Bug 1328402 - [RFE] File permission (and or SELinux) prevent httpd to use custom secret_key file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: async
Target Release: 8.0 (Liberty)
Assignee: Radomir Dopieralski
QA Contact: Ido Ovadia
URL:
Whiteboard:
Depends On:
Blocks: 1382729
Reported: 2016-04-19 10:27 UTC by Chaitanya Shastri
Modified: 2020-01-17 15:43 UTC

Fixed In Version: python-django-horizon-8.0.1-7.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1382729
Environment:
Last Closed: 2016-12-21 16:51:52 UTC
Target Upstream Version:




Links:
Launchpad 1572187, last updated 2016-04-19 14:56:58 UTC
Red Hat Product Errata RHBA-2016:2981 (normal, SHIPPED_LIVE): python-django-horizon bug fix advisory, last updated 2016-12-21 21:35:52 UTC

Description Chaitanya Shastri 2016-04-19 10:27:31 UTC
Description of problem:
By default, horizon generates a secret key in the SECRET_KEY directive in the /etc/openstack-dashboard/local_settings file. We can set a custom file location in this file. When we set it to a custom file location, the file gets generated successfully, but after restarting the httpd process, it logs an "IOError: [Errno 13] Permission denied:" error for the generated .lock file.

Version-Release number of selected component (if applicable):
OSP 7.0

How reproducible:
Checked it on a freshly installed rhel7.2 system with OSP7 and it reproduced.

Steps to Reproduce:
1. On OSP7 overcloud controller, install mod_ssl package.

2. Modify the secret_key variable in /etc/openstack-dashboard/local_settings with this:

...
from horizon.utils import secret_key
SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
...

3. systemctl restart httpd.service

4. After starting httpd, under /var/lib/openstack-dashboard two files are successfully created owned by root:

# ll /var/lib/openstack-dashboard/
totale 4
-rw-------. 1 root root 64 15 apr 11.07 secret_key
-rw-r--r--. 1 root root  0 15 apr 11.07 _var_lib_openstack-dashboard_secret_key.lock

5. But the apache user is unable to access the secret_key file.
Following are the log file entries:

-------------------
[Mon Apr 18 09:20:02.081848 2016] [:error] [pid 13067] [remote 192.168.100.1:184] mod_wsgi (pid=13067): Target WSGI script '/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi' cannot be loaded as Python module.
[Mon Apr 18 09:20:02.081872 2016] [:error] [pid 13067] [remote 192.168.100.1:184] mod_wsgi (pid=13067): Exception occurred processing WSGI script '/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi'.
[Mon Apr 18 09:20:02.081885 2016] [:error] [pid 13067] [remote 192.168.100.1:184] Traceback (most recent call last):
[Mon Apr 18 09:20:02.081899 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi", line 14, in <module>
[Mon Apr 18 09:20:02.081915 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     application = get_wsgi_application()
[Mon Apr 18 09:20:02.081920 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/core/wsgi.py", line 14, in get_wsgi_application
[Mon Apr 18 09:20:02.081930 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     django.setup()
[Mon Apr 18 09:20:02.081934 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/__init__.py", line 17, in setup
[Mon Apr 18 09:20:02.081941 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
[Mon Apr 18 09:20:02.081945 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 48, in __getattr__
[Mon Apr 18 09:20:02.081952 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self._setup(name)
[Mon Apr 18 09:20:02.081955 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 44, in _setup
[Mon Apr 18 09:20:02.081961 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self._wrapped = Settings(settings_module)
[Mon Apr 18 09:20:02.081973 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 92, in __init__
[Mon Apr 18 09:20:02.081979 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     mod = importlib.import_module(self.SETTINGS_MODULE)
[Mon Apr 18 09:20:02.081983 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
[Mon Apr 18 09:20:02.081990 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     __import__(name)
[Mon Apr 18 09:20:02.081994 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/settings.py", line 263, in <module>
[Mon Apr 18 09:20:02.082001 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     from local.local_settings import *  # noqa
[Mon Apr 18 09:20:02.082005 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/local/local_settings.py", line 102, in <module>
[Mon Apr 18 09:20:02.082014 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
[Mon Apr 18 09:20:02.082018 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/horizon/utils/secret_key.py", line 54, in generate_or_read_from_file
[Mon Apr 18 09:20:02.082026 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     with lock:
[Mon Apr 18 09:20:02.082029 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 217, in __enter__
[Mon Apr 18 09:20:02.082035 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self.acquire()
[Mon Apr 18 09:20:02.082039 2016] [:error] [pid 13067] [remote 192.168.100.1:184]   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 200, in acquire
[Mon Apr 18 09:20:02.082044 2016] [:error] [pid 13067] [remote 192.168.100.1:184]     self.lockfile = open(self.fname, 'a')
[Mon Apr 18 09:20:02.082057 2016] [:error] [pid 13067] [remote 192.168.100.1:184] IOError: [Errno 13] Permission denied: '/var/lib/openstack-dashboard/_var_lib_openstack-dashboard_secret_key.lock'

----------------------

And it throws a 500 Internal Server Error page on the horizon dashboard: http://<controller-IP>/dashboard

Actual results:

The apache user is unable to read the custom secret_key file configured in the /etc/openstack-dashboard/local_settings file.

Expected results:

The apache user should have access to the secret_key file, and the horizon dashboard should come up without any error.


Additional info:

The workaround for this issue is to chown the files in the custom location (here /var/lib/openstack-dashboard) to the apache user and then issue the 'semodule -i httpd-fastweb.pp' command. After restarting httpd, the horizon dashboard reappears.

Comment 2 Matthias Runge 2016-04-19 12:09:05 UTC
This basically asks for making any location to be read/writable from httpd.

Comment 4 Amedeo Salvati 2016-04-19 13:43:22 UTC
(In reply to Matthias Runge from comment #2)
> This basically asks for making any location to be read/writable from httpd.

No, /var/lib/openstack-dashboard already exists, so I hope httpd could read/write it.

[root@mi-horizon02 ~]# rpm -qf /var/lib/openstack-dashboard
openstack-dashboard-2015.1.2-4.el7ost.noarch
[root@mi-horizon02 ~]#

Comment 5 Chaitanya Shastri 2016-04-19 13:59:24 UTC
Even if I try using the default custom location for the secret_key file, using the following in the local_settings file, I get the same error:

from horizon.utils import secret_key
SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH, '.secret_keystore'))

I am keeping 'LOCAL_PATH' as it was in the local_settings file. Now when I restart httpd, the files get generated in the /usr/share/openstack-dashboard/openstack_dashboard/local directory. But when I try to access the horizon dashboard, I get the following in /var/log/httpd/horizon_error.log:

IOError: [Errno 13] Permission denied: '/usr/share/openstack-dashboard/openstack_dashboard/local/_usr_share_openstack-dashboard_openstack_dashboard_local_.secret_keystore.lock'

Comment 6 Matthias Runge 2016-04-19 14:58:25 UTC
I went ahead and submitted this possible fix. There is no need to create a lock before reading the key file.

https://review.openstack.org/307859

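A read-first version of the key loader, as an added example that is neither horizon's code nor the patch linked above: it illustrates the change Matthias describes in comment 6 and the permission-denied path from step 5 of the description (the lock file was opened for append before the key was ever read). It assumes a POSIX host (fcntl) and uses a temporary directory that demo() creates itself.

```python
import errno
import fcntl
import os
import secrets
import stat
import string
import tempfile

# Added example, not horizon's own code: a stand-in for horizon.utils.secret_key
# .generate_or_read_from_file that reads first and locks only when a key must be
# generated (the change in comment 6). Assumes POSIX and a 64-char key as in the report.
ALPHABET = string.ascii_letters + string.digits

def generate_or_read_from_file(key_file):
    """Return the key in key_file, creating it once if absent.  A worker that
    can read an existing key never opens a lock file, so it needs no write
    access to the directory (the report's EACCES was on open(lock, 'a'))."""
    try:
        with open(key_file) as fh:
            return fh.read()
    except OSError as exc:
        if exc.errno != errno.ENOENT:
            raise  # a genuine permission problem on the key file itself
    lock_fd = os.open(key_file + ".lock", os.O_CREAT | os.O_WRONLY, 0o600)
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        if os.path.exists(key_file):  # another process generated it meanwhile
            with open(key_file) as fh:
                return fh.read()
        key = "".join(secrets.choice(ALPHABET) for _ in range(64))
        # O_EXCL and mode 0600: the key is never world-readable, even briefly.
        fd = os.open(key_file, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(key)
        return key
    finally:
        fcntl.flock(lock_fd, fcntl.LOCK_UN)
        os.close(lock_fd)

def demo():
    # Generate a key in a fresh temp dir, then read it back with the dir read-only.
    d = tempfile.mkdtemp()
    path = os.path.join(d, "secret_key")
    first = generate_or_read_from_file(path)
    os.chmod(d, 0o500)  # no lock file could be created here now (cf. step 5)
    try:
        again = generate_or_read_from_file(path)  # read path only, no lock
    finally:
        os.chmod(d, 0o700)
    return first == again, len(first), stat.S_IMODE(os.stat(path).st_mode)
```
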
Comment 8 Matthias Runge 2016-08-30 12:39:36 UTC
The patch mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1328402#c6 just merged yesterday.

Comment 10 Jason E. Rist 2016-10-04 02:46:06 UTC
Radomir, can you help?

Comment 11 Radomir Dopieralski 2016-10-04 08:29:34 UTC
Well, the patch is merged in osp10, I can backport it to osp8.

Comment 15 errata-xmlrpc 2016-12-21 16:51:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2981.html

