Bug 817846

Summary: Add in SSL Support
Product: [Fedora] Fedora
Component: openstack-keystone
Reporter: Adam Young <ayoung>
Assignee: Adam Young <ayoung>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Version: rawhide
Hardware: Unspecified
OS: All
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-03-01 22:00:58 UTC
CC: apevec, bfilippov, breu, Jan.van.Eldik, jonathansteffan, jose.castro.leon, markmc, matt_domsch, p, rbryant

Attachments:
WSGI connector file, to be linked in /var/www/cgi-bin or comparable directory (flags: none)

Description Adam Young 2012-05-01 14:54:04 UTC
Description of problem:
Keystone is the authentication server, but currently all traffic goes in the clear.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Install and run according to the Getting Started guide

Actual results:
Traffic goes in the clear.

Expected results:
Traffic should go via SSL.

Additional info:
Getting good SSL support will require running in HTTPD.
It will also require notes on getting the other components to talk to Keystone via port 443.

Comment 1 Adam Young 2012-05-01 14:55:38 UTC
Created attachment 581403 [details]
WSGI connector file,  to be linked in /var/www/cgi-bin or comparable directory

Comment 2 Adam Young 2012-05-01 14:57:46 UTC
This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main. I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin, but it probably should be under /usr/share from an RPM, and then either linked or copied into place.


[ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location "/keystone">
 NSSRequireSSL
 Authtype none
</Location>

Comment 3 Fedora Admin XMLRPC Client 2012-05-22 17:34:47 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Adam Young 2012-06-08 03:04:12 UTC
Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902


Additional work by Derek Higgins has shown how we can front with HTTPD for SSL termination.

Comment 5 Jose Castro Leon 2012-06-13 09:57:54 UTC
If the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA.

https://bugs.launchpad.net/keystone/+bug/1012591

Comment 6 Adam Young 2012-06-13 14:16:38 UTC
Jose, I think that is the correct behavior. CA and certificate management are always part of dealing with SSL.

The CA should not come from the distribution; it is up to the system administrator to distribute the CA.

Comment 7 Jose Castro Leon 2012-06-13 14:25:12 UTC
python-keystoneclient uses the python-httplib package. This package gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt, as it is patched in the RPM from EPEL.

In our case the CA is not in the bundle and keystoneclient is taking the default one, so I saw several possibilities:

- specify it as an extra parameter to keystoneclient
- append our CA chain to ca-bundle.crt
- modify httplib to point to our bundle

The latter two possibilities are not easy to maintain, which is why I was asking upstream for an extra parameter for when the CA is not in the bundle.
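The failure in comment 5 and the first two remedies listed in comment 7 can be reproduced with throwaway certificates. The script below is an added demonstration, not code from this bug report, from keystone or from python-keystoneclient: it builds a "site" CA that signs a Keystone server certificate, a separate "dist" CA that is the only one in a stand-in for /etc/pki/tls/certs/ca-bundle.crt, and then runs the same chain check a client performs. The temporary directory, file names, CN values and the minimal req config are all constructed for the demo; the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added demonstration, not code from the bug report or from keystone: rebuild
# the situation in comments 5 and 7 with throwaway certificates, then apply
# the two fixes (pass the CA file explicitly, or append the CA to the bundle).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA certificates carry basicConstraints CA:TRUE
# regardless of what the system openssl.cnf says (constructed for this demo).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Two CAs: "site" signs the Keystone server cert; "dist" is the only CA the
# stand-in bundle (think /etc/pki/tls/certs/ca-bundle.crt) knows about.
make_demo_pki() {
  for ca in site dist; do
    openssl req -x509 -config "$WORK/ca.cnf" -newkey ec \
      -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
      -subj "/CN=$ca demo CA" -keyout "$WORK/$ca-ca.key" \
      -out "$WORK/$ca-ca.crt" >/dev/null 2>&1
  done
  openssl req -new -config "$WORK/ca.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=keystone.example.test" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/site-ca.crt" \
    -CAkey "$WORK/site-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" >/dev/null 2>&1
  cp "$WORK/dist-ca.crt" "$WORK/ca-bundle.crt"
}

# verify_server BUNDLE: the chain check a client makes before trusting the
# server certificate; prints "ok" or "fail".
verify_server() {
  if openssl verify -CAfile "$1" "$WORK/server.crt" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Fix from comment 7, second option: append the site CA chain to the bundle.
append_site_ca_to_bundle() {
  cat "$WORK/site-ca.crt" >> "$WORK/ca-bundle.crt"
}

make_demo_pki
echo "stock bundle:        $(verify_server "$WORK/ca-bundle.crt")"  # fail (comment 5)
echo "explicit CA file:    $(verify_server "$WORK/site-ca.crt")"    # ok   (first option)
append_site_ca_to_bundle
echo "bundle with site CA: $(verify_server "$WORK/ca-bundle.crt")"  # ok   (second option)
```

The "explicit CA file" line is what the first option in comment 7 achieves at the client level: the verifier is handed the site CA directly instead of relying on whatever the distribution bundle contains. The third option, patching httplib itself, is deliberately not shown; it changes trust for every program using that library on the host, which is the maintenance problem the comment points out.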

Comment 8 Adam Young 2013-03-01 22:00:58 UTC
SSL support is in upstream, Fedora, and EPEL.

https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902