yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1031372] Re: keystone-manage pki_setup creates certs owned by root

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 21 Feb 2013 08:42:28 -0000
Reply-to: Bug 1031372 <1031372@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => grizzly-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1031372

Title:
  keystone-manage pki_setup creates certs owned by root

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Manuals:
  Triaged

Bug description:
  Most users are going to run 'keystone-manage pki_setup' as root. This
  generates a set of certificates and keys in /etc/keystone/ssl* which
  is owned by root:root.

  This is problematic when trying to then run the Keystone daemon under
  the 'keystone' user account (nologin) when trying to run PKI. Unless
  you manually chown the files keystone:keystone you'll get an error
  like this:

  2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
  140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
  140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
  unable to load signing key file

  -----

  Is there anything we could/should do to make configuring PKI certs a
  bit more streamlined?

  Until then I suppose we should make sure our documentation mentions
  the certs need to be readable by the keystone daemon user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1031372/+subscriptions