Bug 1332313 - Add SSL to calamari
Summary: Add SSL to calamari
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Calamari
Version: 2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 2.0
Assignee: Christina Meno
QA Contact: Harish NV Rao
URL:
Whiteboard:
: 1319487 (view as bug list)
Depends On: 1343531
Blocks: 1343229
TreeView+ depends on / blocked
 
Reported: 2016-05-02 21:52 UTC by Christina Meno
Modified: 2016-09-21 20:29 UTC (History)
8 users (show)

Fixed In Version: RHEL: calamari-server-1.4.0-0.7.rc10.el7cp Ubuntu: calamari_1.4.0~rc10-2redhat1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-23 19:37:32 UTC
Target Upstream Version:


Attachments (Terms of Use)
selfsigned_ssl_cert_browser_msg1 (141.64 KB, image/png)
2016-06-20 12:43 UTC, Harish NV Rao
no flags Details
selfsigned_ssl_cert_browser_msg2 (177.69 KB, image/png)
2016-06-20 12:43 UTC, Harish NV Rao
no flags Details
selfsigned_ssl_cert_browser_msg3 (197.34 KB, image/png)
2016-06-20 12:44 UTC, Harish NV Rao
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1755 normal SHIPPED_LIVE Red Hat Ceph Storage 2.0 bug fix and enhancement update 2016-08-23 23:23:52 UTC

Description Christina Meno 2016-05-02 21:52:20 UTC
Description of problem:
Currently calamari serves an API of HTTP and it's method of authentication is a session-based auth. This requires POSTing credentials in the clear.

We should make calamari serve traffic over SSL to protect authentication.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Christina Meno 2016-05-02 21:57:37 UTC
I've begun a quick branch to show that gevent Wsgi can indeed do SSL
https://github.com/ceph/calamari/tree/wip-gevent-ssl

I believe the next action is for my setup script to generate and install a self-signed cert doing something like https://devcenter.heroku.com/articles/ssl-certificate-self for example.

that way there is some measure of protection. If customers was more they can drop in their own cert to a configurable location.

My colleague suggests that there is someone here who is much more knowledgeable then me on this topic perhaps they could tell if I'm going about this wrong and if so how to proceed instead.

Comment 3 Christina Meno 2016-05-02 22:00:21 UTC
Siddharth Would you please review my plan and comment?

Comment 5 Christina Meno 2016-05-04 21:01:07 UTC
https://github.com/ceph/calamari/pull/437

Comment 7 Christina Meno 2016-05-09 17:38:47 UTC
With this change requests to http:// will error with connection reset.

All traffic must be sent to https://

Comment 11 Christina Meno 2016-06-17 19:59:13 UTC
Harish this is configuration error. Probably due to the docs being incorrect.

If you correct the line ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt it will work as intended.


[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
curl: (35) TCP connection reset by peer
[shadowman@magna090 ~]$ sudo find /etc/calamari/ssl/
/etc/calamari/ssl/
/etc/calamari/ssl/certs
/etc/calamari/ssl/certs/calamari-lite-bundled.crt
/etc/calamari/ssl/private
/etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ grep ssl /etc/calamari/calamari.conf 
ssl_cert = /etc/calamari/ssl/private/calamari-lite-bundled.crt
ssl_key = /etc/calamari/ssl/private/calamari-lite.key
[shadowman@magna090 ~]$ sudo sed 's;ssl_cert.*$;ssl_cert = /etc/calamari/ssl/certs/calamari-lite-bundled.crt;' -i /etc/calamari/calamari.conf
[shadowman@magna090 ~]$ sudo supervisorctl restart calamari-lite
calamari-lite: stopped
calamari-lite: started
[shadowman@magna090 ~]$ curl -k https://0.0.0.0:8002/api/v2/
{"detail": "Authentication credentials were not provided."}[shadowman@magna090 ~]$

Comment 14 Harish NV Rao 2016-06-20 12:43:26 UTC
Created attachment 1169911 [details]
selfsigned_ssl_cert_browser_msg1

Comment 15 Harish NV Rao 2016-06-20 12:43:54 UTC
Created attachment 1169912 [details]
selfsigned_ssl_cert_browser_msg2

Comment 16 Harish NV Rao 2016-06-20 12:44:18 UTC
Created attachment 1169913 [details]
selfsigned_ssl_cert_browser_msg3

Comment 19 Christina Meno 2016-06-20 17:09:39 UTC
Harish, as Ken said those warnings are expected behavior with self signed certificates.

Comment 20 Harish NV Rao 2016-06-21 17:36:50 UTC
APIs are accessible only via https. moving to verified state

Tested on:
 calamari-server-1.4.2-1.el7cp.x86_64
 calamari-server 1.4.2-2redhat1xenial 
 ceph version 10.2.2-5.el7cp

Comment 22 errata-xmlrpc 2016-08-23 19:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1755.html

Comment 23 Christina Meno 2016-09-21 20:29:03 UTC
*** Bug 1319487 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.