Sahara doesn't work with secured network / OpenStack components

Bug #1249063 reported by Bill Stokes
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Python client library for Sahara | Fix Released | High | Andrew Lazarev |
Sahara | Fix Released | Critical | Andrew Lazarev |

Bug Description

[Version 0.3.rc4] The Savanna endpoint and python-savannaclient don't work properly in secured environments. The ability to pass along a certificate to validate the token for Keystone, Nova, Cinder is not available, and causes these API calls to fail as unauthorized.

The Savanna REST API and CLI need to provide a parameter for the OS CACERT (OPENSTACK_SSL_CACERT) and another to allow for insecure. These values would then be forwarded on to the corresponding OpenStack components (savanna/openstackl/utils/ files).

All keystone auth middleware configs should be exposed to the savanna.conf
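
The option handling requested above, as an added sketch that is not Savanna/Sahara code and not part of the original report: one place resolves a CA bundle and an insecure switch, and the result is forwarded unchanged to every downstream client. The function names, the `OS_CACERT` lookup order and the `insecure`/`cacert` keyword names are assumptions made for this illustration.

```python
import os
import ssl


class TLSOptionError(ValueError):
    """The requested CA bundle cannot be used."""


def resolve_tls(cacert=None, insecure=False, environ=None):
    """Return (verify, ca_path) for outgoing TLS connections.

    Assumed precedence: explicit cacert, then OS_CACERT, then system store.
    """
    environ = os.environ if environ is None else environ
    if insecure:
        # Verification is off, so a CA bundle would have no effect.
        return False, None
    ca_path = cacert or environ.get("OS_CACERT") or None
    if ca_path is not None and not os.path.isfile(ca_path):
        # Fail closed: never downgrade to unverified TLS on a bad path.
        raise TLSOptionError("CA bundle not found: %s" % ca_path)
    return True, ca_path


def client_tls_kwargs(cacert=None, insecure=False, environ=None):
    """One dict to forward unchanged to every downstream service client."""
    verify, ca_path = resolve_tls(cacert, insecure, environ)
    return {"insecure": not verify, "cacert": ca_path}


def build_ssl_context(cacert=None, insecure=False, environ=None):
    """Equivalent ssl.SSLContext for code that opens sockets itself."""
    verify, ca_path = resolve_tls(cacert, insecure, environ)
    ctx = ssl.create_default_context(cafile=ca_path)
    if not verify:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed inputs: empty environment, no CA bundle on disk.
    print(client_tls_kwargs(environ={}))
    print(client_tls_kwargs(insecure=True, environ={}))
```

A missing or mistyped CA path raises instead of falling back to unverified TLS, so a configuration error cannot silently disable certificate checks.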

Bill Stokes (stokesb1)
information type: Private Security → Public
Changed in savanna:
importance: Undecided → Low
importance: Low → Undecided
summary: - Savanna doesn't work with secured network/Openstack components
+ Savanna doesn't work with secured network / Openstack components
description: updated
description: updated
summary: - Savanna doesn't work with secured network / Openstack components
+ Savanna doesn't work with secured network / OpenStack components
Changed in savanna:
milestone: none → icehouse-1
description: updated
Changed in savanna:
importance: Undecided → High
status: New → Triaged
information type: Public → Public Security
Changed in savanna:
assignee: nobody → Sergey Lukjanov (slukjanov)
Changed in python-savannaclient:
status: New → Triaged
importance: Undecided → High
milestone: none → 0.4.0
Changed in savanna:
milestone: icehouse-1 → icehouse-2
Changed in python-savannaclient:
milestone: 0.4.0 → next
Changed in savanna:
assignee: Sergey Lukjanov (slukjanov) → Sergey Reshetnyak (sreshetniak)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to savanna (master)

Fix proposed to branch: master
Review: https://review.openstack.org/66027

Changed in savanna:
status: Triaged → In Progress
Changed in savanna:
milestone: icehouse-2 → icehouse-3
Changed in python-savannaclient:
assignee: nobody → Alexander Ignatov (aignatov)
assignee: Alexander Ignatov (aignatov) → nobody
Changed in savanna:
status: In Progress → Incomplete
Sergey Lukjanov (slukjanov) wrote : Re: Savanna doesn't work with secured network / OpenStack components

Sergey, why is it incomplete?

Changed in savanna:
milestone: icehouse-3 → next
Sergey Lukjanov (slukjanov) wrote :

All configs of auth_token middleware should be exposed.

Changed in sahara:
milestone: next → juno-1
assignee: Sergey Reshetnyak (sreshetniak) → Sergey Lukjanov (slukjanov)
status: Incomplete → Triaged
Changed in sahara:
status: Triaged → In Progress
Changed in sahara:
importance: High → Critical
Thierry Carrez (ttx) wrote :

not covered by OpenStack VMT yet (no stable release yet)

Changed in ossa:
status: New → Won't Fix
summary: - Savanna doesn't work with secured network / OpenStack components
+ Sahara doesn't work with secured network / OpenStack components
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/74688
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=1c70740f7d3f3da27998f8cde58180c127d18f74
Submitter: Jenkins
Branch: master

commit 1c70740f7d3f3da27998f8cde58180c127d18f74
Author: Sergey Lukjanov <email address hidden>
Date: Wed Feb 19 16:27:43 2014 +0400

    Rework keystone auth_token middleware configs

    We're using Sahara-specific configs and there are some other potential
    inconsistencies.

    * use common OpenStack [keystone_authtoken] section for middleware
      configurations;
    * token validator reworked to be consistent with update auth_token
      middleware usage;
    * auth_uri is now stored in context for consistency, additionally, it
      provides correct auth_uri in multi process sahara deployment.

    Closes-Bug: #1257472
    Closes-Bug: #1249063

    Change-Id: I5a33ae6269d40dadcd4893b27a937a37e0c74006

Changed in sahara:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: juno-1 → 2014.2
Tom Fifield (fifieldt) wrote :

Was this ever fixed in python-saharaclient?

Changed in python-saharaclient:
milestone: next → none
Changed in sahara:
milestone: 2014.2 → none
Changed in python-saharaclient:
assignee: nobody → Andrew Lazarev (alazarev)
Changed in sahara:
assignee: Sergey Lukjanov (slukjanov) → Andrew Lazarev (alazarev)
Andrew Lazarev (alazarev) wrote :
Changed in python-saharaclient:
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
