Bug 817846 - Add in SSL Support
Summary: Add in SSL Support
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openstack-keystone
Version: rawhide
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Adam Young
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-05-01 14:54 UTC by Adam Young
Modified: 2013-03-01 22:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-03-01 22:00:58 UTC
Type: Bug
Embargoed:


Attachments
WSGI connector file, to be linked in /var/www/cgi-bin or comparable directory (580 bytes, text/x-python)
2012-05-01 14:55 UTC, Adam Young

Description Adam Young 2012-05-01 14:54:04 UTC
Description of problem:
Keystone is the authentication server, but currently all traffic goes in the clear.  

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Install and run according to the Getting Started guide
  
Actual results:
Traffic goes in clear



Expected results:
Traffic should go via SSL

Additional info:
To get good SSL support will require running in HTTPD.  
It will also require notes on getting the other components to talk to Keystone via port 443.

Comment 1 Adam Young 2012-05-01 14:55:38 UTC
Created attachment 581403 [details]
WSGI connector file,  to be linked in /var/www/cgi-bin or comparable directory

Comment 2 Adam Young 2012-05-01 14:57:46 UTC
This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main.  I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin,  but it probably should be under /usr/share from an RPM, and then either linked or copied into place.


[ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf
# mod_wsgi: map each URL prefix to the hardlinked WSGI connector script.
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location "/keystone">
 # mod_nss: reject plain-HTTP requests to either endpoint.
 NSSRequireSSL
 # No httpd-level authentication; Keystone does its own.
 AuthType None
</Location>
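To illustrate how a single connector file hardlinked to both /var/www/cgi-bin/keystone/main and /var/www/cgi-bin/keystone/admin can serve the two endpoints, here is an added example (not the attached keystone.py and not Keystone project code). It assumes mod_wsgi sets wsgi.url_scheme to "https" for TLS requests, and it replaces the real Keystone applications with hypothetical stand-ins so it runs offline.

```python
# Added example connector, not the attachment from this bug. It is meant to be
# hardlinked under two names ("main" and "admin") and chooses the Keystone
# application from the name mod_wsgi invoked it as.
import os

# Hypothetical stand-ins for the public and admin Keystone WSGI apps.
def _stub_app(name):
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("keystone %s endpoint" % name).encode()]
    return app

APPS = {"main": _stub_app("main"), "admin": _stub_app("admin")}

def select_app(script_path):
    """Pick the application from the basename the connector was invoked as."""
    name = os.path.basename(script_path)
    if name not in APPS:
        raise ValueError("unknown Keystone endpoint: %r" % name)
    return APPS[name]

def require_https(app):
    """Defence in depth behind NSSRequireSSL: refuse requests that did not
    arrive over TLS, so a misconfigured vhost cannot serve tokens in the clear.
    Assumes mod_wsgi sets wsgi.url_scheme from the connection scheme."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"SSL required"]
        return app(environ, start_response)
    return wrapper

def build_application(script_path):
    return require_https(select_app(script_path))

# mod_wsgi looks up a callable named "application"; __file__ is the hardlink
# path it loaded, e.g. /var/www/cgi-bin/keystone/admin. Left as None when the
# file is imported under some other name (for example by a test).
application = (build_application(__file__)
               if os.path.basename(__file__) in APPS else None)

def call(app, environ):
    """Run a WSGI app against an environ and return (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```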

Comment 3 Fedora Admin XMLRPC Client 2012-05-22 17:34:47 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Adam Young 2012-06-08 03:04:12 UTC
Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902


Additional work by Derrek Higgens has shown how we can front with HTTPD for SSL termination.

Comment 5 Jose Castro Leon 2012-06-13 09:57:54 UTC
In case that the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA.

https://bugs.launchpad.net/keystone/+bug/1012591

Comment 6 Adam Young 2012-06-13 14:16:38 UTC
Jose,  I think that is the correct behavior.  CA and Certificate management are always part of dealing with SSL.

The CA should not come from the distribution,  it is up to the System administrator to distribute the CA

Comment 7 Jose Castro Leon 2012-06-13 14:25:12 UTC
python-keystoneclient uses python-httplib package. This package gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt as it is patched in the RPM from EPEL.

In our case, the CA is not in the bundle and keystoneclient is taking the default one, so I saw several possibilities:

- specify as an extra parameter to keystoneclient
- append our CA chain in ca-bundle.crt
- modify httplib to point to our bundle

The latter two possibilities are not friendly to maintain, so this is why I was asking upstream to have an extra parameter when the CA was not in the bundle.

Comment 8 Adam Young 2013-03-01 22:00:58 UTC
SSL support is in upstream, Fedora, and EPEL

https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902

