SSL insecure and cacert handling is broken

Bug #1715091 reported by Andras Kovi on 2017-09-05
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Andras Kovi

Bug Description

The SSL parameter handling in the client is broken in many ways:

1) insecure is not applied to the keystone session
2) Setting insecure and cacert with token authentication fails as these are not parameters of the Token auth plugin
3) Insecure is used as the verify parameter for requests which is not correct
4) There is no cacert parameter for the keystone session, verify should be used instead
5) A single cert cannot be passed to the client

6) Non-functional: No automated SSL tests exist in devstack jobs

Andras Kovi (akovi) on 2017-09-05
Changed in python-mistralclient:
assignee: nobody → Andras Kovi (akovi)
Changed in python-mistralclient:
importance: Undecided → Critical
Mike Fedosin (mfedosin) wrote :

Hi! We'd better ask Renat, but as far as I understand, we should not use native keystone authentication module in mistral client[1]. It's outdated and doesn't support many keystone features.

The recommended OpenStack way is to use python-openstackclient and osc-lib for authentication against keystone. It supports ssl and is developed by the community!
Mistral client provides a plugin for osc, which should be used for communication with Keystone[2].


Changed in python-mistralclient:
milestone: none → 3.2.0
Andras Kovi (akovi) wrote :

@Mike, I'm not completely sure how this could be achieved in mistralclient/auth/ Mistral is running in stand alone mode and we are using the target* parameters to direct the workflow executions to arbitrary clouds.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers