Bug 1589725 - Users need to add octavia service user to secret ACL list for TERMINATED_HTTPS listeners
Summary: Users need to add octavia service user to secret ACL list for TERMINATED_HTTP...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 14.0 (Rocky)
Assignee: Carlos Goncalves
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Depends On:
Blocks: 1569129
TreeView+ depends on / blocked
 
Reported: 2018-06-11 09:22 UTC by Carlos Goncalves
Modified: 2019-09-10 14:12 UTC (History)
7 users (show)

Fixed In Version: openstack-octavia-3.0.1-0.20181009115731.c57ae8d.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1569129
Environment:
Last Closed: 2019-01-11 11:50:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 552549 0 None None None 2018-06-11 09:22:19 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:50:31 UTC

Description Carlos Goncalves 2018-06-11 09:22:19 UTC 
+++ This bug was initially created as a clone of Bug #1569129 +++

Description of problem:

TLS-terminated HTTPS load balancer require a TLS container to be passed in at listener creation. Octavia needs to have permission to access the container, which it does not unless the user adds beforehand the Octavia service user to the ACL list with "openstack acl user add -u $OCTAVIA_SERVICE_USER <secret>". To do so, end-users need to know the right user to add ("octavia" in OSP).


How reproducible:
100%

Steps to Reproduce:

1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
3. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1

Actual results:
Listener provisioning will fail with ERROR. Check octavia-worker logs and you'll see Barbican denied Octavia access to the secret.

Expected results:
Octavia would be able to retrieve the secret and listener would be provisioned (ACTIVE).


Additional info:

Today, in order to create TERMINATED_HTTPS listeners users have to:

1. openstack secret store --name='tls_secret1' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < server.p12)"
2. openstack acl user add -u octavia $(openstack secret list | awk '/ tls_secret1 / {print $2}')
3. openstack loadbalancer create --name lb1 --vip-subnet-id private-subnet
4. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1
Comment 6 errata-xmlrpc 2019-01-11 11:50:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045
Note You need to log in before you can comment on or make changes to this bug.