Bug 1589725

Summary: Users need to add octavia service user to secret ACL list for TERMINATED_HTTPS listeners
Product: Red Hat OpenStack
Component: openstack-octavia
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 13.0 (Queens)
Target Milestone: beta
Target Release: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-octavia-3.0.1-0.20181009115731.c57ae8d.el7ost
Doc Type: If docs needed, set a value
Keywords: Triaged, ZStream
Type: Bug
Reporter: Carlos Goncalves <cgoncalves>
Assignee: Carlos Goncalves <cgoncalves>
QA Contact: Alexander Stafeyev <astafeye>
CC: astafeye, cgoncalves, ihrachys, lpeer, majopela, nyechiel, sputhenp
Clone Of: 1569129
Bug Blocks: 1569129
Last Closed: 2019-01-11 11:50:06 UTC

Description Carlos Goncalves 2018-06-11 09:22:19 UTC
+++ This bug was initially created as a clone of Bug #1569129 +++

Description of problem:

TLS-terminated HTTPS load balancers require a TLS container to be passed in at listener creation. Octavia needs to have permission to access the container, which it does not unless the user adds the Octavia service user to the ACL list beforehand with "openstack acl user add -u $OCTAVIA_SERVICE_USER <secret>". To do so, end-users need to know the right user to add ("octavia" in OSP).


How reproducible:
100%

Steps to Reproduce:

1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
3. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1

Actual results:
Listener provisioning will fail with ERROR. Check octavia-worker logs and you'll see Barbican denied Octavia access to the secret.

Expected results:
Octavia would be able to retrieve the secret and the listener would be provisioned (ACTIVE).


Additional info:

Today, in order to create TERMINATED_HTTPS listeners, users have to:

1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack acl user add -u octavia $(openstack secret list | awk '/ tls_secret1 / {print $2}')
3. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
4. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1
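The four manual steps above as one script, added here as an example and not code from the bug report, Octavia or Barbican. Barbican ACL user entries are Keystone user IDs, so the script resolves the Octavia service user to its ID instead of passing the name, and it reads the ACL back before creating the listener, so a missing or mistyped grant fails at this step rather than surfacing later as an ERROR listener with a Barbican denial in the octavia-worker logs. Assumptions not stated on the page: the service user is named "octavia" (the OSP default the report mentions), the openstack CLI has the barbican and octavia plugins installed, and the sample ACL JSON embedded for the offline check is constructed, with made-up IDs.

```shell
#!/bin/sh
# Added example (not from the bug report, Octavia or Barbican): store a PKCS12
# bundle, grant the Octavia service user read access to it, verify the grant,
# then create the load balancer and TERMINATED_HTTPS listener.
# Assumptions not on the page: the service user is named "octavia" and the
# openstack CLI has the barbican and octavia plugins.
set -eu

# Constructed sample of 'openstack acl get <secret-href> -f json' output, used
# only for the offline check of acl_has_user; all IDs are made up.
SAMPLE_ACL_JSON='[{"Operation Type": "read", "Project Access": false, "Users": ["9f1e2d3c4b5a69788796a5b4c3d2e1f0"], "Created": "2018-06-11T09:00:00", "Updated": "2018-06-11T09:00:00", "Secret ACL Ref": "http://barbican.example:9311/v1/secrets/2a4f6c7e-1b3d-4e5f-8a9b-0c1d2e3f4a5b/acl"}]'

# Return 0 when the Keystone user ID given as $1 appears as a quoted string in
# the ACL JSON read from stdin. ACL entries are user IDs, so the check is on
# the ID, never on the name "octavia".
acl_has_user() {
    grep -q -- "\"$1\""
}

# Resolve the Octavia service user to its Keystone ID.
octavia_user_id() {
    openstack user show octavia -f value -c id
}

# $1 PKCS12 file, $2 load balancer name, $3 VIP subnet
create_terminated_https_lb() {
    p12_file=$1; lb_name=$2; subnet=$3

    octavia_id=$(octavia_user_id)

    # Capture the secret href directly instead of grepping 'secret list'.
    secret_href=$(openstack secret store --name "${lb_name}-tls" \
        -t 'application/octet-stream' -e 'base64' \
        --payload="$(base64 < "$p12_file")" -f value -c 'Secret href')

    openstack acl user add -u "$octavia_id" "$secret_href" >/dev/null

    # Read the ACL back: a wrong user ID is otherwise only visible later as a
    # failed listener and a denial in the octavia-worker log.
    if ! openstack acl get "$secret_href" -f json | acl_has_user "$octavia_id"; then
        echo "ACL on $secret_href does not grant read to $octavia_id" >&2
        return 1
    fi

    openstack loadbalancer create --name "$lb_name" --vip-subnet-id "$subnet" >/dev/null
    # The listener can only be added once the LB has left PENDING_CREATE.
    until [ "$(openstack loadbalancer show "$lb_name" -f value -c provisioning_status)" = ACTIVE ]; do
        sleep 5
    done

    openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS \
        --name "${lb_name}-listener" --default-tls-container="$secret_href" "$lb_name"
}

# Only talks to the cloud when given three arguments; otherwise the helpers
# above can be sourced and exercised offline against SAMPLE_ACL_JSON.
if [ "$#" -eq 3 ]; then
    create_terminated_https_lb "$@"
fi
```

Run it as `sh create_tls_lb.sh server.p12 lb1 private-subnet` with an admin or project RC sourced. The ACL read-back is the part worth keeping even if the rest is adapted: `openstack acl user add` accepts any string as the user value, so nothing else tells you whether the identifier you granted is the one Barbican will compare against Octavia's token.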

Comment 6 errata-xmlrpc 2019-01-11 11:50:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045