Bug 817846
| Field | Value |
|---|---|
| Summary | Add in SSL Support |
| Product | Fedora |
| Component | openstack-keystone |
| Status | CLOSED NOTABUG |
| Severity | high |
| Priority | unspecified |
| Version | rawhide |
| Reporter | Adam Young <ayoung> |
| Assignee | Adam Young <ayoung> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | apevec, bfilippov, breu, Jan.van.Eldik, jonathansteffan, jose.castro.leon, markmc, matt_domsch, p, rbryant |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | All |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-03-01 22:00:58 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | 581403: WSGI connector file (see description) |
Description (Adam Young, 2012-05-01 14:54:04 UTC)

Created attachment 581403: WSGI connector file, to be linked in /var/www/cgi-bin or a comparable directory.

This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main. I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin, but it probably should be under /usr/share from an RPM, and then either linked or copied into place.

    [ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf
    WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
    WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
    <Location "/keystone">
        NSSRequireSSL
        AuthType None
    </Location>

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902

Additional work by Derrek Higgens has shown how we can front with HTTPD for SSL termination.

In case the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA. https://bugs.launchpad.net/keystone/+bug/1012591

Jose, I think that is the correct behavior. CA and certificate management are always part of dealing with SSL. The CA should not come from the distribution; it is up to the system administrator to distribute the CA.

python-keystoneclient uses the python-httplib package. This package gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt, as it is patched in the RPM from EPEL. In our case, the CA is not in the bundle and keystoneclient is taking the default one, so I saw several possibilities:

- specify as an extra parameter to keystoneclient
- append our CA chain in ca-bundle.crt
- modify httplib to point to our bundle

The latter two possibilities are not friendly to maintain, which is why I was asking upstream to have an extra parameter for when the CA is not in the bundle.

SSL support is in upstream, Fedora, and EPEL: https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902
This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main. I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin, but it probably should be under /usr/share from an RPM, and then either linked or copied into place. [ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin <Location "/keystone"> NSSRequireSSL Authtype none </Location> This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902 Additional work by Derrek Higgens has shown how we can front with HTTPD for SSL termination. In case that the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA. https://bugs.launchpad.net/keystone/+bug/1012591 Jose, I think that is the correct behavior. CA and Certificate management are always part of dealing with SSL. The CA should not come from the distribution, it is up to the System administrator to distribute the CA python-keystoneclient uses python-httplib package. This packege gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt as it is patched in the RPM from EPEL. In our case, the CA is not in the bundle so and keystoneclient is taking the default one, so I saw several possibilities: - specify as an extra parameter to keystoneclient - append our CA chain in ca-bundle.crt - modify httplib to point to our bundle The latter two possibilities are non-friendly to maintain it, so this is why I was asking upstream to have an extra parameter when the CA was not in the bundle. SSL support is in upstream, Fedora, and EPEL https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902 |