neutron

Error at listener's barbican container validation

Bug #1461752 reported by santosh
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Invalid
Undecided
Unassigned

Bug Description

Validation of the barabican container associated with listener (tls and sni) at plugin layer is throwing error.

In validate_tls_container() ,contain_id is passed where as it is expecting container_ref.

 def _validate_tls(self, listener, curr_listener=None):

        def validate_tls_container(container_ref):
        ...

       def validate_tls_containers(to_validate):
            for container_ref in to_validate:
                validate_tls_container(container_ref)
       ...
       if len(to_validate) > 0:
            validate_tls_containers(to_validate)

#to_validate is list of container_ids.

#at barbican_cert_manager.py get_cert() is cert_ref is a UUID instead of ref_url for container.

def get_cert(cert_ref, service_name='Octavia', resource_ref=None,
                 check_only=False, **kwargs):

         ...
         :param cert_ref: the UUID of the cert to retrieve
         ...

         cert_container = connection.containers.get(
                    container_ref=cert_ref

#above container_ref is a UUID whereas connection.container.get() expects a reference url.

We should prepare ref_url from container UUID
following should fix the issue.

diff --git a/neutron_lbaas/common/cert_manager/barbican_cert_manager.py b/neutron_lbaas/common/cert_manager/barbican_cert_manager.py
index 1ad38ee..8d3c3c4 100644
--- a/neutron_lbaas/common/cert_manager/barbican_cert_manager.py
+++ b/neutron_lbaas/common/cert_manager/barbican_cert_manager.py
@@ -219,6 +222,9 @@ class CertManager(cert_manager.CertManager):
         """
         connection = BarbicanKeystoneAuth.get_barbican_client()

+ if self.is_UUID(cert_ref):
+ cert_ref = self.get_cert_ref_url(cert_ref)
+

Error log:
-----------------------------------------------------------------------------------------------------------------------------------------------
ERROR neutron_lbaas.common.cert_manager.barbican_cert_manager [req-a5e704fb-f04b-45f2-9c50-f3bfebe09afd admin 5ca9f
cbf4652456a9bd53582b86bd0e9] Error getting 0b8d5af0-c156-46ad-b4c6-882a84824ce2
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager Traceback (most recent call last):
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager File "/opt/stack/neutron-lbaas/neutron_lbaas/common
/cert_manager/barbican_cert_manager.py", line 228, in get_cert
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager container_ref=cert_ref
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager File "/opt/stack/python-barbicanclient/barbicanclie
nt/containers.py", line 528, in get
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager base.validate_ref(container_ref, 'Container')
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager File "/opt/stack/python-barbicanclient/barbicanclie
nt/base.py", line 35, in validate_ref
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager raise ValueError('{0} incorrectly specified.'.for
mat(entity))
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager ValueError: Container incorrectly specified.
2015-06-04 09:58:38.126 TRACE neutron_lbaas.common.cert_manager.barbican_cert_manager
2015-06-04 09:58:38.167 INFO neutron.api.v2.resource [req-a5e704fb-f04b-45f2-9c50-f3bfebe09afd admin 5ca9fcbf4652456a9bd53582b86bd0e9] crea
te failed (client error): TLS container 0b8d5af0-c156-46ad-b4c6-882a84824ce2 could not be found
---------------------------------------------------------------------------------------------------------------------------------------------------

See original description
Tags: lbaas
santosh (chitr-prayatan)
description: updated
Revision history for this message
Adam Harwell (adam-harwell) wrote :

As per discussion on IRC -- this is working as intended, if it is rejecting containers when passed in simply as a UUID. The user must pass in a full container_ref. We might want to try to catch/validate even sooner in the API layer that the value for container_ref must be a full URI, not just a UUID. This feature does not seem to be well documented though, as I can't find anything describing its use, and the spec document for it is old and inaccurate (which appears to be what caused the confusion). We really need proper documentation, since at this moment it looks like the only "docs" are a few scattered wiki pages and blog posts with unclear examples.

Adam Harwell (adam-harwell)
Changed in neutron:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.