Add TLS to the kibana service

Bug #1566117 reported by Jeffrey Zhang
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla | Fix Released | Critical | Dave McCowan |
Mitaka | Fix Released | Critical | Dave McCowan |

Bug Description

Kibana auth was introduced in https://bugs.launchpad.net/kolla/+bug/1556487.

We need to add TLS support for Kibana; this way, it will protect the plain credential when logging in.

Changed in kolla:
assignee: nobody → Jeffrey Zhang (jeffrey4l)
Steven Dake (sdake)
Changed in kolla:
status: New → Confirmed
importance: Undecided → Critical
milestone: none → newton-1
Dave McCowan (dave-mccowan) wrote :

This is harder than it looks. Since Kibana is a web application that returns URLs in response bodies, to support TLS those URLs need to be rewritten with https://. We'll need to use a front end like apache or nginx to do that.

shake.chen (shake-chen) wrote :

Seems Horizon also needs it.

Steven Dake (sdake) wrote :

Dave,

There are two parts to this. One is TLS of the Kibana service, and one is encrypting the plaintext password passed over the wire. We can enable TLS in the Kibana config directly. Would that work to trigger the plaintext password to be encrypted? Then it would be a matter of setting the TLS config bits in Kibana without the need for an nginx proxy.

Steven Dake (sdake)
Changed in kolla:
assignee: Jeffrey Zhang (jeffrey4l) → Steven Dake (sdake)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306302

Changed in kolla:
status: Confirmed → In Progress
Changed in kolla:
assignee: Steven Dake (sdake) → Dave McCowan (dave-mccowan)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (master)

Change abandoned by Steven Dake (<email address hidden>) on branch: master
Review: https://review.openstack.org/306302
Reason: Dave sorted this out much more nicely :)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/306571
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=4c8227ec8bb58d0259f04e26137f9312eecabd5c
Submitter: Jenkins
Branch: master

commit 4c8227ec8bb58d0259f04e26137f9312eecabd5c
Author: Dave McCowan <email address hidden>
Date: Tue Apr 12 00:58:56 2016 -0400

    Add TLS to Kibana Web Interface

    Use HAProxy to terminate a TLS connection on port 5601 for the
    Kibana dashboard when TLS is enabled for Kolla. x-forwarded-for
    and x-forwarded-proto headers are set to give Kibana the info it
    needs to write returned URLs.

    Change-Id: I03a2dd3a8e2513d38281b30bf4bae6449fec0316
    Closes-bug: #1566117

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/mitaka)

Reviewed: https://review.openstack.org/306582
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=74a148705f8899b9ffdfa1d1d7aa5e067dfeaeb7
Submitter: Jenkins
Branch: stable/mitaka

commit 74a148705f8899b9ffdfa1d1d7aa5e067dfeaeb7
Author: Dave McCowan <email address hidden>
Date: Tue Apr 12 00:58:56 2016 -0400

    Add TLS to Kibana Web Interface

    Use HAProxy to terminate a TLS connection on port 5601 for the
    Kibana dashboard when TLS is enabled for Kolla. x-forwarded-for
    and x-forwarded-proto headers are set to give Kibana the info it
    needs to write returned URLs.

    Change-Id: I03a2dd3a8e2513d38281b30bf4bae6449fec0316
    Closes-bug: #1566117
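
The approach the commit message describes (HAProxy terminating TLS on port 5601 and passing x-forwarded-for and x-forwarded-proto to Kibana) can be sketched as the HAProxy configuration below. This is an added example, not kolla's own haproxy.cfg template; the addresses, server names and certificate path are placeholders chosen for illustration.

```haproxy
# Added example; not kolla's haproxy.cfg template.
# Placeholders (assumptions): 192.0.2.10 = external VIP,
# 10.0.0.11 / 10.0.0.12 = Kibana hosts,
# /etc/haproxy/certs/kibana.pem = combined certificate + private key.

global
    # Refuse legacy protocol versions on every TLS listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Before: plain HTTP listener; Kibana login credentials cross the wire in clear text.
# frontend kibana_plain
#     bind 192.0.2.10:5601
#     default_backend kibana_back

# After: TLS is terminated at HAProxy on the same port.
frontend kibana_tls
    bind 192.0.2.10:5601 ssl crt /etc/haproxy/certs/kibana.pem
    # Appends the client address as X-Forwarded-For
    option forwardfor
    # Overwrite any client-supplied value so Kibana sees the real scheme
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend kibana_back

backend kibana_back
    # Kibana itself still speaks plain HTTP; keep this hop on the internal network only
    server kibana01 10.0.0.11:5601 check
    server kibana02 10.0.0.12:5601 check
```

Running `haproxy -c -f <file>` validates the syntax before a reload.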

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/kolla 2.0.0.0rc4

This issue was fixed in the openstack/kolla 2.0.0.0rc4 release candidate.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 2.0.0

This issue was fixed in the openstack/kolla 2.0.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 1.1.0

This issue was fixed in the openstack/kolla 1.1.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 3.0.0.0b1

This issue was fixed in the openstack/kolla 3.0.0.0b1 development milestone.
