Horizon fails with FilePermissionError: Insecure permissions on key file
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack-Ansible | Fix Released | Critical | Unassigned | |
Bug Description
I deployed Horizon from source using the openstack-ansible master branch. When accessing the Horizon screen, an Internal Server Error is generated.
The following error is recorded in the journal log of the Horizon container:
horizon.
Please see the attachment for the complete traceback.
The first deployment was successful. Applying the ansible playbook twice may reproduce this.
The mode of all non-executable regular files under the `/openstack/
$ sudo lxc-attach -n opstk-1_
total 36K
drwxr-xr-x 5 horizon horizon 4.0K Feb 1 08:16 .
drwxr-xr-x 19 horizon horizon 4.0K Feb 1 08:16 ..
-rwxr-xr-x 1 horizon horizon 64 Feb 1 08:16 .secret_key_store
-rwxr-xr-x 1 horizon horizon 0 Feb 1 08:16 __init__.py
drwxr-xr-x 2 horizon horizon 4.0K Feb 1 08:16 __pycache__
-rwxr-xr-x 1 horizon horizon 0 Feb 1 08:16 _openstack_
drwxr-xr-x 3 horizon horizon 4.0K Feb 1 08:16 enabled
drwxr-xr-x 2 horizon horizon 4.0K Feb 1 08:16 local_settings.d
lrwxrwxrwx 1 horizon horizon 30 Feb 1 08:16 local_settings.py -> /etc/horizon/
-rwxr-xr-x 1 horizon horizon 12K Feb 1 08:16 local_settings.
The location where the problem is occurring is the `Ensure horizon dirs are accessible by user` task in `/etc/ansible/
diff --git a/tasks/
index 5739e70..6cfc2c1 100644
--- a/tasks/
+++ b/tasks/
@@ -36,7 +36,6 @@
state: directory
owner: "{{ horizon_
group: "{{ horizon_
- mode: "0755"
recurse: yes
with_items:
- { path: "{{ horizon_lib_dir }}", fixup: True }
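Review bot: dropping `mode: "0755"` while `recurse: yes` stays stops later runs from widening file modes, but it leaves the directory modes of the `with_items` paths unmanaged, and it does nothing for a `.secret_key_store` that an earlier run already set to `-rwxr-xr-x`, as the listing above shows. Consider keeping an explicit mode for the directories in a task without `recurse`, and adding a separate task that sets the key file's mode so that existing deployments are repaired on the next run.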
The above patch gets Horizon working, but it won't fix the underlying problem.
It is inappropriate to create files written by the app, such as `.secret_key_store`, inside the Python site-packages directory. The write destination should be under /srv/, /var/lib/, or /var/cache/.
----
Additional information:
openstack-ansible version: master branch (32e503af74ba89
Same error reproduced using openstack-ansible v2023.2.
Command to deploy the Horizon: (cd /opt/openstack-
OS: Ubuntu 22.04
Related bug: https:/
Changed in openstack-ansible:
importance: Undecided → Critical
status: New → Confirmed
Hi,
I finally got some time to work on this issue.
Looking at my sandbox right now, I think there are 2 different issues right now.
First one, which is obviously wrong, is regarding wrong permissions set for the `openstack_dashboard/local/` folder. And this one I will fix right away.
The second part is regarding .secret_key_store specifically. This is actually a bit different. In a default template of user_secrets.yml we do have the `horizon_secret_key` variable, which is expected to be populated during initial setup:
https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/user_secrets.yml#L136
This variable is then used to define the `SECRET_KEY` and ensures that such a key will be the same across all backends.
However, if the variable `horizon_secret_key` is not defined, the approach suggested by Horizon will be used, which is to place .secret_key_store under LOCAL_PATH:
https://docs.openstack.org/horizon/latest/configuration/settings.html#secret-key
Which is exactly what we are doing:
https://opendev.org/openstack/openstack-ansible-os_horizon/src/commit/d4ef66fc028477709d6e4bd36a2bb39c957c3eae/templates/horizon_local_settings.py.j2#L140-L154
You should also be able to define any arbitrary path for the secret key by leveraging the `horizon_config_overrides` variable, for example:
horizon_config_overrides:
  SECRET_KEY: secret_key.generate_or_read_from_file('/var/cache/.secret_key_store')
But for a multi-backend setup I'd suggest using `horizon_secret_key`, as the secret key should be the same across all workers.
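Added example, not part of the bug report or of the Horizon or openstack-ansible code: it shows how a recursive 0755 turns a correctly created key file into one a strict permission check rejects, and a repair that handles directories and the key file separately. It assumes the check requires mode 0600 exactly; the function names and the temporary tree are constructed for illustration.

```python
import os
import secrets
import stat
import tempfile

REQUIRED_MODE = 0o600  # assumption: key file must be owner read/write only
KEY_NAME = ".secret_key_store"


def is_secure(path):
    """True when the permission bits are exactly 0600 (symlinks not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode) == REQUIRED_MODE


def create_key_file(path, length=64):
    """Create the key with 0600 from the first byte; fail if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, REQUIRED_MODE)
    os.fchmod(fd, REQUIRED_MODE)  # explicit, independent of the process umask
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_hex(length // 2))
    return path


def recursive_chmod(root, mode):
    """Effect of a recursive mode setting: one mode for directories AND files."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, mode)
        for name in files:
            os.chmod(os.path.join(dirpath, name), mode)


def repair(root):
    """Set directories to 0755 and the key file to 0600; leave other files alone."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        if KEY_NAME in files:
            os.chmod(os.path.join(dirpath, KEY_NAME), REQUIRED_MODE)


def demo():
    """Constructed temporary tree standing in for the dashboard's local/ dir."""
    with tempfile.TemporaryDirectory() as root:
        key = create_key_file(os.path.join(root, KEY_NAME))
        states = [is_secure(key)]      # after first deployment
        recursive_chmod(root, 0o755)   # playbook applied a second time
        states.append(is_secure(key))
        repair(root)
        states.append(is_secure(key))
        return states
```

`demo()` returns the check result after the first deployment, after the recursive 0755, and after the repair.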