Bug 1201920
| Summary: | OpenStack SSL connection fails with Unexpected response returned from system, see log for details | ||
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Greg Blomquist <gblomqui> |
| Component: | Providers | Assignee: | Greg Blomquist <gblomqui> |
| Status: | CLOSED ERRATA | QA Contact: | Milan Falešník <mfalesni> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.4.0 | CC: | fdewaley, jfrey, jhardy, jocarter, mfalesni, mfeifer, obarenbo |
| Target Milestone: | GA | ||
| Target Release: | 5.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-06-16 12:53:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Greg Blomquist
2015-03-13 19:19:10 UTC
New commit detected on manageiq/master: https://github.com/ManageIQ/manageiq/commit/9de72f3cd399f1f6363c052defefc66198f4389d commit 9de72f3cd399f1f6363c052defefc66198f4389d Author: Greg Blomquist <gblomqui> AuthorDate: Mon Mar 16 14:28:20 2015 -0400 Commit: Greg Blomquist <gblomqui> CommitDate: Tue Mar 17 20:53:41 2015 -0400 Ensure that all Openstack connections try SSL This bug uncovered the fact that some connections to OpenStack were not attempting to use SSL. The main issue with OpenStack SSL connections is that we don't have: 1) standard ports from the OpenStack system designated as SSL ports for the Keystone service, and 2) a way to specify (in the ManageIQ database) whether a Provider's connection should be SSL or not This leaves the OpenStack connection code with the responsibility of checking whether connections should be trying SSL or not. This was originally implemented for the OpenStack API calls, but missed the call ManageIQ makes with an "unscoped token" when trying to establish the entire list of tenants available in an OpenStack environment. This patch introduces the notion of attempting all connections to OpenStack first without SSL, then, failing non-ssl, with SSL. https://bugzilla.redhat.com/show_bug.cgi?id=1201920 lib/openstack/openstack_handle/handle.rb | 34 ++++++++++++++-------- .../openstack_handle/identity_delegate.rb | 21 ++++++------- lib/spec/openstack/openstack_handle/handle_spec.rb | 2 +- 3 files changed, 34 insertions(+), 23 deletions(-) New commit detected on manageiq/master: https://github.com/ManageIQ/manageiq/commit/1de2abc084798c590ea0ce17957c347def2731a0 commit 1de2abc084798c590ea0ce17957c347def2731a0 Author: Greg Blomquist <gblomqui> AuthorDate: Mon Mar 16 14:50:37 2015 -0400 Commit: Greg Blomquist <gblomqui> CommitDate: Tue Mar 17 20:53:41 2015 -0400 Bypass default_tenant_name lookup when validating credentials It is unnecessary to determine the user's default tenant name when just validating the credentials. Setting the service to the Identity service will bypass the attempt to find the default tenant name and jump directly to checking if the credentials are valid. https://bugzilla.redhat.com/show_bug.cgi?id=1201920 vmdb/app/models/mixins/ems_openstack_mixin.rb | 1 + 1 file changed, 1 insertion(+) Verified in 5.4.0.0.22 against 5.4.0.0.11 where the error happens. I used a SSL secured port 5443 for connection and it worked for .22 and failed for .11 with the same error flash message as described in the bug description. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1100.html |