Fetching by secret container doesn't raise 404 exception
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Invalid | Undecided | Unassigned | |
| Queens | Fix Released | High | Unassigned | |
| python-barbicanclient (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | High | Jorge Niedbalski | |
| Disco | Fix Released | Undecided | Unassigned | |
| Eoan | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
Users of Ubuntu Bionic running OpenStack clouds >= Rocky
can't create Octavia load balancer listeners anymore since the backport of the following patch:
https:/
This change was introduced as part of the following backports and
their subsequent syncs into the current Bionic version.
**** IMPACTED VERSIONS NOTE ****
This issue can be triggered standalone, without any cloud-archive dependency, and affects python-
However, this exception is most easily manifested in OpenStack deployments
that use Octavia packages from UCA + python-
This means that any Ubuntu OpenStack cloud deployed from UCA on release >= Rocky will manifest this issue when deployed on top of Bionic.
octavia-api | 3.0.0-0ubuntu3~
octavia-api | 4.0.0-0ubuntu1.
octavia-api | 4.0.0-0ubuntu1~
This change added a new exception handler to the code
that manages the decoding of the given PKCS12 certificate bundle when the listener is created. This handler now captures the PKCS12 decoding error and re-raises it, preventing
the listener creation from happening (when it is invoked with i.e.: --default-
under the legacy code handler, as can be seen here:
https:/
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container; therefore, when the
user specifies a container UUID, the client tries to fetch a secret with that UUID (including the /containers/UUID path) and an error 400 (not the expected 404 HTTP error) is returned.
The change proposed in the SRU makes the client aware of container and secret UUIDs and able to split the path to distinguish a non-secret (such as a container); that way, if a container is passed, it fails the parsing validation and the right return code (404) is returned by the client.
If an error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the PKCS12 certificate in Octavia is invoked; this legacy
driver is able to decode the container payloads and the decoding of the PKCS12 certificate succeeds.
This differentiation was implemented here:
https:/
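The ref handling described above, as an added illustration that is not the client's own code: a constructed stand-in for the Barbican API, a model of the old behaviour (the path after /secrets/ is appended unchecked, so a container ref becomes /v1/secrets/.../containers/<uuid> and gets a 400), and the fixed behaviour (the ref is parsed for a /secrets/<uuid> tail first, and a container ref is reported as 404 before any request). The UUIDs, store contents and function names are assumptions for the example.

```python
import uuid
from urllib.parse import urlparse

# Constructed sample UUIDs and secret store (not values from the bug report).
SECRET_UUID = "11111111-2222-4333-8444-555555555555"
CONTAINER_UUID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
FAKE_STORE = {("secrets", SECRET_UUID): b"pkcs12-bytes",
              ("containers", CONTAINER_UUID): {"type": "certificate"}}


class HTTPClientError(Exception):
    """Stand-in for the client's HTTP error; only the status code matters here."""
    def __init__(self, status_code):
        super().__init__("HTTP %d" % status_code)
        self.status_code = status_code


def fake_barbican_get(path):
    """Constructed API stand-in: /v1/<entity>/<uuid> is looked up, other shapes get 400."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[1] not in ("secrets", "containers"):
        return 400, None
    body = FAKE_STORE.get((parts[1], parts[2]))
    return (200, body) if body is not None else (404, None)


def get_secret_before_fix(ref):
    """Old behaviour: whatever follows /secrets/ (the whole ref, for a container) is sent."""
    status, body = fake_barbican_get("/v1/secrets/" + ref.split("/secrets/")[-1])
    if status != 200:
        raise HTTPClientError(status)
    return body


def validate_ref_and_return_uuid(ref, entity):
    """Accept a bare UUID or a URL whose path ends in /<entity>/<uuid>; else ValueError."""
    parts = urlparse(ref).path.rstrip("/").split("/")
    if len(parts) >= 2 and parts[-2] == entity:
        return str(uuid.UUID(parts[-1]))
    if len(parts) == 1:
        return str(uuid.UUID(parts[0]))
    raise ValueError("%s is not a %s reference" % (ref, entity))


def get_secret_after_fix(ref):
    """Fixed behaviour: a ref that fails secret parsing is a 404 before any request."""
    try:
        secret_uuid = validate_ref_and_return_uuid(ref, "secrets")
    except ValueError:
        raise HTTPClientError(404)
    status, body = fake_barbican_get("/v1/secrets/" + secret_uuid)
    if status != 200:
        raise HTTPClientError(status)
    return body
```

With the 404, a caller such as Octavia's except block can fall through to its legacy container decoding; the 400 of the old path never reaches that branch cleanly.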
As an example (this worked before the latest Bionic version was pushed):
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_
Further rationale on this can be found at https:/
[Test Case]
1) Deploy this bundle or similar (http://
2) Create self-signed certificate, key and ca (http://
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type=
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_
[Regression Potential]
* Creation and list/get of secrets by UUID and with different prefixes (such as container secrets), and how this can be affected, is something to validate with the new SRU.
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-
The change considers both cases for compatibility so no breakage is expected on this front.
* Also, unit and functional tests have been included in the SRU changeset to ensure that no functionality is broken.
[Discussion]
The following changesets need to be backported into the Bionic version 4.6.0-0ubuntu1.
All of these are part of 4.8.0 onwards.
** https:/
** https:/
Corresponding reviews:
https:/
https:/
Changed in python-barbicanclient (Ubuntu Focal):
status: New → Fix Released
Changed in python-barbicanclient (Ubuntu Eoan):
status: New → Fix Released
Changed in python-barbicanclient (Ubuntu Disco):
status: New → Fix Released
description: updated
description: updated
Changed in python-barbicanclient (Ubuntu Bionic):
status: New → Won't Fix
status: Won't Fix → Confirmed
Changed in cloud-archive:
status: New → Invalid
description: updated
description: updated
Changed in python-barbicanclient (Ubuntu Bionic):
status: Triaged → In Progress
assignee: nobody → Jorge Niedbalski (niedbalski)
Thanks Jorge. Uploaded to Bionic unapproved queue: https://launchpad.net/ubuntu/bionic/+queue?queue_state=1&queue_text=python-barbicanclient
https:/