yahoo-eng-team team mailing list archive
Message #26829
[Bug 1410259] [NEW] Keystone works with empty signing certificates
Public bug reported:
Hello,
While trying out a few things around signing certificates, I found that Keystone works with empty signing certificates.
Is this expected behavior? Isn't it mandatory to have a valid signing certificate for proper Keystone functioning?
I was trying the following when I found this behavior:
Created empty files for the signing certificate.
Created the user, tenant and role using admin_token.
Assigned the admin role to one of the users in one of the tenants using the admin_token.
After adding the admin role, removed the admin_token and restarted the keystone service.
Now, using the admin user, I was able to do all possible operations with keystone using the keystone client.
---------------------- Execution Log --------------
/etc/keystone/keystone.conf
----------
[DEFAULT]
[assignment]
driver = keystone.assignment.backends.sql.Assignment
[auth]
[cache]
[catalog]
[credential]
[database]
connection = mysql://keystone:Passw0rd@vmnode3/keystone
[ec2]
[endpoint_filter]
[endpoint_policy]
[federation]
[identity]
driver = keystone.identity.backends.sql.Identity
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
[oauth1]
[os_inherit]
[paste_deploy]
[policy]
[revoke]
[saml]
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/signing_cacert.pem
[ssl]
enable = False
certfile = /etc/keystone/ssl/certs/ssl_cert.pem
keyfile = /etc/keystone/ssl/private/ssl_key.pem
ca_certs = /etc/keystone/ssl/certs/ssl_cacert.pem
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=vmnode
[stats]
[token]
[trust]
----------------------------------------------------------------
Empty signing certificates
[root@vmnode3 ~]# cat /etc/keystone/ssl/certs/signing_cert.pem
[root@vmnode3 ~]# cat /etc/keystone/ssl/private/signing_key.pem
[root@vmnode3 ~]# cat /etc/keystone/ssl/certs/signing_cacert.pem
[root@vmnode3 ~]#
[root@vmnode3 ~]# ls -ld /etc/keystone/ssl/certs/signing_cert.pem
-rw-r--r-- 1 root root 0 Jan 13 18:37 /etc/keystone/ssl/certs/signing_cert.pem
[root@vmnode3 ~]# ls -ld /etc/keystone/ssl/private/signing_key.pem
-rw-r----- 1 keystone keystone 0 Jan 13 18:38 /etc/keystone/ssl/private/signing_key.pem
[root@vmnode3 ~]# ls -ld /etc/keystone/ssl/certs/signing_cacert.pem
-rw-r--r-- 1 keystone keystone 0 Jan 13 18:38 /etc/keystone/ssl/certs/signing_cacert.pem
[root@vmnode3 ~]#
----------------------------------------------------------------
User, tenant, role, etc. creation with admin_token
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure service-create --name keystone --type identity --description Keystone-Service
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure endpoint-create --service keystone --publicurl http://vmnode:5000/v2.0 --internalurl http://vmnode:35357/v2.0 --adminurl http://vmnode:35357/v2.0
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure user-create --name admin --pass Passw0rd
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure tenant-create --name service
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure role-create --name admin
/usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure user-role-add --user admin --tenant service --role admin
----------------------------------------------------------------
After removing the admin_token and restarting the keystone service
[root@vmnode3 ~]# /usr/bin/keystone --os-username admin --os-password Passw0rd --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-01-13T14:16:12Z |
| id | 4c84b45c8e934031b86cf1f6f313422b |
| tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
| user_id | 1debdd4f623d495e8a5694482278ed8f |
+-----------+----------------------------------+
[root@vmnode3 ~]# /usr/bin/keystone --os-username admin --os-password Passw0rd --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-01-13T14:16:23Z |
| id | cd2639863a0e41638ddb7e37fc547166 |
| tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
| user_id | 1debdd4f623d495e8a5694482278ed8f |
+-----------+----------------------------------+
[root@vmnode3 ~]# ssh vmnode4
Last login: Tue Jan 13 11:52:17 2015 from vmnode3
[root@vmnode4 ~]# /usr/bin/keystone --os-username admin --os-password Passw0rd --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-01-13T14:16:31Z |
| id | fd7fc5db4c87436dafa3aa1c03409e5a |
| tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
| user_id | 1debdd4f623d495e8a5694482278ed8f |
+-----------+----------------------------------+
[root@vmnode4 ~]#
I was able to add a new user as an admin and do all keystone operations using the new admin, even from a different client.
** Affects: keystone
Importance: Undecided
Status: New
** Tags: keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1410259
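As an added example (not part of the bug report and not Keystone's own code), the following Python script does the two checks a reviewer of this report would want: it reads the [signing] paths from a keystone.conf and reports each file as missing, empty, not PEM, of the wrong PEM type or ok, and it classifies token IDs by format. The [signing] files are consumed by the PKI/PKIZ token providers, which sign tokens as CMS; UUID tokens (32 hex characters, as every token ID in the log above) are not signed, so empty files do not affect them. The sample config text, the temporary directory layout, the helper names and the `root` parameter are assumptions made for illustration.

```python
"""Check the [signing] files a keystone.conf points at, and classify token IDs
by format. Added example; the config text and temp-dir layout are constructed."""
import configparser
import os
import re
import tempfile

# Constructed sample mirroring the [signing] and [token] sections of the
# keystone.conf quoted in the report (not a real deployment file).
SAMPLE_CONF = """\
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/signing_cacert.pem
[token]
"""

# PEM label each [signing] option is expected to carry.
EXPECTED_LABEL = {
    "certfile": "CERTIFICATE",
    "keyfile": "PRIVATE KEY",   # matches both "RSA PRIVATE KEY" and "PRIVATE KEY"
    "ca_certs": "CERTIFICATE",
}

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s.*?-----END \1-----", re.S)
UUID_HEX = re.compile(r"^[0-9a-f]{32}$")


def check_pem_file(path, expect_label):
    """Return one of: missing, empty, not_pem, wrong_type, ok."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.strip():
        return "empty"          # the zero-length files from the report land here
    match = PEM_BLOCK.search(data)
    if match is None:
        return "not_pem"
    label = match.group(1).decode("ascii")
    return "ok" if expect_label in label else "wrong_type"


def check_signing_section(conf_text, root="/"):
    """Check every [signing] file. `root` (an assumption of this helper, not a
    keystone option) is prepended to the configured paths so the check can be
    run against a copied tree."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    results = {}
    for key, label in EXPECTED_LABEL.items():
        path = cp.get("signing", key, fallback=None)
        if path is None:
            results[key] = "unset"
            continue
        results[key] = check_pem_file(os.path.join(root, path.lstrip("/")), label)
    # The report's [token] section sets no provider, so the release default applies.
    provider = cp.get("token", "provider", fallback="")
    results["token_provider"] = provider or "unset (release default)"
    return results


def classify_token(token_id):
    """Heuristic format from the ID alone: UUID tokens are 32 hex chars, PKI
    tokens are base64 CMS starting 'MII', PKIZ tokens start 'PKIZ_', Fernet
    tokens 'gAAAA'. Only pki/pkiz tokens are signed with the [signing] files."""
    if UUID_HEX.match(token_id):
        return "uuid"
    if token_id.startswith("PKIZ_"):
        return "pkiz"
    if token_id.startswith("MII"):
        return "pki"
    if token_id.startswith("gAAAA"):
        return "fernet"
    return "unknown"


def demo(contents=None):
    """Build a throwaway tree holding the three signing files (zero-length by
    default, as in the report) and run the check against SAMPLE_CONF."""
    contents = contents or {}
    root = tempfile.mkdtemp(prefix="keystone-signing-check-")
    files = {
        "certfile": "etc/keystone/ssl/certs/signing_cert.pem",
        "keyfile": "etc/keystone/ssl/private/signing_key.pem",
        "ca_certs": "etc/keystone/ssl/certs/signing_cacert.pem",
    }
    for key, rel in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(contents.get(key, b""))
    return check_signing_section(SAMPLE_CONF, root=root)


if __name__ == "__main__":
    print(demo())   # every signing file reports "empty"
    for tid in ("4c84b45c8e934031b86cf1f6f313422b", "cd2639863a0e41638ddb7e37fc547166"):
        print(tid, classify_token(tid))
```

Run against a real host, `check_signing_section(open("/etc/keystone/keystone.conf").read())` flags the zero-length files from the report as "empty"; the token IDs from the log classify as "uuid", which is the direct explanation for why token issuance kept working. A deployment that sets `[token] provider` to the PKI provider would instead need all three files to report "ok".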