Bug 1332313 - Add SSL to calamari
Status: CLOSED ERRATA
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Calamari
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 2.0
Assigned To: Gregory Meno
QA Contact: Harish NV Rao
Docs Contact:
Duplicates: 1319487
Depends On: 1343531
Blocks: 1343229
Reported: 2016-05-02 17:52 EDT by Gregory Meno
Modified: 2016-09-21 16:29 EDT
CC: 8 users

See Also:
Fixed In Version: RHEL: calamari-server-1.4.0-0.7.rc10.el7cp Ubuntu: calamari_1.4.0~rc10-2redhat1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-23 15:37:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
selfsigned_ssl_cert_browser_msg1 (141.64 KB, image/png), 2016-06-20 08:43 EDT, Harish NV Rao
selfsigned_ssl_cert_browser_msg2 (177.69 KB, image/png), 2016-06-20 08:43 EDT, Harish NV Rao
selfsigned_ssl_cert_browser_msg3 (197.34 KB, image/png), 2016-06-20 08:44 EDT, Harish NV Rao


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1755 normal SHIPPED_LIVE Red Hat Ceph Storage 2.0 bug fix and enhancement update 2016-08-23 19:23:52 EDT

Description Gregory Meno 2016-05-02 17:52:20 EDT
Description of problem:
Currently calamari serves an API over HTTP and its method of authentication is session-based auth. This requires POSTing credentials in the clear.

We should make calamari serve traffic over SSL to protect authentication.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Gregory Meno 2016-05-02 17:57:37 EDT
I've begun a quick branch to show that gevent Wsgi can indeed do SSL
https://github.com/ceph/calamari/tree/wip-gevent-ssl

I believe the next action is for my setup script to generate and install a self-signed cert doing something like https://devcenter.heroku.com/articles/ssl-certificate-self for example.

That way there is some measure of protection. If customers want more, they can drop in their own cert at a configurable location.

My colleague suggests that there is someone here who is much more knowledgeable than me on this topic; perhaps they could tell if I'm going about this wrong and, if so, how to proceed instead.
Comment 3 Gregory Meno 2016-05-02 18:00:21 EDT
Siddharth Would you please review my plan and comment?
Comment 5 Gregory Meno 2016-05-04 17:01:07 EDT
https://github.com/ceph/calamari/pull/437
Comment 7 Gregory Meno 2016-05-09 13:38:47 EDT
With this change requests to http:// will error with connection reset.

All traffic must be sent to https://
Comment 11 Gregory Meno 2016-06-17 15:59:13 EDT
Harish, this is a configuration error. Probably due to the docs being incorrect.

If you correct the line ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt it will work as intended.


[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
curl: (35) TCP connection reset by peer
[shadowman@magna090 ~]$ sudo find /etc/calamari/ssl/
/etc/calamari/ssl/
/etc/calamari/ssl/certs
/etc/calamari/ssl/certs/calamari-lite-bundled.crt
/etc/calamari/ssl/private
/etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ grep ssl /etc/calamari/calamari.conf 
ssl_cert = /etc/calamari/ssl/private/calamari-lite-bundled.crt
ssl_key = /etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ sudo sed 's;ssl_cert.*$;ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt;' -i /etc/calamari/calamari.conf
[shadowman@magna090 ~]$ sudo supervisorctl restart calamari-lite
calamari-lite: stopped
calamari-lite: started
[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
{"detail": "Authentication credentials were not provided."}[shadowman@magna090 ~]$
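Added example (shell), not Calamari's own code or the setup script comment 2 describes: helper functions covering the self-signed cert plan from comment 2, the https-only behaviour from comment 7, and the ssl_cert path error diagnosed in comment 11, so the wrong path is caught before calamari-lite is restarted rather than showing up as a TCP reset. It assumes calamari.conf uses "ssl_cert = <path>" / "ssl_key = <path>" lines and the /etc/calamari/ssl/{certs,private} layout shown above; the function names, the 365-day validity and the file modes are my choices, and openssl/curl are needed only by the helpers that say so.

```sh
#!/bin/sh
# Added example, not Calamari's own code or its setup script.
# Assumed: calamari.conf has "ssl_cert = <path>" / "ssl_key = <path>" lines and
# the /etc/calamari/ssl/{certs,private} layout from this bug. openssl and curl
# are needed only by gen_selfsigned_cert, check_cert_key_match, check_https_only.

# Print the value of "KEY = VALUE" from CONF (first match, trailing space trimmed).
conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 only if ssl_cert and ssl_key both name readable files.
# A wrong path here makes calamari-lite fail its TLS setup, which the client
# sees as "TCP connection reset by peer" (comment 11), so check before restart.
check_calamari_ssl_conf() {
    conf="$1"
    cert=$(conf_get "$conf" ssl_cert)
    key=$(conf_get "$conf" ssl_key)
    rc=0
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "ssl_cert missing or unreadable: '$cert'" >&2; rc=1
    fi
    if [ -z "$key" ] || [ ! -r "$key" ]; then
        echo "ssl_key missing or unreadable: '$key'" >&2; rc=1
    fi
    return "$rc"
}

# Rewrite the ssl_cert line to NEWPATH (the same sed as comment 11, but written
# to a temp file and moved into place so a failed sed cannot truncate the conf).
fix_ssl_cert_path() {
    conf="$1"; newpath="$2"
    tmpf="${conf}.tmp.$$"
    sed "s;^[[:space:]]*ssl_cert[[:space:]]*=.*$;ssl_cert = ${newpath};" "$conf" > "$tmpf" \
        && mv "$tmpf" "$conf"
}

# Generate a self-signed cert/key pair under DIR for CN (needs openssl).
# The key lives in private/ with mode 0600; the cert in certs/, which is where
# the corrected ssl_cert line in comment 11 points.
gen_selfsigned_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/certs" "$dir/private" && chmod 700 "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=${cn}" \
        -keyout "$dir/private/calamari-lite.key" \
        -out "$dir/certs/calamari-lite-bundled.crt" \
        && chmod 600 "$dir/private/calamari-lite.key"
}

# Return 0 if KEY is the private half of CERT (compares the public keys).
# Catches a cert from one run paired with a key from another (needs openssl).
check_cert_key_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# After restart: plain http:// must fail (connection reset, comment 7) and
# https:// must answer. With a self-signed cert curl needs -k, as in the
# comment 11 transcript. Needs curl. Endpoint defaults to 0.0.0.0:8002.
check_https_only() {
    ep="${1:-0.0.0.0:8002}"
    if curl -s -o /dev/null "http://${ep}/api/v2/"; then
        echo "plain http:// still answers on ${ep}" >&2; return 1
    fi
    curl -sk "https://${ep}/api/v2/" \
        || { echo "https:// not answering on ${ep}" >&2; return 1; }
}
```

Typical use on a node in the state of comment 11: run check_calamari_ssl_conf /etc/calamari/calamari.conf, apply fix_ssl_cert_path with the certs/ path when it reports the cert unreadable, then supervisorctl restart calamari-lite and check_https_only. The http:// probe deliberately treats any HTTP answer as a failure, since the fix in comment 7 is that plain HTTP must not serve the API at all.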
Comment 14 Harish NV Rao 2016-06-20 08:43 EDT
Created attachment 1169911 [details]
selfsigned_ssl_cert_browser_msg1
Comment 15 Harish NV Rao 2016-06-20 08:43 EDT
Created attachment 1169912 [details]
selfsigned_ssl_cert_browser_msg2
Comment 16 Harish NV Rao 2016-06-20 08:44 EDT
Created attachment 1169913 [details]
selfsigned_ssl_cert_browser_msg3
Comment 19 Gregory Meno 2016-06-20 13:09:39 EDT
Harish, as Ken said those warnings are expected behavior with self signed certificates.
Comment 20 Harish NV Rao 2016-06-21 13:36:50 EDT
APIs are accessible only via https. Moving to verified state.

Tested on:
 calamari-server-1.4.2-1.el7cp.x86_64
 calamari-server 1.4.2-2redhat1xenial 
 ceph version 10.2.2-5.el7cp
Comment 22 errata-xmlrpc 2016-08-23 15:37:32 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html
Comment 23 Gregory Meno 2016-09-21 16:29:03 EDT
*** Bug 1319487 has been marked as a duplicate of this bug. ***
