Certificates cannot be retrieved from the V3 API

Bug #1259011 reported by Jamie Lennox
This bug affects 2 people
Affects                        Status        Importance  Assigned to   Milestone
OpenStack Identity (keystone)  Fix Released  Wishlist    Jamie Lennox
keystonemiddleware             Won't Fix     Wishlist    Unassigned
openstack-api-site             Fix Released  Wishlist    Jamie Lennox

Bug Description

Auth_token middleware relies upon the V2 API to provide the certificates that are required to validate PKI tokens, because this information is not provided by the V3 API.

Longer term, I think we should be encouraging deployers to handle their own certificate distribution, as fetching the certificates from the same source that is issuing tokens is not secure; however, for the meantime we need some way of providing these certificates to token validators.

Tags: pki
Jamie Lennox (jamielennox) wrote :

Added keystoneclient as it should be able to make use of the certificates from a v3 api.

Dolph Mathews (dolph) wrote :

Isn't this exposed on v3 but not documented... again?

Changed in keystone:
importance: Undecided → Wishlist
Changed in python-keystoneclient:
importance: Undecided → Wishlist
Jamie Lennox (jamielennox) wrote :

No, I don't think it's exposed on the v3 API at all. On v2 it's /v2.0/certificates/signing; /v3/certificates/signing doesn't exist, and I can't find anywhere else that it is exposed.

It's definitely not used via the 3.0 API, documented or not.

Dolph Mathews (dolph) wrote :

Well, that's good to hear. Adam has an abandoned API review to spec this out.

Jamie Lennox (jamielennox) wrote :

He does. I remember commenting on it, but it's been abandoned for a while and was tied in with revocation. So I just put in a new one: https://review.openstack.org/#/c/60727/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/62810

Changed in keystone:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
Jamie Lennox (jamielennox)
Changed in openstack-api-site:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to identity-api (master)

Reviewed: https://review.openstack.org/60727
Committed: https://git.openstack.org/cgit/openstack/identity-api/commit/?id=602aa6b90adb11103e2683a34fa4e0e13a3e8c69
Submitter: Jenkins
Branch: master

commit 602aa6b90adb11103e2683a34fa4e0e13a3e8c69
Author: Jamie Lennox <email address hidden>
Date: Mon Dec 9 11:41:03 2013 +1000

    Add OS-SIMPLE-CERT extension

    This provides a very basic mechanism for retrieving the CA and signing
    certificate from the identity service. It aims to simply replicate the
    functionality provided by the v2.0 API.

    SecurityImpact
    Change-Id: I24c77188ebb05ef57b378798584e3829d55827f2
    Partial-Bug: #1259011

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/67785

Jamie Lennox (jamielennox) wrote :

Identity API bug closed by: https://review.openstack.org/#/c/60727/

Changed in keystone:
milestone: none → icehouse-2
Changed in openstack-api-site:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystone:
milestone: icehouse-2 → icehouse-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/67785
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4f9c7e22291b38c88601b757503840ba5806c215
Submitter: Jenkins
Branch: master

commit 4f9c7e22291b38c88601b757503840ba5806c215
Author: Jamie Lennox <email address hidden>
Date: Mon Jan 20 17:56:17 2014 +1000

    Simple Certificate Extension

    Implement the Simple Certificate Extension for retrieving token signing
    certificates from a server.

    Change-Id: I653c527ca2b39628658a24b4d484683d1ac6acf2
    Closes-Bug: #1259011

Changed in keystone:
status: In Progress → Fix Committed
Changed in openstack-api-site:
status: Fix Committed → Fix Released
importance: Undecided → Wishlist
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1
Dolph Mathews (dolph)
Changed in keystonemiddleware:
importance: Undecided → Wishlist
status: New → Triaged
no longer affects: python-keystoneclient
tags: added: pki
Morgan Fainberg (mdrnstm) wrote :

With PKI tokens being deprecated, I am going to mark this as "won't fix", preferring Fernet and/or UUID tokens to PKI.

Changed in keystonemiddleware:
status: Triaged → Won't Fix