keystone-paste.ini file outdated in Keystone role

Bug #1695023 reported by Bertrand Lallau
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Fix Released | Undecided | Bertrand Lallau |
Ocata | Fix Released | Undecided | Unassigned |

Bug Description

Kolla-ansible actually brings its own keystone-paste.ini file in order to fix this security bug:
https://bugs.launchpad.net/kolla/+bug/1587747

The admin_token_auth middleware is no longer present in the keystone-paste.ini file brought by Keystone.

Furthermore, the keystone-paste.ini brought by Kolla-ansible is outdated:
* http_proxy_to_wsgi middleware is missing
* healthcheck middleware is missing
* osprofiler middleware is missing

Hence this file should not be managed by kolla-ansible.
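
An added example, not part of the original report or of kolla-ansible: a small audit of a paste-deploy file for the conditions the report names, namely admin_token_auth still wired in and the three newer middlewares absent. The sample file contents and the function name `audit_paste_ini` are constructed for illustration.

```python
import configparser

# Middleware names come from the bug report; the sample file is constructed.
FORBIDDEN = {"admin_token_auth"}
EXPECTED = {"http_proxy_to_wsgi", "healthcheck", "osprofiler"}

# Constructed sample of a stale, locally managed keystone-paste.ini.
STALE_SAMPLE = """
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[app:service_v3]
use = egg:keystone#service_v3

[pipeline:api_v3]
pipeline = admin_token_auth token_auth service_v3
"""


def audit_paste_ini(text):
    """Audit paste.ini text for forbidden and missing middleware."""
    # interpolation=None: paste files may contain %(here)s style values.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    defined, pipelines = set(), {}
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind in ("filter", "app"):
            defined.add(name)
        elif kind == "pipeline":
            # Pipelines are whitespace separated and may span several lines.
            pipelines[name] = cp.get(section, "pipeline", fallback="").split()
    used = {c for comps in pipelines.values() for c in comps}
    return {
        # (pipeline, middleware) pairs where a forbidden filter is active.
        "forbidden_in_pipeline": sorted(
            (p, c) for p, comps in pipelines.items()
            for c in comps if c in FORBIDDEN),
        # Declared but unused: one edit away from being active again.
        "forbidden_defined_only": sorted(FORBIDDEN & (defined - used)),
        # Neither declared nor used anywhere in the file.
        "missing": sorted(EXPECTED - used - defined),
    }


if __name__ == "__main__":
    for key, value in audit_paste_ini(STALE_SAMPLE).items():
        print(key, value)
```
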

Changed in kolla-ansible:
assignee: nobody → Bertrand Lallau (bertrand-lallau)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/469934

Changed in kolla-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla-ansible (master)

Change abandoned by Bertrand Lallau (<email address hidden>) on branch: master
Review: https://review.openstack.org/469934

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.openstack.org/462535
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=6ce222af3e5f25c8c1f08172e43621ebab5be929
Submitter: Jenkins
Branch: master

commit 6ce222af3e5f25c8c1f08172e43621ebab5be929
Author: Jeffrey Zhang <email address hidden>
Date: Mon Jun 12 08:59:57 2017 +0800

    Remove keystone-paste.ini file in kolla

    keystone-paste.ini file is introduced by
    I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
    admin_token_auth middleware. Now this middleware is removed by
    I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
    keystone-paste.ini file.

    This patch also keeps the custom paste file feature. Just put the file at
    the /etc/kolla/config/keystone/keystone-paste.ini path.

    Closes-Bug: #1695023
    Partially-Implements: blueprint custom-paste
    Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 5.0.0.0b3

This issue was fixed in the openstack/kolla-ansible 5.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/498699

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ocata)

Reviewed: https://review.openstack.org/498699
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=c80b21936a689e8d24aa49b2427fbf263e567669
Submitter: Jenkins
Branch: stable/ocata

commit c80b21936a689e8d24aa49b2427fbf263e567669
Author: Jeffrey Zhang <email address hidden>
Date: Mon Jun 12 08:59:57 2017 +0800

    Remove keystone-paste.ini file in kolla

    keystone-paste.ini file is introduced by
    I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
    admin_token_auth middleware. Now this middleware is removed by
    I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
    keystone-paste.ini file.

    This patch also keeps the custom paste file feature. Just put the file at
    the /etc/kolla/config/keystone/keystone-paste.ini path.

    Closes-Bug: #1695023
    Partially-Implements: blueprint custom-paste
    Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2
    (cherry picked from commit 6ce222af3e5f25c8c1f08172e43621ebab5be929)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 4.0.3

This issue was fixed in the openstack/kolla-ansible 4.0.3 release.
