Cinder

Cinder quotas fail with https:// keystone URL.

Bug #1537783 reported by György Szombathelyi
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
Undecided
György Szombathelyi

Bug Description

AFter this bug:
https://bugs.launchpad.net/cinder/+bug/1516085
fixed, there's still an error at the connection to keystone, when keystone is secured by TLS. The problem is the client.Client call does not pass keystone_authoken.cafile nor keystone_authtoken.insecure, so the SSL checks can fail.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/272437

Changed in cinder:
assignee: nobody → György Szombathelyi (gyurco)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/272437
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=6c27d05d8faa2fb284a0c9eeb57480bb5e82942f
Submitter: Jenkins
Branch: master

commit 6c27d05d8faa2fb284a0c9eeb57480bb5e82942f
Author: Gyorgy Szombathelyi <email address hidden>
Date: Sat Feb 20 19:34:48 2016 +0100

    Support https keystone CA checking in volume quotas

    Currently connecting to https secured keystone instance mostly
    fail in cinder quotas, since neither CA certificate nor the
    insecure option is passed to keystone client. Fixing this by
    passing these options from keystone_authtoken, converting them
    to a verify option for the keystone session object.

    Change-Id: Ifd9214b837d87d7bf6d78406a8cef447c2b7c39e
    Closes-Bug: #1537783

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/298912

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/cinder 9.0.0.0b1

This issue was fixed in the openstack/cinder 9.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/mitaka)

Reviewed: https://review.openstack.org/298912
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=7b630d60041eee981f54136ab9457854a48ec74f
Submitter: Jenkins
Branch: stable/mitaka

commit 7b630d60041eee981f54136ab9457854a48ec74f
Author: Gyorgy Szombathelyi <email address hidden>
Date: Sat Feb 20 19:34:48 2016 +0100

    Support https keystone CA checking in volume quotas

    Currently connecting to https secured keystone instance mostly
    fail in cinder quotas, since neither CA certificate nor the
    insecure option is passed to keystone client. Fixing this by
    passing these options from keystone_authtoken, converting them
    to a verify option for the keystone session object.

    Change-Id: Ifd9214b837d87d7bf6d78406a8cef447c2b7c39e
    Closes-Bug: #1537783
    (cherry picked from commit 6c27d05d8faa2fb284a0c9eeb57480bb5e82942f)

tags: added: in-stable-mitaka
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cinder (stable/liberty)

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/332812

Revision history for this message
jichenjc (jichenjc) wrote :

I am trying to backport this to liberty https://review.openstack.org/332812
the reason is if no CA usage will lead to maluser to do the midattack if https is used?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/333749

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (stable/liberty)

Change abandoned by jichenjc (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/332812

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/liberty)

Reviewed: https://review.openstack.org/333749
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=36aae4305846605775b5a4a4acc0499daf39ec94
Submitter: Jenkins
Branch: stable/liberty

commit 36aae4305846605775b5a4a4acc0499daf39ec94
Author: Gyorgy Szombathelyi <email address hidden>
Date: Sat Feb 20 19:34:48 2016 +0100

    Support https keystone CA checking in volume quotas

    Currently connecting to https secured keystone instance mostly
    fail in cinder quotas, since neither CA certificate nor the
    insecure option is passed to keystone client. Fixing this by
    passing these options from keystone_authtoken, converting them
    to a verify option for the keystone session object.

    This can't be directly cherrypicked since code directory
    changes, so add patch to old place instead.

    Change-Id: Ifd9214b837d87d7bf6d78406a8cef447c2b7c39e
    Closes-Bug: #1537783
    (cherry picked from commit 6c27d05d8faa2fb284a0c9eeb57480bb5e82942f)

tags: added: in-stable-liberty
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/cinder 8.1.0

This issue was fixed in the openstack/cinder 8.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 7.0.3

This issue was fixed in the openstack/cinder 7.0.3 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.