Bug 1328402

Summary: [RFE] File permission (and/or SELinux) prevents httpd from using a custom secret_key file
Product: Red Hat OpenStack
Reporter: Chaitanya Shastri <cshastri>
Component: python-django-horizon
Assignee: Radomir Dopieralski <rdopiera>
Status: CLOSED ERRATA
QA Contact: Ido Ovadia <iovadia>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0 (Kilo)
CC: amedeo.salvati, aortega, athomas, jrist, mrunge, rdopiera, srevivo
Target Milestone: async
Keywords: FutureFeature, Triaged, ZStream
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: python-django-horizon-8.0.1-7.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1382729
Environment:
Last Closed: 2016-12-21 16:51:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1382729

Description Chaitanya Shastri 2016-04-19 10:27:31 UTC
Description of problem:
By default, horizon generates a secret key via the SECRET_KEY directive in the /etc/openstack-dashboard/local_settings file. We can set a custom file location in this file. When we set it to a custom file location, the file gets generated successfully, but after restarting the httpd process, it logs an "IOError: [Errno 13] Permission denied:" error for the generated .lock file.

Version-Release number of selected component (if applicable):
OSP 7.0

How reproducible:
Checked it on a freshly installed RHEL 7.2 system with OSP7 and it reproduced.

Steps to Reproduce:
1. On OSP7 overcloud controller, install mod_ssl package.

2. Modify the SECRET_KEY variable in /etc/openstack-dashboard/local_settings with this:

 ...
from horizon.utils import secret_key
SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
...

3. systemctl restart httpd.service

4. After starting httpd, two files are successfully created under /var/lib/openstack-dashboard, owned by root:

# ll /var/lib/openstack-dashboard/
total 4
-rw-------. 1 root root 64 15 apr 11.07 secret_key
-rw-r--r--. 1 root root  0 15 apr 11.07 _var_lib_openstack-dashboard_secret_key.lock

5. But the apache user is unable to access the secret_key file.
Following are the log file entries:

-------------------
[Mon Apr 18 09:20:02.081848 2016] [:error] [pid 13067] [remote 192.168.100.1:184] mod_wsgi (pid=13067): Target WSGI script '/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi' cannot be loaded as Python module.
[Mon Apr 18 09:20:02.081872 2016] [:error] [pid 13067] [remote 192.168.100.1:184] mod_wsgi (pid=13067): Exception occurred processing WSGI script '/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi'.
[Mon Apr 18 09:20:02.081885 2016] [:error] [pid 13067] [remote 192.168.100.1:184] Traceback (most recent call last):
[Mon Apr 18 09:20:02.081899 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi", line 14, in <module>
[Mon Apr 18 09:20:02.081915 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     application = get_wsgi_application()
[Mon Apr 18 09:20:02.081920 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/core/wsgi.py", line 14, in get_wsgi_application
[Mon Apr 18 09:20:02.081930 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     django.setup()
[Mon Apr 18 09:20:02.081934 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/__init__.py", line 17, in setup
[Mon Apr 18 09:20:02.081941 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
[Mon Apr 18 09:20:02.081945 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 48, in __getattr__
[Mon Apr 18 09:20:02.081952 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self._setup(name)
[Mon Apr 18 09:20:02.081955 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 44, in _setup
[Mon Apr 18 09:20:02.081961 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self._wrapped = Settings(settings_module)
[Mon Apr 18 09:20:02.081973 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 92, in __init__
[Mon Apr 18 09:20:02.081979 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     mod = importlib.import_module(self.SETTINGS_MODULE)
[Mon Apr 18 09:20:02.081983 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
[Mon Apr 18 09:20:02.081990 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     __import__(name)
[Mon Apr 18 09:20:02.081994 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/settings.py", line 263, in <module>
[Mon Apr 18 09:20:02.082001 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     from local.local_settings import *  # noqa
[Mon Apr 18 09:20:02.082005 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/local/local_settings.py", line 102, in <module>
[Mon Apr 18 09:20:02.082014 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
[Mon Apr 18 09:20:02.082018 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/horizon/utils/secret_key.py", line 54, in generate_or_read_from_file
[Mon Apr 18 09:20:02.082026 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     with lock:
[Mon Apr 18 09:20:02.082029 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 217, in __enter__
[Mon Apr 18 09:20:02.082035 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self.acquire()
[Mon Apr 18 09:20:02.082039 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 200, in acquire
[Mon Apr 18 09:20:02.082044 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self.lockfile = open(self.fname, 'a')
[Mon Apr 18 09:20:02.082057 2016] [:error] [pid 13067] [remote 192.168.100.1:184] IOError: [Errno 13] Permission denied: '/var/lib/openstack-dashboard/_var_lib_openstack-dashboard_secret_key.lock'

----------------------

And it throws a 500 Internal Server Error page at the horizon dashboard: http://<controller-IP>/dashboard

Actual results:

The apache user is unable to read the custom secret_key file set in the /etc/openstack-dashboard/local_settings file.

Expected results:

The apache user should have access to the secret_key file, and the horizon dashboard should come up without any error.


Additional info:

The workaround for this issue is to chown the files in the custom location (here /var/lib/openstack-dashboard) to the apache user and then issue the 'semodule -i httpd-fastweb.pp' command. After restarting httpd, the horizon dashboard reappears.

Comment 2 Matthias Runge 2016-04-19 12:09:05 UTC
This basically asks for making any location to be read/writable from httpd.

Comment 4 Amedeo Salvati 2016-04-19 13:43:22 UTC
(In reply to Matthias Runge from comment #2)
> This basically asks for making any location to be read/writable from httpd.

No, /var/lib/openstack-dashboard already exists, so I hope httpd could read/write it.

[root@mi-horizon02 ~]# rpm -qf /var/lib/openstack-dashboard
openstack-dashboard-2015.1.2-4.el7ost.noarch
[root@mi-horizon02 ~]#

Comment 5 Chaitanya Shastri 2016-04-19 13:59:24 UTC
Even if I try using the default custom location for the secret_key file, using the following in the local_settings file, I get the same error:

from horizon.utils import secret_key
SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH, '.secret_keystore'))

I am keeping 'LOCAL_PATH' as it was in the local_settings file. Now when I restart httpd, the files get generated in the /usr/share/openstack-dashboard/openstack_dashboard/local directory. But when I try to access the horizon dashboard, I get the following in /var/log/httpd/horizon_error.log:

IOError: [Errno 13] Permission denied: '/usr/share/openstack-dashboard/openstack_dashboard/local/_usr_share_openstack-dashboard_openstack_dashboard_local_.secret_keystore.lock'

Comment 6 Matthias Runge 2016-04-19 14:58:25 UTC
I went ahead and submitted this possible fix. There is no need to create a lock before reading the key file.

https://review.openstack.org/307859
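
The traceback in the description shows why the reporter's apache user fails: generate_or_read_from_file() takes the oslo.concurrency external lock (a sibling file named after the absolute key path, '/' replaced by '_', plus .lock) before it ever tries to read the key, so a worker that could read a pre-generated key still has to create a file in the key's directory. The fix in comment 6 reverses that ordering. The following is an added example written for this page, not Horizon's horizon.utils.secret_key module or the patch at the review link: the function names, the flock()-based locking, the atomic 0600 write and the demonstrate() scenario on a temporary directory are all assumptions; only the lock-file naming is taken from the traceback.

```python
"""Read-before-lock handling of a Django SECRET_KEY file (added example,
not Horizon's code; names, flock() locking and the 0600 atomic write are
assumptions, the lock-file name mirrors the report's traceback)."""
import fcntl
import os
import secrets
import shutil
import stat
import string
import tempfile

KEY_LENGTH = 64  # the report's key file is 64 bytes
_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def lock_path_for(key_file):
    """Sibling lock file, named like the one in the report's traceback."""
    key_file = os.path.abspath(key_file)
    return os.path.join(os.path.dirname(key_file),
                        key_file.replace('/', '_') + '.lock')


def generate_key(length=KEY_LENGTH):
    return ''.join(secrets.choice(_ALPHABET) for _ in range(length))


def read_key(key_file):
    """Return the stored key, or None if the file does not exist yet.
    Needs only read access to the key file; no lock file is touched."""
    try:
        with open(key_file) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def _write_key(key_file):
    """Create the key with mode 0600 and move it into place atomically."""
    key = generate_key()
    tmp = key_file + '.tmp'
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(key)
    os.rename(tmp, key_file)
    return key


def locked_first_read(key_file):
    """Ordering the bug describes (hypothetical reconstruction): the lock
    file is opened for append before the key is read, so a process that can
    read the key but cannot create files in its directory gets EACCES."""
    with open(lock_path_for(key_file), 'a') as lock_fh:
        fcntl.flock(lock_fh, fcntl.LOCK_EX)
        return read_key(key_file) or _write_key(key_file)


def generate_or_read_from_file(key_file):
    """Fixed ordering: read first, lock only when the key must be generated.
    The lock stops two httpd workers from each writing a different key; the
    second read inside it catches a key written while we waited."""
    key = read_key(key_file)
    if key is not None:
        return key
    with open(lock_path_for(key_file), 'a') as lock_fh:
        fcntl.flock(lock_fh, fcntl.LOCK_EX)
        return read_key(key_file) or _write_key(key_file)


def demonstrate():
    """Run both orderings against a constructed temporary directory and
    return what was observed."""
    d = tempfile.mkdtemp()
    key_file = os.path.join(d, 'secret_key')
    lock_file = lock_path_for(key_file)
    seen = {}
    try:
        first = generate_or_read_from_file(key_file)
        seen['key_len'] = len(first)
        seen['key_mode'] = oct(stat.S_IMODE(os.stat(key_file).st_mode))
        seen['lock_made_on_generate'] = os.path.exists(lock_file)
        os.unlink(lock_file)
        seen['reread_matches'] = generate_or_read_from_file(key_file) == first
        seen['lock_made_on_read'] = os.path.exists(lock_file)
        if os.geteuid() != 0:  # root ignores directory permissions
            os.chmod(d, 0o500)  # readable, but no new files allowed
            seen['fixed_reads_readonly_dir'] = (
                generate_or_read_from_file(key_file) == first)
            try:
                locked_first_read(key_file)
                seen['old_fails_readonly_dir'] = False
            except PermissionError:  # IOError(EACCES) on Python 2
                seen['old_fails_readonly_dir'] = True
    finally:
        os.chmod(d, 0o700)
        shutil.rmtree(d)
    return seen


if __name__ == '__main__':
    for name, value in demonstrate().items():
        print('%-26s %s' % (name, value))
```

Two caveats for anyone applying this to a deployment. Read-first only removes the need to create the lock file; the key file itself still has to be readable by the httpd user, and the listing in the description (root:root, mode 0600) is not, so the file must still be owned by apache (or generated by it) and, on an SELinux-enforcing host, carry a context httpd is allowed to read (check with ls -Z and ausearch -m AVC). And the directory still needs to be writable by whichever process performs the one-time generation, which is why generating the key during deployment as the right user is simpler than letting the first httpd worker do it.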

Comment 8 Matthias Runge 2016-08-30 12:39:36 UTC
The patch mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1328402#c6 just merged yesterday.

Comment 10 Jason E. Rist 2016-10-04 02:46:06 UTC
Radomir, can you help?

Comment 11 Radomir Dopieralski 2016-10-04 08:29:34 UTC
Well, the patch is merged in osp10, I can backport it to osp8.

Comment 15 errata-xmlrpc 2016-12-21 16:51:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2981.html