[openstack-dev] [keystoneclient] self-signed keystone not accessible from other services

Jamie Lennox jamielennox at redhat.com
Tue Oct 15 02:20:44 UTC 2013


On Mon, 2013-10-14 at 18:36 -0700, Bhuvan Arumugam wrote:
> Just making sure I'm not the only one facing this problem.
> https://bugs.launchpad.net/nova/+bug/1239894

Yep, we thought this may raise some issues but insecure by default was
just not acceptable. 

> keystoneclient v0.4.0 was released last week and used by all openstack
> services now. The insecure=False, as defined in
> keystoneclient.middleware.auth_token. The keystone client is happy as
> long as --insecure flag is used. There is no way to configure it in
> other openstack services like nova, neutron or glance while it is
> integrated with self-signed keystone instance.

I'm not following the problem. As you mentioned before the equivalent
setting for --insecure in auth_token is setting insecure=True in the
service's config file along with all the other keystone auth_token
settings. The equivalent when using the client library is passing
insecure=True to the client initialization. 

> We should introduce new config parameter keystone_api_insecure and
> configure keystoneclient behavior based on this parameter. The config
> parameter should be defined in all other openstack services, as all of
> them integrate with keystone.

A new config parameter where? I guess we could make insecure in
auth_token also respond to an OS_SSL_INSECURE but that pattern is not
followed for any other service or parameter. 

> Until it's resolved, I think the known workaround is to use
> keystoneclient==0.3.2.
> 
> 
> Is there any other workaround for this issue?

Signed certificates.

> -- 
> Regards,
> Bhuvan Arumugam
> www.livecipher.com

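A check for the setting discussed in this thread, as an added example that is not part of the original messages or of keystoneclient: it scans service configuration text for auth_token sections that set insecure=True, so deployments that turned certificate verification off can be found and moved to signed certificates. The section names [keystone_authtoken] and [filter:authtoken], the host name and both sample configs are assumptions constructed for illustration.

```python
import configparser

# Assumed section names (not given in the thread): the auth_token group in a
# service's main config file and the paste filter section used by some services.
AUTH_TOKEN_SECTIONS = ("keystone_authtoken", "filter:authtoken")

# Constructed sample: verification explicitly disabled for auth_token.
NOVA_SAMPLE = """
[DEFAULT]
debug = false

[keystone_authtoken]
auth_host = keystone.example.test
auth_protocol = https
insecure = True
"""

# Constructed sample: an unrelated 'insecure' under [DEFAULT] must not count.
GLANCE_SAMPLE = """
[DEFAULT]
insecure = true

[keystone_authtoken]
auth_host = keystone.example.test
auth_protocol = https
"""


def find_insecure_auth_token(config_text, source="<config>"):
    """Return (source, section, raw_value) for each auth_token section whose
    'insecure' option turns certificate verification off."""
    parser = configparser.RawConfigParser(
        strict=False,                  # tolerate repeated sections/options
        default_section="__unused__",  # keep [DEFAULT] from leaking into other sections
    )
    parser.read_string(config_text, source=source)
    findings = []
    for section in AUTH_TOKEN_SECTIONS:
        if not parser.has_option(section, "insecure"):
            continue  # option absent: the insecure=False default applies
        raw = parser.get(section, "insecure")
        try:
            disabled = parser.getboolean(section, "insecure")
        except ValueError:
            findings.append((source, section, raw + " (unparseable)"))
            continue
        if disabled:
            findings.append((source, section, raw))
    return findings
```
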