Access to keystone is denied for requests outside Fuel master node in CentOS7 (Fuel 8 build 310)

Bug #1521955 reported by Mikhail Chernik
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Ivan Suzdal

Bug Description

Due to blocked access to keystone, it is currently impossible to run, e.g., scripts which use the nailgun API from a host outside the cluster on Fuel 8.0 build 310.

The following rules in the keystone container block access:

26 48 2880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport ports 5000 ADDRTYPE match src-type LOCAL /* 047 keystone_local */
27 11 660 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport ports 5000 /* 048 keystone_block_ext */ reject-with icmp-port-unreachable
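
A small check, added here and not part of the bug report or of fuel-library, that parses `iptables -L -n -v --line-numbers` output in the format quoted above and reports whether the keystone port is reachable from non-local sources (iptables is first-match, so the LOCAL-only ACCEPT followed by the REJECT is what produces the blocking described). The two sample listings are constructed: the first reproduces the two rules from the description, the second is a hypothetical listing after the src-type restriction is removed.

```python
import re

KEYSTONE_PORT = "5000"

# Constructed sample: the two rules quoted in the bug description.
BLOCKED_LISTING = """\
26 48 2880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport ports 5000 ADDRTYPE match src-type LOCAL /* 047 keystone_local */
27 11 660 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport ports 5000 /* 048 keystone_block_ext */ reject-with icmp-port-unreachable
"""

# Constructed, hypothetical listing with the ACCEPT no longer limited to local sources.
OPEN_LISTING = """\
26 48 2880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport ports 5000 /* 047 keystone_allow */
"""

# Columns of `iptables -L -n -v --line-numbers`: num pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)"
    r"\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$"
)


def parse_rule(line):
    """Parse one listing line into a dict; returns None for non-rule lines (headers, blanks)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rest = rule["rest"]
    ports = re.search(r"multiport ports (\S+)", rest)
    rule["ports"] = ports.group(1).split(",") if ports else []
    src_type = re.search(r"ADDRTYPE match src-type (\S+)", rest)
    rule["src_type"] = src_type.group(1) if src_type else None
    comment = re.search(r"/\* (.*?) \*/", rest)
    rule["comment"] = comment.group(1) if comment else ""
    return rule


def keystone_exposure(listing, port=KEYSTONE_PORT):
    """Verdict for traffic from a NON-local source to `port`: 'open', 'blocked' or
    'policy' (no rule decides it, so the chain's default policy applies)."""
    rules = [r for r in map(parse_rule, listing.splitlines()) if r and port in r["ports"]]
    for r in rules:  # first match wins, exactly as the kernel evaluates the chain
        if r["src_type"] == "LOCAL":
            continue  # matches only packets sourced from the host's own addresses
        if r["target"] == "ACCEPT":
            return "open"
        if r["target"] in ("REJECT", "DROP"):
            return "blocked"
    return "policy"
```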

Dmitry Klenov (dklenov)
tags: added: area-mos
Changed in fuel:
milestone: none → 8.0
assignee: nobody → MOS Keystone (mos-keystone)
importance: Undecided → Medium
Revision history for this message
Alexander Makarov (amakarov) wrote :

It has nothing to do with keystone. Please reassign to the proper team, for example to those who develop those scripts.

Changed in fuel:
assignee: MOS Keystone (mos-keystone) → Mikhail Chernik (mchernik)
Changed in fuel:
assignee: Mikhail Chernik (mchernik) → Fuel Library Team (fuel-library)
status: New → Confirmed
tags: added: area-library
removed: area-mos
Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

By default access to keystone is blocked from all networks but admin:
https://github.com/openstack/fuel-library/blob/master/deployment/puppet/nailgun/manifests/iptables.pp#L200

What is your setup? How many networks? Can you provide iptables rules here?

Revision history for this message
Mikhail Chernik (mchernik) wrote :

We have a Jenkins job which creates and deploys a cluster with a script. It runs on a Jenkins slave host and interacts with Fuel by means of the Nailgun API, so the source of requests is outside the cluster network address space.

Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

What address are you interacting with? It should be on the same network as the Fuel admin IP. We explicitly block it to reduce threats. Your job could add an extra iptables rule.

Revision history for this message
Igor Marnat (imarnat) wrote :

Why is it medium? If this problem affects results of automated tests, it should be at least high. Raising to high.

Changed in fuel:
importance: Medium → High
Revision history for this message
Mikhail Chernik (mchernik) wrote :

We use the public interface of Fuel master node, the same which serves Fuel UI.

Adding an iptables rule is not a problem, but does it mean there is no more automation API available from, say, an engineer's host?

Dmitry Pyzhov (dpyzhov)
tags: added: regression-8.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/252550

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Ivan Suzdal (isuzdal)
status: Confirmed → In Progress
Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

If swift tries to set up on /srv/node instead of /var/lib/glance/node ( https://github.com/openstack/fuel-library/blob/master/deployment/puppet/osnailyfacter/modular/swift/swift.pp#L53 ), then something is being configured wrong

Changed in fuel:
assignee: Ivan Suzdal (isuzdal) → Dmitry Teselkin (teselkin-d)
Changed in fuel:
assignee: Dmitry Teselkin (teselkin-d) → Ivan Suzdal (isuzdal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/252550
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=916676b1e3d8b1b388ecfbb352114af5b99acc83
Submitter: Jenkins
Branch: master

commit 916676b1e3d8b1b388ecfbb352114af5b99acc83
Author: Ivan Suzdal <email address hidden>
Date: Wed Dec 2 21:47:47 2015 +0300

    Allow access to keystone_port from anywhere.

    Change-Id: I24ca56c709c26e79a63521f265534219a6322a1c
    Closes-Bug: #1521955

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
Egor Kotko (ykotko) wrote :

ISO #506

Changed in fuel:
status: Fix Committed → Fix Released