aeolus_cli/command/config_parser.rb:220:in `build'
        from /usr/lib/ruby/gems/1.8/gems/aeolus-cli-0.1.0/lib/aeolus_cli/command/config_parser.rb:38:in `send'
        from /usr/lib/ruby/gems/1.8/gems/aeolus-cli-0.1.0/lib/aeolus_cli/command/config_parser.rb:38:in `process'
        from /usr/lib/ruby/gems/1.8/gems/aeolus-cli-0.1.0/bin/aeolus-image:20
        from /usr/bin/aeolus-image:19:in `load'
        from /usr/bin/aeolus-image:19


Version-Release number of selected component (if applicable):
rubygem-aeolus-cli-0.1.0-3.el6
aeolus-conductor-0.5.0-1.el6


How reproducible:
always


Steps to Reproduce:
1. change conductor admin password
2. run aeolus-image build

  
Actual results:
build fails w/ above error


Expected results:
build succeeds


Additional info:
Comment 1 Matt Wagner 2011-11-03 21:26:09 UTC 
Any aeolus-image command should fail in this case, not just the build commands.

The command reads your ~/.aeolus-cli file, which is most likely written with the default admin/password pair the first time it's run.

This also seems to tie into the related task for cleaning up error messages -- we should show a helpful error, not raise the 401 response as an exception to the user.
Comment 2 Dave Maley 2011-11-04 13:24:29 UTC 
(In reply to comment #1)

> The command reads your ~/.aeolus-cli file, which is most likely written with
> the default admin/password pair the first time it's run.

Yep that was it.  Is storing the aeolus admin creds in plaintext just a temporary thing?
Comment 3 Matt Wagner 2011-11-04 14:45:43 UTC 
Is this bug intended to be private, or can I mark it public?

We had a discussion about how to handle the credentials. I think having them in plaintext is preferable to the other obvious choice -- specifying your username and password on the command-line. We may want to do something with OAuth or whatnot.
Comment 4 Dave Maley 2011-11-04 15:06:04 UTC 
(In reply to comment #3)
> Is this bug intended to be private, or can I mark it public?

Just habit (GSS is instructed to open all customer reported bugs as private).  I've opened it up.

> We had a discussion about how to handle the credentials. I think having them in
> plaintext is preferable to the other obvious choice -- specifying your username
> and password on the command-line. We may want to do something with OAuth or
> whatnot.

I'd think storing the admin creds as plaintext would be considered a security issue.

Also having to manage the admin password in 2 different places for webui vs. cli is definitely problematic.
Comment 5 Martyn Taylor 2011-12-05 09:52:42 UTC 
Updated the help and man pages documentation to highlight ~/.aeolus-cli config file.

commit d721dc07162be97ab53afd58f156b1f2b00983c7
Author: Maros Zatko <mzatko>
Date:   Wed Nov 23 17:40:05 2011 +0100

    added mention of .aeolus-cli into default help



With regards to showing plain text passwords.  This is only a temporary solution.  The longer term plan is for aeolus-cli to access conductor API via OAuth.  However, this will not happen for 1.0; simple HTTP authentication will be used and passwords will be stored as plain text in user directory.
Comment 6 Steve Linabery 2012-01-10 19:15:05 UTC 
d721dc0 in rubygem-aeolus-cli-0.3.0-2
Comment 7 wes hayutin 2012-01-16 21:16:02 UTC 
[root@qeblade32 builders]# aeolus
Usage: aeolus [image] [subcommand] [general options] [command options]

    -h, --help                       Get usage information for this tool

URL with credentials to Conductor are set in ~/.aeolus-cli
Conductor URL should point to https://<host_where_conductor_runs>/conductor/api
[root@qeblade32 builders]# 
[root@qeblade32 builders]# 
[root@qeblade32 builders]# 
[root@qeblade32 builders]# 
[root@qeblade32 builders]# aeolus-image -h
Usage: aeolus-image [list|build|push|import|delete|status] [command options]
    -h, --help                       Get usage information for this tool
Aeolus Image Commands:
    list   : Lists Aeolus Image Resources
    build  : Builds a new Image
    push   : Pushes an Image to a particular Provider Account
    import : Imports an existing image
    delete : Delete an Aeolus Image Resource
    status : Check the status of a push or build
See `aeolus-image <command> -h


need to add it aeolus-image
Comment 8 wes hayutin 2012-01-16 21:16:18 UTC 
[root@qeblade32 builders]# rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-5.el6.noarch
rubygem-aeolus-cli-0.3.0-3.el6.noarch
rubygem-aeolus-image-0.3.0-2.el6.noarch
aeolus-all-0.8.0-5.el6.noarch
aeolus-configure-2.5.0-4.el6.noarch
aeolus-conductor-0.8.0-5.el6.noarch
aeolus-conductor-daemons-0.8.0-5.el6.noarch
[root@qeblade32 builders]#
Comment 9 Martyn Taylor 2012-01-19 14:21:08 UTC 
Updated help message output to highlight credentials file.

commit ade2a901da0777ab5fe3daab610e74f6a2f77de4
Author: Martyn Taylor <mtaylor>
Date:   Wed Jan 18 10:11:20 2012 +0000

    BZ#751212 Added reference to ~/.aeolus-cli in help output
Comment 10 Steve Linabery 2012-01-31 22:15:33 UTC 
35c46dbd9ace5d008fc35237bcadaf2330feadc8 in rubygem-aeolus-cli-0.3.0-7
Comment 11 Shveta 2012-02-06 08:08:11 UTC 
[root@hp-xw9300-01 ~]# aeolus-image build --target ec2 --template fedora15.tpl 

ERROR:  Unauthorized => Invalid Credentials, please check ~/.aeolus-cli


Verified in 
rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.0-20.el6.noarch
aeolus-configure-2.5.0-11.el6.noarch
aeolus-conductor-daemons-0.8.0-20.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch
aeolus-all-0.8.0-20.el6.noarch
aeolus-conductor-0.8.0-20.el6.noarch
rubygem-aeolus-cli-0.3.0-7.el6.noarch