yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #00512
[Bug 1031372] Re: keystone-manage pki_setup creates certs owned by root
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => grizzly-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1031372
Title:
keystone-manage pki_setup creates certs owned by root
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Manuals:
Triaged
Bug description:
Most users are going to run 'keystone-manage pki_setup' as root. This
generates a set of certificates and keys in /etc/keystone/ssl* which
is owned by root:root.
This is problematic when trying to then run the Keystone daemon under
the 'keystone' user account (nologin) when trying to run PKI. Unless
you manually chown the files keystone:keystone you'll get an error
like this:
2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load signing key file
-----
Is there anything we could/should do to make configuring PKI certs a
bit more streamlined?
Until then I suppose we should make sure our documentation mentions
the certs need to be readable by the keystone daemon user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1031372/+subscriptions