Bug 1332313

Summary: Add SSL to calamari
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Christina Meno <gmeno>
Component: CalamariAssignee: Christina Meno <gmeno>
Calamari sub component: Back-end QA Contact: Harish NV Rao <hnallurv>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: ceph-eng-bugs, hnallurv, jowilkin, kdreyer, sisharma, vakulkar, vikumar, vsarmila
Version: 2.0   
Target Milestone: rc   
Target Release: 2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: calamari-server-1.4.0-0.7.rc10.el7cp Ubuntu: calamari_1.4.0~rc10-2redhat1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-23 19:37:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1343531    
Bug Blocks: 1343229    
Attachments:
Description Flags
selfsigned_ssl_cert_browser_msg1
none
selfsigned_ssl_cert_browser_msg2
none
selfsigned_ssl_cert_browser_msg3 none

Description Christina Meno 2016-05-02 21:52:20 UTC 
Description of problem:
Currently calamari serves an API of HTTP and it's method of authentication is a session-based auth. This requires POSTing credentials in the clear.

We should make calamari serve traffic over SSL to protect authentication.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Christina Meno 2016-05-02 21:57:37 UTC 
I've begun a quick branch to show that gevent Wsgi can indeed do SSL
https://github.com/ceph/calamari/tree/wip-gevent-ssl

I believe the next action is for my setup script to generate and install a self-signed cert doing something like https://devcenter.heroku.com/articles/ssl-certificate-self for example.

that way there is some measure of protection. If customers was more they can drop in their own cert to a configurable location.

My colleague suggests that there is someone here who is much more knowledgeable then me on this topic perhaps they could tell if I'm going about this wrong and if so how to proceed instead.
Comment 3 Christina Meno 2016-05-02 22:00:21 UTC 
Siddharth Would you please review my plan and comment?
Comment 5 Christina Meno 2016-05-04 21:01:07 UTC 
https://github.com/ceph/calamari/pull/437
Comment 7 Christina Meno 2016-05-09 17:38:47 UTC 
With this change requests to http:// will error with connection reset.

All traffic must be sent to https://
Comment 11 Christina Meno 2016-06-17 19:59:13 UTC 
Harish this is configuration error. Probably due to the docs being incorrect.

If you correct the line ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt it will work as intended.


[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
curl: (35) TCP connection reset by peer
[shadowman@magna090 ~]$ sudo find /etc/calamari/ssl/
/etc/calamari/ssl/
/etc/calamari/ssl/certs
/etc/calamari/ssl/certs/calamari-lite-bundled.crt
/etc/calamari/ssl/private
/etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ grep ssl /etc/calamari/calamari.conf 
ssl_cert = /etc/calamari/ssl/private/calamari-lite-bundled.crt
ssl_key = /etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ sudo sed 's;ssl_cert.*$;ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt;' -i /etc/calamari/calamari.conf
[shadowman@magna090 ~]$ sudo supervisorctl restart calamari-lite
calamari-lite: stopped
calamari-lite: started
[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
{"detail": "Authentication credentials were not provided."}[shadowman@magna090 ~]$
Comment 12 Christina Meno 2016-06-17 20:13:07 UTC 
I made a comment on the docs https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_2-Installation_Guide/commit/bde1932e94b59d609b1f633b3ab465800f1d449c

John would you please update that?
Comment 14 Harish NV Rao 2016-06-20 12:43:26 UTC 
Created attachment 1169911 [details]
selfsigned_ssl_cert_browser_msg1
Comment 15 Harish NV Rao 2016-06-20 12:43:54 UTC 
Created attachment 1169912 [details]
selfsigned_ssl_cert_browser_msg2
Comment 16 Harish NV Rao 2016-06-20 12:44:18 UTC 
Created attachment 1169913 [details]
selfsigned_ssl_cert_browser_msg3
Comment 19 Christina Meno 2016-06-20 17:09:39 UTC 
Harish, as Ken said those warnings are expected behavior with self signed certificates.
Comment 20 Harish NV Rao 2016-06-21 17:36:50 UTC 
APIs are accessible only via https. moving to verified state

Tested on:
 calamari-server-1.4.2-1.el7cp.x86_64
 calamari-server 1.4.2-2redhat1xenial 
 ceph version 10.2.2-5.el7cp
Comment 22 errata-xmlrpc 2016-08-23 19:37:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html
Comment 23 Christina Meno 2016-09-21 20:29:03 UTC 
*** Bug 1319487 has been marked as a duplicate of this bug. ***