Puppet doesn't enforce permissions for $keystone_wsgi_script_path directory

Bug #1645299 reported by Rafal Szmigiel
Affects: puppet-keystone
Status: Fix Released
Importance: Undecided
Assigned to: Rafal Szmigiel

Bug Description

Puppet's manifest puppet-keystone/manifests/wsgi/apache.pp doesn't enforce $keystone_wsgi_script_path permissions. In the case of a more restrictive system-wide umask setting, the directory may become inaccessible to the web server, resulting in keystone failures.

This was confirmed while I was working with Red Hat OpenStack Platform 9, which includes this code:

$ umask
0077

drwx------. 2 keystone 51 Nov 28 05:44 /var/www/cgi-bin/keystone

during the deployment with RH OSP director:

Notice: /Stage[main]/Keystone::Service/Service[keystone]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Apache::Service/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Keystone::Deps/Anchor[keystone::service::end]: Triggered 'refresh' from 26 events
Error: Could not prefetch keystone_service provider 'openstack': Could not authenticate
Error: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.
Error: /Stage[main]/Glance::Keystone::Auth/Keystone::Resource::Service_identity[glance]/Keystone_service[Image Service::image]/ensure: change from absent to present failed: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.

in /var/log/httpd/keystone_wsgi_main_error.log:

[Mon Nov 28 05:46:05.899651 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46948] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.907486 2016] [core:error] [pid 23264] (13)Permission denied: [client 192.168.111.1:46982] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.911575 2016] [core:error] [pid 23269] (13)Permission denied: [client 192.168.111.1:46984] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:35.907123 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46988] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path

Rafal Szmigiel (a-rafal)
Changed in puppet-keystone:
assignee: nobody → Rafal Szmigiel (a-rafal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/403658

Changed in puppet-keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/403658
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6
Submitter: Jenkins
Branch: master

commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb

Changed in puppet-keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-keystone 10.1.0

This issue was fixed in the openstack/puppet-keystone 10.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/432942

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/432943

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/newton)

Reviewed: https://review.openstack.org/432942
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=1841d11ab11b84c73ba706c24e101bceda4e4cd7
Submitter: Jenkins
Branch: stable/newton

commit 1841d11ab11b84c73ba706c24e101bceda4e4cd7
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb
    (cherry picked from commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/mitaka)

Reviewed: https://review.openstack.org/432943
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=3d78c4f04d78f58914f600b2b2ce3835968cc18d
Submitter: Jenkins
Branch: stable/mitaka

commit 3d78c4f04d78f58914f600b2b2ce3835968cc18d
Author: Rafal Szmigiel <email address hidden>
Date: Mon Nov 28 13:11:44 2016 +0100

    Ensures $keystone_wsgi_script_path right permissions.

    Closes-Bug: 1645299

    In the case of more restrictive, system-wide umask setting,
    directory $keystone_wsgi_script_path may become inaccessible for
    web-server resulting in keystone failures.

    Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb
    (cherry picked from commit 4f15fb64b1cb60388efbee75acbfb3b13a8fa1f6)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-keystone 9.6.0

This issue was fixed in the openstack/puppet-keystone 9.6.0 release.
