Hi guys,
This bug was previously marked as a duplicate of bug #1519170.
However, Lbaas TERMINATED_HTTPS is still not working for non-admin tenant even with bug #1519170 fixed.
I am going to reraise this bug and I assume that bug #1497410 and bug #1612588 will also have the same issue.
My test env is barbican (master); all other components are from the stable/mitaka branch.
The error I got was:
# source /home/stack/devstack/openrc admin demo
# neutron lbaas-listener-create --loadbalancer 40e04e16-4d84-46d8-8dcd-6717a734d37e --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container http://192.168.200.43:9311/v1/containers/2817e144-9f11-4bed-a14e-0390edf89659
TLS container http://192.168.200.43:9311/v1/containers/2817e144-9f11-4bed-a14e-0390edf89659 is invalid. Forbidden
Neutron server returns request_ids: ['req-6116a004-c17e-4a50-9ad6-f17380ce011a']
Related q-svc.log and barbican-svc.log will be attached on next comment.
I made a few breakpoints to trace back the issue, and that's where I found out the last error:
traceback neutron_lbaas/services/loadbalancer/plugin.py:730 self._validate_tls(listener)
traceback neutron_lbaas/services/loadbalancer/plugin.py:657 cert_parser.validate_cert(cert_container.get_certificate(),
traceback neutron_lbaas/common/cert_manager/barbican_cert_manager.py:45 return self._cert_container.certificate.payload
traceback python2.7/site-packages/barbicanclient/secrets.py:192 self._fetch_payload()
traceback python2.7/site-packages/barbicanclient/secrets.py:260 if not self.payload_content_type and not self.content_types:
traceback python2.7/site-packages/barbicanclient/secrets.py:34 self._fill_lazy_properties()
traceback python2.7/site-packages/barbicanclient/secrets.py:416 result = self._api.get(self._secret_ref)
Processed request: 403 Forbidden - GET http://192.168.200.43:9311/v1/secrets/469fe858-44cc-431d-9c7c-a6d7936ed56c/payload
==================================
I dumped the request and found the X-Auth-Token header is actually the token for admin tenant instead of demo tenant.
Also in /etc/barbican/policy.json, if I change "secret:get" to "rule:all_users", the issue will be solved.
I believe some work needs to be done either on barbican client or the policy.json.