castellan

Bug #1916793
Activity log

Activity log for bug #1916793

Date	Who	What changed	Old value	New value	Message
2021-02-24 18:57:55	Arnaud Alcabas	bug			added bug
2021-02-24 19:07:00	Arnaud Alcabas	description	Castellan version: castellan-3.7.0 Openstack distro: devstack devstack local.conf: [[local\|localrc]] disable_all_services enable_plugin barbican https://opendev.org/openstack/barbican stable/victoria enable_service rabbit mysql key # Modify passwords as needed DATABASE_PASSWORD=secretdatabase RABBIT_PASSWORD=secretrabbit ADMIN_PASSWORD=secretadmin SERVICE_PASSWORD=secretservice SERVICE_TOKEN=111222333444 Behaviour with default keymanager: [stack@infraa-007 devstack]$ openstack secret order create --name swift_root_secret \ > --payload-content-type="application/octet-stream" --algorithm aes \ > --bit-length 256 --mode ctr key +----------------+--------------------------------------------------------------------------------+ \| Field \| Value \| +----------------+--------------------------------------------------------------------------------+ \| Order href \| http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 \| \| Type \| Key \| \| Container href \| N/A \| \| Secret href \| None \| \| Created \| None \| \| Status \| None \| \| Error code \| None \| \| Error message \| None \| +----------------+--------------------------------------------------------------------------------+ [stack@infraa-007 devstack]$ openstack secret order get http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 +----------------+---------------------------------------------------------------------------------+ \| Field \| Value \| +----------------+---------------------------------------------------------------------------------+ \| Order href \| http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 \| \| Type \| Key \| \| Container href \| N/A \| \| Secret href \| http://10.112.11.91/key-manager/v1/secrets/560f8100-4a0c-445c-bfec-33dd32c7a9db \| \| Created \| 2021-02-24T15:11:07+00:00 \| \| Status \| ACTIVE \| \| Error code \| None \| \| Error message \| None \| +----------------+---------------------------------------------------------------------------------+ [stack@infraa-007 devstack]$ openstack secret get http://10.112.11.91/key-manager/v1/orders/560f8100-4a0c-445c-bfec-33dd32c7a9db --payload --payload_content_type="application/octet-stream" +---------+--------------------------------------------------------------------------------------+ \| Field \| Value \| +---------+--------------------------------------------------------------------------------------+ \| Payload \| b'&G\xb6T\xac\x8dhy\x91\xb4\x14\xb6R\xe8\x15\xc0\|nzT\x91\x0b\t\xb1e\xe6t\xceF\x1bzu' \| +---------+--------------------------------------------------------------------------------------+ Behaviour with vault configured (repeat secret order create and secret order get): [stack@infraa-007 ~]# openstack secret get http://10.112.11.96:9311/v1/secrets/30e2eefb-aa60-4094-b65f-c0b0a279b31f --payload --payload_content_type="application/octet-stream" 5xx Server error: Internal Server Error: Secret payload retrieval failure seen - please contact site administrator. Internal Server Error: Secret payload retrieval failure seen - please contact site administrator. The problem is that vault plugin manager store the created key as bytes without going through the normalize process from barbican translator. When retrieving the key, barbican try to decode the bytes, expecting base64 and fails with: 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00mTraceback (most recent call last): 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 101, in handler 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m return fn(inst, args, kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 87, in enforcer 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m return fn(inst, args, kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 209, in payload 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 187, in _on_get_secret_payload 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m transport_key) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/plugin/resources.py", line 147, in get_secret 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m requesting_content_type) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/plugin/util/translations.py", line 108, in denormalize_after_decryption 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m unencrypted = base64.decode_as_bytes(unencrypted) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/usr/local/lib/python3.6/site-packages/oslo_serialization/base64.py", line 68, in decode_as_bytes 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m encoded = encoded.decode('ascii') 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00mUnicodeDecodeError: 'ascii' codec can't decode byte 0xad in position 2: ordinal not in range(128) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m I can work around this for swift root key using a plain/text secret, but cinder/nova aren't playing nicely since the use the order method. Wrapping the key_value using base64 from oslo_serialization in vault_key_manager.py made it work as intented: key_value = base64.encode_as_bytes(os.urandom((length or 256) // 8))	Castellan version: castellan-3.7.0 Openstack distro: devstack devstack local.conf: [[local\|localrc]] disable_all_services enable_plugin barbican https://opendev.org/openstack/barbican stable/victoria enable_service rabbit mysql key # Modify passwords as needed DATABASE_PASSWORD=secretdatabase RABBIT_PASSWORD=secretrabbit