Project

General

Profile

Bug #14853

radosgw has no option to work with "insecure" ssl from keystone

Added by Anonymous about 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Normal
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

History

#1 Updated by Abhishek Lekshmanan about 8 years ago

Basically all openstack services have clients with a `--insecure` switch, which allow deployments with self signed ssl certs to work. In this case if keystone is terminated with ssl, then radosgw can't communicate it with it as we dont have a switch to use the curl insecure option. Relevant logs:

rgw logs:
2016-02-22 10:11:50.151555 7f34ac7d8700  1 ====== starting new request req=0x7f348c01a840 =====
2016-02-22 10:11:50.151576 7f34ac7d8700  2 req 2:0.000022::GET /swift/v1::initializing for trans_id = tx000000000000000000002-0056cadee6-ebf2-default
2016-02-22 10:11:50.151583 7f34ac7d8700 10 host=d52-54-77-77-77-01.keystone.com
2016-02-22 10:11:50.151585 7f34ac7d8700 20 subdomain= domain= in_hosted_domain=0
2016-02-22 10:11:50.151622 7f34ac7d8700 10 ver=v1 first= req=
2016-02-22 10:11:50.151624 7f34ac7d8700 10 s->object=<NULL> s->bucket=<NULL>
2016-02-22 10:11:50.151630 7f34ac7d8700  2 req 2:0.000076:swift:GET /swift/v1::getting op
2016-02-22 10:11:50.151635 7f34ac7d8700  2 req 2:0.000080:swift:GET /swift/v1:list_buckets:authorizing
2016-02-22 10:11:50.151639 7f34ac7d8700 20 token_id=aa73088ebd5f4584a5eeea8ec29a82c7
2016-02-22 10:11:50.151699 7f34ac7d8700 20 sending request to https://d52-54-77-77-77-01.keystone.com:35357/v2.0/tokens/aa73088ebd5f4584a5eeea8ec29a82c7
2016-02-22 10:11:50.162738 7f34ac7d8700  0 curl_easy_performed returned error: SSL certificate problem: self signed certificate in certificate chain
2016-02-22 10:11:50.162853 7f34ac7d8700 10 failed to authorize request
2016-02-22 10:11:50.162958 7f34ac7d8700  2 req 2:0.011402:swift:GET /swift/v1:list_buckets:http status=401
2016-02-22 10:11:50.162966 7f34ac7d8700  1 ====== req done req=0x7f348c01a840 http_status=401 ======

swift logs:

swift --insecure list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:789: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:789: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Account GET failed: http://d52-54-77-77-77-01.g17.cloud.suse.de:8080/swift/v1?format=json 401 Unauthorized   {"Code":"AccessDenied"}

#2 Updated by Abhishek Lekshmanan about 8 years ago

  • Status changed from New to In Progress
  • Assignee set to Abhishek Lekshmanan

#3 Updated by Abhishek Lekshmanan about 8 years ago

  • Status changed from In Progress to Fix Under Review

#4 Updated by Abhishek Lekshmanan about 8 years ago

  • Status changed from Fix Under Review to Resolved

Also available in: Atom PDF