Bug 970308

Summary: Heat CFN API should support v4 signature format
Product: Red Hat OpenStack Reporter: Steven Hardy <shardy>
Component: openstack-heatAssignee: Steven Hardy <shardy>
Status: CLOSED ERRATA QA Contact: Kevin Whitney <kwhitney>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: ajeain, apevec, mlopes, sbaker, sclewis, sdake, shardy, srevivo
Target Milestone: Upstream M3Keywords: OtherQA
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-heat-2013.2-0.8.b3.el6ost Doc Type: Bug Fix
Doc Text:
Due to differences in signature formats, connections from recent versions of python-boto based clients were unable to connect to the cloudformation-compatible API. The updated python-boto client library used the AWS v4 signature by default, which was not supported by the Orchestration API. With this update, Orchestration now supports the AWS v4 signature format, and python-boto based clients can authenticate to the cloudformation-compatible API.
 Story Points: ---
Clone Of:
: 1000540 (view as bug list) Environment:
Last Closed: 2013-12-20 00:04:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 968246, 970134    
Bug Blocks: 1000540    

Description Steven Hardy 2013-06-03 22:07:19 UTC 
Description of problem:

- We require boto, primarily for our in-instance tools (heat-cfntools) without which several of our core features don't work.
- Recent (>=2.6.0) boto versions move to AWS v4 signatures by default, with no way to specify the previous (v2) signature format.  This means that grizzly/RHOS Heat won't work with any distro with a newer than 2.5.x boto version (which means F18, F19, and crucially soon RHEL ref bz #968247 won't work, also recent versions of Ubuntu won't work etc etc)

The plan is to propose this as a backport to the upstream Heat stable/grizzly branch, but we've been waiting on a python-keystoneclient release containing the fix discussed in this bz.  This happened a couple of days ago (0.2.4 contains this patch), ref bz #970134

Backport proposed:

https://review.openstack.org/#/c/31568/

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install python-boto >= 2.6.0
2. Note that heat-cfntools, heat-watch and heat-cfn don't work

Actual results:
Heat doesn't work with distros containing boto >= 2.6.0

Expected results:
Heat should work with as many distros as possible (particularly important as this affects compatibility with guest images)

Additional info:
Comment 5 Ami Jeain 2013-10-27 13:36:21 UTC 
a agreed by Perry, Heat and Ceilometer will be tested upstream by Tempest
Comment 9 errata-xmlrpc 2013-12-20 00:04:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html