[Openstack] Keystone Fernet Token

Reza Bakhshayeshi reza.b2008 at gmail.com
Wed Nov 11 19:06:45 UTC 2015


Dear Adam,

Here is the audit.log content:

type=AVC msg=audit(1447271600.161:353): avc:  denied  { write } for pid=4616 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271600.161:353): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf240b10 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4616 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1447271602.313:354): avc:  denied  { write } for pid=4648 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271602.313:354): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf60a4c0 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4648 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


On 9 November 2015 at 18:22, Adam Young <ayoung at redhat.com> wrote:

> On 11/07/2015 01:08 PM, Reza Bakhshayeshi wrote:
>
> Thanks all, especially Rahul,
> I solved the problem temporarily by disabling SELinux.
>
>
> What did you have for an AVC?  It sounds like the issue was the Keystone
> WSGI process reading the keys file?  Can you post the relevant sections
> from the audit log?
>
>
>
> On 3 November 2015 at 07:43, 张家龙 <zhangjl at awcloud.com> wrote:
>
>> Maybe you should do as follows:
>>
>>     chown -R keystone:keystone /etc/keystone
>>
>> Then, restart the keystone service:
>>
>>     systemctl restart openstack-keystone
>>
>> ------------------
>> Best Regards
>>
>> ZhangJialong
>>
>>
>>
>> ------------------ Original ------------------
>> *From: * "Adam Young"< <ayoung at redhat.com>ayoung at redhat.com>;
>> *Date: * Tue, Nov 3, 2015 11:01 AM
>> *To: * "openstack"< <openstack at lists.openstack.org>
>> openstack at lists.openstack.org>;
>> *Subject: * Re: [Openstack] Keystone Fernet Token
>>
>> On 10/28/2015 02:23 PM, Reza Bakhshayeshi wrote:
>>
>> Hi all,
>>
>> I'm going to use Fernet tokens on OpenStack Kilo (only the Keystone service is
>> installed),
>> I've configured keystone.conf like:
>>
>> [token]
>> provider = keystone.token.providers.fernet.Provider
>>
>> When I run:
>> keystone-manage fernet_setup --keystone-user keystone --keystone-group
>> keystone
>>
>> the keys are created successfully in the /etc/keystone/fernet-keys directory.
>> But when I try to create a token I receive the following error;
>> here is the complete log:
>>
>> 2015-10-28 21:22:14.680 65218 INFO keystone.common.wsgi [-] GET /?
>> 2015-10-28 23:50:25.343 9377 INFO keystone.token.providers.fernet.utils
>> [-] [fernet_tokens] key_repository does not appear to exist; attempting to
>> create it
>> 2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils
>> [-] Created a new key: /etc/keystone/fernet-keys/0
>> 2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils
>> [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
>> 2015-10-28 23:50:25.344 9377 INFO keystone.token.providers.fernet.utils
>> [-] Current primary key is: 0
>> 2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils
>> [-] Next primary key will be: 1
>> 2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils
>> [-] Promoted key 0 to be the primary: 1
>> 2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils
>> [-] Created a new key: /etc/keystone/fernet-keys/0
>> 2015-10-28 23:50:25.345 9377 INFO keystone.token.providers.fernet.utils
>> [-] Excess keys to purge: []
>> 2015-10-28 23:50:52.632 8059 INFO keystone.common.wsgi [-] POST /tokens?
>> 2015-10-28 23:50:52.889 8059 ERROR keystone.token.providers.fernet.utils
>> [-] Either [fernet_tokens] key_repository does not exist or Keystone does
>> not have sufficient permission to access it: /etc/keystone/fernet-keys/
>> 2015-10-28 23:50:52.890 8059 WARNING keystone.common.wsgi [-] No
>> encryption keys found; run keystone-manage fernet_setup to bootstrap one.
>>
>> while the permissions seem to be correct:
>>
>> # ls -lah /etc/keystone/
>> total 104K
>> drwxr-x---.   3 root     keystone 4.0K Oct 28 23:50 .
>> drwxr-xr-x. 143 root     root      12K Oct 28 12:56 ..
>> -rw-r-----.   1 root     keystone 1.5K Jul 29 00:21
>> default_catalog.templates
>> drwx------.   2 keystone keystone 4.0K Oct 28 23:50 fernet-keys
>> -rw-r-----.   1 root     keystone  57K Oct 28 23:48 keystone.conf
>> -rw-r-----.   1 root     keystone 1.1K Jul 29 00:21 logging.conf
>> -rw-r-----.   1 keystone keystone 8.6K Jul 29 00:21 policy.json
>> -rw-r-----.   1 keystone keystone  665 Jul 29 00:21
>> sso_callback_template.html
>>
>> What am I missing?
>>
>>
>> No idea.  When I get into these situations, I use rpdb:
>>
>> http://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/
>>
>>
>> Is there anything in /etc/keystone/fernet-keys?
>>
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
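The AVC records above say what SELinux refused, but they are easier to act on once each AVC record is paired with the SYSCALL record that shares its audit serial and the numeric fields are decoded. What follows is an added example written for this thread, not code from the list, from Keystone, from OpenStack or from the audit tooling: a small Python parser that reads the two denials posted above (rejoined to one line per record, as auditd writes them; the mail client wrapped them), pairs AVC with SYSCALL by serial, and decodes syscall=21 as access(2) on x86_64 (arch c000003e), a1=2 as W_OK and exit=-13 as EACCES. The decoded result shows that httpd_t, the domain the Keystone WSGI process runs in under httpd, was refused a write-access check on the fernet-keys directory because that directory carries the generic etc_t label. The uid 163 in the SYSCALL record is the process uid; assuming it is the keystone account that owns the directory in the ls output above, the DAC mode 700 was never the problem, and the fix belongs in file contexts or policy rather than in setenforce 0. The syscall table, the is_fernet_repo_write_denial check and the output wording are the example's own assumptions.

```python
"""Pair SELinux AVC denials with their SYSCALL records and decode them.

Added example for this thread; not Keystone, OpenStack or audit-tooling code.
"""
import errno
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# The two AVC/SYSCALL pairs posted above, rejoined to one line per record
# (the mail client wrapped them; auditd writes each record on one line).
POSTED_AUDIT_LOG = """\
type=AVC msg=audit(1447271600.161:353): avc:  denied  { write } for pid=4616 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271600.161:353): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf240b10 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4616 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1447271602.313:354): avc:  denied  { write } for pid=4648 comm="httpd" name="fernet-keys" dev="dm-1" ino=1706000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1447271602.313:354): arch=c000003e syscall=21 success=no exit=-13 a0=7f2ebf60a4c0 a1=2 a2=7f2ed1d1af88 a3=0 items=0 ppid=2714 pid=4648 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

X86_64_ARCH = "c000003e"
# A few x86_64 syscall numbers (assumption: extend this for your own logs).
X86_64_SYSCALLS = {2: "open", 21: "access", 83: "mkdir", 257: "openat"}
ACCESS_MODES = ((os.R_OK, "R_OK"), (os.W_OK, "W_OK"), (os.X_OK, "X_OK"))

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")


@dataclass
class Denial:
    serial: int
    perms: List[str]
    scontext_type: str      # e.g. httpd_t: the domain that was refused
    tcontext_type: str      # e.g. etc_t: the label on the object
    tclass: str
    name: Optional[str]
    comm: Optional[str]
    pid: Optional[int] = None
    uid: Optional[int] = None
    exe: Optional[str] = None
    syscall: Optional[str] = None
    access_mode: Optional[str] = None
    errno: Optional[str] = None


def _fields(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _sel_type(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_denials(log_text: str) -> List[Denial]:
    """Group records by audit serial and pair each AVC with its SYSCALL record."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:           # ausearch separators ("----", "time->") land here
            continue
        rec = _fields(line)
        pm = PERMS_RE.search(line)
        rec["_perms"] = pm.group(1).split() if pm else []   # empty for "granted"
        by_serial[int(m.group(2))][rec.get("type")] = rec

    denials = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        if avc is None or not avc["_perms"]:
            continue
        d = Denial(serial=serial, perms=avc["_perms"],
                   scontext_type=_sel_type(avc["scontext"]),
                   tcontext_type=_sel_type(avc["tcontext"]),
                   tclass=avc["tclass"], name=avc.get("name"), comm=avc.get("comm"),
                   pid=int(avc["pid"]) if "pid" in avc else None)
        sc = by_serial[serial].get("SYSCALL")
        if sc is not None:
            d.uid, d.exe = int(sc["uid"]), sc.get("exe")
            nr = int(sc["syscall"])
            if sc.get("arch") == X86_64_ARCH:
                d.syscall = X86_64_SYSCALLS.get(nr, "syscall#%d" % nr)
                if nr == 21:    # access(path, mode): a1 is the mode bitmask, in hex
                    mode = int(sc["a1"], 16)
                    d.access_mode = "|".join(n for bit, n in ACCESS_MODES if mode & bit) or "F_OK"
            code = int(sc["exit"])
            if code < 0:        # a negative exit value is -errno
                d.errno = errno.errorcode.get(-code, str(code))
        denials.append(d)
    return denials


def explain(d: Denial) -> str:
    what = d.syscall or "?"
    if d.access_mode:
        what += "(%s)" % d.access_mode
    return ("%s[%s] in %s denied %s on %s '%s' labeled %s: %s -> %s"
            % (d.comm, d.pid, d.scontext_type, ",".join(d.perms), d.tclass,
               d.name, d.tcontext_type, what, d.errno))


def is_fernet_repo_write_denial(d: Denial) -> bool:
    """The pattern from this thread: a process refused write on the key repository."""
    return "write" in d.perms and d.tclass == "dir" and d.name == "fernet-keys"


if __name__ == "__main__":
    for d in parse_denials(POSTED_AUDIT_LOG):
        flag = "  <-- fernet key repository" if is_fernet_repo_write_denial(d) else ""
        print(explain(d) + flag)
```

The raw output of `ausearch -m AVC -ts recent` can be fed to parse_denials unchanged, because its separator lines carry no msg=audit(...) id and are skipped. Records from other architectures keep their numeric syscall undecoded rather than guessed.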