<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 10/15/2013 01:20 PM, Bhuvan Arumugam
wrote:<br>
</div>
<blockquote
cite="mid:CAK0Yc0495hkGeO8LQRLOZWtPkBV0dz5SVgsXfy+kSOKcT=GOdg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">
<div class="gmail_quote">On Mon, Oct 14, 2013 at 7:20 PM,
Jamie Lennox <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:jamielennox@redhat.com" target="_blank">jamielennox@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">On Mon, 2013-10-14 at 18:36 -0700, Bhuvan
Arumugam wrote:<br>
> Just making sure I'm not the only one facing this
problem.<br>
> <a moz-do-not-send="true"
href="https://bugs.launchpad.net/nova/+bug/1239894"
target="_blank">https://bugs.launchpad.net/nova/+bug/1239894</a><br>
<br>
</div>
Yep, we thought this may raise some issues but insecure by
default was<br>
just not acceptable.<br>
</blockquote>
<div><br>
</div>
<div>I think we should document it.</div>
</div>
</div>
</div>
</blockquote>
We are working on updating the docs. We would appreciate you
lending a hand in documenting it.<br>
<br>
<blockquote
cite="mid:CAK0Yc0495hkGeO8LQRLOZWtPkBV0dz5SVgsXfy+kSOKcT=GOdg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><br>
> keystoneclient v0.4.0 was released last week and
used by all openstack<br>
> services now. The insecure=False, as defined in<br>
> keystoneclient.middleware.auth_token. The keystone
client is happy as<br>
> long as --insecure flag is used. There is no way to
configure it in<br>
> other openstack services like nova, neutron or
glance while it is<br>
> integrated with self-signed keystone instance.<br>
<br>
</div>
I'm not following the problem. As you mentioned before the
equivalent<br>
setting for --insecure in auth_token is setting
insecure=True in the<br>
service's config file along with all the other keystone
auth_token<br>
settings. The equivalent when using the client library is
passing<br>
insecure=True to the client initialization.<br>
</blockquote>
<div><br>
</div>
<div>Yep, the problem is solved after setting this flag in
[filter:authtoken] section in /etc/nova/api-paste.ini.</div>
</div>
</div>
</div>
</blockquote>
<br>
No, the problem is kicked under the carpet. We cannot support
insecure by default. Doing certificates even for development is not
that difficult. We have patches up for review in Devstack etc to
support this.<br>
<br>
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/47076/">https://review.openstack.org/#/c/47076/</a><br>
<br>
But it is still having Jenkins issues.<br>
<blockquote
cite="mid:CAK0Yc0495hkGeO8LQRLOZWtPkBV0dz5SVgsXfy+kSOKcT=GOdg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">> We should introduce new config
parameter keystone_api_insecure and<br>
> configure keystoneclient behavior based on this
parameter. The config<br>
> parameter should be defined in all other openstack
services, as all of<br>
> them integrate with keystone.<br>
<br>
</div>
A new config parameter where? I guess we could make
insecure in<br>
auth_token also respond to an OS_SSL_INSECURE but that
pattern is not<br>
followed for any other service or parameter.<br>
</blockquote>
<div><br>
</div>
<div>I think we are inconsistent in using this flag for
different services. For instance, we use:</div>
<div> neutron_api_insecure</div>
<div> glance_api_insecure</div>
<div> </div>
<div>for keystone, we use:</div>
<div>insecure=True</div>
<div> </div>
<div>I think it's reasonable as one way or the other, it's
configurable. We'll be good if we document it somewhere
here.</div>
<div>
<a moz-do-not-send="true"
href="http://docs.openstack.org/developer/python-keystoneclient/using-api.html">http://docs.openstack.org/developer/python-keystoneclient/using-api.html</a></div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">> Until it's resolved, I think the
known workaround is to use<br>
> keystoneclient==0.3.2.<br>
><br>
><br>
> Is there any other workaround for this issue?<br>
<br>
</div>
Signed certificates.<br>
</blockquote>
<div><br>
</div>
<div>Oh yeah! We use a signed cert in our prod environment.
This one is our test bed.</div>
</div>
</div>
</div>
</blockquote>
<br>
I'd like to move toward using certmonger for the client side of
certificate management and certmaster as a simplistic CA.<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/certmonger/">https://fedorahosted.org/certmonger/</a><br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/certmaster/">https://fedorahosted.org/certmaster/</a><br>
<br>
<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAK0Yc0495hkGeO8LQRLOZWtPkBV0dz5SVgsXfy+kSOKcT=GOdg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Thank you,</div>
</div>
<div><br>
</div>
-- <br>
<div dir="ltr">
Regards,<br>
Bhuvan Arumugam
<div><a moz-do-not-send="true"
href="http://www.livecipher.com" target="_blank">www.livecipher.com</a></div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
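<div>Added example, not part of the original message or of any OpenStack project's code: a small audit script that finds the overrides named in this thread (insecure=True under [filter:authtoken], and the neutron_api_insecure / glance_api_insecure options) in service config files, so a test-bed setting does not reach production unnoticed. The function name, the "_insecure" suffix rule and the sample file contents are assumptions constructed for illustration.</div>

```python
import configparser
import sys

TRUTHY = {"1", "true", "yes", "on"}


def find_insecure_options(ini_text, source="config"):
    """Return (source, section, option) for each enabled TLS-verification bypass."""
    # RawConfigParser: no %(...)s interpolation, which paste .ini files may use.
    # A sentinel default_section keeps [DEFAULT] as an ordinary section, so its
    # options are reported once instead of being inherited by every section.
    parser = configparser.RawConfigParser(strict=False,
                                          default_section="__unused__")
    parser.read_string(ini_text, source=source)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            # "insecure" is the auth_token name from the thread; the "_insecure"
            # suffix covers neutron_api_insecure / glance_api_insecure (assumed rule).
            is_bypass = option == "insecure" or option.endswith("_insecure")
            if is_bypass and (value or "").strip().lower() in TRUTHY:
                findings.append((source, section, option))
    return findings


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_API_PASTE = """\
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_protocol = https
insecure = True
"""

SAMPLE_NOVA_CONF = """\
[DEFAULT]
neutron_api_insecure = false
glance_api_insecure = True
"""

if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path) as handle:
            hits += find_insecure_options(handle.read(), source=path)
    if not sys.argv[1:]:  # no files given: run on the constructed samples
        hits = (find_insecure_options(SAMPLE_API_PASTE, "api-paste.ini")
                + find_insecure_options(SAMPLE_NOVA_CONF, "nova.conf"))
    for source, section, option in hits:
        print(f"{source}: [{section}] {option} disables certificate verification")
    sys.exit(1 if hits else 0)
```

<div>Run it with config file paths as arguments; the non-zero exit status on any finding lets it gate a deployment job.</div>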
</body>
</html>