Bug 817846 - Add in SSL Support
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openstack-keystone
Version: rawhide
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: high
Assigned To: Adam Young
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-01 10:54 EDT by Adam Young
Modified: 2013-03-01 17:00 EST
Doc Type: Bug Fix
Last Closed: 2013-03-01 17:00:58 EST
Type: Bug


Attachments:
WSGI connector file, to be linked in /var/www/cgi-bin or comparable directory (580 bytes, text/x-python), 2012-05-01 10:55 EDT, Adam Young
Description Adam Young 2012-05-01 10:54:04 EDT
Description of problem:
Keystone is the authentication server, but currently all traffic goes in the clear.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Install/run according to the Getting Started guide

Actual results:
Traffic goes in the clear

Expected results:
Traffic should go via SSL

Additional info:
To get good SSL support will require running in HTTPD.
It will also require notes on getting the other components to talk to Keystone via port 443
Comment 1 Adam Young 2012-05-01 10:55:38 EDT
Created attachment 581403 [details]
WSGI connector file,  to be linked in /var/www/cgi-bin or comparable directory
Comment 2 Adam Young 2012-05-01 10:57:46 EDT
This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main.  I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin,  but it probably should be under /usr/share from an RPM, and then either linked or copied into place.


[ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location "/keystone">
 NSSRequireSSL
 AuthType None
</Location>
Comment 3 Fedora Admin XMLRPC Client 2012-05-22 13:34:47 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Adam Young 2012-06-07 23:04:12 EDT
Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902


Additional work by Derrek Higgens has shown how we can front with HTTPD for SSL termination.
Comment 5 Jose Castro Leon 2012-06-13 05:57:54 EDT
In case that the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA.

https://bugs.launchpad.net/keystone/+bug/1012591
Comment 6 Adam Young 2012-06-13 10:16:38 EDT
Jose,  I think that is the correct behavior.  CA and Certificate management are always part of dealing with SSL.

The CA should not come from the distribution,  it is up to the System administrator to distribute the CA
Comment 7 Jose Castro Leon 2012-06-13 10:25:12 EDT
python-keystoneclient uses the python-httplib package. This package gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt, as it is patched in the RPM from EPEL.

In our case, the CA is not in the bundle and keystoneclient is taking the default one, so I saw several possibilities:

- specify it as an extra parameter to keystoneclient
- append our CA chain to ca-bundle.crt
- modify httplib to point to our bundle

The latter two possibilities are not friendly to maintain, so this is why I was asking upstream to have an extra parameter for when the CA was not in the bundle.
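The failure mode discussed in comments 5 through 7, reproduced as an added example that is not part of this bug report: a server certificate issued by a deployment's own CA fails validation against the default store (the CA is not in the distribution bundle), and passes once the CA file is supplied explicitly, which is the "extra parameter" option. It assumes only the openssl CLI; every certificate is generated locally and is purely constructed test data.

```shell
#!/bin/sh
# Added example, not from the bug report. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)

# 1. A private CA standing in for the deployment's own CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Deployment CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A server certificate for the Keystone endpoint, signed by that CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=keystone.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 2 -out "$WORK/server.crt" >/dev/null 2>&1

# verify_against BUNDLE CERT
# Validates CERT the way a client would; prints "OK" or "FAIL".
# An empty BUNDLE means the system default store, i.e. what a client
# gets when no CA file is passed as an extra parameter.
verify_against() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Default store: the private CA is unknown, so validation fails.
echo "default store: $(verify_against "" "$WORK/server.crt")"
# Explicit CA file: validation succeeds without touching ca-bundle.crt.
echo "explicit CA:   $(verify_against "$WORK/ca.crt" "$WORK/server.crt")"
```

The same distinction applies to any HTTPS client: either the deployment CA is appended to the distribution bundle, or the client is told where the CA file lives.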
Comment 8 Adam Young 2013-03-01 17:00:58 EST
SSL support is in upstream, Fedora, and EPEL

https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902
