Cinder request to glance does not support mTLS

Bug #1917797 reported by hamza
This bug affects 2 people
Affects: Cinder
Status: In Progress
Importance: Low
Assigned to: Unassigned
Tags: mtls
Sri Harsha mekala (harshayahoo) wrote :

Proposed change (until the launchpad/review.opendev.org integration is restored): https://review.opendev.org/c/openstack/cinder/+/778768

Sri Harsha mekala (harshayahoo) wrote :
Changed in cinder:
status: New → In Progress
Eric Harney (eharney)
Changed in cinder:
status: In Progress → Incomplete
Changed in cinder:
status: Incomplete → Opinion
Brian Rosmaita (brian-rosmaita) wrote :

This requires some discussion. I think what you are talking about here is mTLS, not TLS in general. Please propose a spec for Xena outlining the gaps and how you propose to address them.

Here's info about putting together a proposal: https://docs.openstack.org/cinder/latest/contributor/contributing.html#new-feature-planning

Also, we have the Xena PTG coming up, you might want to discuss this topic there: https://etherpad.opendev.org/p/xena-ptg-cinder-planning

tags: added: mtls
Changed in cinder:
importance: Undecided → Low
milestone: none → 19.0.0
Adam Harwell (adam-harwell) wrote :

Yes, this was incorrectly labeled as a "TLS" issue, he meant "mTLS". I've fixed the wording. I think this is the only gap, and this single patch fixes it: https://review.opendev.org/c/openstack/cinder/+/778768

I don't know if this is worth an entire "feature", I look at this as a bug (not properly using keystone's sessions by omitting a standard var).

summary: - Cinder request to glance does not support TLS
+ Cinder request to glance does not support mTLS
description: updated
Adam Harwell (adam-harwell) wrote :

When I say "I think this is the only gap", I don't just mean in Cinder... I mean in the entirety of the core OpenStack ecosystem. With this patch and the patch from the client bug mentioned above, we have tested end-to-end mTLS across all services successfully. mTLS was done as part of the keystonesession work several cycles ago, so this isn't anything new we're implementing, just passing a few config vars through to enable it correctly. :)

Changed in cinder:
status: Opinion → Triaged
status: Triaged → In Progress
milestone: 19.0.0 → wallaby-rc1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 18.0.0.0rc1

This issue was fixed in the openstack/cinder 18.0.0.0rc1 release candidate.
