Unable to set "insecure" option in nova, cinder and neutron config groups

Bug #1809318 reported by Goutham Pacha Ravi on 2018-12-20
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Manila
Medium
Goutham Pacha Ravi

Bug Description

Setup manila with config options:
[nova]/insecure = True
[neutron]/insecure = True
[cinder]/insecure = True

You'll notice that none of these clients are created with "insecure" set to True. Instead, because of the override in the code [1][2], these options are ignored in favor of the option "api_insecure". Since manila uses keystone session based authentication for all three clients (nova, neutron and cinder), it should allow setting the keystone session parameters [3] and fall back on older parameter names if they are not provided.

[1] https://github.com/openstack/manila/blob/7969d94/manila/compute/nova.py#L47
[2] https://github.com/openstack/manila/blob/7969d94/manila/compute/nova.py#L79
[3] https://github.com/openstack/keystoneauth/blob/8032328/keystoneauth1/loading/session.py#L84

Changed in manila:
assignee: nobody → Goutham Pacha Ravi (gouthamr)
importance: Undecided → Medium
Changed in manila:
status: New → In Progress
Goutham Pacha Ravi (gouthamr) wrote :

Change proposed to openstack/manila (master):
https://review.openstack.org/#/c/626506/

Changed in manila:
milestone: none → stein-3
tags: added: queen-backport-potential rocky-backport-potential

Reviewed: https://review.openstack.org/626506
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=198bea78ac01aaf8a703ca7878b2a85a1b59667e
Submitter: Zuul
Branch: master

commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318

Changed in manila:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/627418
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=4947cb0f6c610d5abf6d34d20bb50febd5b0239b
Submitter: Zuul
Branch: stable/rocky

commit 4947cb0f6c610d5abf6d34d20bb50febd5b0239b
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318
    (cherry picked from commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e)

tags: added: in-stable-rocky

Reviewed: https://review.openstack.org/628094
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=71fede769ca14c2b7ea8f20cc181c2aa6362948d
Submitter: Zuul
Branch: stable/queens

commit 71fede769ca14c2b7ea8f20cc181c2aa6362948d
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Dec 19 23:38:13 2018 -0800

    Deprecate old keystone session config opts

    In the past, the options ca_certificates_file,
    nova_ca_certificates_file, cinder_ca_certificates_file,
    api_insecure, nova_api_insecure, cinder_api_insecure
    were supplied to instantiate nova, neutron and cinder
    clients. These options have now been subsumed in a more
    generic way into the Keystone session logic as 'cafile'
    and 'insecure'. Deprecate the older options in Stein so
    that we can remove them in a future release.

    This deprecation began many releases ago when we switched
    to using keystone sessions [1]. However, we were still
    overriding the values of "insecure" and "cafile" if provided,
    forcing users to continue using deprecated parameters
    "api_insecure" and "ca_certificates_file". So despite
    this fix originating in the Stein release, it would be
    prudent to backport it to all maintained releases and
    remove support for these older options in/beyond Train
    release (9.0.0).

    [1] Ic211a11308a3295409467efd88bff413482ee58d
    Change-Id: I148e9079c7c1ab119f519f727d4ad97758473325
    Related-Bug: #1802393
    Closes-Bug: #1809318
    (cherry picked from commit 198bea78ac01aaf8a703ca7878b2a85a1b59667e)
    (cherry picked from commit 4947cb0f6c610d5abf6d34d20bb50febd5b0239b)

tags: added: in-stable-queens

This issue was fixed in the openstack/manila 7.1.0 release.

This issue was fixed in the openstack/manila 6.1.0 release.

This issue was fixed in the openstack/manila 8.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers