Bug 1392586 - [RFE] Support SSL (TLS) for OpenStack External Providers
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.WebAdmin
Version: 4.0.5.1
Hardware: x86_64
OS: Linux
Assignee: Daniel Erez
QA Contact: Pavel Stehlik
Blocks: 1581309
Reported: 2016-11-07 20:08 UTC by Andrew Richards
Modified: 2021-05-01 16:45 UTC

Last Closed: 2018-05-27 13:52:05 UTC
oVirt Team: Storage
ylavi: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?



Description Andrew Richards 2016-11-07 20:08:20 UTC
Description of problem:
When attempting to add an external provider for OpenStack Volume (Cinder) in oVirt Engine GUI, if the endpoints of the Keystone and Cinder APIs are configured to use HTTPS, both the Test button in the Add Provider panel and when confirming the config with the OK button. 

My entries for the Add Provider panel are as follows:
Provider URL = https://cinderkeystone.fqdn:8776
Username = admin
Password = myPassword
Tenant Name = admin
Authentication URL = https://cinderkeystone.fqdn:5000/v2.0

These values work correctly when used to query both Keystone and Cinder with the python-openstackclient tool on the same host which is running oVirt Engine.

curl is also able to resolve the endpoints and get the expected response from each API (note curl does not require an "--insecure" flag, as the SSL certificate for the Cinder+Keystone host is trusted by the oVirt Engine host):

$ curl https://cinderkeystone.fqdn:8776
{"versions": [{"status": "DEPRECATED", "updated": "2016-05-02T20:25:19Z", "links": [{"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}, {"href": "http://cinderkeystone.fqdn:8776/v1/", "rel": "self"}], "min_version": "", "version": "", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.volume+json;version=1"}], "id": "v1.0"}, {"status": "SUPPORTED", "updated": "2014-06-28T12:20:21Z", "links": [{"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}, {"href": "http://cinderkeystone.fqdn:8776/v2/", "rel": "self"}], "min_version": "", "version": "", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.volume+json;version=1"}], "id": "v2.0"}, {"status": "CURRENT", "updated": "2016-02-08T12:20:21Z", "links": [{"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}, {"href": "http://cinderkeystone.fqdn:8776/v3/", "rel": "self"}], "min_version": "3.0", "version": "3.15", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.volume+json;version=1"}], "id": "v3.0"}]}

$ curl https://keystone.fqdn:5000/v2.0
{"version": {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "https://cinderkeystone.fqdn:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

When checking the Add Provider entries with the Test button, the test fails with a message adjacent to the Test button: "Test Failed (unknown error)." Here are the related entries in /var/log/ovirt-engine/engine.log:

INFO  [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-203) [6019d64a] Running command: TestProviderConnectivityCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN
ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-203) [6019d64a] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error PROVIDER_FAILURE and code 5050)

When proceeding to add the Cinder external provider via the GUI, the process apparently completes without error (relevant lines from /var/log/ovirt-engine/engine.log):

INFO  [org.ovirt.engine.core.bll.provider.AddProviderCommand] (default task-129) [6b4ff1d6] Running command: AddProviderCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN
INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-129) [6b4ff1d6] Correlation ID: 6b4ff1d6, Call Stack: null, Custom Event ID: -1, Message: Provider testssl was added. (User: admin@internal-authz)
INFO  [org.ovirt.engine.core.bll.provider.storage.AddLibvirtSecretCommand] (default task-158) [44d78b14] Running command: AddLibvirtSecretCommand internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN
INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.RegisterLibvirtSecretsVDSCommand] (default task-158) [44d78b14] START, RegisterLibvirtSecretsVDSCommand(HostName = koslab13, RegisterLibvirtSecretsVDSParameters:{runAsync='true', hostId='01c06be0-9588-4264-938f-4602746c5197', libvirtSecrets='[org.ovirt.engine.core.common.businessentities.storage.LibvirtSecret@b09d8da9]', clearUnusedSecrets='false'}), log id: 1d65bb71
INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.RegisterLibvirtSecretsVDSCommand] (default task-158) [44d78b14] FINISH, RegisterLibvirtSecretsVDSCommand, log id: 1d65bb71
INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-158) [44d78b14] Correlation ID: 44d78b14, Call Stack: null, Custom Event ID: -1, Message: Authentication Key 2bb28b19-ed00-496c-8279-0ad0ed7a660e was added. (User: admin@internal-authz).

Once the Cinder External Provider has been added, it appears to work correctly; creating RBD images via Cinder, attaching them to VMs, running the VMs, taking snapshots, etc.

Version-Release number of selected component (if applicable):
ovirt-engine.noarch 4.0.5.1-1.el7.centos @ovirt-4.0-pre
on CentOS Linux 7.2.1511 (Core) kernel 3.10.0-327.36.3.el7.x86_64

How reproducible:
Consistently reproducible

Steps to Reproduce:
1. Configure an OpenStack Cinder controller and its Keystone controller to present their respective API endpoints via HTTPS with signed and trusted keys. 
2. Enter the HTTPS endpoint connection info into the Add Provider pane of the oVirt Engine GUI for External Providers.
3. Click the Test button to verify the connection to the Cinder API prior to committing to adding the external provider.

Actual results:
Testing valid connection entries with the Test button fails with a message adjacent to the Test button: "Test Failed (unknown error)."

Expected results:
Testing valid connection entries with the Test button returns a successful response from the oVirt Engine GUI.

Additional info:
n/a
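
Added example (not part of the original report and not oVirt code): the Cinder response quoted in the description advertises http:// "self" links although it was fetched over https, while the Keystone response advertises https. The Python check below flags that kind of scheme mismatch in a version-discovery document. The sample bodies are constructed by trimming the two curl outputs above, the function names are hypothetical, and the report does not identify this as the cause of the failed test.

```python
import json
from urllib.parse import urlsplit

# Constructed samples, trimmed from the two curl responses in the report.
CINDER_URL = "https://cinderkeystone.fqdn:8776"
CINDER_BODY = json.dumps({"versions": [
    {"id": "v2.0", "status": "SUPPORTED", "links": [
        {"href": "http://docs.openstack.org/", "rel": "describedby"},
        {"href": "http://cinderkeystone.fqdn:8776/v2/", "rel": "self"}]},
    {"id": "v3.0", "status": "CURRENT", "links": [
        {"href": "http://cinderkeystone.fqdn:8776/v3/", "rel": "self"}]},
]})
KEYSTONE_URL = "https://cinderkeystone.fqdn:5000/v2.0"
KEYSTONE_BODY = json.dumps({"version": {"id": "v2.0", "status": "deprecated", "links": [
    {"href": "https://cinderkeystone.fqdn:5000/v2.0/", "rel": "self"}]}})


def iter_versions(doc):
    """Yield version entries from either discovery shape shown in the report:
    {"versions": [...]} (Cinder root) or {"version": {...}} (Keystone v2.0)."""
    if isinstance(doc.get("versions"), list):
        yield from doc["versions"]
    elif isinstance(doc.get("version"), dict):
        yield doc["version"]


def scheme_mismatches(endpoint_url, body):
    """Return (version id, href) for every rel=self link on the endpoint's host
    whose scheme differs from the scheme the endpoint was queried with."""
    want = urlsplit(endpoint_url)
    findings = []
    for version in iter_versions(json.loads(body)):
        for link in version.get("links", []):
            if link.get("rel") != "self":
                continue  # describedby links point at external documentation
            got = urlsplit(link.get("href", ""))
            if got.hostname == want.hostname and got.scheme != want.scheme:
                findings.append((version.get("id"), link["href"]))
    return findings


if __name__ == "__main__":
    for url, body in ((CINDER_URL, CINDER_BODY), (KEYSTONE_URL, KEYSTONE_BODY)):
        for vid, href in scheme_mismatches(url, body):
            print(f"{url}: {vid} advertises {href}")
```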

Comment 1 Daniel Erez 2017-01-03 16:43:32 UTC
SSL support for OpenStack external providers hasn't been included in the integration scope. Setting as an RFE.

Comment 2 Doron Fediuck 2018-05-27 13:52:05 UTC
Closing old RFEs.
If relevant, please re-open and explain why.
As always, patches are welcomed!

Comment 3 Tal Nisan 2018-05-31 14:12:20 UTC
*** Bug 1581309 has been marked as a duplicate of this bug. ***

