insecure=True not documented outside of keystoneclient.middleware.auth_token

Bug #1239894 reported by Bhuvan Arumugam
This bug affects 2 people
Affects                       | Status       | Importance | Assigned to    | Milestone
OpenStack Identity (keystone) | Invalid      | Low        | Unassigned     |
openstack-manuals             | Fix Released | High       | Andreas Jaeger |
python-keystoneclient         | Invalid      | Undecided  | Unassigned     |

Bug Description

We use a self-signed certificate with all OpenStack services. It all worked so far, but broke once keystoneclient v0.4.0 was released last week.

As per this commit, keystoneclient by default uses insecure=False.
https://github.com/openstack/python-keystoneclient/commit/20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c

This breaks self-signed instances. The OpenStack components {nova, glance, neutron} are unable to communicate with keystone. We don't use horizon or swift; I presume they are broken as well. The keystone client is happy, though, if we use the --insecure flag while using it directly.

Ideally, we should introduce a new config parameter, keystone_api_insecure. The insecure flag in keystoneclient should be defined based on this parameter. This should be fixed in all OpenStack services: nova, glance & neutron.

[barumugam@build tempest]$ keystone --insecure tenant-list
+----------------------------+----------------------------+---------+
| id | name | enabled |
+----------------------------+----------------------------+---------+
| csi-tenant-tempest | csi-tenant-tempest | True |
+----------------------------+----------------------------+---------+

[barumugam@build tempest]$ nova --insecure list
ERROR: Unauthorized (HTTP 401)

Nova log:

2013-10-13 00:01:56,680 (keystoneclient.middleware.auth_token): ERROR auth_token _http_request HTTP connection exception: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013-10-13 00:01:56,682 (keystoneclient.middleware.auth_token): DEBUG auth_token _validate_user_token Token validation failure.
Traceback (most recent call last):
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 808, in _validate_user_token
    verified = self.verify_signed_token(user_token)
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1165, in verify_signed_token
    if self.is_signed_token_revoked(signed_text):
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1127, in is_signed_token_revoked
    revocation_list = self.token_revocation_list
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1217, in token_revocation_list
    self.token_revocation_list = self.fetch_revocation_list()
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1235, in fetch_revocation_list
    additional_headers=headers)
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 739, in _json_request
    response = self._http_request(method, path, **kwargs)
  File "/usr/local/csi/share/csi-nova.venv/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 704, in _http_request
    raise NetworkError('Unable to communicate with keystone')

Jamie Lennox (jamielennox) wrote :

Dolph Mathews (dolph) wrote :

Can you share your auth_token configuration?

Changed in python-keystoneclient:
status: New → Incomplete
Dolph Mathews (dolph) wrote :

This doesn't appear to be relevant to nova itself

Changed in nova:
status: New → Invalid
Davanum Srinivas (DIMS) (dims-v) wrote :

@Bhuvan,

Did you try adding insecure=true flag in /etc/nova/api-paste.ini? in the "[filter:authtoken]" section?

Bhuvan Arumugam (bhuvan) wrote :

@dims-v, that is it.
I didn't set [filter:authtoken].insecure=True in /etc/nova/api-paste.ini. With this flag, OpenStack services could communicate with the self-signed keystone instance.

Since this is a change in behavior with keystoneclient, we should document it somewhere here:
http://docs.openstack.org/developer/python-keystoneclient/using-api.html

... something in these lines:

If you use keystone with a self-signed certificate, the OpenStack services wouldn't be able to verify the certificate. To disable certificate verification, you should define insecure=True in the [filter:authtoken] section of the /etc/nova/api-paste.ini file. The flag should be defined for other components as well.

Changed in python-keystoneclient:
status: Incomplete → New
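Because insecure=True silently turns off certificate verification for every token validation and revocation-list fetch the service makes, it is worth being able to find it in deployed paste files. The script below is an added example, not code from the bug report or from keystoneclient: it parses a paste-deploy INI, reads the [filter:authtoken] section named on this page, and reports whether verification is disabled. The option names auth_protocol (assumed to default to https, as in auth_token) and insecure (a BoolOpt defaulting to False) are assumptions drawn from the middleware's option definitions; the sample INI fragments are constructed, not the reporter's real nova configuration.

```python
"""Audit a paste-deploy INI (e.g. /etc/nova/api-paste.ini) for the
auth_token filter's `insecure` option.

Added example; not part of the bug report or of keystoneclient.
Assumptions: the filter section is [filter:authtoken], `insecure` is a
boolean option defaulting to False, and `auth_protocol` defaults to https.
"""
import configparser

# Constructed sample: the flag switched on, as the reporter ended up doing.
SAMPLE_WEAK = """\
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = keystone.example.invalid
auth_port = 35357
auth_protocol = https
insecure = True
"""

# Constructed sample: same filter with the default (verification stays on).
SAMPLE_DEFAULT = """\
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = keystone.example.invalid
auth_port = 35357
auth_protocol = https
"""

# Spellings oslo.config accepts for a BoolOpt (case-insensitive).
_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}


def parse_bool(value):
    """Interpret a BoolOpt value; anything unrecognised is an error."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("not a boolean: %r" % value)


def load_authtoken(ini_text, section="filter:authtoken"):
    """Return the options of the auth_token filter as a dict, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return None
    return dict(cp.items(section))


def audit(ini_text):
    """Classify the auth_token transport configuration.

    VERIFY_DISABLED : https with insecure=True (the situation on this page)
    VERIFY_ENABLED  : https with the default insecure=False
    PLAINTEXT_AUTH  : auth_protocol is not https at all
    NO_AUTHTOKEN    : the file has no [filter:authtoken] section
    """
    opts = load_authtoken(ini_text)
    if opts is None:
        return "NO_AUTHTOKEN"
    protocol = opts.get("auth_protocol", "https").strip().lower()
    insecure = parse_bool(opts.get("insecure", "false"))
    if protocol != "https":
        return "PLAINTEXT_AUTH"
    if insecure:
        return "VERIFY_DISABLED"
    return "VERIFY_ENABLED"


def audit_file(path):
    """Audit a real paste file on disk."""
    with open(path, encoding="utf-8") as f:
        return audit(f.read())


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("default", SAMPLE_DEFAULT)):
        print("%-8s %s" % (name, audit(text)))
```

Run it against each service's api-paste.ini (nova, glance, neutron, and any others that carry the filter); a VERIFY_DISABLED finding is the configuration this bug asks to document, and the service will then accept any certificate keystone presents.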
Dolph Mathews (dolph) wrote :

Agree that this is a doc bug, although keystoneclient doesn't currently document usage for auth_token at all, beyond help attributes via oslo.config / argparse (in this case... `cfg.BoolOpt('insecure', default=False, help='Verify HTTPS connections.')` ). openstack-manuals does have coverage on this topic though.

Changed in python-keystoneclient:
status: New → Invalid
Jamie Lennox (jamielennox) wrote :

keystoneclient does have some documentation for auth_token. It is in the python-keystoneclient/doc/source/middlewarearchitecture.rst document, but I'm not sure where this gets published to.

Dolph Mathews (dolph) wrote :

Jamie: see bug 1240202. Added keystone to this bug so that the canonical version can be revised:

  https://github.com/openstack/keystone/blob/master/doc/source/middlewarearchitecture.rst#configuration-options

Changed in keystone:
status: New → Triaged
importance: Undecided → Low
Dolph Mathews (dolph)
tags: added: documentation
removed: certificate keystoneclient self-signed
summary: - openstack services unable to reach to self-signed keystone
+ insecure=True not documented outside of
+ keystoneclient.middleware.auth_token
Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana
status: Confirmed → Triaged
Tom Fifield (fifieldt)
no longer affects: nova
tags: added: sec-guide
Changed in openstack-manuals:
assignee: nobody → chandankumar (chandankumar-093047)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63541

Changed in openstack-manuals:
status: Triaged → In Progress
Changed in openstack-manuals:
assignee: chandankumar (chandankumar-093047) → Andreas Jaeger (jaegerandi)
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/63541
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=fda2f0459a5d9d48d40d607ba447db1204458e75
Submitter: Jenkins
Branch: master

commit fda2f0459a5d9d48d40d607ba447db1204458e75
Author: Chandan Kumar <email address hidden>
Date: Sat Dec 21 04:08:41 2013 +0530

    Added docs for disabling SSL certificates in openstack services

    Closes-Bug:#1239894

    Change-Id: If3ad6cb364dcccd224db1da738b7f189856b465f
    backport:none

Changed in openstack-manuals:
status: In Progress → Fix Released
Steve Martinelli (stevemar) wrote :

Refer to http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html; we no longer have a version of this in the keystone server docs.

Changed in keystone:
status: Triaged → Invalid
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
