[detached-keystone plugin] OSTF should use public VIP to access Keystone if SSL is enabled

Bug #1533306 reported by Artem Panchenko
This bug affects 1 person
Affects             Status        Importance  Assigned to      Milestone
Fuel for OpenStack  Fix Released  High        Artem Panchenko
8.0.x               Fix Released  High        Artem Panchenko
Mitaka              Fix Released  High        Artem Panchenko

Bug Description

Health checks engine fails to set up HTTP proxy if the detached-keystone plugin is used for the environment and SSL for OpenStack endpoints is enabled:

fuel_health.config: DEBUG: Trying to authenticate at "https://10.109.6.4:5000/v2.0/" using HTTP proxy "http://10.109.5.8:8888" ...
keystoneclient.auth.identity.v2: DEBUG: Making authentication request to https://10.109.6.4:5000/v2.0/tokens
requests.packages.urllib3.connectionpool: INFO: Starting new HTTPS connection (1): 10.109.6.4
fuel_health.config: WARNING: Can not connect to Keystone with proxy on 10.109.5.8, error: Authorization Failed: SSL exception connecting to https://10.109.6.4:5000/v2.0/tokens: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
fuel_health.config: DEBUG: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fuel_health/config.py", line 834, in find_proxy
    if self.check_proxy_auth(proxy_ip, proxy_port, keystone_vip):
  File "/usr/lib/python2.7/site-packages/fuel_health/config.py", line 822, in check_proxy_auth
    timeout=10)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 166, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 589, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 210, in get_raw_token_from_identity_service
    _("Authorization Failed: %s") % e)
AuthorizationFailure: Authorization Failed: SSL exception connecting to https://10.109.6.4:5000/v2.0/tokens: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

OSTF tries to use detach_keystone_vip for accessing Keystone via HTTPS, but SSL endpoint is available only via public VIP by design:

http://paste.openstack.org/show/483631/
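
A preflight check that a health-check client could run before building an `https://` auth URL, added here as an example (it is not fuel-ostf code and not the fix that was merged). `probe_tls`, `first_tls_vip` and `start_plain_listener` are hypothetical names, and the loopback listener is a constructed stand-in for a VIP that serves only plain HTTP.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=3.0):
    """Return 'tls', 'handshake-failed' or 'unreachable' for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # protocol probe only; the real client
    ctx.verify_mode = ssl.CERT_NONE  # must still verify the certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"
    except ssl.SSLError:   # TCP connected, but the peer did not complete TLS
        return "handshake-failed"
    except OSError:        # refused, timed out, no route
        return "unreachable"

def first_tls_vip(vips, port=5000, probe=probe_tls):
    """Return the first VIP whose listener completes a TLS handshake."""
    for vip in vips:
        if probe(vip, port) == "tls":
            return vip
    return None

def start_plain_listener():
    """Constructed stand-in for an HTTP-only VIP; returns its loopback port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # swallow the ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plain_listener()
    # A TLS client pointed at a plain-HTTP listener fails in the handshake,
    # the same class of failure as the SSL exception in the log above.
    print(probe_tls("127.0.0.1", port))
    print(first_tls_vip(["127.0.0.1"], port=port))
```

Running such a probe against each candidate VIP separates a listener that does not complete TLS from one that is simply unreachable, which the single "Authorization Failed" message does not.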

no longer affects: fuel
no longer affects: fuel/future
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ostf (master)

Fix proposed to branch: master
Review: https://review.openstack.org/266520

Changed in fuel:
assignee: Fuel QA Team (fuel-qa) → Artem Panchenko (apanchenko-8)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ostf (master)

Reviewed: https://review.openstack.org/266520
Committed: https://git.openstack.org/cgit/openstack/fuel-ostf/commit/?id=39b5aec35a455b791a8bbe5d6d77fc0c43901120
Submitter: Jenkins
Branch: master

commit 39b5aec35a455b791a8bbe5d6d77fc0c43901120
Author: Artem Panchenko <email address hidden>
Date: Tue Jan 12 20:11:25 2016 +0200

    Use public VIP for Keystone API if SSL is enabled

    Force OSTF and OpenStack clients to use cluster public
    VIP instead of Keystone public VIP for authentication
    if SSL is enabled for endpoints, because by design SSL
    is configured only for public VIP.

    Change-Id: I53e54918b893f507cbac7d716300546a825467ea
    Closes-bug: #1533306

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ostf (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/268359

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ostf (stable/8.0)

Reviewed: https://review.openstack.org/268359
Committed: https://git.openstack.org/cgit/openstack/fuel-ostf/commit/?id=0ce0ce00804e2a8ed806b814136ec3afa49c3976
Submitter: Jenkins
Branch: stable/8.0

commit 0ce0ce00804e2a8ed806b814136ec3afa49c3976
Author: Artem Panchenko <email address hidden>
Date: Tue Jan 12 20:11:25 2016 +0200

    Use public VIP for Keystone API if SSL is enabled

    Force OSTF and OpenStack clients to use cluster public
    VIP instead of Keystone public VIP for authentication
    if SSL is enabled for endpoints, because by design SSL
    is configured only for public VIP.

    Change-Id: I53e54918b893f507cbac7d716300546a825467ea
    Closes-bug: #1533306
    (cherry picked from commit 39b5aec35a455b791a8bbe5d6d77fc0c43901120)

Tatyanka (tatyana-leontovich) wrote :

verified 466 iso

tags: added: area-ostf
removed: module-ostf ostf
tags: added: module-ostf ostf
removed: area-ostf
tags: added: area-ostf
removed: module-ostf ostf