[keystone_authtoken] www_authenticate_uri should be public endpoint instead of internal endpoint

Bug #1955397 reported by Takashi Kajinami
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Takashi Kajinami

Bug Description

Description
===========
According to the parameter description, www_authenticate_uri should be the complete "public" Identity API endpoint, which is accessible by all end users.
However, in TripleO this parameter is set to the internal endpoint.

Steps to reproduce
===========
* Deploy overcloud
* Check [keystone_authtoken] www_authenticate_uri parameter in each conf file

Expected result
===========
* the www_authenticate_uri parameter is set to the public endpoint

Actual result
===========
* the www_authenticate_uri parameter is set to the internal endpoint

Environment
===========
* This issue was initially found in stable/train, but the same issue is observed even with master.

Logs & Configs
===========
N/A
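As an added check (not part of the bug report or of the tripleo-heat-templates fix), the following script does what the reproduction steps describe: it reads www_authenticate_uri from the [keystone_authtoken] section of each service configuration file and flags values that do not point at the public Identity endpoint. keystonemiddleware advertises this URI to unauthenticated clients in the WWW-Authenticate header of its 401 responses, so an internal value exposes an internal address. The file paths, hostnames and file contents are constructed for the example.

```python
"""Audit [keystone_authtoken] www_authenticate_uri across service configs.

The value is sent to unauthenticated callers in the WWW-Authenticate header,
so it must be the public Identity endpoint. auth_url, by contrast, is used by
the service itself to validate tokens and may legitimately stay internal.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not values from the bug report).
PUBLIC_KEYSTONE = "https://overcloud.example.com:13000"

SAMPLE_CONFIGS = {
    "/etc/nova/nova.conf": """
[DEFAULT]
debug = False
[keystone_authtoken]
www_authenticate_uri = http://overcloud.internalapi.example.com:5000
auth_url = http://overcloud.internalapi.example.com:5000
""",
    "/etc/cinder/cinder.conf": """
[keystone_authtoken]
www_authenticate_uri = https://overcloud.example.com:13000
auth_url = http://overcloud.internalapi.example.com:5000
""",
    "/etc/glance/glance-api.conf": """
[keystone_authtoken]
auth_url = http://overcloud.internalapi.example.com:5000
""",
}


def check_www_authenticate_uri(conf_text, public_uri):
    """Return 'ok', 'missing', or a 'mismatch: ...' message for one file."""
    # Only '=' is a delimiter, so the ':' inside URLs is never mis-parsed.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    if not parser.has_option("keystone_authtoken", "www_authenticate_uri"):
        # Reported too: an unset value leaves the advertised URL to the
        # middleware's fallback, which should be reviewed by hand.
        return "missing"
    value = parser.get("keystone_authtoken", "www_authenticate_uri")
    want, got = urlsplit(public_uri), urlsplit(value)
    if (got.scheme, got.netloc) == (want.scheme, want.netloc):
        return "ok"
    return f"mismatch: {value} (expected {public_uri})"


def audit(configs, public_uri):
    """Map each config path to its check result."""
    return {path: check_www_authenticate_uri(text, public_uri)
            for path, text in configs.items()}


if __name__ == "__main__":
    for path, result in audit(SAMPLE_CONFIGS, PUBLIC_KEYSTONE).items():
        print(f"{path}: {result}")
```

On a real overcloud node, replace SAMPLE_CONFIGS with the contents of the service configuration files and PUBLIC_KEYSTONE with the public Identity endpoint from the service catalog.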

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/822306
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/160936df134a471cfd245bd60964046027a571ea
Submitter: "Zuul (22348)"
Branch: master

commit 160936df134a471cfd245bd60964046027a571ea
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 20 19:46:44 2021 +0900

    Use public endpoint for [keystone_authtoken] www_authenticate_uri

    According to the parameter description, www_authenticate_uri should be
    the complete public Identity endpoint, which is accessible by all end
    users.
    This change replaces the internal endpoint with the public endpoint to
    meet that requirement.

    Closes-Bug: #1955397
    Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823440

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823588

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823589

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/ussuri)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823612

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823588
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/2b9461e97fc5c4ceb0848d1cc4484f656bb85515
Submitter: "Zuul (22348)"
Branch: master

commit 2b9461e97fc5c4ceb0848d1cc4484f656bb85515
Author: Takashi Kajinami <email address hidden>
Date: Thu Jan 6 10:32:48 2022 +0900

    Fix remaining usage of internal url for www_authenticate_uri

    This is a follow-up of 160936df134a471cfd245bd60964046027a571ea and fixes
    the remaining usage of the internal endpoint url for [keystone_authtoken]
    www_authenticate_uri.

    Related-Bug: #1955397
    Change-Id: Ib2ee7295c7fcda276e4fcf011a9e427e041f4848

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823589
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/5314c792be5727737041f7da3b3d7645d641eaa7
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 5314c792be5727737041f7da3b3d7645d641eaa7
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 20 19:46:44 2021 +0900

    Use public endpoint for [keystone_authtoken] www_authenticate_uri

    According to the parameter description, www_authenticate_uri should be
    the complete public Identity endpoint, which is accessible by all end
    users.
    This change replaces the internal endpoint with the public endpoint to
    meet that requirement.

    Conflicts:
            deployment/ironic/ironic-conductor-container-puppet.yaml
            deployment/swift/swift-proxy-container-puppet.yaml

    Backport note:
    This change includes commit 2b9461e97fc5c4ceb0848d1cc4484f656bb85515
    which fixes the remaining usage of internal endpoint. Also, commit
    02bb4b8aa095619f2bc07aeb7302c2f333093569 was partially included
    to remove the following ineffective puppet parameter.
     neutron::server::placement::www_authenticate_uri

    (to victoria)
    Conflicts:
            deployment/aodh/aodh-api-container-puppet.yaml
            deployment/experimental/designate/designate-api-container-puppet.yaml
            deployment/manila/manila-share-container-puppet.yaml

    Backport note:
    This backport covers some services like zaqar which were removed in
    stable/wallaby.

    Closes-Bug: #1955397
    Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
    (cherry picked from commit 160936df134a471cfd245bd60964046027a571ea)
    (cherry picked from commit 58129434ac1269b0da306371e28a2cb2f8a05b12)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823610
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/cc81d668b8ebea35e47124b216eeb5e0625f0a8b
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit cc81d668b8ebea35e47124b216eeb5e0625f0a8b
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 20 19:46:44 2021 +0900

    Use public endpoint for [keystone_authtoken] www_authenticate_uri

    According to the parameter description, www_authenticate_uri should be
    the complete public Identity endpoint, which is accessible by all end
    users.
    This change replaces the internal endpoint with the public endpoint to
    meet that requirement.

    Conflicts:
            deployment/ironic/ironic-conductor-container-puppet.yaml
            deployment/swift/swift-proxy-container-puppet.yaml

    Backport note:
    This change includes commit 2b9461e97fc5c4ceb0848d1cc4484f656bb85515
    which fixes the remaining usage of internal endpoint. Also, commit
    02bb4b8aa095619f2bc07aeb7302c2f333093569 was partially included
    to remove the following ineffective puppet parameter.
     neutron::server::placement::www_authenticate_uri

    (to victoria)
    Conflicts:
            deployment/aodh/aodh-api-container-puppet.yaml
            deployment/experimental/designate/designate-api-container-puppet.yaml
            deployment/manila/manila-share-container-puppet.yaml

    Backport note:
    This backport covers some services like zaqar which were removed in
    stable/wallaby.

    Closes-Bug: #1955397
    Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
    (cherry picked from commit 160936df134a471cfd245bd60964046027a571ea)
    (cherry picked from commit 58129434ac1269b0da306371e28a2cb2f8a05b12)
    (cherry picked from commit 5314c792be5727737041f7da3b3d7645d641eaa7)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823611
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/27ab145548e99442ab3908bbd3420f75630122ab
Submitter: "Zuul (22348)"
Branch: stable/train

commit 27ab145548e99442ab3908bbd3420f75630122ab
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 20 19:46:44 2021 +0900

    Use public endpoint for [keystone_authtoken] www_authenticate_uri

    According to the parameter description, www_authenticate_uri should be
    the complete public Identity endpoint, which is accessible by all end
    users.
    This change replaces the internal endpoint with the public endpoint to
    meet that requirement.

    Conflicts:
            deployment/ironic/ironic-conductor-container-puppet.yaml
            deployment/swift/swift-proxy-container-puppet.yaml

    Backport note:
    This change includes commit 2b9461e97fc5c4ceb0848d1cc4484f656bb85515
    which fixes the remaining usage of internal endpoint. Also, commit
    02bb4b8aa095619f2bc07aeb7302c2f333093569 was partially included
    to remove the following ineffective puppet parameter.
     neutron::server::placement::www_authenticate_uri

    (to victoria)
    Conflicts:
            deployment/aodh/aodh-api-container-puppet.yaml
            deployment/experimental/designate/designate-api-container-puppet.yaml
            deployment/manila/manila-share-container-puppet.yaml

    Backport note:
    This backport covers some services like zaqar which were removed in
    stable/wallaby.

    (to train)
    Conflicts:
            deployment/octavia/octavia-api-container-puppet.yaml

    Backport note:
    This backport covers panko and ec2api which were removed in
    stable/ussuri. The authtoken parameters in ceilometer template are left
    because these parameters have no effect. These will be removed by a
    separate commit.

    Closes-Bug: #1955397
    Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
    (cherry picked from commit 160936df134a471cfd245bd60964046027a571ea)
    (cherry picked from commit 58129434ac1269b0da306371e28a2cb2f8a05b12)
    (cherry picked from commit 5314c792be5727737041f7da3b3d7645d641eaa7)
    (cherry picked from commit cc81d668b8ebea35e47124b216eeb5e0625f0a8b)

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823440
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/58129434ac1269b0da306371e28a2cb2f8a05b12
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 58129434ac1269b0da306371e28a2cb2f8a05b12
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 20 19:46:44 2021 +0900

    Use public endpoint for [keystone_authtoken] www_authenticate_uri

    According to the parameter description, www_authenticate_uri should be
    the complete public Identity endpoint, which is accessible by all end
    users.
    This change replaces the internal endpoint with the public endpoint to
    meet that requirement.

    Conflicts:
            deployment/ironic/ironic-conductor-container-puppet.yaml
            deployment/swift/swift-proxy-container-puppet.yaml

    Backport note:
    This change includes commit 2b9461e97fc5c4ceb0848d1cc4484f656bb85515
    which fixes the remaining usage of internal endpoint. Also, commit
    02bb4b8aa095619f2bc07aeb7302c2f333093569 was partially included
    to remove the following ineffective puppet parameter.
     neutron::server::placement::www_authenticate_uri

    Closes-Bug: #1955397
    Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
    (cherry picked from commit 160936df134a471cfd245bd60964046027a571ea)

tags: added: in-stable-wallaby
Nick Tait (nickthetait) wrote :

I just linked the CVE (CVE-2021-4180) which was created to track this issue.

Changed in tripleo:
importance: Undecided → Critical
assignee: nobody → Takashi Kajinami (kajinamit)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/823612
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/56ac69965fce0242c4b84168b78a966f8670c10e
Submitter: "Zuul (22348)"
Branch: stable/train

commit 56ac69965fce0242c4b84168b78a966f8670c10e
Author: Takashi Kajinami <email address hidden>
Date: Sat Jan 18 23:04:35 2020 +0900

    Remove unnecessary hieradata for ceilometer::keystone::authtoken

    ceilometer::keystone::authtoken module is never loaded, so remove
    hieradata related to the module.

    Conflicts:
            environments/undercloud.yaml

    Related-Bug: #1955397
    Change-Id: I4f89235b15a71435797b070fd664dda1eff0ebfc
    (cherry picked from commit 48a1effb1cca772d5cbefbaacc1d5bc90c18efa9)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 12.4.6

This issue was fixed in the openstack/tripleo-heat-templates 12.4.6 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 16.0.0

This issue was fixed in the openstack/tripleo-heat-templates 16.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 13.6.0

This issue was fixed in the openstack/tripleo-heat-templates 13.6.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates train-eol

This issue was fixed in the openstack/tripleo-heat-templates train-eol release.
