ec2 token authentication can't verify an SSL cert

Bug #1415223 reported by Steve McLellan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Heat | Fix Released | Medium | Anant Patil |
keystonemiddleware | Invalid | Undecided | Unassigned |

Bug Description

When keystone is deployed behind SSL, the ec2_authtoken options don't include the same SSL options that the various clients use, so it's not possible to authenticate tokens - the authentication request is:

  requests.post(keystone_ec2_uri, data=creds_json,
                                 headers=headers)

If keystone_ec2_uri is an HTTPS endpoint that requires a CA cert for validation, the request fails, and the instance trying to retrieve metadata via heat-cfn-api will never manage to do so.

Anant Patil (ananta)
Changed in heat:
assignee: nobody → Anant Patil (ananta)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151222

Changed in heat:
status: New → In Progress
Jamie Lennox (jamielennox) wrote :

Is it just me or is this just completely broken in keystonemiddleware?

The __init__ function [1] doesn't match the signature of what is being passed by either of the paste factories[2][3] and it looks like the breaking commit[4] seems to be when the package was created.

Would anyone notice if we simply deleted it?

[1] https://github.com/openstack/keystonemiddleware/blob/3e1bee7100d4214c6745a286601d338137a1cb3b/keystonemiddleware/ec2_token.py#L53
[2] https://github.com/openstack/keystonemiddleware/blob/3e1bee7100d4214c6745a286601d338137a1cb3b/keystonemiddleware/ec2_token.py#L123
[3] https://github.com/openstack/keystonemiddleware/blob/3e1bee7100d4214c6745a286601d338137a1cb3b/keystonemiddleware/ec2_token.py#L130
[4] https://github.com/openstack/keystonemiddleware/commit/ef4e828528b343bc3ea0e3dee25484a4125bc836

Angus Salkeld (asalkeld)
Changed in heat:
importance: Undecided → Medium
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/151222
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=11d04c8d6a7bf3fb5d6de2bd47117cea3c9fe403
Submitter: Jenkins
Branch: master

commit 11d04c8d6a7bf3fb5d6de2bd47117cea3c9fe403
Author: Anant Patil <email address hidden>
Date: Thu Jan 29 13:08:46 2015 +0530

    Enable SSL for EC2Tokens.

    When keystone is deployed behind SSL, the ec2_authtoken options don't
    have a way to include the same SSL options that the various clients use,
    so it's not possible to authenticate tokens.

    Capability to handle SSL options is added. ec2token makes use of HTTP
    request object from httplib. Config options to specify CA file, client
    side certificate, key file and "verify server certificate option" will
    be listed under "ec2authtoken" group in conf file.

    Change-Id: Ibede73a17ae951cff00a7d9629a4c08f82208139
    Closes-Bug: #1415223
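
An added example (not Heat's code and not taken from the linked review) of how the options named in the commit message can be mapped onto the `verify` and `cert` arguments of `requests.post`, so that the request from the bug description validates against a private CA. The key names inside `[ec2authtoken]`, the file paths and the endpoint are assumptions constructed for this example.

```python
import configparser
import json

# Constructed sample; key names and paths are assumptions for this example.
SAMPLE_CONF = """
[ec2authtoken]
keystone_ec2_uri = https://keystone.example.test:5000/v2.0/ec2tokens
ca_file = /etc/ssl/certs/private-ca.pem
cert_file = /etc/heat/client.crt
key_file = /etc/heat/client.key
insecure = false
"""


def tls_kwargs(section):
    """Map the TLS options to requests' `verify` and `cert` arguments."""
    ca_file = section.get("ca_file") or None
    cert_file = section.get("cert_file") or None
    key_file = section.get("key_file") or None
    insecure = section.getboolean("insecure", fallback=False)
    if key_file and not cert_file:
        raise ValueError("key_file is set but cert_file is missing")
    # A configured CA bundle always wins. Verification is turned off only
    # when no bundle is given and insecure is explicitly true.
    verify = ca_file if ca_file else not insecure
    cert = None
    if cert_file:
        # requests accepts a (cert, key) pair or one combined PEM path.
        cert = (cert_file, key_file) if key_file else cert_file
    return {"verify": verify, "cert": cert}


def authenticate(conf_text, creds, post):
    """POST the EC2 credentials with the configured TLS options applied.

    `post` is any callable with the requests.post signature: pass
    requests.post in real use, or a stub to keep the example offline.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser["ec2authtoken"]
    headers = {"Content-Type": "application/json"}
    return post(section["keystone_ec2_uri"], data=json.dumps(creds),
                headers=headers, **tls_kwargs(section))
```

With no TLS options set, `verify` stays `True`, which is the behaviour of the original call and the reason it fails against an endpoint signed by a private CA.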

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: kilo-rc1 → 2015.1.0
Steve Martinelli (stevemar) wrote :

We've had several changes to keystonemiddleware since the original report, marking this as incomplete since this may no longer be an issue

Changed in keystonemiddleware:
status: New → Incomplete
Changed in keystonemiddleware:
status: Incomplete → Won't Fix
status: Won't Fix → Invalid