Expose insecure option of keystoneclient to avoid SSL cert validation

Bug #1232437 reported by Julian Sternberg
Affects       Status         Importance   Assigned to      Milestone
Ceilometer    Fix Released   Wishlist     Julien Danjou
  Havana      Fix Committed  Wishlist     Eoghan Glynn

Bug Description

The Ceilometer fix commit bug #1194046 seems to bring another problem.

Let's assume you comment out os_cacert or leave it blank if you don't need SSL:
the SSL auth against keystone will be used anyway as the default and fails against it because of no cert, and throws this error message:

2013-09-28 01:12:50.328 8621 ERROR keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013-09-28 01:12:50.328 8621 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token <function <lambda> at 0x7fc0bf96fde8>
2013-09-28 01:12:50.328 8621 INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request

Seems like it tries to connect through the Keystone auth uri with https:// instead of http:// which you can see here in the Debug output of the API Call:

root@openstack-controller:# ceilometer --debug resource-list
INFO (connectionpool:191) Starting new HTTP connection (1): 127.0.0.1
DEBUG (connectionpool:283) "POST /v2.0/tokens HTTP/1.1" 200 5397
DEBUG (http:110) curl -i -X GET -H 'X-Auth-Token: CENSORED' -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'User-Agent: python-ceilometerclient' http://x.xx.xxx.xx:8777/v2/resources
DEBUG (http:120)
HTTP/1.0 401 Unauthorized
date: Sat, 28 Sep 2013 13:00:36 GMT
content-length: 23
content-type: text/plain
www-authenticate: Keystone uri='https://127.0.0.1:35357'
server: WSGIServer/0.1 Python/2.7.3

Authentication required

WARNING (http:165) Request returned failure status.
Invalid OpenStack Identity credentials.

description: updated
Revision history for this message
Julien Danjou (jdanjou) wrote :

I've read the keystoneclient code to understand this, and the problem seems actually to be that when using an https URL, the CA of the server is checked anyway. The CA cert option just lets you provide the CA to use; if you don't, what's used is the default httplib2 cert. So since your HTTPS Keystone server certificate is likely unrecognized, this does not work.

The only way to fix this is that you either provide the right CA cert to validate, or use the insecure option to keystoneclient. We don't export this into Ceilometer yet, so fixing this "bug" could be doing that.

Either way it's not really a bug.

Changed in ceilometer:
status: New → Invalid
status: Invalid → Triaged
importance: Undecided → Low
importance: Low → Wishlist
summary: - Ceilometer fails against keystone without os_cacert
+ Expose insecure option of keystoneclient to avoid SSL cert validation
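The comment above describes three ways the Keystone connection can end up: the default trust store (which rejects a private CA), an explicit CA file, or the insecure switch that skips verification. The following is an added example, not code from ceilometer or python-keystoneclient, that maps those [keystone_authtoken] settings (the option names follow the thread; the helper functions, the sample fragments and the CA file path are constructed for this example) onto a Python ssl.SSLContext so the practical difference is visible: insecure=true keeps the TLS channel but turns off peer and hostname checks, a blank cafile silently means "system trust store", and a wrong cafile path should fail loudly rather than fall back to that store.

```python
"""Added example (not ceilometer's or python-keystoneclient's own code):
what the [keystone_authtoken] TLS options discussed in this bug mean at
the socket level. Defaults (https, 127.0.0.1, 35357, insecure=false) and
the sample fragments are assumptions made for the example."""
import configparser
import os
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed sample fragments, one per approach seen in the thread.
SAMPLE_CONFIGS = {
    # Reporter's original state: https by default, no CA given, so the
    # system trust store decides and a private CA is "unknown".
    "default_store": """
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
cafile =
""",
    # Proper fix: hand the client the CA that signed Keystone's cert.
    # The path is an assumption for this example.
    "explicit_ca": """
[keystone_authtoken]
auth_protocol = https
auth_host = 127.0.0.1
auth_port = 35357
cafile = /etc/ceilometer/keystone-ca.pem
""",
    # The option this bug asked for: keep TLS, drop verification (dev only).
    "insecure": """
[keystone_authtoken]
auth_protocol = https
auth_host = 127.0.0.1
auth_port = 35357
insecure = true
""",
    # The reporter's workaround: no TLS at all.
    "plaintext": """
[keystone_authtoken]
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 35357
""",
}


@dataclass
class AuthPolicy:
    auth_uri: str
    tls: bool
    verify_peer: bool        # False only when insecure = true
    cafile: Optional[str]    # None means "use the system trust store"


def parse_policy(text: str) -> AuthPolicy:
    """Read a [keystone_authtoken] fragment into a policy (assumed defaults)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    s = cp["keystone_authtoken"]
    proto = s.get("auth_protocol", "https").strip().lower()
    uri = f"{proto}://{s.get('auth_host', '127.0.0.1')}:{s.getint('auth_port', 35357)}"
    if proto == "http":
        return AuthPolicy(uri, tls=False, verify_peer=False, cafile=None)
    cafile = s.get("cafile", fallback="").strip() or None   # blank == unset
    return AuthPolicy(uri, tls=True,
                      verify_peer=not s.getboolean("insecure", fallback=False),
                      cafile=cafile)


def build_ssl_context(policy: AuthPolicy) -> Optional[ssl.SSLContext]:
    """Turn the policy into an ssl.SSLContext; None when there is no TLS."""
    if not policy.tls:
        return None
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CAs
    if not policy.verify_peer:
        # This is what 'insecure' means: the peer cert is never checked, so an
        # on-path party can present any cert and read the admin credentials.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif policy.cafile:
        if not os.path.isfile(policy.cafile):
            # Fail loudly: a typo here must not silently fall back to the
            # system store, where the private CA is unknown anyway.
            raise FileNotFoundError(f"cafile not found: {policy.cafile}")
        ctx.load_verify_locations(cafile=policy.cafile)
    return ctx


def check_config(text: str) -> dict:
    """Summarise what a fragment buys you; 'error' is set if the CA file is missing."""
    policy = parse_policy(text)
    summary = {"auth_uri": policy.auth_uri, "tls": policy.tls, "verify_mode": None,
               "check_hostname": None, "ca_source": None, "error": None}
    if not policy.tls:
        return summary
    try:
        ctx = build_ssl_context(policy)
    except FileNotFoundError as exc:
        summary["error"] = str(exc)
        return summary
    summary["verify_mode"] = ctx.verify_mode.name
    summary["check_hostname"] = ctx.check_hostname
    if policy.verify_peer:
        summary["ca_source"] = "explicit" if policy.cafile else "system"
    return summary


if __name__ == "__main__":
    for name, fragment in SAMPLE_CONFIGS.items():
        print(f"{name:14} {check_config(fragment)}")
```

Running the block prints one summary per fragment. The "default_store" row is the reporter's situation: verification is on, but against the system store, which is exactly why a self-signed or internal-CA Keystone fails there; "insecure" shows CERT_NONE with hostname checking off, which is fine on a throwaway dev box but hands the admin token to anyone who can interpose on the path; "plaintext" has no TLS state at all.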
Revision history for this message
Doug Hellmann (doug-hellmann) wrote :

See https://pypi.python.org/pypi/httplib2.ca_certs_locater for a tool to have the certs file from the base OS used instead.

Revision history for this message
Julian Sternberg (jules-i) wrote :

The solution was somewhat easier.

I appended auth_protocol=http to the keystone authtoken section of my ceilometer.conf:

[keystone_authtoken]
admin_tenant_name = admin
admin_password = xxxxxx
admin_user = admin
auth_protocol = http

and it worked just fine!

Revision history for this message
Julien Danjou (jdanjou) wrote :

Obviously changing to http rather than https removes the security layer and avoids the problem, but it's definitely not the best option. :)

Changed in ceilometer:
assignee: nobody → Julien Danjou (jdanjou)
Revision history for this message
Julian Sternberg (jules-i) wrote :

I put all my services between host machines on their own internal VLAN and a dedicated network connection.

So do I really need a security layer?
I dunno :-)

My main problem is that everything I have tried so far to get HTTPS working with keystone has failed hard.

Revision history for this message
Phil Neal (nealph) wrote :

Let me add another use case: in our dev environments the keystone service only provides an https endpoint, however configuring keys on multiple (sometimes transient) local boxes is a pain. Enabling an insecure option would allow us to do development against the https endpoints, then roll to a "production" configuration on release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54698

Changed in ceilometer:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (master)

Reviewed: https://review.openstack.org/54698
Committed: http://github.com/openstack/ceilometer/commit/d48b4a3a4e5d0b80c3644844e0f1c8e3806c78d6
Submitter: Jenkins
Branch: master

commit d48b4a3a4e5d0b80c3644844e0f1c8e3806c78d6
Author: Julien Danjou <email address hidden>
Date: Thu Oct 31 11:27:03 2013 +0100

    Add an insecure option for Keystone client

    Change-Id: I05cea4c79ad89d2c55008ea0d7ba9eefa5908fa2
    Closes-Bug: #1232437

Changed in ceilometer:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Eoghan Glynn (eglynn)
tags: added: havana-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ceilometer (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/72332

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (stable/havana)

Reviewed: https://review.openstack.org/72332
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=0a85f225f7067e77ba7f24516e20a35588a280e5
Submitter: Jenkins
Branch: stable/havana

commit 0a85f225f7067e77ba7f24516e20a35588a280e5
Author: Julien Danjou <email address hidden>
Date: Thu Oct 31 11:27:03 2013 +0100

    Add an insecure option for Keystone client

    Change-Id: I05cea4c79ad89d2c55008ea0d7ba9eefa5908fa2
    Closes-Bug: #1232437
    (cherry picked from commit d48b4a3a4e5d0b80c3644844e0f1c8e3806c78d6)

Thierry Carrez (ttx)
Changed in ceilometer:
milestone: icehouse-1 → 2014.1