yahoo-eng-team team mailing list archive

[Bug 1592612] Re: LBaaS TLS is not working with non-admin tenant

To my knowledge we can grant ACL access to just the container the user is requesting we use for the listener creation, so we would not be granting the LBaaS service account access to all of the user's secrets, but just the ones that user is requesting we use for the listener.
Is that a misunderstanding?

** Changed in: octavia
       Status: New => Confirmed

** No longer affects: neutron

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1592612

Title:
  LBaaS TLS is not working with non-admin tenant

Status in Barbican:
  New
Status in octavia:
  Confirmed

Bug description:
  I went through https://wiki.openstack.org/wiki/Network/LBaaS/docs/how-
  to-create-tls-loadbalancer with devstack. And all my branches were set
  to stable/mitaka.

  If I set my user and tenant as "admin admin", the workflow passed.
  But it failed if I set the user and tenant to "admin demo" and rerun all the steps.

  Steps to reproduce:
  1. source ~/devstack/openrc admin demo
  2. barbican secret store --payload-content-type='text/plain' --name='certificate' --payload="$(cat server.crt)"
  3. barbican secret store --payload-content-type='text/plain' --name='private_key' --payload="$(cat server.key)"
  4. barbican secret container create --name='tls_container' --type='certificate' --secret="certificate=$(barbican secret list | awk '/ certificate / {print $2}')" --secret="private_key=$(barbican secret list | awk '/ private_key / {print $2}')"
  5. neutron lbaas-loadbalancer-create $(neutron subnet-list | awk '/ private-subnet / {print $2}') --name lb1
  6. neutron lbaas-listener-create --loadbalancer lb1 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(barbican secret container list | awk '/ tls_container / {print $2}')

  
  The error msg I got is 
  $ neutron lbaas-listener-create --loadbalancer 738689bd-b54e-485e-b742-57bd6e812270 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener2 --default-tls-container=$(barbican secret container list | awk '/ tls_container / {print $2}')
  WARNING:barbicanclient.barbican:This Barbican CLI interface has been deprecated and will be removed in the O release. Please use the openstack unified client instead.
  DEBUG:stevedore.extension:found extension EntryPoint.parse('table = cliff.formatters.table:TableFormatter')
  DEBUG:stevedore.extension:found extension EntryPoint.parse('json = cliff.formatters.json_format:JSONFormatter')
  DEBUG:stevedore.extension:found extension EntryPoint.parse('csv = cliff.formatters.commaseparated:CSVLister')
  DEBUG:stevedore.extension:found extension EntryPoint.parse('value = cliff.formatters.value:ValueFormatter')
  DEBUG:stevedore.extension:found extension EntryPoint.parse('yaml = cliff.formatters.yaml_format:YAMLFormatter')
  DEBUG:barbicanclient.client:Creating Client object
  DEBUG:barbicanclient.containers:Listing containers - offset 0 limit 10 name None type None
  DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://192.168.100.148:5000/v2.0/tokens
  INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.100.148
  Starting new HTTP connection (1): 192.168.100.148
  DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3924
  DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://192.168.100.148:9311 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
  INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.100.148
  Starting new HTTP connection (1): 192.168.100.148
  DEBUG:requests.packages.urllib3.connectionpool:"GET / HTTP/1.1" 300 353
  DEBUG:keystoneclient.session:RESP: [300] Content-Length: 353 Content-Type: application/json; charset=UTF-8 Connection: close
  RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-04-28T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.key-manager-v1+json"}], "id": "v1", "links": [{"href": "http://192.168.100.148:9311/v1/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}
  DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://192.168.100.148:9311/v1/containers -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}203d7de65f6cfb1fb170437ae2da98fef35f0942"
  INFO:requests.packages.urllib3.connectionpool:Resetting dropped connection: 192.168.100.148
  Resetting dropped connection: 192.168.100.148
  DEBUG:requests.packages.urllib3.connectionpool:"GET /v1/containers?limit=10&offset=0 HTTP/1.1" 200 585
  DEBUG:keystoneclient.session:RESP: [200] Connection: close Content-Type: application/json; charset=UTF-8 Content-Length: 585 x-openstack-request-id: req-aa4bb861-3d1d-42c6-be3d-5d3935622043
  RESP BODY: {"total": 1, "containers": [{"status": "ACTIVE", "updated": "2016-06-10T01:14:45", "name": "tls_container", "consumers": [], "created": "2016-06-10T01:14:45", "container_ref": "http://192.168.100.148:9311/v1/containers/4ca420a1-ed23-4e91-a08a-311dad3df801", "creator_id": "9ee7d4959bc74d2988d50e0e3a965c64", "secret_refs": [{"secret_ref": "http://192.168.100.148:9311/v1/secrets/c96944b3-174e-418f-8598-8979eafaa537", "name": "certificate"}, {"secret_ref": "http://192.168.100.148:9311/v1/secrets/2e25ad05-ecd6-43bd-95fa-046b9cbe2600", "name": "private_key"}], "type": "certificate"}]}
  DEBUG:barbicanclient.client:Response status 200
  DEBUG:barbicanclient.secrets:Getting secret - Secret href: http://192.168.100.148:9311/v1/secrets/2e25ad05-ecd6-43bd-95fa-046b9cbe2600
  DEBUG:barbicanclient.secrets:Getting secret - Secret href: http://192.168.100.148:9311/v1/secrets/c96944b3-174e-418f-8598-8979eafaa537
  TLS container http://192.168.100.148:9311/v1/containers/4ca420a1-ed23-4e91-a08a-311dad3df801 could not be found
  Neutron server returns request_ids: ['req-82d53607-3596-4eeb-b4ac-b96d9f861dc0']


  ============================

  
  The related barbican-svc log:
  2016-06-10 12:25:26.135 INFO barbican.api.controllers.containers [req-e7b592d4-376a-4729-ad20-5dfe9e93b6a4 d2d0cb2842eb450ebe032d70bcaeeb3b 9b07426f96574e27a18e596fb15ee5ec] Retrieved container list for project: 9b07426f96574e27a18e596fb15ee5ec
  2016-06-10 12:25:26.137 INFO barbican.api.middleware.context [req-e7b592d4-376a-4729-ad20-5dfe9e93b6a4 d2d0cb2842eb450ebe032d70bcaeeb3b 9b07426f96574e27a18e596fb15ee5ec] Processed request: 200 OK - GET http://192.168.100.149:9311/v1/containers?limit=10&offset=0
  {address space usage: 215629824 bytes/205MB} {rss usage: 100933632 bytes/96MB} [pid: 4671|app: 0|req: 117/117] 192.168.100.149 () {30 vars in 465 bytes} [Fri Jun 10 12:25:25 2016] GET /v1/containers?limit=10&offset=0 => generated 585 bytes in 155 msecs (HTTP/1.1 200) 4 headers in 172 bytes (1 switches on core 0)
  2016-06-10 12:25:28.183 ERROR barbican.model.repositories [req-4aebc499-b92d-4ab1-8b0e-52f12ddabdd2 d2d0cb2842eb450ebe032d70bcaeeb3b d24f00aff0b24f4ea7f37d193129d532] Not found for 8daec3a0-1582-4d59-ba04-be11d0c2d036
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories Traceback (most recent call last):
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories   File "/opt/stack/barbican/barbican/model/repositories.py", line 358, in get
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories     entity = query.one()
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories   File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 2699, in one
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories     raise orm_exc.NoResultFound("No row was found for one()")
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories NoResultFound: No row was found for one()
  2016-06-10 12:25:28.183 TRACE barbican.model.repositories
  2016-06-10 12:25:28.184 ERROR barbican.api.controllers [req-4aebc499-b92d-4ab1-8b0e-52f12ddabdd2 d2d0cb2842eb450ebe032d70bcaeeb3b d24f00aff0b24f4ea7f37d193129d532] Webob error seen
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers Traceback (most recent call last):
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 102, in handler
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 88, in enforcer
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 144, in content_types_enforcer
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/consumers.py", line 143, in on_post
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     controllers.containers.container_not_found()
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/containers.py", line 36, in container_not_found
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     pecan.abort(404, u._('Not Found. Sorry but your container is in '
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/usr/local/lib/python2.7/dist-packages/pecan/core.py", line 141, in abort
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     exec('raise webob_exception, None, traceback')
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/api/controllers/consumers.py", line 141, in on_post
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     external_project_id)
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/model/repositories.py", line 364, in get
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     _raise_entity_not_found(self._do_entity_name(), entity_id)
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers   File "/opt/stack/barbican/barbican/model/repositories.py", line 2250, in _raise_entity_not_found
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers     id=entity_id))
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers HTTPNotFound: Not Found. Sorry but your container is in another castle.
  2016-06-10 12:25:28.184 TRACE barbican.api.controllers
  2016-06-10 12:25:28.187 INFO barbican.api.middleware.context [req-4aebc499-b92d-4ab1-8b0e-52f12ddabdd2 d2d0cb2842eb450ebe032d70bcaeeb3b d24f00aff0b24f4ea7f37d193129d532] Processed request: 404 Not Found - POST http://192.168.100.149:9311/v1/containers/8daec3a0-1582-4d59-ba04-be11d0c2d036/consumers/

To manage notifications about this bug go to:
https://bugs.launchpad.net/barbican/+bug/1592612/+subscriptions
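The thread's core point is that Barbican answers 404 ("your container is in another castle") when a caller from a different project asks for a container it has no ACL on, and that the fix should grant the LBaaS service user read access only to the requested container and the secrets it references, not to every secret in the tenant. The following is an added, simplified model of that behaviour, written for this page and not Barbican's or Octavia's code; the class and function names (`Store`, `grant_container_to_service`, `visible_refs`) and the project, user and ref strings are invented for the illustration.

```python
"""Toy model of project-scoped lookup plus per-user read ACLs.

Added illustration for bug 1592612; NOT Barbican's implementation. It models
what the thread describes: a container or secret is visible to the project
that owns it, or to a user that has been granted a read ACL on that exact
ref, and everyone else receives "not found" rather than "forbidden".
"""


class NotFound(Exception):
    """Models the 404 a caller gets for a ref it is not allowed to see."""


class Store:
    """Refs, owning projects, per-ref read ACLs and container membership."""

    def __init__(self):
        self._owner = {}              # ref -> owning project id
        self._acl = {}                # ref -> set of user ids with read access
        self._container_secrets = {}  # container ref -> [secret refs]

    def add_secret(self, ref, project):
        self._owner[ref] = project

    def add_container(self, ref, project, secret_refs):
        missing = [s for s in secret_refs if s not in self._owner]
        if missing:
            raise ValueError("unknown secret refs: %r" % missing)
        self._owner[ref] = project
        self._container_secrets[ref] = list(secret_refs)

    def grant_read(self, ref, user):
        """Per-user read ACL on one ref only (the fix the comment proposes)."""
        if ref not in self._owner:
            raise NotFound(ref)
        self._acl.setdefault(ref, set()).add(user)

    def get(self, ref, user, project):
        """Project-scoped lookup: owner project or ACL'd user, else NotFound."""
        if ref not in self._owner:
            raise NotFound(ref)
        if self._owner[ref] == project or user in self._acl.get(ref, set()):
            return ref
        raise NotFound(ref)


def grant_container_to_service(store, container_ref, service_user):
    """Least-privilege grant: the container plus exactly the secrets it
    references. Returns the refs that were granted so the caller can audit."""
    refs = [container_ref] + store._container_secrets[container_ref]
    for ref in refs:
        store.grant_read(ref, service_user)
    return refs


def visible_refs(store, user, project):
    """Every ref the given caller can resolve, in sorted order."""
    out = []
    for ref in sorted(store._owner):
        try:
            store.get(ref, user, project)
            out.append(ref)
        except NotFound:
            pass
    return out


def demo():
    """Constructed scenario: tenant 'demo' owns a TLS container and an
    unrelated secret; the LBaaS service user lives in a separate project."""
    store = Store()
    demo_project = "demo-project"          # constructed sample ids
    svc_project = "lbaas-service-project"
    svc_user = "lbaas-svc-user"

    store.add_secret("secrets/certificate", demo_project)
    store.add_secret("secrets/private_key", demo_project)
    store.add_secret("secrets/unrelated", demo_project)
    store.add_container("containers/tls_container", demo_project,
                        ["secrets/certificate", "secrets/private_key"])

    # Before any ACL the service user sees nothing: the 404 from the report.
    before = visible_refs(store, svc_user, svc_project)
    granted = grant_container_to_service(store, "containers/tls_container",
                                         svc_user)
    # After the scoped grant only the container and its two secrets resolve;
    # the tenant's unrelated secret stays hidden from the service account.
    after = visible_refs(store, svc_user, svc_project)
    return before, granted, after


if __name__ == "__main__":
    print(demo())
```

The owner project still sees every ref it owns regardless of ACLs, which is why the same steps pass with the admin tenant in the report; the grant routine is the piece to audit when reviewing how a service account is given access.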
