Puppet doesn't enforce permissions for $keystone_wsgi_script_path directory

Bug #1645299 reported by Rafal Szmigiel on 2016-11-28
Affects: puppet-keystone
Importance: Undecided
Assigned to: Rafal Szmigiel

Bug Description

Puppet's manifest puppet-keystone/manifests/wsgi/apache.pp doesn't enforce $keystone_wsgi_script_path permissions. In the case of a more restrictive, system-wide umask setting, the directory may become inaccessible to the web server, resulting in keystone failures.

This was confirmed when I was working with Red Hat OpenStack Platform 9, including this code:

$ umask
0077

drwx------. 2 keystone 51 Nov 28 05:44 /var/www/cgi-bin/keystone

during the deployment with RH OSP director:

Notice: /Stage[main]/Keystone::Service/Service[keystone]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Apache::Service/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Keystone::Deps/Anchor[keystone::service::end]: Triggered 'refresh' from 26 events
Error: Could not prefetch keystone_service provider 'openstack': Could not authenticate
Error: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.
Error: /Stage[main]/Glance::Keystone::Auth/Keystone::Resource::Service_identity[glance]/Keystone_service[Image Service::image]/ensure: change from absent to present failed: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.

in /var/log/httpd/keystone_wsgi_main_error.log:

[Mon Nov 28 05:46:05.899651 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46948] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.907486 2016] [core:error] [pid 23264] (13)Permission denied: [client 192.168.111.1:46982] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.911575 2016] [core:error] [pid 23269] (13)Permission denied: [client 192.168.111.1:46984] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:35.907123 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46988] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path

Rafal Szmigiel (a-rafal) on 2016-11-28
Changed in puppet-keystone:
assignee: nobody → Rafal Szmigiel (a-rafal)

Fix proposed to branch: master
Review: https://review.openstack.org/403658

Changed in puppet-keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/403658
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6
Submitter: Jenkins
Branch: master

commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb

Changed in puppet-keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/puppet-keystone 10.1.0 release.

Reviewed: https://review.openstack.org/432942
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=1841d11ab11b84c73ba706c24e101bceda4e4cd7
Submitter: Jenkins
Branch: stable/newton

commit 1841d11ab11b84c73ba706c24e101bceda4e4cd7
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb
    (cherry picked from commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6)

tags: added: in-stable-newton

Reviewed: https://review.openstack.org/432943
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=3d78c4f04d78f58914f600b2b2ce3835968cc18d
Submitter: Jenkins
Branch: stable/mitaka

commit 3d78c4f04d78f58914f600b2b2ce3835968cc18d
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb
    (cherry picked from commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/puppet-keystone 9.6.0 release.
