contrail api connecting to keystone insecurely needs to be supported

Bug #1650697 reported by Ignatious Johnson Christopher
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.0 | Fix Committed | High | Ignatious Johnson Christopher |
R3.0.3.x | Fix Committed | High | Ignatious Johnson Christopher |
R3.1 | Fix Committed | High | Ignatious Johnson Christopher |
R3.1.1.x | Fix Committed | High | Ignatious Johnson Christopher |
R3.2 | Fix Committed | High | Ignatious Johnson Christopher |
Trunk | Fix Committed | High | Ignatious Johnson Christopher |

Bug Description

contrail-api connecting to keystone insecurely needs to be supported.

When insecure=True is set in /etc/contrail/contrail-keystone-auth.conf to allow contrail-api to connect to keystone insecurely, contrail-api fails to start with the following traceback.

Traceback (most recent call last):
  File "/usr/bin/contrail-api", line 9, in <module>
    load_entry_point('vnc-cfg-api-server==0.1dev', 'console_scripts', 'contrail-api')()
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 3510, in server_main
    main()
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 3469, in main
    vnc_api_server = VncApiServer(args_str)
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_cfg_api_server.py", line 1470, in __init__
    auth_svc = vnc_auth_keystone.AuthServiceKeystone(self, self._args)
  File "/usr/lib/python2.7/site-packages/vnc_cfg_api_server/vnc_auth_keystone.py", line 143, in __init__
    if args.auth_protocol == 'https' and args.cafile:
AttributeError: 'Namespace' object has no attribute 'cafile'

Tags: api
no longer affects: juniperopenstack/r3.0.2.x
summary: - contrail api and vncapi client connecting to keystone insecurely is
- broken
+ contrail api and vncapi client connecting to keystone insecurely needs
+ to be suported
description: updated
Ignatious Johnson Christopher (ijohnson-x) wrote :

Workaround is to set

cafile = ''

in the [KEYSTONE] section of /etc/contrail/contrail-keystone-auth.conf along with the insecure flag.

summary: - contrail api and vncapi client connecting to keystone insecurely needs
- to be suported
+ contrail api connecting to keystone insecurely needs to be suported
description: updated
description: updated
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/27383
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/27384
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/27385
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/27386
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0.3.x

Review in progress for https://review.opencontrail.org/27387
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Jeba Paulaiyan (jebap) wrote :

Workaround for making the insecure mode work in builds without the above fixes:

Sample /etc/contrail/contrail-keystone-auth.conf file for insecure SSL:

root@nodek7-vm1:~# cat /etc/contrail/contrail-keystone-auth.conf

[KEYSTONE]
auth_url=https://192.168.196.3:35357/v2.0
auth_host=192.168.196.3
auth_protocol=https
auth_port=35357
admin_user=admin
admin_password=contrail123
admin_tenant_name=admin
memcache_servers=127.0.0.1:11211
insecure=True
cafile=
root@nodek7-vm1:~#

information type: Proprietary → Public
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27385
Committed: http://github.org/Juniper/contrail-controller/commit/22cf1ed196816705dc6f6ab21592548335ffa523
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 22cf1ed196816705dc6f6ab21592548335ffa523
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Dec 16 20:39:41 2016 -0800

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697
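
The start-up failure and the fix described in this commit message, as an added example that is not the contrail-controller code: a missing `cafile` attribute breaks any HTTPS configuration, and seeding an empty default (or writing `cafile=` in the file, as in the workaround) lets the insecure setting take effect. `KEYSTONE_DEFAULTS`, the function names, the sample address and the requests-style `verify` value are assumptions made for illustration.

```python
import argparse
import configparser

# Constructed sample: a [KEYSTONE] section with insecure set and no cafile key.
SAMPLE_CONF = """\
[KEYSTONE]
auth_protocol=https
auth_host=192.0.2.10
auth_port=35357
insecure=True
"""

# Hypothetical defaults table; the empty cafile mirrors the fix described above.
KEYSTONE_DEFAULTS = {"auth_protocol": "http", "insecure": "False", "cafile": ""}


def load_keystone_args(conf_text, defaults=None):
    """Parse [KEYSTONE] into a Namespace, optionally seeded with defaults."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    values = dict(defaults or {})
    values.update(parser["KEYSTONE"])  # file values override defaults
    return argparse.Namespace(**values)


def tls_verify_setting(args):
    """Value a requests-style `verify=` parameter would take for this config.

    None  -> plain HTTP, no TLS
    False -> certificate validation disabled (insecure=True)
    path  -> validate against the configured CA bundle
    True  -> validate against the system trust store
    """
    if args.auth_protocol != "https":
        return None
    cafile = args.cafile  # read for every HTTPS config, as in the traceback
    if str(args.insecure).strip().lower() == "true":
        return False
    return cafile or True


def startup_outcome(conf_text, defaults):
    """Return the verify setting, or the error text if start-up would fail."""
    try:
        return tls_verify_setting(load_keystone_args(conf_text, defaults))
    except AttributeError as exc:
        return "AttributeError: %s" % exc


if __name__ == "__main__":
    print(startup_outcome(SAMPLE_CONF, None))               # unpatched behaviour
    print(startup_outcome(SAMPLE_CONF, KEYSTONE_DEFAULTS))  # with the default
```

A `False` result means the Keystone endpoint's certificate is not validated, so it is the value to flag when auditing these files.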

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27386
Committed: http://github.org/Juniper/contrail-controller/commit/bb9166ee26e03ce527574b05b413546bff1b34c9
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit bb9166ee26e03ce527574b05b413546bff1b34c9
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Dec 16 20:39:41 2016 -0800

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27383
Committed: http://github.org/Juniper/contrail-controller/commit/665682d81099f7b4f501834477ce19a92a564760
Submitter: Zuul (<email address hidden>)
Branch: master

commit 665682d81099f7b4f501834477ce19a92a564760
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Dec 16 20:39:41 2016 -0800

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27384
Committed: http://github.org/Juniper/contrail-controller/commit/1d9298de5182baf04aa6fc6973e2d74c3c259897
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 1d9298de5182baf04aa6fc6973e2d74c3c259897
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Dec 16 20:39:41 2016 -0800

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27387
Committed: http://github.org/Juniper/contrail-controller/commit/9c6d9ca425e9030fdab01db81f15eac479772854
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit 9c6d9ca425e9030fdab01db81f15eac479772854
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Dec 16 20:39:41 2016 -0800

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1.1.x

Review in progress for https://review.opencontrail.org/27898
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27898
Committed: http://github.org/Juniper/contrail-controller/commit/edeac12c6f0fb44e79039d914da28153fca10cb7
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit edeac12c6f0fb44e79039d914da28153fca10cb7
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Getting certs as argument to the VncApi class and creating
unique certbundle for request to different api-servers.
Closes-Bug: 1644713
Closes-Bug: 1644707

Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae
(cherry picked from commit df192ce6f9623c628dee975754027f827dbc28d9)
(cherry picked from commit d49aec87815d0b881aaec405832c5ac581e29c3d)
(cherry picked from commit 18a920da6f4ce95a66565a5e61ed9b5d6af39d4f)

Conflicts:
 src/api-lib/vnc_api.py

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697
(cherry picked from commit 9c6d9ca425e9030fdab01db81f15eac479772854)
