Neuton-LBaaS and Octavia out of synch if TLS container secret ACLs not set up correctly
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
octavia |
Invalid
|
Medium
|
Unassigned |
Bug Description
I'm hoping this is something that will go away with the neutron-lbaas and Octavia merge.
Create a self-signed certificate like so:
openssl genrsa -des3 -out self-signed_
openssl rsa -in self-signed_
openssl req -new -x509 -days 365 -key self-signed.key -out self-signed.crt
As the admin user, grant the demo user the ability to create cloud resources on the demo project:
openstack role add --project demo --user demo creator
Now, become the demo user:
source ~/devstack/openrc demo demo
As the demo user, upload the self-signed certificate to barbican:
openstack secret store --name='test_cert' --payload-
openstack secret store --name='test_key' --payload-
openstack secret container create --name=
As the demo user, grant access to the the above secrets BUT NOT THE CONTAINER to the 'admin' user. In my test, the admin user has ID: 02c0db7c648c471
openstack acl user add -u 02c0db7c648c471
openstack acl user add -u 02c0db7c648c471
Now, as the demo user, attempt to deploy a neutron-lbaas listener using the secret container above:
neutron lbaas-loadbalan
neutron lbaas-listener-
The neutron-lbaas command succeeds, but the Octavia deployment fails since it can't access the secret container.
This is fixed if you remember to grant access to the TLS container to the admin user like so:
openstack acl user add -u 02c0db7c648c471
However, neutron-lbaas and octavia should have similar failure scenarios if the permissions aren't set up exactly right in any case.
Changed in octavia: | |
importance: | Undecided → Medium |
tags: | added: lbaas |
no longer affects: | neutron |
Abandoned after re-enabling the Octavia launchpad.