Running Pike manila-api directly with SSL does not speak SSL
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) | Fix Released | Undecided | junboli | |
Bug Description
Deploying manila-api with the SSL keys and certificates configured in the manila configuration file, and running manila-api directly results in the API speaking HTTP over HTTPS -- if the endpoint is registered as an https:// endpoint, the manila command line client gives the following error:
[Note we need to use --insecure due to using self-signed certificates]
# openstack --insecure endpoint list | grep manila
| 6a6a21c0cea0426
...
# manila --insecure service-list
...
ERROR: HTTPSConnection
If you use curl -k (again, for self-signed certificates), you can see it does actually use HTTP:
# curl -k https:/
curl: (35) error:140770FC:SSL routines:
# curl -k http://
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
If manila-api is deployed via WSGI, then it can be deployed and used while utilising HTTPS:
# manila --insecure service-list
...
+----+-
| Id | Binary | Host | Zone | Status | State | Updated_at |
+----+-
| 1 | manila-scheduler | d52-54-77-77-01-01 | nova | enabled | up | 2017-11-
| 2 | manila-share | d52-54-
| 3 | manila-share | d52-54-
+----+-
Worse, you have no idea that this is a problem when it's deploying since the configuration parameters are not marked as deprecated and there is no pointer in the release notes. If you search the code for the configuration options, you can see that they are defined, but never used:
steven@
doc/source/
doc/source/
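A check that would have caught this at deploy time, as an added example (not part of the bug report or of the Manila code base): it probes the listener behind a registered endpoint URL and reports whether it completes a TLS handshake or answers plaintext HTTP. The function names are hypothetical, and certificate verification is deliberately skipped because only the wire protocol is being tested.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def probe_listener(host, port, timeout=5.0):
    """Classify a listener as 'tls', 'plaintext-http' or 'unknown'."""
    # Verification is off on purpose: the only question is whether a TLS
    # handshake completes at all (the report's deployment is self-signed).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:
        pass  # SSLError, reset or timeout: fall through to the plaintext probe
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


def endpoint_matches_scheme(url, timeout=5.0):
    """Return (observed, ok): ok is False when URL scheme and wire protocol differ."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    observed = probe_listener(parts.hostname, port, timeout)
    expected = "tls" if parts.scheme == "https" else "plaintext-http"
    return observed, observed == expected


if __name__ == "__main__":
    # Usage: python probe.py <endpoint-url> (the URL as registered in the catalog)
    observed, ok = endpoint_matches_scheme(sys.argv[1])
    print(f"{sys.argv[1]}: listener speaks {observed}")
    sys.exit(0 if ok else 1)
```

A non-zero exit for an https:// endpoint means the service is answering in cleartext despite its TLS configuration, which is the condition described in this report.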
Changed in manila:
assignee: nobody → junboli (junboli)
Changed in manila:
status: New → In Progress
tags: added: pike-backport-potential
Reviewed: https://review.openstack.org/519206
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=fa5b81f903b3ac0028f7e935aea728a443689bfe
Submitter: Zuul
Branch: master
commit fa5b81f903b3ac0028f7e935aea728a443689bfe
Author: junboli <email address hidden>
Date: Fri Nov 17 13:22:01 2017 +0800
Add ssl support for manila API access
Currently, Manila does not support secure access to the manila
APIs; obviously, this is a defect for the manila service. This
change is to add ssl support for the manila project.
Closes-bug: #1732844
Closes-bug: #1730529
Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0