OpenStack-Ansible

Horizon secret_key_store permissions cause FilePermissionError

Bug #1403917 reported by Jesse Pretorius
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack-Ansible
Fix Released
Critical
Matt Thompson
Juno
Fix Released
Critical
Darren Birkett
OpenStack-Ansible 10.1.2

Bug Description

When the secret key is created in the first Horizon container, the file permissions are not set correctly, resulting in Horizon throwing an exception when you try to access it: FilePermissionError: Insecure key file permissions!

horizon_container-04a4f706:~# ls -al /var/lib/horizon/
total 12
drwx------ 2 www-data www-data 4096 Dec 18 15:05 .
drwxr-xr-x 31 root root 4096 Dec 17 18:15 ..
-rwx------ 1 www-data www-data 64 Dec 17 18:11 .secret_key_store

The permissions should be 0600.

The error is thrown by /usr/local/lib/python2.7/dist-packages/horizon/utils/secret_key.py

Removing /var/lib/horizon (or the key) and re-running the horizon-all play puts everything there properly.

See original description
Jesse Pretorius (jesse-pretorius)
description: updated
Jesse Pretorius (jesse-pretorius)
description: updated
Jesse Pretorius (jesse-pretorius)
description: updated
Jesse Pretorius (jesse-pretorius)
summary: - Apache in Horizon container throws FilePermissionError:
+ Apache in Horizon container throws FilePermissionError
summary: - Apache in Horizon container throws FilePermissionError
+ Horizon secret_key_store permissions cause FilePermissionError
Revision history for this message
Matt Thompson (mattt416) wrote :

Unable to replicate this on a freshly deployed multi-node cluster:

root@201412181651-node1:~/ansible-lxc-rpc/rpc_deployment# ansible horizon_all -m shell -a 'ls -al /var/lib/horizon/.secret_key_store'
201412181651-node1_horizon_container-e4931497 | success | rc=0 >>
-rw------- 1 www-data www-data 64 Dec 18 17:42 /var/lib/horizon/.secret_key_store

201412181651-node3_horizon_container-b45c1eed | FAILED | rc=2 >>
ls: cannot access /var/lib/horizon/.secret_key_store: No such file or directory

201412181651-node2_horizon_container-ee071593 | FAILED | rc=2 >>
ls: cannot access /var/lib/horizon/.secret_key_store: No such file or directory

root@201412181651-node1:~/ansible-lxc-rpc/rpc_deployment#

After using Horizon:

root@201412181651-node1:~/ansible-lxc-rpc/rpc_deployment# ansible horizon_all -m shell -a 'ls -al /var/lib/horizon/.secret_key_store'
201412181651-node1_horizon_container-e4931497 | success | rc=0 >>
-rw------- 1 www-data www-data 64 Dec 18 17:42 /var/lib/horizon/.secret_key_store

201412181651-node3_horizon_container-b45c1eed | success | rc=0 >>
-rw------- 1 www-data www-data 64 Dec 19 03:16 /var/lib/horizon/.secret_key_store

201412181651-node2_horizon_container-ee071593 | success | rc=0 >>
-rw------- 1 www-data www-data 64 Dec 19 09:09 /var/lib/horizon/.secret_key_store

root@201412181651-node1:~/ansible-lxc-rpc/rpc_deployment#

I'm wondering if this is specific to the AIO deploy?

--Matt

Jesse Pretorius (jesse-pretorius)
Changed in openstack-ansible:
assignee: Jesse Pretorius (jesse-pretorius) → Matt Thompson (mattt416)
status: New → In Progress
Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

The issue only appears to show up when the play for Horizon is re-run. The root cause has been identified and is resolved with this patch: https://review.openstack.org/#/c/143083/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/143083
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=22c974674aa8c14ac1abef6602a22f9d22ded247
Submitter: Jenkins
Branch: master

commit 22c974674aa8c14ac1abef6602a22f9d22ded247
Author: Matt Thompson <email address hidden>
Date: Fri Dec 19 13:14:58 2014 +0000

    Do not recursively chmod/chown files in container_directories

    Currently, we recursively chmod/chown files present in the directory
    being iterated over in the contain_directories variable. This is fine
    on first run as most of these directories (if not all) do not exist and
    are therefore empty. However, when the container_common role is
    re-applied, all files within will be altered. According to
    http://docs.ansible.com/file_module.html, non-existent parent
    directories will get automatically created when state=directory,
    recurse=yes is not necessary. This is presumably why recurse=yes was
    originally specified.

    This commit also explicitly creates /var/lib/nova/cache to ensure it's
    created with the right permission/ownership. Lastly, we set some valid
    ownership/permissions on /var/lib/nova/instances. This was implicitly
    happening with recurse=yes as the directory gets created in another
    role prior to container_os_setup.yml being run.

    Change-Id: Ibe54e19daa7e6d71dbde0f1ac59d86fc31cce7e5
    Closes-Bug: #1403917

Changed in openstack-ansible:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/146835

Darren Birkett (darren-birkett)
tags: removed: juno-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (juno)

Reviewed: https://review.openstack.org/146835
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=8b97d7fa2136b646b243b1d26d16b3a0b6c0e379
Submitter: Jenkins
Branch: juno

commit 8b97d7fa2136b646b243b1d26d16b3a0b6c0e379
Author: Matt Thompson <email address hidden>
Date: Fri Dec 19 13:14:58 2014 +0000

    Do not recursively chmod/chown files in container_directories

    Currently, we recursively chmod/chown files present in the directory
    being iterated over in the contain_directories variable. This is fine
    on first run as most of these directories (if not all) do not exist and
    are therefore empty. However, when the container_common role is
    re-applied, all files within will be altered. According to
    http://docs.ansible.com/file_module.html, non-existent parent
    directories will get automatically created when state=directory,
    recurse=yes is not necessary. This is presumably why recurse=yes was
    originally specified.

    This commit also explicitly creates /var/lib/nova/cache to ensure it's
    created with the right permission/ownership. Lastly, we set some valid
    ownership/permissions on /var/lib/nova/instances. This was implicitly
    happening with recurse=yes as the directory gets created in another
    role prior to container_os_setup.yml being run.

    Change-Id: Ibe54e19daa7e6d71dbde0f1ac59d86fc31cce7e5
    Closes-Bug: #1403917
    (cherry picked from commit 22c974674aa8c14ac1abef6602a22f9d22ded247)

Kevin Carter (kevin-carter)
Changed in openstack-ansible:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.