Expose insecure option of keystoneclient to avoid SSL cert validation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ceilometer | Fix Released | Wishlist | Julien Danjou | |
| Havana | Fix Committed | Wishlist | Eoghan Glynn | |
Bug Description
The Ceilometer fix commit bug #1194046 seems to bring another problem.
Let's assume you comment out os_cacert or leave it blank if you don't need SSL;
the SSL auth against keystone will be used anyway as default and fails against it because of no cert and throws this error message:
2013-09-28 01:12:50.328 8621 ERROR keystoneclient.
2013-09-28 01:12:50.328 8621 WARNING keystoneclient.
2013-09-28 01:12:50.328 8621 INFO keystoneclient.
Seems like it tries to connect through the Keystone auth uri with https:// instead of http:// which you can see here in the Debug output of the API Call:
root@openstack-
INFO (connectionpool
DEBUG (connectionpool
DEBUG (http:110) curl -i -X GET -H 'X-Auth-Token: CENSORED' -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'User-Agent: python-
DEBUG (http:120)
HTTP/1.0 401 Unauthorized
date: Sat, 28 Sep 2013 13:00:36 GMT
content-length: 23
content-type: text/plain
www-authenticate: Keystone uri='https:/
server: WSGIServer/0.1 Python/2.7.3
Authentication required
WARNING (http:165) Request returned failure status.
Invalid OpenStack Identity credentials.
description: updated
Changed in ceilometer:
  milestone: none → icehouse-1
  status: Fix Committed → Fix Released
  tags: added: havana-backport-potential
Changed in ceilometer:
  milestone: icehouse-1 → 2014.1
I've read the keystoneclient code to understand this, and the problem seems actually to be that when using an https URL, the CA of the server is checked anyway. The CA cert just allows you to provide the CA to use; if you don't, what's used is the default httplib2 cert. So since your HTTPS Keystone server certificate is likely unrecognized, this does not work.
The only way to fix this is that you either provide the right CA cert to validate, or use the insecure option to keystoneclient. We don't export this into Ceilometer yet, so fixing this "bug" could be doing that.
Either way it's not really a bug.
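As an added illustration of the three outcomes described in the comment above (this is not code from Ceilometer or keystoneclient, and it uses the Python 3 standard-library `ssl` module rather than the httplib2 path keystoneclient used in 2013): with neither option set, an https:// endpoint is verified against the platform's default CA bundle, so a certificate from an unrecognised CA fails; providing the CA file makes that certificate verifiable; the insecure option drops verification entirely. The option names `cacert`/`insecure` follow the page; treating a blank `os_cacert` as "no custom CA" and the `verify_argument` mapping are my assumptions about how a requests-based client would handle them.

```python
import ssl


def _normalise_cacert(cacert):
    """A commented-out or blank os_cacert means 'no custom CA', not 'CA file named ""'.
    (Assumption: the page only says the setting was commented out or left blank.)"""
    if cacert is None:
        return None
    cacert = cacert.strip()
    return cacert or None


def make_tls_context(cacert=None, insecure=False):
    """Build the ssl.SSLContext a client would use for an https:// Keystone URL.

    * neither option set -> CERT_REQUIRED + hostname check against the default
                            CA bundle; an unrecognised CA fails (the reported symptom)
    * cacert given       -> additionally trust the CA in that PEM file
    * insecure=True      -> accept any certificate; the channel is still encrypted
                            but its peer is unauthenticated, so only for test setups
    """
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    cacert = _normalise_cacert(cacert)
    if insecure:
        # check_hostname must be cleared before verify_mode, or ssl raises ValueError
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif cacert:
        # Raises FileNotFoundError for a missing path, ssl.SSLError for a bad PEM
        ctx.load_verify_locations(cafile=cacert)
    return ctx


def verification_enabled(ctx):
    """True when the context will reject an unverifiable server certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


def cacert_is_usable(path):
    """True when the CA file can be loaded; False for a missing or invalid file."""
    try:
        make_tls_context(cacert=path)
        return True
    except (OSError, ssl.SSLError):
        return False


def verify_argument(cacert=None, insecure=False):
    """What a requests-based client would pass as verify= (assumed mapping):
    False when insecure, the CA path when given, otherwise True (default bundle)."""
    cacert = _normalise_cacert(cacert)
    if insecure:
        return False
    return cacert if cacert else True


if __name__ == "__main__":
    for opts in ({}, {"cacert": ""}, {"insecure": True}):
        ctx = make_tls_context(**opts)
        print(opts, "verify:", verification_enabled(ctx),
              "hostname check:", ctx.check_hostname,
              "requests verify=:", verify_argument(**opts))
```

The default context is what makes the reporter's setup fail: with `os_cacert` blank nothing disables verification, so the self-signed or private-CA Keystone certificate is rejected and the client falls back to the 401 seen in the debug output. Shipping the CA file is the fix that keeps the peer authenticated; `insecure` only removes the check.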