
yahoo-eng-team team mailing list archive

[Bug 1410259] Re: Keystone works with empty signing certificates


[Expired for Keystone because there has been no activity for 60 days.]

** Changed in: keystone
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1410259

Title:
  Keystone works with empty signing certificates

Status in OpenStack Identity (Keystone):
  Expired

Bug description:
  Hello,
          While trying out a few things around signing certificates, I found that Keystone is working with empty signing certificates.
  Is this expected behavior? Isn't it mandatory to have a valid signing certificate for proper Keystone functioning?

  I was trying the following when I found this behavior:

  Created empty files for the signing certificates.
  Created the user, tenant and role using the admin_token.
  Assigned the admin role to one of the users in one of the tenants using the admin_token.
  After adding the admin role, removed the admin_token and restarted the keystone service.

  Now, using the admin user, I was able to do all possible operations with
  Keystone using the keystone client.

  
  ---------------------- Execution Log --------------
  /etc/keystone/keystone.conf
  ----------
  [DEFAULT]
  [assignment]
  driver = keystone.assignment.backends.sql.Assignment
  [auth]
  [cache]
  [catalog]
  [credential]
  [database]
  connection = mysql://keystone:Passw0rd@vmnode3/keystone
  [ec2]
  [endpoint_filter]
  [endpoint_policy]
  [federation]
  [identity]
  driver = keystone.identity.backends.sql.Identity
  [identity_mapping]
  [kvs]
  [ldap]
  [matchmaker_redis]
  [matchmaker_ring]
  [memcache]
  [oauth1]
  [os_inherit]
  [paste_deploy]
  [policy]
  [revoke]
  [saml]
  [signing]
  certfile = /etc/keystone/ssl/certs/signing_cert.pem
  keyfile = /etc/keystone/ssl/private/signing_key.pem
  ca_certs = /etc/keystone/ssl/certs/signing_cacert.pem
  [ssl]
  enable = False
  certfile = /etc/keystone/ssl/certs/ssl_cert.pem
  keyfile = /etc/keystone/ssl/private/ssl_key.pem
  ca_certs = /etc/keystone/ssl/certs/ssl_cacert.pem
  cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=vmnode
  [stats]
  [token]
  [trust]

  ----------------------------------------------------------------

  Empty signing certificates

  [root@vmnode3 ~]# cat /etc/keystone/ssl/certs/signing_cert.pem
  [root@vmnode3 ~]# cat /etc/keystone/ssl/private/signing_key.pem
  [root@vmnode3 ~]# cat /etc/keystone/ssl/certs/signing_cacert.pem
  [root@vmnode3 ~]# 
  [root@vmnode3 ~]# ls -ld /etc/keystone/ssl/certs/signing_cert.pem
  -rw-r--r-- 1 root root 0 Jan 13 18:37 /etc/keystone/ssl/certs/signing_cert.pem
  [root@vmnode3 ~]# ls -ld /etc/keystone/ssl/private/signing_key.pem
  -rw-r----- 1 keystone keystone 0 Jan 13 18:38 /etc/keystone/ssl/private/signing_key.pem
  [root@vmnode3 ~]# ls -ld /etc/keystone/ssl/certs/signing_cacert.pem
  -rw-r--r-- 1 keystone keystone 0 Jan 13 18:38 /etc/keystone/ssl/certs/signing_cacert.pem
  [root@vmnode3 ~]# 

  ----------------------------------------------------------------
  User, tenant, role, etc. creation with admin_token
  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure service-create --name keystone --type identity --description Keystone-Service

  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint
  http://vmnode:35357/v2.0 --insecure endpoint-create --service keystone
  --publicurl http://vmnode:5000/v2.0 --internalurl
  http://vmnode:35357/v2.0 --adminurl http://vmnode:35357/v2.0

  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint
  http://vmnode:35357/v2.0 --insecure user-create --name admin --pass
  Passw0rd

  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint
  http://vmnode:35357/v2.0 --insecure tenant-create --name service

  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint
  http://vmnode:35357/v2.0 --insecure role-create --name admin

  /usr/bin/keystone --os-token 0fb8d21c3cb944141a04 --os-endpoint http://vmnode:35357/v2.0 --insecure user-role-add --user admin --tenant service --role admin
  ----------------------------------------------------------------
  After removing the admin_token and restarting the keystone service
  [root@vmnode3 ~]# /usr/bin/keystone  --os-username admin --os-password Passw0rd  --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0  token-get
  +-----------+----------------------------------+
  |  Property |              Value               |
  +-----------+----------------------------------+
  |  expires  |       2015-01-13T14:16:12Z       |
  |     id    | 4c84b45c8e934031b86cf1f6f313422b |
  | tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
  |  user_id  | 1debdd4f623d495e8a5694482278ed8f |
  +-----------+----------------------------------+
  [root@vmnode3 ~]# /usr/bin/keystone  --os-username admin --os-password Passw0rd  --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0  token-get
  +-----------+----------------------------------+
  |  Property |              Value               |
  +-----------+----------------------------------+
  |  expires  |       2015-01-13T14:16:23Z       |
  |     id    | cd2639863a0e41638ddb7e37fc547166 |
  | tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
  |  user_id  | 1debdd4f623d495e8a5694482278ed8f |
  +-----------+----------------------------------+
  [root@vmnode3 ~]# ssh vmnode4
  Last login: Tue Jan 13 11:52:17 2015 from vmnode3
  [root@vmnode4 ~]# /usr/bin/keystone  --os-username admin --os-password Passw0rd  --os-tenant-name service --os-auth-url http://vmnode:35357/v2.0  token-get

  +-----------+----------------------------------+
  |  Property |              Value               |
  +-----------+----------------------------------+
  |  expires  |       2015-01-13T14:16:31Z       |
  |     id    | fd7fc5db4c87436dafa3aa1c03409e5a |
  | tenant_id | 6e4488e949404ff78d66d785d6eadd9c |
  |  user_id  | 1debdd4f623d495e8a5694482278ed8f |
  +-----------+----------------------------------+
  [root@vmnode4 ~]# 

  I was able to add a new user as an admin and do all Keystone operations
  using the new admin, even from a different client.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1410259/+subscriptions
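A defender-side check for the condition the report describes, added here as an example and not part of the bug report or of Keystone itself: it reads the [signing] options from keystone.conf (certfile, keyfile, ca_certs, the names used in the report's config) and flags files that are missing, zero bytes, lack a PEM header, or, for the private key, are world-readable. The temp paths and placeholder PEM content in demo() are constructed and are not real certificates or keys.

```python
import configparser
import os
import tempfile

# Expected PEM header per [signing] option; keys may be "RSA PRIVATE KEY" or
# "PRIVATE KEY", so only the BEGIN marker is checked for keyfile.
PEM_MARKERS = {
    "certfile": b"-----BEGIN CERTIFICATE-----",
    "keyfile": b"-----BEGIN",
    "ca_certs": b"-----BEGIN CERTIFICATE-----",
}

def check_signing_files(conf_text):
    """Return {option: problem} for the [signing] files ('' means OK). Cheap
    sanity check only (exists, non-empty, PEM header, key perms); no X.509 validation."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    results = {}
    for opt, marker in PEM_MARKERS.items():
        path = cfg.get("signing", opt, fallback=None)
        if path is None:
            results[opt] = "not configured"
        elif not os.path.isfile(path):
            results[opt] = "missing"
        elif os.path.getsize(path) == 0:
            results[opt] = "empty"  # the state shown in the bug report's ls -l output
        else:
            with open(path, "rb") as fh:
                head = fh.read(len(marker))
            if head != marker:
                results[opt] = "not PEM"
            elif opt == "keyfile" and os.stat(path).st_mode & 0o004:
                results[opt] = "world-readable"
            else:
                results[opt] = ""
    return results

def demo():
    """Recreate the report's zero-byte files in a temp dir and check them, then
    replace them with constructed placeholder PEM (not real keys) and re-check."""
    d = tempfile.mkdtemp()
    paths = {o: os.path.join(d, o + ".pem") for o in PEM_MARKERS}
    conf = "[signing]\n" + "".join(f"{o} = {p}\n" for o, p in paths.items())
    for p in paths.values():
        open(p, "wb").close()  # zero bytes, as in the report
    empty = check_signing_files(conf)
    for o, p in paths.items():
        with open(p, "wb") as fh:
            fh.write(PEM_MARKERS[o] + b"\nPLACEHOLDER\n-----END-----\n")
        os.chmod(p, 0o640 if o == "keyfile" else 0o644)
    return empty, check_signing_files(conf)
```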
