keystone-manage fernet_setup fails silently

Bug #1624109 reported by Christophe Balczunas
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

This is from the Newton build openstack-keystone-10.0.0-0.20160905112836.816d260.el7.centos.noarch.

I created a /etc/keystone/fernet-keys directory with 775 permissions and tried to run keystone-manage fernet_setup:

[root@newton1 fernet-keys]# keystone-manage fernet_setup
usage: keystone-manage [bootstrap|credential_setup|db_sync|db_version|doctor|domain_config_upload|fernet_rotate|fernet_setup|mapping_populate|mapping_purge|mapping_engine|pki_setup|saml_idp_metadata|token_flush] fernet_setup
       [-h] --keystone-user KEYSTONE_USER --keystone-group KEYSTONE_GROUP
keystone-manage [bootstrap|credential_setup|db_sync|db_version|doctor|domain_config_upload|fernet_rotate|fernet_setup|mapping_populate|mapping_purge|mapping_engine|pki_setup|saml_idp_metadata|token_flush] fernet_setup: error: argument --keystone-user is required

Two issues. The first is that it's asking for --keystone-user and --keystone-group switches, which are probably not meant to be required switches for this command.

If I supply some value for these switches, the command executes but does nothing (does not generate startup keys in the directory). I am unable to test out fernet tokens.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

> Two issues. The first is that it's asking for --keystone-user and --keystone-group switches, which are probably not meant to be required switches for this command.

They are meant to be. You need to supply the user who will run keystone. The keys have permission 700 when they are created. It might be www-data or the user you are running apache with.

> If I supply some value for these switches, the command executes but does nothing (does not generate startup keys in the directory). I am unable to test out fernet tokens.

That's actually a bug :) It should probably fail loudly.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

> > Two issues. The first is that it's asking for --keystone-user and --keystone-group switches, which are probably not meant to be required switches for this command.

> They are meant to be. You need to supply the user who will run keystone. The keys have permission 700 when they are created. It might be www-data or the user you are running apache with.

Actually, this happens only when you run fernet_setup under root.

> If I supply some value for these switches, the command executes but does nothing (does not generate startup keys in the directory). I am unable to test out fernet tokens.

I cannot reproduce this. For garbage values I am getting
2016-09-16 01:11:45.194 11467 ERROR keystone ValueError: Unknown user 'asdasd' in --keystone-user

tags: added: rc-potential
Revision history for this message
Christophe Balczunas (pentatonic) wrote :

Thanks guys. After supplying the correct existing user and group to the command, it worked. So it was really just a matter of the silent failure, and me not understanding what the --keystone-user and --keystone-group were used for.
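The thread's two practical points are that fernet_setup must be told which user and group will run keystone (the repository is created private to that user, mode 700) and that an empty key directory after the command is a failure, not a success. The following POSIX shell check is an added example, not part of the bug report or of keystone itself; it verifies a fernet key repository after fernet_setup has been run. It assumes a GNU or BSD stat binary, that key files are named by integer (0, 1, ...), and that both the directory and every key must carry no group or world permission bits (the report only states 700 for the repository, so the per-key rule is an assumption). The user and group names in the usage comment (keystone:keystone) are placeholders; on the reporter's setup it would be the Apache user, as Boris notes.

```shell
#!/bin/sh
# Sanity check for a keystone fernet key repository after `keystone-manage fernet_setup`.
# Added example, not keystone code. Assumptions: key files are named by integer
# (0, 1, ...); the repository and each key must be private to the keystone user
# (no group/other permission bits); the host has GNU or BSD stat.

# fstat GNU_FMT BSD_FMT PATH: portable stat wrapper (GNU coreutils first, BSD fallback).
fstat() {
    stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"
}

# check_fernet_repo DIR USER GROUP
# Returns 0 if DIR is a usable key repository for a keystone process running as
# USER:GROUP, 1 otherwise, printing the first problem found. An empty directory
# (the "silent failure" from the report) is reported as an error.
check_fernet_repo() {
    dir=$1 want_user=$2 want_group=$3
    [ -d "$dir" ] || { echo "missing repository: $dir"; return 1; }

    # The repository itself must be mode 700 and owned by the service user/group.
    mode=$(fstat '%a' '%Lp' "$dir")
    case "$mode" in
        700) ;;
        *) echo "repository $dir has mode $mode, expected 700"; return 1 ;;
    esac
    owner=$(fstat '%U' '%Su' "$dir")
    group=$(fstat '%G' '%Sg' "$dir")
    if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
        echo "repository $dir is owned by $owner:$group, expected $want_user:$want_group"
        return 1
    fi

    # Every entry must be an integer-named, non-empty key file private to the user.
    nkeys=0
    for f in "$dir"/*; do
        [ -e "$f" ] || break          # empty directory: the glob did not expand
        name=${f##*/}
        case "$name" in
            ''|*[!0-9]*) echo "unexpected entry in repository: $name"; return 1 ;;
        esac
        [ -s "$f" ] || { echo "key $name is empty"; return 1; }
        kmode=$(fstat '%a' '%Lp' "$f")
        case "$kmode" in
            [0-7]00) ;;
            *) echo "key $name has mode $kmode; must not be group/world readable"; return 1 ;;
        esac
        kowner=$(fstat '%U' '%Su' "$f")
        [ "$kowner" = "$want_user" ] || { echo "key $name owned by $kowner, expected $want_user"; return 1; }
        nkeys=$((nkeys + 1))
    done

    [ "$nkeys" -gt 0 ] || { echo "repository $dir contains no keys: fernet_setup did nothing"; return 1; }
    echo "ok: $nkeys key(s) in $dir, private to $want_user:$want_group"
    return 0
}

# Usage (placeholder user/group; use the account that runs keystone, e.g. the Apache user):
#   keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
#   check_fernet_repo /etc/keystone/fernet-keys keystone keystone
```

The check is deliberately strict about ownership: if fernet_setup is run as root with the wrong --keystone-user, the keys exist but the keystone process cannot read a 700 directory owned by someone else, which looks the same as the "does nothing" symptom from the service's point of view.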

tags: removed: rc-potential
Revision history for this message
Steve Martinelli (stevemar) wrote :

Sounds like this should be invalid. It picks up whether the option is required or not, and prints valid output when the user id is garbage.

Changed in keystone:
status: New → Invalid