Running Pike manila-api directly with SSL does not speak SSL

Bug #1730529 reported by Steve Kowalik
| Affects | Status | Importance | Assigned to | Milestone |
| OpenStack Shared File Systems Service (Manila) | Fix Released | Undecided | junboli | |

Bug Description

Deploying manila-api with the SSL keys and certificates configured in the manila configuration file, and running manila-api directly results in the API speaking HTTP over HTTPS -- if the endpoint is registered as an https:// endpoint, the manila command line client gives the following error:

[Note we need to use --insecure due to using self-signed certificates]
# openstack --insecure endpoint list | grep manila
| 6a6a21c0cea04268a6f8d473d53d6342 | RegionOne | manilav2 | sharev2 | True | internal | https://d52-54-77-77-01-01.vp4.cloud.suse.de:8786/v2/$(project_id)s |
...
# manila --insecure service-list
...
ERROR: HTTPSConnectionPool(host='public.d52-54-77-77-01-01.vp4.cloud.suse.de', port=8786): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'unknown protocol')],)",),))

If you use curl -k (again, for self-signed certificates), you can see it does actually use HTTP:

# curl -k https://d52-54-77-77-01-01.vp4.cloud.suse.de:8786/v2/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
# curl -k http://d52-54-77-77-01-01.vp4.cloud.suse.de:8786/v2/
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

If manila-api is deployed via WSGI, then it can be deployed and used while utilising HTTPS:

# manila --insecure service-list
...
+----+------------------+--------------------------------------+------+---------+-------+----------------------------+
| Id | Binary | Host | Zone | Status | State | Updated_at |
+----+------------------+--------------------------------------+------+---------+-------+----------------------------+
| 1 | manila-scheduler | d52-54-77-77-01-01 | nova | enabled | up | 2017-11-06T23:28:45.000000 |
| 2 | manila-share | d52-54-77-77-01-02@backend-generic-0 | nova | enabled | down | None |
| 3 | manila-share | d52-54-77-77-01-03@backend-generic-0 | nova | enabled | down | None |
+----+------------------+--------------------------------------+------+---------+-------+----------------------------+

Worse, you have no idea that this is a problem when it's deploying since the configuration parameters are not marked as deprecated and there is no pointer in the release notes. If you search the code for the configuration options, you can see that they are defined, but never used:

steven@wrecked:~/manila% git grep "ssl_\(key\|cert\)_file"
doc/source/configuration/tables/manila-ca.inc: * - ``ssl_cert_file`` = ``None``
doc/source/configuration/tables/manila-ca.inc: * - ``ssl_key_file`` = ``None``
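
A check for the mismatch described in this report, added here as an example (it is not part of the original report or of Manila's code): it attempts a TLS handshake against an endpoint and, if that fails, tests whether the port answers plaintext HTTP instead. The function names `probe_endpoint` and `audit_endpoint` are assumptions of this example.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def probe_endpoint(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http' or 'unknown' for a listening TCP port."""
    # Step 1: attempt a TLS handshake. Certificate checks are off on purpose
    # (the --insecure / curl -k situation from the report, self-signed certs):
    # this asks which protocol the port speaks, not whether to trust the peer.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:
        # ssl.SSLError, timeouts and resets are all OSError subclasses;
        # a closed port fails again below and that error reaches the caller.
        pass
    # Step 2: the handshake failed, so see whether plain HTTP gets an answer.
    request = "GET / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(request)
        try:
            reply = raw.recv(64)
        except socket.timeout:
            return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


def audit_endpoint(url, timeout=3.0):
    """Compare a catalog URL's scheme with what its port actually speaks.

    Returns (spoken, consistent); an https:// URL answered in plaintext
    HTTP is the mismatch described in this report.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    spoken = probe_endpoint(parts.hostname, port, timeout)
    expected = "tls" if parts.scheme == "https" else "plaintext-http"
    return spoken, spoken == expected


if __name__ == "__main__":
    # Pass endpoint URLs (for example from `openstack endpoint list`) as arguments.
    for url in sys.argv[1:]:
        print(url, audit_endpoint(url))
```

Run against every `https://` URL in the service catalog after a deployment, a result of `('plaintext-http', False)` flags a service that is serving unencrypted traffic on a port clients believe is TLS.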

junboli (junboli)
Changed in manila:
assignee: nobody → junboli (junboli)
Changed in manila:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/519206
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=fa5b81f903b3ac0028f7e935aea728a443689bfe
Submitter: Zuul
Branch: master

commit fa5b81f903b3ac0028f7e935aea728a443689bfe
Author: junboli <email address hidden>
Date: Fri Nov 17 13:22:01 2017 +0800

    Add ssl support for manila API access

    Currently, Manila does not support secure access to the manila
    APIs, obviously, this is a defect for manila service. This
    change is to add ssl support for manila project.

    Closes-bug: #1732844
    Closes-bug: #1730529
    Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0

Changed in manila:
status: In Progress → Fix Released
Tom Barron (tpb)
tags: added: pike-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/524212

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/pike)

Reviewed: https://review.openstack.org/524212
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0d71c7e56cf66291111cb49e39e203fcf6d2e74d
Submitter: Zuul
Branch: stable/pike

commit 0d71c7e56cf66291111cb49e39e203fcf6d2e74d
Author: junboli <email address hidden>
Date: Fri Nov 17 13:22:01 2017 +0800

    Add ssl support for manila API access

    Currently, Manila does not support secure access to the manila
    APIs, obviously, this is a defect for manila service. This
    change is to add ssl support for manila project.

    Closes-bug: #1732844
    Closes-bug: #1730529
    Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0
    (cherry picked from commit fa5b81f903b3ac0028f7e935aea728a443689bfe)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 6.0.0.0b2

This issue was fixed in the openstack/manila 6.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 5.0.2

This issue was fixed in the openstack/manila 5.0.2 release.
