insecure=True not documented outside of keystoneclient.middleware.auth_token
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Low | Unassigned | |
openstack-manuals | Fix Released | High | Andreas Jaeger | |
python-keystoneclient | Invalid | Undecided | Unassigned | |
Bug Description
We use a self-signed certificate with all openstack services. It all worked so far, but broke once keystoneclient v0.4.0 was released last week.
As per this commit, keystoneclient by default uses insecure=False.
https:/
This breaks self-signed instances. The openstack components {nova, glance, neutron} are unable to communicate with keystone. We don't use horizon or swift. I presume they are broken as well. The keystone client is happy, though, if we use the --insecure flag while using it directly.
Ideally, we should introduce new config parameter keystone_
[barumugam@build tempest]$ keystone --insecure tenant-list
+------
| id | name | enabled |
+------
| csi-tenant-tempest | csi-tenant-tempest | True |
+------
[barumugam@build tempest]$ nova --insecure list
ERROR: Unauthorized (HTTP 401)
Nova log:
2013-10-13 00:01:56,680 (keystoneclient
2013-10-13 00:01:56,682 (keystoneclient
Traceback (most recent call last):
File "/usr/local/
verified = self.verify_
File "/usr/local/
if self.is_
File "/usr/local/
revocation_list = self.token_
File "/usr/local/
self.
File "/usr/local/
additional_
File "/usr/local/
response = self._http_
File "/usr/local/
raise NetworkError(
tags: added: documentation; removed: certificate keystoneclient self-signed
summary:
- openstack services unable to reach to self-signed keystone
+ insecure=True not documented outside of
+ keystoneclient.middleware.auth_token
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana
status: Confirmed → Triaged
no longer affects: nova
tags: added: sec-guide
Changed in openstack-manuals:
assignee: nobody → chandankumar (chandankumar-093047)
Changed in openstack-manuals:
assignee: chandankumar (chandankumar-093047) → Andreas Jaeger (jaegerandi)
Mailing List Thread: http://lists.openstack.org/pipermail/openstack-dev/2013-October/016627.html
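A defender-side check for the setting this report is about, added here as an example and not code from the bug report or from keystoneclient: it audits the auth_token section of a service config and flags insecure=true, which turns certificate verification off, in favour of trusting the self-signed keystone's CA file. The `[keystone_authtoken]` section name and the `cafile` and `auth_protocol` options belong to the auth_token middleware but are not shown on this page; the hostnames and paths are constructed.

```python
import configparser

# Constructed sample configs (e.g. fragments of nova.conf); hosts and paths are made up.
SAMPLE_WEAK = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.test
insecure = true
"""
SAMPLE_PINNED = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.test
cafile = /etc/ssl/certs/keystone-ca.pem
"""
SAMPLE_DEFAULT = """
[keystone_authtoken]
auth_protocol = https
auth_host = keystone.example.test
"""

def audit_authtoken(text, section="keystone_authtoken"):
    """Return a list of (level, message) findings for auth_token TLS settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section(section):
        return [("info", "no [%s] section" % section)]
    opts = cp[section]
    # Assumption: the middleware defaults to https and insecure=False.
    https = opts.get("auth_protocol", fallback="https").strip().lower() == "https"
    insecure = opts.getboolean("insecure", fallback=False)
    cafile = opts.get("cafile", fallback="").strip()
    if not https:
        return [("high", "auth_protocol is not https; TLS settings do not apply")]
    if insecure:
        return [("high", "insecure=true disables certificate verification")]
    if not cafile:
        return [("warn", "no cafile; only system CAs are trusted, "
                         "so a self-signed keystone is rejected")]
    return [("ok", "certificate verified against " + cafile)]

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("pinned", SAMPLE_PINNED),
                      ("default", SAMPLE_DEFAULT)):
        for level, msg in audit_authtoken(cfg):
            print("%-8s %-5s %s" % (name, level, msg))
```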