PKI certs not readable by keystone user

Bug #1031372 reported by Dan Prince
Affects: OpenStack Identity (keystone)
  Status: Fix Released | Importance: High | Assigned to: Dirk Mueller
Affects: openstack-manuals
  Status: Fix Released | Importance: High | Assigned to: Anne Gentle

Bug Description

Most users are going to run 'keystone-manage pki_setup' as root. This generates a set of certificates and keys in /etc/keystone/ssl* which is owned by root:root.

This is problematic when trying to then run the Keystone daemon under the 'keystone' user account (nologin) when trying to run PKI. Unless you manually chown the files keystone:keystone you'll get an error like this:

2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load signing key file

-----

Is there anything we could/should do to make configuring PKI certs a bit more streamlined?

Until then I suppose we should make sure our documentation mentions the certs need to be readable by the keystone daemon user.

Joseph Heck (heckj)
tags: added: documentation
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Revision history for this message
Adam Young (ayoung) wrote :

Here is the issue: The certificates can be world readable, but the private key cannot be. It should only be readable by the account that is going to sign tokens.

The best option is to run keystone-manage pki_setup as the pki user.

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Adam Young (ayoung) wrote :

One option is to either pass in the PKI user to the command line or read them from a config file, and then do a chown of the files.

Tom Fifield (fifieldt)
tags: added: keystone
Revision history for this message
Tom Fifield (fifieldt) wrote :

@DocTeam: I can't find a reference to pki in the openstack-manuals repo at all right now - so this bug might need a bit more work to add further instructions.

Revision history for this message
Tom Fifield (fifieldt) wrote :

https://bugs.launchpad.net/openstack-manuals/+bug/1032788 - Task: Document how to configure Keystone with SSL

tracks the lack of PKI support and should be done prior to/in conjunction with this bug

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20913

Changed in keystone:
assignee: Adam Young (ayoung) → Dirk Mueller (dmllr)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/20913
Committed: http://github.com/openstack/keystone/commit/ca2b2cb4903aa1d8e6469b22e2022925ca413a9c
Submitter: Jenkins
Branch: master

commit ca2b2cb4903aa1d8e6469b22e2022925ca413a9c
Author: Dirk Mueller <email address hidden>
Date: Thu Jan 31 14:05:33 2013 +0100

    Add --keystone-user/group to keystone-manage pki_setup

    If called as root, --keystone-user and --keystone-group can be
    used to set the username and group keystone is going to run under.

    In that case, pki_setup is going to issue additional os.chown
    calls to change ownership of the PK files accordingly.

    Fixes LP Bug #1031372

    Change-Id: If9250ca9d0d86eebb9ad7c95ade17132ffd5a36c

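As an added illustration, not code from keystone or from either patch on this bug, the ownership pass the commit above describes together with the rule from Adam Young's comment (certificates may be world-readable, the signing key must not be), run over a constructed sample tree laid out like /etc/keystone/ssl. The uid/gid are passed as integers (a real --keystone-user/--keystone-group would be resolved with pwd.getpwnam and grp.getgrnam); only signing_key.pem is a name from the page, the other file names are assumed.

```python
import os
import stat
import tempfile


def fix_pki_ownership(ssl_dir, uid, gid):
    """Chown the tree to the daemon ids; certs world-readable, private/ and keys owner-only."""
    changed = []
    for root, _dirs, files in os.walk(ssl_dir):
        private = os.path.basename(root) == "private"
        os.chown(root, uid, gid)
        os.chmod(root, 0o700 if private else 0o755)
        for name in files:
            path = os.path.join(root, name)
            os.chown(path, uid, gid)
            os.chmod(path, 0o600 if private else 0o644)
            changed.append(path)
    return changed


def audit_pki_perms(ssl_dir, uid):
    """Return (path, problem) findings; empty means only the daemon uid can read its key."""
    findings = []
    for root, _dirs, files in os.walk(ssl_dir):
        private = os.path.basename(root) == "private"
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            if st.st_uid != uid:
                findings.append((path, "not owned by uid %d" % uid))
            if private and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, "private key accessible by group/other"))
            if not private and not (st.st_mode & stat.S_IROTH):
                findings.append((path, "certificate not world-readable"))
    return findings


def current_ids():
    """Ids of the running account, standing in for the keystone daemon user."""
    return os.getuid(), os.getgid()


def build_sample_tree():
    """Constructed stand-in for pki_setup output, with the key left world-readable."""
    base = tempfile.mkdtemp(prefix="keystone-ssl-")
    for sub, name in (("certs", "signing_cert.pem"), ("certs", "ca.pem"),
                      ("private", "signing_key.pem")):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        path = os.path.join(base, sub, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed content
        os.chmod(path, 0o644)  # the weak mode the audit should flag on the key
    return base
```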
Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Revision history for this message
Dan Reif (a-launchpad20130227) wrote : Re: keystone-manage pki_setup creates certs owned by root

Having just run into this one, it seems like pki_setup should require an affirmative option in order to create the certs as root. In every installation tutorial that I have come across, the keystone service runs as the keystone user, meaning that running pki_setup as root and intending the resulting files to be owned by root is very much the exception.

Consequently, I'd like to recommend that the keystone-user and keystone-group options be required for pki_setup if the command is being run as root. Note that this still allows you to specify "--keystone-user root --keystone-group root". Alternately, since we're still ahead of the release cycle, simply requiring those two options in all cases (rather than just when geteuid()==0) would also be acceptable.

Dolph Mathews (dolph)
summary: - keystone-manage pki_setup creates certs owned by root
+ PKI certs not readable by keystone user
Anne Gentle (annegentle)
Changed in openstack-manuals:
assignee: nobody → Anne Gentle (annegentle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/24928
Committed: http://github.com/openstack/openstack-manuals/commit/d49fcf47e12b7af43544c9651edb427d318280e2
Submitter: Jenkins
Branch: master

commit d49fcf47e12b7af43544c9651edb427d318280e2
Author: annegentle <email address hidden>
Date: Wed Mar 20 15:38:05 2013 -0500

    Warn users about possible problems when creating pki certs.

    Fix bug 1031372

    Change-Id: I1902de5adb859e2d1d4eee27502e00b9d3d6dcff

Changed in openstack-manuals:
status: Triaged → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-3 → 2013.1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/29644

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/29644
Committed: http://github.com/openstack/keystone/commit/f0a9affcaf25b5b53b465b96a5afddf560703d95
Submitter: Jenkins
Branch: master

commit f0a9affcaf25b5b53b465b96a5afddf560703d95
Author: Dirk Mueller <email address hidden>
Date: Sat May 18 16:10:10 2013 +0200

    Require keystone-user/-group for pki_setup

    If pki_setup is run as root, require the keystone-user
    and keystone-group parameters to be set, to enforce
    the proper permissions to be created on the files.

    This follows a suggestion in the bug report.

    Fixes LP Bug #1031372

    Change-Id: I00d9e0499d16716af3267914b6b78841f1ad1e0f
