In Pike SSL deployment, Horizon can't retrieve volumes/snapshots and service data via cinderclient

Bug #1744670 reported by Alexey Ananchenko on 2018-01-22
This bug affects 6 people
Affects: keystoneauth (Importance: Undecided; Assigned to: Unassigned)
Affects: python-cinderclient (Importance: Undecided; Assigned to: Unassigned)

Bug Description

Ops packages versions:
openstack-cinder.noarch 11.0.1-1.el7
openstack-dashboard.noarch 12.0.1-1.el7
openstack-glance.noarch 15.0.0-2.el7
openstack-keystone.noarch 12.0.0-1.el7
openstack-neutron.noarch 11.0.2-2.el7
openstack-neutron-common.noarch 11.0.2-2.el7
openstack-neutron-ml2.noarch 11.0.2-2.el7
openstack-nova-api.noarch 16.0.3-2.el7
openstack-nova-common.noarch 16.0.3-2.el7
openstack-nova-conductor.noarch 16.0.3-2.el7
openstack-nova-console.noarch 16.0.3-2.el7
openstack-nova-novncproxy.noarch 16.0.3-2.el7
openstack-nova-placement-api.noarch 16.0.3-2.el7
openstack-nova-scheduler.noarch 16.0.3-2.el7
python2-cinderclient.noarch 3.1.0-1.el7

Only after applying hard-coded links to certificate in cinder-client and keystone, the dashboard starts working:

/cinderclient/client.py

        if self.timeout:
            kwargs.setdefault('timeout', self.timeout)
        self.http_log_req((url, method,), kwargs)
        resp = requests.request(
            method,
            url,
+ cert = ("/etc/keystone/ssl/certs/signing_cert.pem",
            "/etc/keystone/ssl/private/signing_key.pem"),
            verify=self.verify_cert,
            **kwargs)
        self.http_log_resp(resp)
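
Review bot: the added `cert=` argument in the `requests.request(...)` call hard-codes two absolute paths inside library code, so every request made through this client presents the same certificate and any certificate the caller configured is never consulted. Because `**kwargs` is expanded in the same call, a caller that already supplies `cert` in `kwargs` would now hit a duplicate keyword argument error. The files are named `signing_cert.pem` and `signing_key.pem` under `/etc/keystone/ssl`, so this also reuses a key named for signing as the TLS client identity and requires the process running cinderclient to be able to read that private key. Suggest taking the value from the caller the same way `verify=self.verify_cert` does, for example through a `kwargs.setdefault('cert', ...)` next to the existing `timeout` default, fed from configuration.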

/keystoneauth1/session.py

    def __init__(self, auth=None, session=None, original_ip=None, verify=True,
                 cert=None, timeout=None, user_agent=None,
                 redirect=_DEFAULT_REDIRECT_LIMIT, additional_headers=None,
                 app_name=None, app_version=None, additional_user_agent=None,
                 discovery_cache=None):

        self.auth = auth
        self.session = _construct_session(session)
        self.original_ip = original_ip
        self.verify = verify
- self.cert = cert
+ self.cert = ("/etc/keystone/ssl/certs/signing_cert.pem",
        "/etc/keystone/ssl/private/signing_key.pem")
        self.timeout = None
        self.redirect = redirect
        self.additional_headers = additional_headers or {}
        self.app_name = app_name
        self.app_version = app_version
        self.additional_user_agent = additional_user_agent or []
        self._determined_user_agent = None
        if discovery_cache is None:
            discovery_cache = {}
        self._discovery_cache = discovery_cache
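
Review bot: replacing `self.cert = cert` with a literal tuple makes the `cert` parameter of `__init__` dead, so every `Session` in every service that imports this library silently uses the same certificate and key regardless of what the caller passes. The change also ties a shared library to one host's `/etc/keystone/ssl` layout and will be lost on the next package update. Suggest keeping `self.cert = cert` and fixing the caller that constructs the `Session` so it passes `cert=(certfile, keyfile)` from its own configuration.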

description: updated
Morgan Fainberg (mdrnstm) wrote:

I am not sure what is happening here that is causing the certificate information to not be passed down. It seems like cinderclient is using requests directly (in Pike). And whatever else is calling keystoneauth is not passing the cert value to keystoneauth. If the cert values are not passed to keystoneauth it is not possible for KSA to understand where to get the cert information from.

I am not sure what we need to do to solve this directly or if it is still an issue. Can you post your tracebacks/errors?

Marking incomplete until we have more information.

Changed in keystoneauth:
status: New → Incomplete
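
An added example, not code from the bug report or from either project: one way to hand a client certificate to keystoneauth through the `cert` and `verify` arguments visible in the `Session.__init__` signature above, instead of editing library source. `client_tls_kwargs` and `build_cinder_client` are hypothetical helper names, the paths come from the caller's own configuration, and rejecting keys accessible to other users is an assumed local policy.

```python
import os
import stat


def client_tls_kwargs(cert_path, key_path, ca_path=None):
    """Build the verify/cert keyword arguments for keystoneauth1's Session.

    Fails early, with a clear error, instead of letting a TLS handshake fail
    deep inside a dashboard request.
    """
    for path in (cert_path, key_path, ca_path):
        if path is not None and not os.path.isfile(path):
            raise FileNotFoundError("TLS file not found: %s" % path)
    # Assumed local policy: the private key must not be accessible to "other".
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & stat.S_IRWXO:
        raise PermissionError(
            "private key %s is accessible to other users (mode %o)"
            % (key_path, mode))
    return {
        # verify: a CA bundle path, or True for the system trust store.
        "verify": ca_path if ca_path is not None else True,
        # cert: (certificate, key) tuple, same shape as in the report.
        "cert": (cert_path, key_path),
    }


def build_cinder_client(auth_plugin, tls_kwargs, api_version="3"):
    """Create a cinderclient whose HTTP traffic goes through one Session."""
    # Imported here so client_tls_kwargs() works without the OpenStack libraries.
    from keystoneauth1 import session as ks_session
    from cinderclient import client as cinder_client

    sess = ks_session.Session(auth=auth_plugin, **tls_kwargs)
    return cinder_client.Client(api_version, session=sess)
```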