Usage of dogpile.cache.backend.redis requires injection via backend_argument

Bug #2052351 reported by Takashi Kajinami
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| oslo.cache | Fix Released | High | Takashi Kajinami | |

Bug Description

Using the redis backend always requires usage of backend_argument, which is considered advanced.
Because backend_argument is not secret, this means that the password in the URL may be leaked in logs.

In case we attempt to use the memcache_servers option, it always triggers the following traceback.

```
[Sat Feb 03 03:46:08.438124 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] mod_wsgi (pid=15934): Failed to exec Python script file '/var/www/cgi-bin/keystone/keystone'.
[Sat Feb 03 03:46:08.438153 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] mod_wsgi (pid=15934): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/keystone'.
[Sat Feb 03 03:46:08.439106 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] Traceback (most recent call last):
[Sat Feb 03 03:46:08.439128 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/var/www/cgi-bin/keystone/keystone", line 52, in <module>
[Sat Feb 03 03:46:08.439129 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] application = initialize_public_application()
[Sat Feb 03 03:46:08.439131 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/keystone/server/wsgi.py", line 23, in initialize_public_application
[Sat Feb 03 03:46:08.439132 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] return flask_core.initialize_application(
[Sat Feb 03 03:46:08.439134 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/keystone/server/flask/core.py", line 171, in initialize_application
[Sat Feb 03 03:46:08.439135 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] _unused, app = keystone.server.setup_backends(
[Sat Feb 03 03:46:08.439136 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/keystone/server/__init__.py", line 46, in setup_backends
[Sat Feb 03 03:46:08.439137 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] drivers = backends.load_backends()
[Sat Feb 03 03:46:08.439139 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/keystone/server/backends.py", line 42, in load_backends
[Sat Feb 03 03:46:08.439140 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] cache.configure_cache()
[Sat Feb 03 03:46:08.439141 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/keystone/common/cache/core.py", line 123, in configure_cache
[Sat Feb 03 03:46:08.439142 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] cache.configure_cache_region(CONF, region)
[Sat Feb 03 03:46:08.439143 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/oslo_cache/core.py", line 405, in configure_cache_region
[Sat Feb 03 03:46:08.439144 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] region.configure_from_config(config_dict,
[Sat Feb 03 03:46:08.439150 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/region.py", line 662, in configure_from_config
[Sat Feb 03 03:46:08.439151 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] return self.configure(
[Sat Feb 03 03:46:08.439153 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/region.py", line 487, in configure
[Sat Feb 03 03:46:08.439154 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] self.backend = backend_cls.from_config_dict(
[Sat Feb 03 03:46:08.439155 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/api.py", line 186, in from_config_dict
[Sat Feb 03 03:46:08.439156 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] return cls(
[Sat Feb 03 03:46:08.439157 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/backends/redis.py", line 305, in __init__
[Sat Feb 03 03:46:08.439159 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] super().__init__(
[Sat Feb 03 03:46:08.439160 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/backends/redis.py", line 124, in __init__
[Sat Feb 03 03:46:08.439161 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] self._create_client()
[Sat Feb 03 03:46:08.439162 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/dogpile/cache/backends/redis.py", line 333, in _create_client
[Sat Feb 03 03:46:08.439163 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] sentinel = redis.sentinel.Sentinel(
[Sat Feb 03 03:46:08.439165 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] File "/usr/lib/python3.9/site-packages/redis/sentinel.py", line 185, in __init__
[Sat Feb 03 03:46:08.439166 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] self.sentinels = [
[Sat Feb 03 03:46:08.439170 2024] [wsgi:error] [pid 15934:tid 15945] [remote 127.0.0.1:49472] TypeError: 'NoneType' object is not iterable
```

The snippet from keystone.conf
```
[cache]
backend=dogpile.cache.redis
memcache_servers=redis://:a_big_secret@localhost:6379
tls_enabled = true
tls_cafile = /etc/pki/tls/certs/ca-bundle.crt
```

Takashi Kajinami (kajinamit) wrote :

Hmm. It seems we are not supposed to use memcache_servers but set url via backend_arguments?

description: updated
summary: - Usage of dogpile.cache.backend.redis always crashes
+ Usage of dogpile.cache.backend.redis requires injection via
+ backend_argument
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.cache (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/oslo.cache/+/907649

Changed in oslo.cache:
status: New → In Progress
Changed in oslo.cache:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.cache (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.cache/+/907649
Committed: https://opendev.org/openstack/oslo.cache/commit/28411250dadaf73f0263b55e1d07337fc79b202b
Submitter: "Zuul (22348)"
Branch: master

commit 28411250dadaf73f0263b55e1d07337fc79b202b
Author: Takashi Kajinami <email address hidden>
Date: Sat Feb 3 21:10:28 2024 +0900

    Add native options for redis backend

    This introduces a few new redis_* options to simplify the settings
    required to use the redis backend. The main aim of this change is to
    replace the requirement to inject url by backend_argument.

    [cache]
    backend=dogpile.cache.redis
    redis_server=127.0.0.1:6379
    redis_username=default
    redis_password=a_big_secret
    redis_socket_timeout=1.0

    Closes-Bug: #2052351
    Change-Id: Id72878f9cddaa99146eab5fb4ee76c8e6a633809

Changed in oslo.cache:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.cache 3.7.0

This issue was fixed in the openstack/oslo.cache 3.7.0 release.
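
A defender-side check for the exposure described in this report, added here as an example and not part of oslo.cache or the bug thread: it scans the `[cache]` section for a password embedded in a URL under the non-secret options and derives the `redis_*` options named in the fix commit. The `url:` prefix on backend_argument, the default port 6379, and the function name `audit_cache_section` are assumptions.

```python
import re
from urllib.parse import urlsplit

# [cache] options from the report that are not secret and may carry a URL.
URL_OPTIONS = {"backend_argument", "memcache_servers"}

def audit_cache_section(conf_text):
    """Return (findings, suggested) for [cache] in an oslo-style INI text.
    findings: (option, redacted_value) for each URL embedding a password.
    suggested: redis_* options (names from the fix commit) for the same data.
    """
    findings, suggested, section = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "cache" or "=" not in line:
            continue
        opt, value = (part.strip() for part in line.split("=", 1))
        if opt not in URL_OPTIONS:
            continue
        # Assumption: backend_argument is "<name>:<value>", e.g. "url:redis://..."
        if opt == "backend_argument" and value.startswith("url:"):
            value = value[len("url:"):]
        parts = urlsplit(value)
        if not parts.password:
            continue
        findings.append((opt, value.replace(f":{parts.password}@", ":***@", 1)))
        port = parts.port or 6379  # assumption: default Redis port if omitted
        suggested["redis_server"] = f"{parts.hostname}:{port}"
        if parts.username:
            suggested["redis_username"] = parts.username
        suggested["redis_password"] = parts.password
    return findings, suggested

# Constructed sample, modelled on the keystone.conf snippet in the report.
SAMPLE = """[cache]
backend = dogpile.cache.redis
backend_argument = url:redis://:a_big_secret@localhost:6379
"""

if __name__ == "__main__":
    found, new_opts = audit_cache_section(SAMPLE)
    for opt, shown in found:
        print(f"[cache] {opt} embeds a password: {shown}")
    print({k: "***" if k == "redis_password" else v for k, v in new_opts.items()})
```

The password in the URL is matched as written, so a percent-encoded password would need decoding before it is placed in redis_password.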
