subcloud admin-ep-cert.pem updated without cert renew
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Medium | Bin Qian | |
Bug Description
Subcloud admin endpoint certificate is updated unexpectedly.
When system controller audits subcloud intermediate CA certificate, subcloud mistakenly updates the intermediate CA certificate even when the certificate has not been changed. Then it triggers an unnecessary renew of admin endpoint certificate.
Expected behavior:
admin endpoint certificate should be updated when it is renewed or subcloud intermediate CA certificate is renewed.
Actual behavior:
admin endpoint certificate on subcloud is updated when a subcloud intermediate CA audit occurs, e.g., when system controller performs a swact.
Note that the updated certificate is a valid certificate. The new certificate provides the same level of security over admin endpoint communication. This is not a security vulnerability.
Changed in starlingx:
assignee: nobody → Bin Qian (bqian20)
importance: Undecided → Medium
tags: added: stx.5.0 stx.distcloud stx.security
Reviewed: https://review.opendev.org/760959
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=cb6379d4a61a226fcc85b590bf17e47dcffbf233
Submitter: Zuul
Branch: master
commit cb6379d4a61a226fcc85b590bf17e47dcffbf233
Author: Bin Qian <email address hidden>
Date: Mon Nov 2 11:57:24 2020 -0500
Update admin endpoint intermediate CA only when changed
The API should verify if the intermediate CA certificate is changed before
updating.
Closes-bug: 1902552
Change-Id: Ic2d8c6068a6b5fba7dcdd8ec989eb40c1036aaec
Signed-off-by: Bin Qian <email address hidden>
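
The change-before-update check described in the bug and the commit message, as an added sketch that is not the StarlingX code: the pushed intermediate CA is compared with the stored one by a SHA-256 digest of its DER bytes, so a re-wrapped or CRLF copy of the same certificate does not count as a change. `SubcloudCertStore`, `ca_fingerprint`, `make_pem` and `run_audits` are hypothetical names, and the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in pem_text."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    # Drop line breaks and other whitespace so re-wrapped PEM compares equal.
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


class SubcloudCertStore:
    """Hypothetical stand-in for the subcloud side of the audit."""
    def __init__(self, ca_pem):
        self.ca_pem = ca_pem
        self.renewals = 0  # times the admin endpoint cert was re-issued

    def update_intermediate_ca(self, new_pem):
        if ca_fingerprint(new_pem) == ca_fingerprint(self.ca_pem):
            return False  # same certificate: keep it, renew nothing
        self.ca_pem = new_pem
        self.renewals += 1  # stands in for renewing admin-ep-cert.pem
        return True


def make_pem(der, width=64, eol="\n"):
    """Build constructed sample PEM text (placeholder bytes, not real X.509)."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----"]) + eol


def run_audits():
    ca_a, ca_b = b"constructed-ca-A" * 8, b"constructed-ca-B" * 8
    store = SubcloudCertStore(make_pem(ca_a))
    results = [
        store.update_intermediate_ca(make_pem(ca_a, width=76, eol="\r\n")),
        store.update_intermediate_ca(make_pem(ca_b)),
        store.update_intermediate_ca(make_pem(ca_b)),
    ]
    return results, store.renewals
```

`run_audits()` pushes the same CA in a different text layout, then a different CA twice; only the second push updates the store and counts as a renewal.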