Bug 927929

Summary: fetching certificates fails for PKI tokens
Product: Red Hat OpenStack
Component: openstack-keystone
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 2.1
Target Milestone: rc
Target Release: 2.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-keystone-2012.2.3-8.el6ost
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-04-08 23:42:55 UTC
Reporter: Adam Young <ayoung>
Assignee: Adam Young <ayoung>
QA Contact: Pavel Sedlák <psedlak>
CC: afazekas, apevec, ayoung, psedlak, ykaul
Flags: apevec: internal-review+

Description Adam Young 2013-03-26 14:21:05 UTC
Description of problem:
Fetching the certificates for PKI is done on demand. If the certs are not in the cached directory, doing a command such as glance list with valid credentials will fail due to the middleware being unable to validate the CMS document.


Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1. Set up Packstack
2. Enable PKI tokens
3. glance image-list

Actual results:
401 and report of invalid credentials


Expected results:
glance image-list returns successfully

Additional info:

Python 2.6 subprocess does not contain the 'output' keyword in its initializer. This means that the places that call subprocess are broken when there is an exception. The code to deal with missing cert files depends on this keyword.

The changes that need to be made are in python-keystone/common/cms.py, where we should drop the output parameter in places like

    raise subprocess.CalledProcessError(retcode, "openssl", output=err)


Also, in middleware/auth_token.py, checking for the file's existence in

    def cert_file_missing(self, called_proc_err, file_name):

It uses the output from the exception and should not, so

    return (called_proc_err.output.find(file_name)
            and not os.path.exists(file_name))

can become

    return not os.path.exists(file_name)

I've just finished hacking on psedlak-24h-new.neon.rhev.lab.eng.brq.redhat.com  which now contains a functional version.  I've made changes in middleware and cms.  The diffs are attached as a patch.

This removes a check that we can no longer perform as far as confirming that the file is the problem in the CMS call, but it really does not need to be there anyway, so it is safe to remove.

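The two changes described above, as an added illustration that is not the attached patch or keystone's own code: a constructor that tolerates the missing 'output' keyword on Python 2.6, the simplified existence-only check, and a stand-in for the on-demand fetch-and-retry path that the middleware should take instead of returning a 401. The verify callable, fetch callable and the demo() scenario are constructed here.

```python
import os
import subprocess
import tempfile

def called_process_error(retcode, cmd, err):
    # Python 2.6's CalledProcessError has no 'output' keyword (the crash in
    # this bug); fall back to the two-argument form when it is rejected.
    try:
        return subprocess.CalledProcessError(retcode, cmd, output=err)
    except TypeError:
        return subprocess.CalledProcessError(retcode, cmd)

def cert_file_missing(file_name):
    # Post-fix check from the report: only presence on disk matters, so the
    # exception's .output (absent on 2.6) is never consulted.
    return not os.path.exists(file_name)

def fetch_certs(signing_dir, fetch):
    # Stand-in for auth_token's on-demand fetch: write each missing cert
    # into the cache dir via fetch(name) -> bytes; return what was fetched.
    fetched = []
    for name in ("cacert.pem", "signing_cert.pem"):
        path = os.path.join(signing_dir, name)
        if cert_file_missing(path):
            with open(path, "wb") as f:
                f.write(fetch(name))
            fetched.append(name)
    return fetched

def verify_with_retry(signing_dir, verify, fetch):
    # Verify once; if openssl failed and certs were missing, fetch them and
    # retry. If nothing was missing, the failure is genuine: re-raise it.
    try:
        return verify(signing_dir)
    except subprocess.CalledProcessError:
        if not fetch_certs(signing_dir, fetch):
            raise
        return verify(signing_dir)

def demo():
    # Empty cache: verify fails, certs fetched, retry passes -> (result, attempts, files).
    signing_dir, attempts = tempfile.mkdtemp(), []
    def verify(sd):  # hypothetical wrapper around 'openssl cms -verify'
        attempts.append(sd)
        if cert_file_missing(os.path.join(sd, "cacert.pem")):
            raise called_process_error(1, "openssl", "cacert.pem: not found")
        return "token-ok"
    result = verify_with_retry(signing_dir, verify, lambda n: b"-- fake PEM --")
    return result, len(attempts), sorted(os.listdir(signing_dir))
```
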
Comment 3 Pavel Sedlák 2013-04-04 17:53:25 UTC
First part of verification - Reproduced with openstack-keystone-2012.2.3-7.el6ost.

- keystone-manage pki_setup
- updated keystone.conf
- keystone restart

$ glance --debug image-list 2>&1 |tail
content-type: text/plain; charset=UTF-8

401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
Request returned failure status.
Invalid OpenStack Identity credentials.

Comment 4 Pavel Sedlák 2013-04-04 18:09:25 UTC
Verified with openstack-keystone-2012.2.3-8.el6ost.

$ keystone token-get|grep ' id '|wc -c
4025
[root@os-r3 ~(keystone_admin)]$ glance --debug image-list
curl -i -X GET -H 'X-Auth-Token: _LONG_KEY_HERE-REPLACED_' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://192.168.1.1:9292/v1/images/detail?sort_key=name&sort_dir=asc&limit=20

HTTP/1.1 200 OK
date: Thu, 04 Apr 2013 18:02:04 GMT
content-length: 915
content-type: application/json; charset=UTF-8
x-openstack-request-id: req-75fe78af-78b0-4a72-a264-6a545cf109aa

{"images": [{"status": "active", "name": "MyAltImage", "deleted": false, "container_format": "bare", "created_at": "2013-04-04T17:59:20", "disk_format": "qcow2", "updated_at": "2013-04-04T17:59:20", "properties": {}, "min_disk": 0, "protected": false, "id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "checksum": "d972013792949d0d3ba628fbe8685bce", "owner": "87b806e965fe482398644fd8847359f8", "is_public": true, "deleted_at": null, "min_ram": 0, "size": 13147648}, {"status": "active", "name": "MyMainImage", "deleted": false, "container_format": "bare", "created_at": "2013-04-04T17:59:18", "disk_format": "qcow2", "updated_at": "2013-04-04T17:59:19", "properties": {}, "min_disk": 0, "protected": false, "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "checksum": "d972013792949d0d3ba628fbe8685bce", "owner": "87b806e965fe482398644fd8847359f8", "is_public": true, "deleted_at": null, "min_ram": 0, "size": 13147648}]}

+--------------------------------------+-------------+-------------+------------------+----------+--------+
| ID                                   | Name        | Disk Format | Container Format | Size     | Status |
+--------------------------------------+-------------+-------------+------------------+----------+--------+
| bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb | MyAltImage  | qcow2       | bare             | 13147648 | active |
| aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa | MyMainImage | qcow2       | bare             | 13147648 | active |
+--------------------------------------+-------------+-------------+------------------+----------+--------+
[root@os-r3 bin(keystone_admin)]$ ll /var/lib/glance/keystone-signing/
total 20K
drwx------. 2 glance glance 4.0K Apr  4 20:02 .
drwxr-xr-x. 5 glance glance 4.0K Apr  4 19:49 ..
-rw-r-----. 1 glance glance 1.1K Apr  4 20:02 cacert.pem
-rw-r-----. 1 glance glance 1.6K Apr  4 20:02 revoked.pem
-rw-r-----. 1 glance glance 2.4K Apr  4 20:02 signing_cert.pem

Comment 6 errata-xmlrpc 2013-04-08 23:42:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0717.html