Bug 978408

Summary: Add a static directory for signing_dir
Product: [Fedora] Fedora Reporter: Pete Zaitcev <zaitcev>
Component: openstack-swiftAssignee: Pete Zaitcev <zaitcev>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: apevec, apevec, breu, david, derekh, jonathansteffan, markmc, mmagr, rbryant, silas, zaitcev
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-23 11:53:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pete Zaitcev 2013-06-26 14:30:31 UTC
Description of problem:

The signing dir has to be relocated into home directory of user swift.
The RHOS already does this, although it's in a one-time directory
after bug 967631.

In 1.8.0-2 we have signing_dir = /tmp/keystone-signing-swift,
which is not too bad, but should be moved all the same.

Version-Release number of selected component (if applicable):

1.8.0-2.f19

Actual results:

Uncertain of security implications of /tmp/keystone-signing-swift.

Expected results:

/var/cache/swift (which cannot be used since recon lives there)
or
/var/lib/swift (needs verifying w/Adam and an LSB expert)

Additional info:

All this can easily be overridden by sysadmin. An update does not
override proxy-server.conf due to %config, so this is not a huge
deal. However, Packstack people are going to rely on us to make
it right (see bug 976081).

Comment 1 Pete Zaitcev 2013-06-26 14:30:56 UTC
see also
 https://bugs.launchpad.net/keystone/+bug/1036847/comments/10

Comment 2 Fedora End Of Life 2013-09-16 14:16:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20

Comment 3 Alan Pevec 2013-10-23 11:53:00 UTC
(In reply to Pete Zaitcev from comment #1)
> see also
>  https://bugs.launchpad.net/keystone/+bug/1036847/comments/10

and also https://bugs.launchpad.net/keystone/+bug/1036847/comments/12
"current default in authtoken is tempfile.mkdtemp(prefix='keystone-signing-') so best is not to set signing_dir parameter and leave to authtoken to generate a tempdir which should be safe and secure"

Setting signing_dir is not needed since default was changed in https://github.com/openstack/python-keystoneclient/commit/03012e641d6c2a98fbfe3780102e28a65d11a887