auth_token failure if signing_dir not specified running under upstart

Bug #1078947 reported by Ken Thomas
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-keystoneclient | Fix Released | Medium | Dolph Mathews |
Ubuntu | Incomplete | Undecided | Unassigned |

Bug Description

We're using upstart (initctl) to fire up our components on RHEL 6. If we don't specify signing_dir under [keystone_authtoken], then the os.environ['HOME'] call in auth_token will throw an uncaught KeyError because there is no "HOME" in the environment in that situation.

The workaround for us is simple. We'll be adding signing_dir values to our glance api and registry configs, but it would be nice if the code didn't assume that 'HOME' is in the environment, or at least checked for errors when using os.environ.

Adam Young (ayoung) wrote :

The code is written to *require* the distribution to make a secure decision about the signing dir. The signing dir holds certificates that, on a shared machine, should not be accessible to other users, or there is the potential for a security violation.

The only directory that we can trust by default is $HOME. For Distributions, the signing dir must be specified.

Changed in keystone:
status: New → Invalid
Changed in ubuntu:
status: New → Incomplete
Ken Thomas (krt) wrote :

I can understand that signing dir must be specified and I've no problem with the default to $HOME. My main issue with the code is the lack of error checking that causes strange errors.

Shall I change the bug description to "Lack of error checking for required config setting causes Bad Things to happen"?

Joshua Harlow (harlowja)
Changed in keystone:
status: Invalid → New
Ken Thomas (krt) wrote :

BTW, I forgot to mention earlier that I'll be happy to do the code for the error checks.

Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
Dolph Mathews (dolph)
affects: keystone → python-keystoneclient
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/18058

Changed in python-keystoneclient:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Changed in python-keystoneclient:
assignee: Dolph Mathews (dolph) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/18058
Committed: http://github.com/openstack/python-keystoneclient/commit/e9ec399e66a737dd04fed79a2ba23ec34263cca2
Submitter: Jenkins
Branch: master

commit e9ec399e66a737dd04fed79a2ba23ec34263cca2
Author: Dolph Mathews <email address hidden>
Date: Thu Dec 13 12:00:59 2012 -0600

    Use os.path to find ~/keystone-signing (bug 1078947)

    Change-Id: Ie816d34299c92ba7d5cf6acf717ccfbf029f724f

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.2.2
status: Fix Committed → Fix Released
importance: Undecided → Medium
assignee: nobody → Dolph Mathews (dolph)
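
An added example, not the keystoneclient code or the merged fix: one way to pick a default signing directory without indexing os.environ['HOME'], and to raise a clear configuration error when the directory is not private to the service user. The names resolve_signing_dir, ensure_private_dir and SigningDirError are hypothetical; the ~/keystone-signing default is taken from the commit title above.

```python
import os
import stat


class SigningDirError(Exception):
    """Configuration error with an actionable message (hypothetical name)."""


def resolve_signing_dir(configured=None):
    """Pick the signing dir without assuming HOME is in the environment."""
    if configured:
        return os.path.abspath(configured)
    # expanduser() uses HOME when present and otherwise the passwd entry of
    # the current uid, so a missing HOME (as under upstart) is not a KeyError.
    path = os.path.expanduser(os.path.join('~', 'keystone-signing'))
    if path.startswith('~'):
        raise SigningDirError(
            'cannot determine a home directory; set signing_dir under '
            '[keystone_authtoken]')
    return path


def ensure_private_dir(path):
    """Create path if needed, then require owner-only access."""
    if not os.path.isdir(path):
        os.makedirs(path, 0o700)
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise SigningDirError('%s is not owned by uid %d' % (path, os.getuid()))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise SigningDirError(
            '%s is accessible to group/other (mode %o); expected 0700'
            % (path, stat.S_IMODE(st.st_mode)))
    return path


if __name__ == '__main__':
    import tempfile
    # Constructed scenario: a service started with no HOME and no signing_dir.
    os.environ.pop('HOME', None)
    try:
        print('default:', resolve_signing_dir())
    except SigningDirError as exc:
        print('config error:', exc)
    demo = os.path.join(tempfile.mkdtemp(), 'signing')
    print('private dir:', ensure_private_dir(demo))
```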