Barbican - ValueError: Fernet key must be 32 url-safe base64-encoded bytes

Bug #1699014 reported by George Zhao
This bug affects 2 people
Affects: kolla-ansible
Status: Fix Released
Importance: Medium
Assigned to: Mark Goddard

Bug Description

The barbican.conf.j2 should use

kek = '{{ barbican_crypto_key }}'

instead of

kek = '{{ barbican_crypto_password }}'

affects: kolla → kolla-ansible
Changed in kolla-ansible:
status: New → Triaged
importance: Undecided → Medium
milestone: none → pike-3
Mark Goddard (mgoddard)
Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
Changed in kolla-ansible:
status: Triaged → In Progress
Mark Goddard (mgoddard) wrote :

Review submitted to master: https://review.openstack.org/476090

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.openstack.org/476090
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=2e4359069e8a50f83fe0dca1103d935212dd2703
Submitter: Jenkins
Branch: master

commit 2e4359069e8a50f83fe0dca1103d935212dd2703
Author: Mark Goddard <email address hidden>
Date: Wed Jun 21 11:53:14 2017 +0100

    Barbican simple_crypto plugin broken - invalid key

    When using the simple_crypto plugin, barbican expects the
    [simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
    value. However, kolla-ansible is providing a standard autogenerated
    password.

    There are two relevant variables in kolla-ansible -
    barbican_crypto_password (a standard password) and barbican_crypto_key
    (a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
    when it is generated. barbican_crypto_password is used to set the
    [simple_crypto_plugin] kek config value but causes an error when the
    simple_crypto plugin is used as the value is not in the expected format.
    Using barbican_crypto_key instead resolves the error. Clearly there is a
    naming issue here and we should be using barbican_crypto_key instead of
    barbican_crypto_password.

    This change removes the barbican_crypto_password variable and uses
    barbican_crypto_key instead.

    Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
    Closes-Bug: #1699014
    Related-Bug: #1683216
    Co-Authored-By: Stig Telfer <email address hidden>
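
The key-format mismatch described in the commit message above can be caught before deployment. The following is an added example, not code from kolla-ansible or Barbican: a standard-library pre-flight check that applies the rule stated in the error message (url-safe base64 that decodes to exactly 32 bytes) to the `[simple_crypto_plugin]` `kek` value. The function names, the sample password and the rendered config text are constructed for illustration.

```python
import base64
import binascii
import configparser
import os

SECTION = "simple_crypto_plugin"  # section/option names as given in the commit message
# Constructed 40-character password, standing in for an autogenerated one.
SAMPLE_PASSWORD = "aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF3hJ6kM9n"


def generate_kek() -> str:
    """Return 32 random bytes encoded as url-safe base64 (44 characters)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def kek_problem(value: str):
    """Return None if value is a usable key, otherwise a short reason string."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError, ValueError) as exc:
        return f"not url-safe base64: {exc}"
    if len(raw) != 32:
        return f"decodes to {len(raw)} bytes, expected 32"
    return None


def render_conf(value: str) -> str:
    """Constructed stand-in for the rendered barbican.conf fragment."""
    return f"[{SECTION}]\nkek = '{value}'\n"


def check_conf(text: str):
    """Validate the kek option in rendered config text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_option(SECTION, "kek"):
        return "kek not set"
    # The template wraps the value in single quotes; strip them before checking.
    return kek_problem(parser.get(SECTION, "kek").strip("'\""))


if __name__ == "__main__":
    for label, value in (("password", SAMPLE_PASSWORD), ("key", generate_kek())):
        print(f"{label}: {check_conf(render_conf(value)) or 'ok'}")
```

A password made only of letters and digits still decodes as base64 without error, so the length check is what rejects it.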

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 5.0.0.0b3

This issue was fixed in the openstack/kolla-ansible 5.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/491251

Alessandro Pilotti (alexpilotti) wrote :

This is broken in stable/ocata as well. Here's the cherry-pick: https://review.openstack.org/#/c/491251/

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ocata)

Reviewed: https://review.openstack.org/491251
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=24b49ed83eb232f43de5a455a83f35f4cd67e443
Submitter: Zuul
Branch: stable/ocata

commit 24b49ed83eb232f43de5a455a83f35f4cd67e443
Author: Mark Goddard <email address hidden>
Date: Wed Jun 21 11:53:14 2017 +0100

    Barbican simple_crypto plugin broken - invalid key

    When using the simple_crypto plugin, barbican expects the
    [simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
    value. However, kolla-ansible is providing a standard autogenerated
    password.

    There are two relevant variables in kolla-ansible -
    barbican_crypto_password (a standard password) and barbican_crypto_key
    (a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
    when it is generated. barbican_crypto_password is used to set the
    [simple_crypto_plugin] kek config value but causes an error when the
    simple_crypto plugin is used as the value is not in the expected format.
    Using barbican_crypto_key instead resolves the error. Clearly there is a
    naming issue here and we should be using barbican_crypto_key instead of
    barbican_crypto_password.

    This change removes the barbican_crypto_password variable and uses
    barbican_crypto_key instead.

    Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
    Closes-Bug: #1699014
    Related-Bug: #1683216
    Co-Authored-By: Stig Telfer <email address hidden>
    (cherry picked from commit 2e4359069e8a50f83fe0dca1103d935212dd2703)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 4.0.5

This issue was fixed in the openstack/kolla-ansible 4.0.5 release.
