octavia

  1. Bug #1592612
  2. Comment #5

Comment 5 for bug 1592612

Revision history for this message
Jiahao liang (jiahao.liang) wrote : Re: TLS container could not be found

Hi guys,

This bug was previously marked as a duplicate of bug #1519170.

However, Lbaas TERMINATED_HTTPS is still not working for non-admin tenant even with bug #1519170 fixed.

I am going to reraise this bug and I assume that bug #1497410 and bug #1612588 will also have the same issue.

My test env is barbican(master), all other components are from stable/mitaka branch

The error I got was:
# source /home/stack/devstack/openrc admin demo
# neutron lbaas-listener-create --loadbalancer 40e04e16-4d84-46d8-8dcd-6717a734d37e --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container

http://192.168.200.43:9311/v1/containers/2817e144-9f11-4bed-a14e-0390edf89659
TLS container http://192.168.200.43:9311/v1/containers/2817e144-9f11-4bed-a14e-0390edf89659 is invalid. Forbidden
Neutron server returns request_ids: ['req-6116a004-c17e-4a50-9ad6-f17380ce011a']

Related q-svc.log and barbican-svc.log will be attached on next comment.

I made a few breakpoint to traceback the issue and that's where I fount out the last error:
traceback neutron_lbaas/services/loadbalancer/plugin.py:730 self._validate_tls(listener)
traceback neutron_lbaas/services/loadbalancer/plugin.py:657 cert_parser.validate_cert(cert_container.get_certificate(),
traceback neutron_lbaas/common/cert_manager/barbican_cert_manager.py:45 return self._cert_container.certificate.payload
traceback python2.7/site-packages/barbicanclient/secrets.py:192 self._fetch_payload()
traceback python2.7/site-packages/barbicanclient/secrets.py:260 if not self.payload_content_type and not self.content_types:
traceback python2.7/site-packages/barbicanclient/secrets.py:34 self._fill_lazy_properties()
traceback python2.7/site-packages/barbicanclient/secrets.py:416 result = self._api.get(self._secret_ref)
Processed request: 403 Forbidden - GET http://192.168.200.43:9311/v1/secrets/469fe858-44cc-431d-9c7c-a6d7936ed56c/payload

==================================
I dumped the request and found the X-Auth-Token header is actually the token for admin tenant instead of demo tenant.
Also in /etc/barbican/policy.json, If I change "secret:get" to "rule:all_users", the issue will be solved.

I believe some work need to be done either on barbican client or the policy.json.