yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #55903
[Bug 1619758] Re: Credential Encryption breaks deployments without Fernet
I'm adding TripleO because we need to automate the process of upgrade regarding:
http://docs.openstack.org/releasenotes/keystone/unreleased.html#upgrade-notes
"Keystone now supports encrypted credentials at rest. In order to
upgrade successfully to Newton, deployers must encrypt all credentials
currently stored before contracting the database. Deployers must run
keystone-manage credential_setup in order to use the credential API
within Newton, or finish the upgrade from Mitaka to Newton. This will
result in a service outage for the credential API where credentials will
be read-only for the duration of the upgrade process. Once the database
is contracted credentials will be writeable again. Database contraction
phases only apply to rolling upgrades."
So I'm going to try to make it transparent in puppet-keystone but for
sure TripleO will have to run the command in the upgrade scripts.
** Also affects: tripleo
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1619758
Title:
Credential Encryption breaks deployments without Fernet
Status in OpenStack Identity (keystone):
New
Status in tripleo:
New
Bug description:
A recent change to encrypt credetials broke RDO/Tripleo deployments:
2016-09-02 17:16:55.074 17619 ERROR keystone.common.fernet_utils [req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 fd71b607cfa84539bf0440915ea2d94b - default default] Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi [req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 fd71b607cfa84539bf0440915ea2d94b - default default] MultiFernet requires at least one Fernet instance
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 225, in __call__
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi result = method(req, **params)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in inner
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi return f(self, request, *args, **kwargs)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 69, in create_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi ref = self.credential_api.create_credential(ref['id'], ref)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in wrapped
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 106, in create_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi credential_copy = self._encrypt_credential(credential)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 72, in _encrypt_credential
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi json.dumps(credential['blob'])
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py", line 68, in encrypt
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi crypto, keys = get_multi_fernet_keys()
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py", line 49, in get_multi_fernet_keys
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi crypto = fernet.MultiFernet(fernet_keys)
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/cryptography/fernet.py", line 128, in __init__
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi "MultiFernet requires at least one Fernet instance"
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi ValueError: MultiFernet requires at least one Fernet instance
2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1619758/+subscriptions
References