PKI certs not readable by keystone user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Dirk Mueller | |
| openstack-manuals | Fix Released | High | Anne Gentle | |
Bug Description
Most users are going to run 'keystone-manage pki_setup' as root. This generates a set of certificates and keys in /etc/keystone/ssl* which is owned by root:root.
This is problematic when trying to then run the Keystone daemon under the 'keystone' user account (nologin) when trying to run PKI. Unless you manually chown the files keystone:keystone you'll get an error like this:
```
2012-07-31 11:10:53 ERROR [keystone.
140380567730016
140380567730016
unable to load signing key file
```
-----
Is there anything we could/should do to make configuring PKI certs a bit more streamlined?
Until then I suppose we should make sure our documentation mentions the certs need to be readable by the keystone daemon user.
tags: added: documentation

Changed in keystone:
- status: New → Triaged
- importance: Undecided → High

Changed in keystone:
- assignee: nobody → Adam Young (ayoung)

Changed in openstack-manuals:
- status: New → Triaged
- importance: Undecided → High

tags: added: keystone

Changed in keystone:
- milestone: none → grizzly-3
- status: Fix Committed → Fix Released
- summary: keystone-manage pki_setup creates certs owned by root → PKI certs not readable by keystone user

Changed in openstack-manuals:
- assignee: nobody → Anne Gentle (annegentle)

Changed in keystone:
- milestone: grizzly-3 → 2013.1
Here is the issue: The certificates can be world readable, but the private key cannot be. It should only be readable by the account that is going to sign tokens.
The best option is to run keystone-manage pki_setup as the pki user.
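An added example (not part of the bug report or of keystone itself) that audits a PKI directory for the two conditions raised above: files the daemon user cannot read, as happens when pki_setup is run as root, and a private key that is readable beyond the signing account. The certs/ and private/ layout, the file names and the stand-in daemon uid are assumptions.

```python
# Added example, not keystone code: check a pki_setup output tree for
# (a) files the daemon user cannot read and (b) private keys readable
# by group/other. Layout and file names below are assumptions.
import os
import stat
import tempfile

def user_can_read(st, uid, gids):
    """Plain POSIX mode-bit check for uid with group set gids (ACLs ignored)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def is_private_key(rel_path):
    """Assumed convention: anything under private/ or ending in _key.pem."""
    return "private" in rel_path.split(os.sep) or rel_path.endswith("_key.pem")

def audit_pki_dir(ssl_dir, uid, gids):
    """Return sorted (relative path, problem) findings for the daemon uid."""
    findings = []
    for dirpath, _, names in os.walk(ssl_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, ssl_dir)
            if not user_can_read(st, uid, gids):
                findings.append((rel, "not readable by daemon user"))
            if is_private_key(rel) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "private key readable by group/other"))
    return sorted(findings)

def demo():
    """Constructed tree owned by the caller (playing root), audited for a
    different uid with no shared groups (playing the keystone daemon)."""
    root = tempfile.mkdtemp()
    for sub in ("certs", "private"):
        os.mkdir(os.path.join(root, sub))
    files = {"certs/ca.pem": 0o644, "certs/signing_cert.pem": 0o644,
             "private/signing_key.pem": 0o600, "private/cakey.pem": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    daemon_uid = os.getuid() + 1  # any uid other than the file owner
    return audit_pki_dir(root, daemon_uid, set())

if __name__ == "__main__":
    print(demo())
```

The 0600 signing key is the bug as reported (owner root, daemon locked out); the 0644 CA key is the opposite failure the comment warns about.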