Bug 1228433

Summary: Tuskarclient does not support --os-cacert
Product: Red Hat OpenStack Reporter: Ben Nemec <bnemec>
Component: python-tuskarclientAssignee: Ben Nemec <bnemec>
Status: CLOSED ERRATA QA Contact: Ola Pavlenko <opavlenk>
Severity: high Docs Contact:
Priority: high    
Version: DirectorCC: bnemec, calfonso, dmacpher, jslagle, mburns, rhel-osp-director-maint
Target Milestone: gaKeywords: Triaged
Target Release: Director   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-tuskarclient-0.1.17-4.el7ost Doc Type: Bug Fix
Doc Text:
python-tuskarclient had no support to specify a custom CA certificate to verify SSL certificates from the Tuskar API server. Connections failed due the server using an certificate set unknown to the client. This fix adds the --os-cacert option to python-tuskarclient, which allows specification of the CA certificate path. This provides successful communication with the API server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-05 13:52:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1236057    
Bug Blocks:    

Description Ben Nemec 2015-06-04 23:14:16 UTC 
Description of problem: The tuskar client does not support the --os-cacert parameter, which means a self-signed CA cannot be provided when talking to an endpoint secured by a self-signed certificate.


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Configure Keystone to use SSL
2. Attempt to use tuskarclient.  It will fail with the ssl error below.
3.

Actual results:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 245, in main
    TuskarShell(sys.argv[1:]).run()
  File "/usr/lib/python2.7/site-packages/tuskarclient/shell.py", line 75, in run
    args.func(tuskar_client, args)
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles_shell.py", line 22, in do_role_list
    roles = tuskar.roles.list()
  File "/usr/lib/python2.7/site-packages/tuskarclient/v2/roles.py", line 47, in list
    return self._list(self._path())
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/base.py", line 131, in _list
    body = self.client.get(url).json()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 355, in get
    return self.client_request("GET", url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 345, in client_request
    self, method, url, **kwargs)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 244, in client_request
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/client.py", line 315, in authenticate
    self.auth_plugin.authenticate(self)
  File "/usr/lib/python2.7/site-packages/tuskarclient/openstack/common/apiclient/auth.py", line 203, in authenticate
    self._do_authenticate(http_client)
  File "/usr/lib/python2.7/site-packages/tuskarclient/common/auth.py", line 39, in _do_authenticate
    self._ksclient = ksclient.Client(**ks_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 152, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 503, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 196, in get_raw_token_from_identity_service
    _("Authorization Failed: %s") % e)
AuthorizationFailure: Authorization Failed: SSL exception connecting to https://192.0.2.2:13000/v2.0/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Expected results: A successful command call.


Additional info:
Comment 4 Ana Krivokapic 2015-06-18 14:22:43 UTC 
Fixed here: https://review.openstack.org/#/c/190251/
Comment 6 Ola Pavlenko 2015-07-06 15:49:10 UTC 
Could you please provide a step-by-step instructions on how did you migrate the undercloud to work with keystone in SSL?
Is it just tuskar related or the whole ?

Thanks
Comment 7 Ben Nemec 2015-07-07 15:03:47 UTC 
Not quite all of the patches needed to enable ssl on the undercloud have merged yet.  I'm hoping that will happen soon (today?) though, and I'll get started on the documentation for it.
Comment 11 James Slagle 2015-07-13 15:24:19 UTC 
this was actually remerged and included in the 2015-07-10 puddle. the documentation is included as part of the puddle docs: 
http://rhos-release.virt.bos.redhat.com/mburns/2015-07-10.1/internal-html/installation/installing.html
Comment 12 Ola Pavlenko 2015-08-04 13:29:10 UTC 
python-tuskarclient-0.1.18-3.el7ost.noarch
Comment 14 errata-xmlrpc 2015-08-05 13:52:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549