--insecure option did not take effect

Bug #1538959 reported by Zhongcheng Lao
34
This bug affects 7 people
Affects Status Importance Assigned to Milestone
python-neutronclient
Fix Released
High
Akihiro Motoki

Bug Description

When using python-neutronclient CLI against HTTPS endpoints,
it still validate the server certificate even invoking with --insecure option.

python-neutronclient git:(read-insecure) ✗ neutron --insecure --debug net-list

DEBUG: keystoneauth.session REQ: curl -g -i -X GET https://10.155.21.24:5000/v2.0 -H "Accept: application/json" -H "User-Agent: keystoneauth1/2.2.0 python-requests/2.9.1 CPython/2.7.10"
WARNING: keystoneauth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
DEBUG: keystoneauth.identity.v2 Making authentication request to https://10.155.21.24:5000/v2.0/tokens
ERROR: neutronclient.shell SSL exception connecting to https://10.155.21.24:5000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Traceback (most recent call last):
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/shell.py", line 823, in run_subcommand
    return run_command(cmd, cmd_parser, sub_argv)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/shell.py", line 105, in run_command
    return cmd.run(known_args)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/neutron/v2_0/__init__.py", line 697, in take_action
    data = self.retrieve_list(parsed_args)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/neutron/v2_0/__init__.py", line 638, in retrieve_list
    neutron_client = self.get_client()
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/neutron/v2_0/__init__.py", line 406, in get_client
    return self.app.client_manager.neutron
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/common/clientmanager.py", line 39, in __get__
    self._handle = self.factory(instance)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/neutron/client.py", line 34, in make_client
    instance.initialize()
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/common/clientmanager.py", line 116, in initialize
    httpclient.authenticate()
  File "/Users/admin/python-dev/lib/python2.7/site-packages/neutronclient/client.py", line 323, in authenticate
    self.get_token()
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 113, in get_token
    return self.session.get_token(auth or self.auth)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/session.py", line 618, in get_token
    return (self.get_auth_headers(auth) or {}).get('X-Auth-Token')
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/session.py", line 597, in get_auth_headers
    return auth.get_headers(self, **kwargs)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/plugin.py", line 84, in get_headers
    token = self.get_token(session)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 89, in get_token
    return self.get_access(session).auth_token
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 135, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 181, in get_auth_ref
    return self._plugin.get_auth_ref(session, **kwargs)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/identity/v2.py", line 64, in get_auth_ref
    authenticated=False, log=False)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/session.py", line 545, in post
    return self.request(url, 'POST', **kwargs)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/_utils.py", line 180, in inner
    return func(*args, **kwargs)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/session.py", line 425, in request
    resp = send(**kwargs)
  File "/Users/admin/python-dev/lib/python2.7/site-packages/keystoneauth1/session.py", line 463, in _send_request
    raise exceptions.SSLError(msg)
SSLError: SSL exception connecting to https://10.155.21.24:5000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
SSL exception connecting to https://10.155.21.24:5000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

It looks like the --insecure has not been passed to python-neutronclient.

Zhongcheng Lao (zlao)
Changed in python-neutronclient:
assignee: nobody → Zhongcheng Lao (zlao)
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/273408

Changed in python-neutronclient:
status: Confirmed → In Progress
Zhongcheng Lao (zlao)
summary: - --insecure option did not take affect
+ --insecure option did not take effect
Changed in python-neutronclient:
importance: Undecided → High
Changed in python-neutronclient:
assignee: Zhongcheng Lao (zlao) → Yang Yu (yuyangbj)
Changed in python-neutronclient:
assignee: Yang Yu (yuyangbj) → Zhongcheng Lao (zlao)
Changed in python-neutronclient:
assignee: Zhongcheng Lao (zlao) → Akihiro Motoki (amotoki)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-neutronclient (master)

Reviewed: https://review.openstack.org/273408
Committed: https://git.openstack.org/cgit/openstack/python-neutronclient/commit/?id=1828552b9c6fada3f51a9fd9896737c1cd2ed6e7
Submitter: Jenkins
Branch: master

commit 1828552b9c6fada3f51a9fd9896737c1cd2ed6e7
Author: Zhongcheng Lao <email address hidden>
Date: Thu Jan 28 17:01:37 2016 +0800

    Fixed --insecure not taking effect when specified

    --insecure did not take effect currently which would prevent
    neutron client from establishing connections to keystone
    as by default the server certificate will be validated.

    This patch will fix the issue to take the --insecure option
    into consideration during constructing auth session.

    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: Id622fe097b2f12ab1a047f17005022c335fc6a4b
    Closes-Bug: #1538959

Changed in python-neutronclient:
status: In Progress → Fix Released
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/python-neutronclient 5.0.0

This issue was fixed in the openstack/python-neutronclient 5.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/357803

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-neutronclient (stable/mitaka)

Reviewed: https://review.openstack.org/357803
Committed: https://git.openstack.org/cgit/openstack/python-neutronclient/commit/?id=10c9b937640dcc573b8f48c7d1530c56be4621a0
Submitter: Jenkins
Branch: stable/mitaka

commit 10c9b937640dcc573b8f48c7d1530c56be4621a0
Author: Zhongcheng Lao <email address hidden>
Date: Thu Jan 28 17:01:37 2016 +0800

    Fixed --insecure not taking effect when specified

    --insecure did not take effect currently which would prevent
    neutron client from establishing connections to keystone
    as by default the server certificate will be validated.

    This patch will fix the issue to take the --insecure option
    into consideration during constructing auth session.

    Conflicts:
     neutronclient/tests/unit/test_shell.py

    Closes-Bug: #1538959
    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: Id622fe097b2f12ab1a047f17005022c335fc6a4b
    (cherry picked from commit 1828552b9c6fada3f51a9fd9896737c1cd2ed6e7)

tags: added: in-stable-mitaka
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.