ADMIN_PASSWORD=secretadmin SERVICE_PASSWORD=secretservice SERVICE_TOKEN=111222333444 Behaviour with default keymanager: [stack@infraa-007 devstack]$ openstack secret order create --name swift_root_secret \ > --payload-content-type="application/octet-stream" --algorithm aes \ > --bit-length 256 --mode ctr key +----------------+--------------------------------------------------------------------------------+ \| Field \| Value \| +----------------+--------------------------------------------------------------------------------+ \| Order href \| http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 \| \| Type \| Key \| \| Container href \| N/A \| \| Secret href \| None \| \| Created \| None \| \| Status \| None \| \| Error code \| None \| \| Error message \| None \| +----------------+--------------------------------------------------------------------------------+ [stack@infraa-007 devstack]$ openstack secret order get http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 +----------------+---------------------------------------------------------------------------------+ \| Field \| Value \| +----------------+---------------------------------------------------------------------------------+ \| Order href \| http://10.112.11.91/key-manager/v1/orders/7f605f1a-3e7a-4ef3-b0c3-34ec4c5ec308 \| \| Type \| Key \| \| Container href \| N/A \| \| Secret href \| http://10.112.11.91/key-manager/v1/secrets/560f8100-4a0c-445c-bfec-33dd32c7a9db \| \| Created \| 2021-02-24T15:11:07+00:00 \| \| Status \| ACTIVE \| \| Error code \| None \| \| Error message \| None \| +----------------+---------------------------------------------------------------------------------+ [stack@infraa-007 devstack]$ openstack secret get http://10.112.11.91/key-manager/v1/orders/560f8100-4a0c-445c-bfec-33dd32c7a9db --payload --payload_content_type="application/octet-stream" +---------+--------------------------------------------------------------------------------------+ \| Field \| Value \| +---------+--------------------------------------------------------------------------------------+ \| Payload \| b'&G\xb6T\xac\x8dhy\x91\xb4\x14\xb6R\xe8\x15\xc0\|nzT\x91\x0b\t\xb1e\xe6t\xceF\x1bzu' \| +---------+--------------------------------------------------------------------------------------+ Behaviour with vault configured (repeat secret order create and secret order get): [stack@infraa-007 ~]# openstack secret get http://10.112.11.91:9311/v1/secrets/30e2eefb-aa60-4094-b65f-c0b0a279b31f --payload --payload_content_type="application/octet-stream" 5xx Server error: Internal Server Error: Secret payload retrieval failure seen - please contact site administrator. Internal Server Error: Secret payload retrieval failure seen - please contact site administrator. The problem is that vault plugin manager store the created key as bytes without going through the normalize process from barbican translator. When retrieving the key, barbican try to decode the bytes, expecting base64 and fails with: 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00mTraceback (most recent call last): 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 101, in handler 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m return fn(inst, args, kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 87, in enforcer 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m return fn(inst, args, kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 209, in payload 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m kwargs) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 187, in _on_get_secret_payload 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m transport_key) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/plugin/resources.py", line 147, in get_secret 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m requesting_content_type) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/opt/stack/barbican/barbican/plugin/util/translations.py", line 108, in denormalize_after_decryption 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m unencrypted = base64.decode_as_bytes(unencrypted) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m File "/usr/local/lib/python3.6/site-packages/oslo_serialization/base64.py", line 68, in decode_as_bytes 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m encoded = encoded.decode('ascii') 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00mUnicodeDecodeError: 'ascii' codec can't decode byte 0xad in position 2: ordinal not in range(128) 2021-02-24 15:17:01.360 TRACE barbican.api.controllers ESC[01;35mESC[00m I can work around this for swift root key using a plain/text secret, but cinder/nova aren't playing nicely since the use the order method. Wrapping the key_value using base64 from oslo_serialization in vault_key_manager.py made it work as intented: key_value = base64.encode_as_bytes(os.urandom((length or 256) // 8))
2021-02-24 19:29:46	Arnaud Alcabas	tags		vault
2021-04-07 05:18:37	Nobuto Murata	bug			added subscriber Nobuto Murata
2021-04-07 10:42:44	Yoshi Kadokawa	bug			added subscriber Yoshi Kadokawa
2021-04-15 03:12:29	Dominique Poulain	bug			added subscriber Dominique Poulain
2021-04-19 07:30:51	Yoshi Kadokawa	castellan: status	New	Confirmed
2021-09-09 06:07:50	Yoshi Kadokawa	castellan: status	Confirmed	In Progress
2021-09-09 06:07:54	Yoshi Kadokawa	castellan: assignee		Yoshi Kadokawa (yoshikadokawa)
2021-09-16 11:37:56	Yoshi Kadokawa	castellan: assignee	Yoshi Kadokawa (yoshikadokawa)
2021-09-16 11:38:16	Yoshi Kadokawa	castellan: status	In Progress	New
2021-09-16 12:04:55	Nobuto Murata	castellan: status	New	Invalid