OpenStack Shared File Systems Service (Manila)

Unable to set "insecure" option in nova, cinder and neutron config groups

Bug #1809318 reported by Goutham Pacha Ravi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Shared File Systems Service (Manila)
Fix Released
Medium
Goutham Pacha Ravi
OpenStack Shared File Systems Service (Manila) stein-3

Bug Description

Setup manila with config options:
[nova]/insecure = True
[neutron]/insecure = True
[cinder]/insecure = True

You'll notice that none of these clients are created with "insecure" set to True. Instead, because of the override in the code [1][2], these options are ignored in favor of the option "api_insecure". Since manila uses keystone session based authentication for all three clients (nova, neutron and cinder), it should allow setting the keystone session parameters [3] and fall back on older parameter names if they are not provided.

[1] https://github.com/openstack/manila/blob/7969d94/manila/compute/nova.py#L47
[2] https://github.com/openstack/manila/blob/7969d94/manila/compute/nova.py#L79
[3] https://github.com/openstack/keystoneauth/blob/8032328/keystoneauth1/loading/session.py#L84

Goutham Pacha Ravi (gouthamr)
Changed in manila:
assignee: nobody → Goutham Pacha Ravi (gouthamr)
importance: Undecided → Medium
OpenStack Infra (hudson-openstack)
Changed in manila:
status: New → In Progress
Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Change proposed to openstack/manila (master):
https://review.openstack.org/#/c/626506/

Changed in manila:
milestone: none → stein-3
tags: added: queen-backport-potential rocky-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/626506
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=198bea78ac01aaf8a703ca7878b2a85a1b59667e
Submitter: Zuul
Branch: master

commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318

Changed in manila:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/627418

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/rocky)

Reviewed: https://review.openstack.org/627418
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=4947cb0f6c610d5abf6d34d20bb50febd5b0239b
Submitter: Zuul
Branch: stable/rocky

commit 4947cb0f6c610d5abf6d34d20bb50febd5b0239b
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318
    (cherry picked from commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/628094

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/queens)

Reviewed: https://review.openstack.org/628094
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=71fede769ca14c2b7ea8f20cc181c2aa6362948d
Submitter: Zuul
Branch: stable/queens

commit 71fede769ca14c2b7ea8f20cc181c2aa6362948d
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318
    (cherry picked from commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e)
    (cherry picked from commit 4947cb0f6c610d5abf6d34d20bb50febd5b0239b)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 7.1.0

This issue was fixed in the openstack/manila 7.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 6.1.0

This issue was fixed in the openstack/manila 6.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 8.0.0.0rc1

This issue was fixed in the openstack/manila 8.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.