service_ssl in config never checked for existence or default

Bug #897382 reported by Jay Pipes
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Jay Pipes

Bug Description

Seems like some recent changes to Keystone adding SSL support break older configurations.

After solving bug 897376, I got this:

Starting the Legacy Authentication component
admin : INFO **************************************************
admin : INFO Configuration options gathered from config file:
admin : INFO /tmp/test.53878/etc/auth.conf
admin : INFO ================================================
admin : INFO admin_host 0.0.0.0
admin : INFO admin_port 41351
admin : INFO backends keystone.backends.sqlalchemy
admin : INFO debug True
admin : INFO default_store sqlite
admin : INFO keystone-admin-role Admin
admin : INFO keystone-service-admin-role KeystoneServiceAdmin
admin : INFO log_file /tmp/test.53878/auth.log
admin : INFO service-header-mappings {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
admin : INFO service_host 0.0.0.0
admin : INFO service_port 34338
admin : INFO verbose True
admin : INFO **************************************************
Using config file: /tmp/test.53878/etc/auth.conf
Traceback (most recent call last):
  File "/home/jpipes/repos/glance/.glance-venv/bin/keystone", line 7, in <module>
    execfile(__file__)
  File "/home/jpipes/repos/glance/.glance-venv/src/keystone/bin/keystone", line 76, in <module>
    if conf['service_ssl'] == 'True':
KeyError: 'service_ssl'

That should instead be a non-erroring check for the service_ssl configuration option.

Cheers,
-jay

Jay Pipes (jaypipes) wrote :

Note that pretty much all of the SSL-related variables in bin/keystone suffer from this problem:

certfile, keyfile, ca_certs, certs_required, admin_ssl
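
The failure mode reported above, and one way to read these options safely, as an added example (not code from bin/keystone or from the merged fix). The function and constant names are hypothetical; the option names are the ones listed in the report. It goes beyond a plain existence check: the comparison `conf['service_ssl'] == 'True'` in the traceback would also treat `true` or `yes` as "SSL off", so the sketch parses booleans strictly and refuses to start when SSL is requested without a certificate and key.

```python
# Added example; load_ssl_options and the constants are hypothetical names,
# not taken from bin/keystone.
TRUE_VALUES = {"true", "1", "yes", "on"}
FALSE_VALUES = {"false", "0", "no", "off", ""}

# Option names as listed in the bug report.
BOOL_OPTIONS = ("service_ssl", "admin_ssl", "certs_required")
PATH_OPTIONS = ("certfile", "keyfile", "ca_certs")


def parse_bool(name, raw):
    """Strictly parse a boolean option; reject anything ambiguous."""
    value = str(raw).strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError("%s: expected a boolean, got %r" % (name, raw))


def load_ssl_options(conf):
    """Return SSL settings from a dict-like conf, tolerating missing keys."""
    opts = {}
    for name in BOOL_OPTIONS:
        # conf.get() avoids the KeyError raised by conf['service_ssl'].
        opts[name] = parse_bool(name, conf.get(name, "False"))
    for name in PATH_OPTIONS:
        opts[name] = conf.get(name) or None
    ssl_on = opts["service_ssl"] or opts["admin_ssl"]
    # Fail at startup, not on the first handshake, when SSL is requested
    # without the material it needs.
    if ssl_on and not (opts["certfile"] and opts["keyfile"]):
        raise ValueError("SSL enabled but certfile/keyfile not set")
    if opts["certs_required"] and not opts["ca_certs"]:
        raise ValueError("certs_required set but ca_certs not set")
    return opts


# Constructed sample configs (not from the report).
LEGACY_CONF = {"service_host": "0.0.0.0", "service_port": "34338"}
SSL_CONF = dict(LEGACY_CONF, service_ssl="true",
                certfile="/etc/keystone/ssl/cert.pem",
                keyfile="/etc/keystone/ssl/key.pem")

if __name__ == "__main__":
    print(load_ssl_options(LEGACY_CONF))
    print(load_ssl_options(SSL_CONF))
```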

Jay Pipes (jaypipes)
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Jay Pipes (jaypipes)
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/1936
Committed: http://github.com/openstack/keystone/commit/d9f9501f36912f3e26aaafb55e5dc19c9bcea909
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit d9f9501f36912f3e26aaafb55e5dc19c9bcea909
Author: Jay Pipes <email address hidden>
Date: Mon Nov 28 19:45:01 2011 -0500

    Fixes a number of configuration/startup bugs

    LP Bug#897376 - log_file in configuration file not respected

    Adds a check to ensure that the log_file in the configuration
    file, if set, is not overridden by the default options['log_file']
    value set in keystone.common.config.load_paste_app()

    LP Bug#897382 - service_ssl not safely checked for existence

    Added safe checks for a number of SSL-related variables in
    bin/keystone to help support easy migration for existing
    configuration files that did not have the SSL options in them.

    LP Bug#897397 - bin/keystone-auth does not respect service_port
                    or service_host

    Replicates the same behaviour that is in keystone-admin into
    keystone-auth so that it recognizes service_host and service_port
    instead of only bind_host and bind_port. This enables you to
    pass the main keystone.conf file to keystone-auth and it will
    not bomb.

    Note: keystone.common.config should go away once openstack.common.config
    is a reality...

    Change-Id: If2dfa57ba00758144219f8c1d42c05e56ed44ca2

Changed in keystone:
status: Triaged → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → essex-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-2 → 2012.1