[openstack-dev] [keystoneclient] self-signed keystone not accessible from other services

Dolph Mathews dolph.mathews at gmail.com
Tue Oct 15 02:32:18 UTC 2013


On Monday, October 14, 2013, Jamie Lennox wrote:

> On Mon, 2013-10-14 at 18:36 -0700, Bhuvan Arumugam wrote:
> > Just making sure I'm not the only one facing this problem.
> > https://bugs.launchpad.net/nova/+bug/1239894
>
> Yep, we thought this may raise some issues but insecure by default was
> just not acceptable.
>
> > keystoneclient v0.4.0 was released last week and used by all OpenStack
> > services now. The insecure=False, as defined in
> > keystoneclient.middleware.auth_token. The keystone client is happy as
> > long as --insecure flag is used. There is no way to configure it in
> > other OpenStack services like nova, neutron or glance while it is
> > integrated with self-signed keystone instance.
>
> I'm not following the problem. As you mentioned before the equivalent
> setting for --insecure in auth_token is setting insecure=True in the
> service's config file along with all the other keystone auth_token
> settings. The equivalent when using the client library is passing
> insecure=True to the client initialization.
>
> > We should introduce new config parameter keystone_api_insecure and
> > configure keystoneclient behavior based on this parameter. The config
> > parameter should be defined in all other openstack services, as all of
> > them integrate with keystone.
>
> A new config parameter where? I guess we could make insecure in
> auth_token also respond to an OS_SSL_INSECURE but that pattern is not
> followed for any other service or parameter.
>
>
That's something I'd rather not support without a *very* strong use case.
Using --insecure is inconvenient by design.

> > Until it's resolved, I think the known workaround is to use
> > keystoneclient==0.3.2.
> >
> >
> > Is there any other workaround for this issue?
>
> Signed certificates.
>
> > --
> > Regards,
> > Bhuvan Arumugam
> > www.livecipher.com


-- 

-Dolph
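
An added example, not part of the original thread or of keystoneclient: a small audit that reads service config files and reports which ones disable Keystone certificate verification through the `insecure` option discussed above. The `[keystone_authtoken]` section name, the `cafile` option, the `https` default for `auth_protocol` and the sample file contents are assumptions made for illustration.

```python
import configparser

# Constructed sample configs (not from the thread). The section name
# [keystone_authtoken] and the cafile option are assumptions about how the
# service loads its auth_token settings; insecure is the option discussed above.
SAMPLE_CONFIGS = {
    "nova.conf": """
[keystone_authtoken]
auth_host = keystone.example.test
auth_protocol = https
insecure = True
""",
    "glance-api.conf": """
[keystone_authtoken]
auth_host = keystone.example.test
auth_protocol = https
cafile = /etc/ssl/certs/internal-ca.pem
""",
    "neutron.conf": """
[keystone_authtoken]
auth_host = keystone.example.test
auth_protocol = https
""",
}

def audit_auth_token(text, section="keystone_authtoken"):
    """Classify one service config by how it verifies Keystone's certificate."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section(section):
        return "no-auth-token-section"
    # insecure=False is the default as of keystoneclient 0.4.0 (per the thread).
    if cp.getboolean(section, "insecure", fallback=False):
        return "verification-disabled"
    # Assumption: auth_protocol falls back to https when it is not set.
    if cp.get(section, "auth_protocol", fallback="https").lower() != "https":
        return "plaintext-http"
    if cp.get(section, "cafile", fallback="").strip():
        return "verified-against-cafile"
    # No cafile: only certificates chaining to the system CA store will pass,
    # so a self-signed Keystone certificate is rejected here.
    return "verified-against-system-cas"

def audit_all(configs):
    return {name: audit_auth_token(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, verdict in sorted(audit_all(SAMPLE_CONFIGS).items()):
        print(f"{name}: {verdict}")
```
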