documentation should advise against using pki_setup and ssl_setup

Bug #1291366 reported by Adam Young
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad |

Bug Description

Both of these tools generate self-signed CA certificates. As such, they are only appropriate for development deployments, and should be treated as such. While sites with mature PKI policies would recognize this, the majority of people new to OpenStack are not PKI experts, and are using the provided tools. The http://docs.openstack.org/developer/keystone/configuration.html#certificates-for-pki should state this clearly.

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Dolph Mathews (dolph) wrote :

There should also be a description of both commands in --help to that effect:

$ keystone-manage pki_setup --help
usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup
       [-h] [--keystone-user KEYSTONE_USER] [--keystone-group KEYSTONE_GROUP]

optional arguments:
  -h, --help show this help message and exit
  --keystone-user KEYSTONE_USER
  --keystone-group KEYSTONE_GROUP

$ keystone-manage ssl_setup --help
usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] ssl_setup
       [-h] [--keystone-user KEYSTONE_USER] [--keystone-group KEYSTONE_GROUP]

optional arguments:
  -h, --help show this help message and exit
  --keystone-user KEYSTONE_USER
  --keystone-group KEYSTONE_GROUP

Changed in keystone:
status: New → Triaged
tags: added: documentation
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/103697

Changed in keystone:
assignee: Adam Young (ayoung) → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/103697
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bb34e70d04f336a58859a83abe17598672d308a9
Submitter: Jenkins
Branch: master

commit bb34e70d04f336a58859a83abe17598672d308a9
Author: Lance Bragstad <email address hidden>
Date: Mon Jun 30 18:14:51 2014 -0500

    Fix docs and scripts for pki_setup and ssl_setup

    Make sure we document that pki_setup and ssl_setup scripts are not
    recommended for production deployments.

    Closes-Bug: #1291366
    Change-Id: Ic0e163a7d54f7438b7963ed18a356137206dde8a

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2