yahoo-eng-team team mailing list archive
Message #07651
[Bug 1239894] Re: insecure=True not documented outside of keystoneclient.middleware.auth_token
** No longer affects: nova
** Tags added: sec-guide
--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1239894
Title:
insecure=True not documented outside of keystoneclient.middleware.auth_token
Status in OpenStack Identity (Keystone):
Triaged
Status in OpenStack Manuals:
Triaged
Status in Python client library for Keystone:
Invalid
Bug description:
We use a self-signed certificate with all OpenStack services. It all worked so far, but broke once keystoneclient v0.4.0 was released last week.
As per this commit, keystoneclient by default uses insecure=False.
https://github.com/openstack/python-keystoneclient/commit/20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
This breaks self-signed instances. The OpenStack components {nova, glance, neutron} are unable to communicate with keystone. We don't use horizon or swift. I presume they are broken as well. The keystone client is happy, though, if we use the --insecure flag when using it directly.
Ideally, we should introduce a new config parameter keystone_api_insecure. The insecure flag in keystoneclient should be defined based on this parameter. This should be fixed in all OpenStack services: nova, glance & neutron.
[barumugam@build tempest]$ keystone --insecure tenant-list
+----------------------------+----------------------------+---------+
|             id             |            name            | enabled |
+----------------------------+----------------------------+---------+
| csi-tenant-tempest         | csi-tenant-tempest         | True    |
+----------------------------+----------------------------+---------+
[barumugam@build tempest]$ nova --insecure list
ERROR: Unauthorized (HTTP 401)
Nova log:
2013-10-13 00:01:56,680 (keystoneclient.middleware.auth_token): ERROR auth_token _http_request HTTP connection exception: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013-10-13 00:01:56,682 (keystoneclient.middleware.auth_token): DEBUG auth_token _validate_user_token Token validation failure.
Traceback (most recent call last):
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 808, in _validate_user_token
verified = self.verify_signed_token(user_token)
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1165, in verify_signed_token
if self.is_signed_token_revoked(signed_text):
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1127, in is_signed_token_revoked
revocation_list = self.token_revocation_list
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1217, in token_revocation_list
self.token_revocation_list = self.fetch_revocation_list()
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1235, in fetch_revocation_list
additional_headers=headers)
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 739, in _json_request
response = self._http_request(method, path, **kwargs)
File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 704, in _http_request
raise NetworkError('Unable to communicate with keystone')
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1239894/+subscriptions
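The report proposes exposing keystoneclient's insecure flag as a service-level parameter. That makes the failing deployment work again, but only by turning certificate verification off entirely, so any host on the path can impersonate keystone to nova, glance and neutron. The alternative that keeps verification on is to point each service at a CA bundle containing the self-signed certificate. The script below is an added example, not code from the bug report, keystoneclient or any OpenStack project: it reads a service's [keystone_authtoken] section, derives the verification setting the service would hand to its HTTP client, and flags the weak combinations. It assumes the option names insecure, cafile, auth_protocol, auth_host and auth_port (the spelling later keystonemiddleware releases document; the page itself only names insecure and the proposed keystone_api_insecure), and the sample configs are constructed for the example.

```python
"""Audit OpenStack service configs for how they verify keystone's TLS certificate.

Added example (not code from the bug report, keystoneclient or any OpenStack
project). Assumptions: the service config carries a [keystone_authtoken]
section, the options are spelled ``insecure``, ``cafile``, ``auth_protocol``,
``auth_host`` and ``auth_port``, and ``verify`` is returned in the form a
requests-style HTTP client accepts (True, False, or a CA bundle path).
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Union

SECTION = "keystone_authtoken"


@dataclass
class TlsVerification:
    service: str
    # What the service should hand to its HTTP client: True (system CA store),
    # False (no verification at all), or the path of a CA bundle to trust.
    verify: Union[bool, str]
    findings: List[str] = field(default_factory=list)


def resolve_verification(service: str, config_text: str) -> TlsVerification:
    """Derive the effective verification setting and flag weak combinations."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section(SECTION):
        return TlsVerification(
            service, True,
            [f"{service}: no [{SECTION}] section; library defaults apply "
             "(verification on, system CA store)"])

    insecure = cp.getboolean(SECTION, "insecure", fallback=False)
    cafile = cp.get(SECTION, "cafile", fallback="").strip() or None
    protocol = cp.get(SECTION, "auth_protocol", fallback="https").strip().lower()
    findings: List[str] = []

    if insecure:
        # The setting the bug report proposes to expose: it makes the failing
        # deployment work, but by accepting any certificate whatsoever.
        findings.append(
            f"{service}: insecure=True disables certificate verification of the "
            "keystone endpoint, so any host on the path can impersonate keystone; "
            "point cafile at the self-signed certificate instead")
        if cafile:
            findings.append(
                f"{service}: cafile={cafile} is set but ignored while insecure=True")
        return TlsVerification(service, False, findings)

    if protocol == "http":
        findings.append(
            f"{service}: auth_protocol=http sends the admin credentials and user "
            "tokens in cleartext; TLS settings are moot")
        return TlsVerification(service, True, findings)

    if cafile:
        # Verification stays on; trust is anchored on the operator's own CA
        # (or the self-signed certificate itself) rather than disabled.
        return TlsVerification(service, cafile, findings)

    findings.append(
        f"{service}: no cafile, so verification uses the system CA store and a "
        "self-signed keystone certificate is rejected with 'certificate verify "
        "failed', the error shown in the nova log")
    return TlsVerification(service, True, findings)


def audit(configs: Dict[str, str]) -> List[str]:
    """Run resolve_verification over several services and collect findings."""
    findings: List[str] = []
    for service, text in configs.items():
        findings.extend(resolve_verification(service, text).findings)
    return findings


# Constructed sample configs for the example, not taken from any deployment.
NOVA_CONF_INSECURE = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.internal
auth_port = 35357
insecure = True
"""

NOVA_CONF_FIXED = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.internal
auth_port = 35357
cafile = /etc/ssl/certs/keystone-selfsigned.pem
"""

GLANCE_CONF_UNPINNED = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.internal
auth_port = 35357
"""

if __name__ == "__main__":
    for line in audit({"nova": NOVA_CONF_INSECURE,
                       "nova(fixed)": NOVA_CONF_FIXED,
                       "glance": GLANCE_CONF_UNPINNED}):
        print(line)
```

Run it against the real nova.conf, glance-api.conf and neutron.conf of a deployment to see which services would end up with verification disabled once the proposed parameter is set; the cafile path must name a PEM bundle that contains the keystone certificate (or the CA that signed it), readable by each service's user.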