yahoo-eng-team team mailing list archive

[Bug 1619758] [NEW] Credential Encryption breaks deployments without Fernet

 

Public bug reported:

A recent change to encrypt credentials broke RDO/Tripleo deployments:


2016-09-02 17:16:55.074 17619 ERROR keystone.common.fernet_utils [req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 fd71b607cfa84539bf0440915ea2d94b - default default] Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi [req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 fd71b607cfa84539bf0440915ea2d94b - default default] MultiFernet requires at least one Fernet instance
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 225, in __call__
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     result = method(req, **params)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in inner
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     return f(self, request, *args, **kwargs)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 69, in create_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     ref = self.credential_api.create_credential(ref['id'], ref)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in wrapped
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 106, in create_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     credential_copy = self._encrypt_credential(credential)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 72, in _encrypt_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     json.dumps(credential['blob'])
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py", line 68, in encrypt
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     crypto, keys = get_multi_fernet_keys()
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py", line 49, in get_multi_fernet_keys
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     crypto = fernet.MultiFernet(fernet_keys)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/cryptography/fernet.py", line 128, in __init__
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     "MultiFernet requires at least one Fernet instance"
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi ValueError: MultiFernet requires at least one Fernet instance
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi

** Affects: keystone
     Importance: Undecided
         Status: New

** Affects: tripleo
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1619758

Title:
  Credential Encryption breaks deployments without Fernet

Status in OpenStack Identity (keystone):
  New
Status in tripleo:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1619758/+subscriptions
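
Added example, not part of the original bug report and not keystone's own code: a preflight check a deployment tool could run against the credential key repository before starting the service, so that a missing, unreadable or empty directory is reported as such instead of surfacing later as "MultiFernet requires at least one Fernet instance". The names load_fernet_keys and KeyRepositoryError are hypothetical; the assumed layout is one key per integer-named file with the highest number as the primary key, and the keys in demo() are constructed.

```python
import base64
import os
import stat
import tempfile


class KeyRepositoryError(Exception):
    """The repository cannot supply a usable Fernet key."""


def load_fernet_keys(repo):
    """Return the keys in repo, highest-numbered (primary) first."""
    if not os.path.isdir(repo):
        raise KeyRepositoryError("key repository does not exist: " + repo)
    if not os.access(repo, os.R_OK | os.X_OK):
        raise KeyRepositoryError("key repository is not readable: " + repo)
    if stat.S_IMODE(os.stat(repo).st_mode) & stat.S_IRWXO:  # this example's policy
        raise KeyRepositoryError("key repository is world-accessible: " + repo)
    keys = {}
    for name in os.listdir(repo):
        if not name.isdigit():
            continue  # skip backups and temp files
        with open(os.path.join(repo, name), "rb") as fh:
            key = fh.read().strip()
        if len(key) != 44:  # 32 key bytes are 44 url-safe base64 characters
            raise KeyRepositoryError("malformed Fernet key in file: " + name)
        keys[int(name)] = key
    if not keys:  # the state that makes MultiFernet([]) raise ValueError
        raise KeyRepositoryError("key repository contains no keys: " + repo)
    return [keys[i] for i in sorted(keys, reverse=True)]


def demo():
    """Check one constructed repository while missing, empty and populated."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "credential-keys")
        for state in ("missing", "empty", "populated"):
            if state == "empty":
                os.mkdir(repo, 0o700)
            elif state == "populated":
                for i in (0, 1):  # constructed random keys
                    with open(os.path.join(repo, str(i)), "wb") as fh:
                        fh.write(base64.urlsafe_b64encode(os.urandom(32)))
            try:
                out[state] = len(load_fernet_keys(repo))
            except KeyRepositoryError as exc:
                out[state] = str(exc).split(":")[0]
    return out
```

The length test only catches truncated or empty key files; full validation happens when the key is handed to the Fernet constructor.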

