tripleo

Keystone's admin endpoint is listening on the public VIP

Bug #1710909 reported by Juan Antonio Osorio Robles
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Juan Antonio Osorio Robles
tripleo pike-rc1

Bug Description

Here's a sample of the haproxy configuration:

listen keystone_admin
  bind 10.0.0.5:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.168.24.6:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option httpchk GET /v3
  redirect scheme https code 301 if { hdr(host) -i 10.0.0.5 } !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0.ctlplane.localdomain 192.168.24.15:35357 check fall 5 inter 2000 rise 2
  server overcloud-controller-1.ctlplane.localdomain 192.168.24.8:35357 check fall 5 inter 2000 rise 2
  server overcloud-controller-2.ctlplane.localdomain 192.168.24.16:35357 check fall 5 inter 2000 rise 2

This should not be the case, since the keystone_admin endpoint is meant for internal use (by an admin).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/493937

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Emilien Macchi (emilienm)
Changed in tripleo:
importance: Undecided → High
milestone: none → pike-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/493937
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5222b8d920d5b5b2e87004c10808b6bea597720a
Submitter: Jenkins
Branch: master

commit 5222b8d920d5b5b2e87004c10808b6bea597720a
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Aug 15 19:02:42 2017 +0300

    Remove extra keystone admin haproxy listen and allow TLS

    The current code exposes an unused public listen directive in HAProxy
    for the keystone admin endpoint. This is not ideal and should be
    removed, as it exposes the service unnecessarily. We should stick to
    just exposing it to the ctlplane network as is the default.

    If folks really need to expose it to the public network, they can do so
    by modifying the ServiceNetMap through t-h-t and setting the keystone
    admin endpoint's network to external.

    Now, for "single" or "internal" haproxy endpoints, this adds the ability
    to detect if they're using the external network, and thus use TLS on it.
    Which is something a deployer would want if they exposed the keystone
    admin endpoint in such a way.

    Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
    Closes-Bug: #1710909
    Closes-Bug: #1639996

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/494947

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.3.0

This issue was fixed in the openstack/puppet-tripleo 7.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/494947
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=673c45e789a6947856540cfca2771851f3b1d0aa
Submitter: Jenkins
Branch: stable/ocata

commit 673c45e789a6947856540cfca2771851f3b1d0aa
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Aug 15 19:02:42 2017 +0300

    Remove extra keystone admin haproxy listen and allow TLS

    The current code exposes an unused public listen directive in HAProxy
    for the keystone admin endpoint. This is not ideal and should be
    removed, as it exposes the service unnecessarily. We should stick to
    just exposing it to the ctlplane network as is the default.

    If folks really need to expose it to the public network, they can do so
    by modifying the ServiceNetMap through t-h-t and setting the keystone
    admin endpoint's network to external.

    Now, for "single" or "internal" haproxy endpoints, this adds the ability
    to detect if they're using the external network, and thus use TLS on it.
    Which is something a deployer would want if they exposed the keystone
    admin endpoint in such a way.

    Conflicts:
     manifests/haproxy.pp

    Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
    Closes-Bug: #1710909
    Closes-Bug: #1639996
    (cherry picked from commit 5222b8d920d5b5b2e87004c10808b6bea597720a)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/510738

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.5.3

This issue was fixed in the openstack/puppet-tripleo 6.5.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/510738
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=4d6fb86be4dac27acf82e4e3eb3397cd8f9686ff
Submitter: Jenkins
Branch: stable/newton

commit 4d6fb86be4dac27acf82e4e3eb3397cd8f9686ff
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Aug 15 19:02:42 2017 +0300

    Remove extra keystone admin haproxy listen and allow TLS

    The current code exposes an unused public listen directive in HAProxy
    for the keystone admin endpoint. This is not ideal and should be
    removed, as it exposes the service unnecessarily. We should stick to
    just exposing it to the ctlplane network as is the default.

    If folks really need to expose it to the public network, they can do so
    by modifying the ServiceNetMap through t-h-t and setting the keystone
    admin endpoint's network to external.

    Now, for "single" or "internal" haproxy endpoints, this adds the ability
    to detect if they're using the external network, and thus use TLS on it.
    Which is something a deployer would want if they exposed the keystone
    admin endpoint in such a way.

    Conflicts:
     manifests/haproxy.pp
     manifests/haproxy/endpoint.pp

    (cherry picked from commit 5222b8d920d5b5b2e87004c10808b6bea597720a)
    (cherry picked from commit 673c45e789a6947856540cfca2771851f3b1d0aa)

    Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
    Closes-Bug: #1710909
    Closes-Bug: #1639996

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 5.6.4

This issue was fixed in the openstack/puppet-tripleo 5.6.4 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.