[RFE] Support for adding VIM with self-signed certificate (insecure)

Bug #1607747 reported by Luka Krajger
This bug affects 1 person
Affects: tacker
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

Hi, it would be nice to support VIM instances with self-signed SSL certificates. This is mostly useful for development and testing purposes. Currently users can install self-signed VIM certs to tacker machine to get things to work but this can be a lot of work in some cases.

I am thinking that "insecure" flag could be added to vim.config file with default value set to "False". Like this for example:

  auth_url: http://127.0.0.1:5000
  username: nfv_user
  password: devstack
  project_name: nfv
 +insecure: False

What do you guys think?

Tags: rfe
Changed in tacker:
importance: Undecided → Medium
importance: Medium → Low
Sridhar Ramaswamy (srics-r) wrote :

Supporting secure Tacker -> VIM connection is a nice improvement. However I didn't understand the notion of using "insecure" flag.

My general opinion is we are better off spending our efforts in supporting cert based authentication instead of using username / password:

auth_url: https://127.0.0.1:5002
ca_cert: <xyz>
project_name: nfv
project_domain: Default

What do you think?

Luka Krajger (luka-krajger) wrote :

Hi Sridhar, I am sorry that I wasn't being clear.

> Supporting secure Tacker -> VIM connection is a nice improvement. However I didn't understand the notion of using "insecure" flag.

I was talking about the case when OpenStack uses HTTPS public endpoints, but the SSL certs are self-signed. In this case users need to use "--insecure" flag for command line clients (ex: tacker --insecure vnfd-list) otherwise this error is thrown:

SSL certificate validation has failed: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

We get the same error when Tacker service tries to connect to the VIM with self-signed certs. So I was thinking that by using the "insecure" flag in VIM config we would disable SSL checks in VIM driver (openstack_driver.py).

> My general opinion is we are better off spending our efforts in supporting cert based authentication instead of using username / password,

I think that your suggestion is another topic, but I agree with you. It is a bad practice to store passwords in config files. Does keystone support cert based auth?

Yasufumi Ogawa (yasufum)
Changed in tacker:
status: New → Won't Fix
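
Added example, not part of the original thread and not Tacker's code: a Python sketch of how the proposed `insecure` key and the `ca_cert` key from the reply could map onto TLS verification, so that a self-signed VIM can be trusted through its own certificate instead of switching checks off. The function names, the precedence rules and the reading of `ca_cert` as a PEM file path are assumptions.

```python
import os
import ssl
from urllib.parse import urlsplit


def parse_bool(value, key):
    """Strict boolean parse: bool("False") is True, so bool() must not be used."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError(f"{key} must be a boolean, got {value!r}")


def tls_verify_setting(vim_config):
    """Return True (system CAs), a CA file path, or False (no verification)."""
    insecure = parse_bool(vim_config.get("insecure", False), "insecure")
    ca_cert = vim_config.get("ca_cert")  # assumed here to be a PEM file path
    if urlsplit(vim_config["auth_url"]).scheme != "https" and (insecure or ca_cert):
        raise ValueError("insecure/ca_cert have no effect on a non-https auth_url")
    if insecure and ca_cert:
        raise ValueError("set either insecure or ca_cert, not both")
    if insecure:
        return False
    if ca_cert:
        if not os.path.isfile(ca_cert):
            raise FileNotFoundError(ca_cert)
        return ca_cert
    return True


def build_ssl_context(vim_config):
    """Build the ssl.SSLContext matching the VIM's TLS settings."""
    verify = tls_verify_setting(vim_config)
    if verify is True:
        return ssl.create_default_context()
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Trust only the supplied CA (or self-signed cert); hostname checks stay on.
    return ssl.create_default_context(cafile=verify)
```

The value returned by `tls_verify_setting` has the same shape as the `verify` argument of a `requests` session (`True`, `False`, or a CA bundle path).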