
yahoo-eng-team team mailing list archive

[Bug 1815635] [NEW] Horizon is unable to retrieve Cinder API versions when it has a self-signed SSL certificate

 

Public bug reported:

With "OPENSTACK_SSL_NO_VERIFY = True" in local_settings.py, Horizon is
able to communicate with a Cinder API instance that is using a
self-signed certificate.

However, before communicating with the Cinder API, it first uses
cinderclient to retrieve available API versions:
https://github.com/openstack/horizon/blob/d5b7feb5d4bf622905d717cd20fc83fd136c8a8c/openstack_dashboard/api/cinder.py#L263

The get_server_version method from cinderclient doesn't support an
"insecure" or "verify" argument and the request it does to retrieve the
API versions is currently always secure:
https://github.com/openstack/python-cinderclient/blob/63b36a901bfaf2508a9c3cda1d8dafb8769f2340/cinderclient/client.py#L75-L109

Even with DEBUG logging enabled, it was not trivial to understand what
was going on because the only thing that gets written to the logs is
something that looks like this:

=====
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group panel will not be displayed.
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group Snapshot panel will not be displayed.
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group panel will not be displayed.
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group Snapshot panel will not be displayed.
=====

I had to manually add some tracing to get the actual exception:

=====
Traceback (most recent call last):
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/dashboards/project/volumes/views.py", line 63, in _get_volumes
    sort_dir=sort_dir, paginate=True)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 319, in volume_list_paged
    c_client = _cinderclient_with_generic_groups(request)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 271, in _cinderclient_with_generic_groups
    version = get_microversion(request, 'groups')
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 265, in get_microversion
    min_ver, max_ver = cinder_client.get_server_version(cinder_url)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/cinderclient/client.py", line 109, in get_server_version
    response = requests.get(version_url)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='172.29.236.100', port=8776): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
=====

It seems like the fix would be to add an "insecure" parameter to
cinderclient's get_server_version method and then use that parameter
from Horizon's "get_microversion" method for the Cinder API.

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1815635
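
Added example, not part of the original report and not cinderclient's or Horizon's own code: a sketch of the proposed fix, where version discovery accepts an "insecure" flag (plus a CA bundle path, which keeps verification on for a self-signed deployment) and logs the underlying TLS error before re-raising. The http_get parameter, the fake endpoint, the sample response and the CA path are assumptions made for the illustration.

```python
import logging

LOG = logging.getLogger(__name__)


def tls_verify_arg(insecure=False, cacert=None):
    """Map Horizon-style TLS settings onto requests' ``verify`` argument."""
    if insecure:
        return False        # verification off: any certificate is accepted
    return cacert or True   # trust the private CA bundle, else the system store


def get_server_version(url, insecure=False, cacert=None, http_get=None):
    """Return (min_version, max_version) advertised at a Cinder-style root URL.

    http_get is a hypothetical injection point so the function runs offline;
    by default it is requests.get.
    """
    if http_get is None:
        import requests
        http_get = requests.get
    try:
        response = http_get(url, verify=tls_verify_arg(insecure, cacert))
    except Exception:
        # Log the real cause (e.g. "certificate verify failed") before
        # re-raising, so it is not hidden behind a generic failure message.
        LOG.exception("Version discovery against %s failed", url)
        raise
    for version in response.json()["versions"]:
        if version.get("version"):   # entries without microversions carry ""
            return version["min_version"], version["version"]
    return "", ""


# Constructed stand-ins for the endpoint: a self-signed server fails under
# verify=True but answers when verification is off or its CA is supplied.
class FakeResponse:
    def json(self):
        return {"versions": [{"id": "v3.0", "min_version": "3.0", "version": "3.50"}]}


def fake_self_signed_get(url, verify=True):
    if verify is True:
        raise IOError("certificate verify failed")
    return FakeResponse()


if __name__ == "__main__":
    print(get_server_version("https://cinder.example:8776/",
                             cacert="/etc/ssl/private-ca.pem",  # constructed path
                             http_get=fake_self_signed_get))
```
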
