update auth_token to default signing_dir w/ os USER as suffix

Bug #1031022 reported by Dan Prince
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Adam Young

Bug Description

Just had a good discussion with ayoung on IRC:

When running multiple OpenStack services (Nova, Glance, Swift, etc.) on the same node, it is possible to hit permission exceptions when using auth_token middleware with a 'signing_dir' that is the same name across all services. The default name is currently '/tmp/keystone-signing'. Automatically naming the signing_dir uniquely (per service) would be desirable.

Options include:

 - Using another one of the keystone auth_token parameters in the name (admin_name *could* be used but it might be a security issue since it contains the name used for auth... probably best to avoid it)

 - Adam suggested using the OS 'USERNAME'. Seems like a better solution.

Dan Prince (dan-prince)
Changed in keystone:
status: New → In Progress
assignee: nobody → Dan Prince (dan-prince)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10560

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/10560
Committed: http://github.com/openstack/keystone/commit/4444577e23cf3365479793d90e3ae337e4638b6a
Submitter: Jenkins
Branch: master

commit 4444577e23cf3365479793d90e3ae337e4638b6a
Author: Dan Prince <email address hidden>
Date: Mon Jul 30 15:15:04 2012 -0400

    Set default signing_dir based on os USER.

    Updates the Keystone auth_token middleware so that it sets the
    default signing_dir name based on the OS username obtained
    from the environment. This should help resolve potential permissions
    issues which can occur when multiple OpenStack services attempt
    to use the same signing directory name.

    Fixes LP Bug #1031022.

    Change-Id: I53bceed27f60721b8f61ffec2d1e91ec2ea464ed

Changed in keystone:
status: In Progress → Fix Committed
Dan Prince (dan-prince)
Changed in keystone:
importance: Undecided → Critical
importance: Critical → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10627

Changed in keystone:
status: Fix Committed → In Progress
Dan Prince (dan-prince)
Changed in keystone:
assignee: Dan Prince (dan-prince) → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/10627
Committed: http://github.com/openstack/keystone/commit/ac4dcfd8f64dfe19d607b770eb98dd289498d3ac
Submitter: Jenkins
Branch: master

commit ac4dcfd8f64dfe19d607b770eb98dd289498d3ac
Author: Adam Young <email address hidden>
Date: Tue Jul 31 16:41:47 2012 -0400

    Use user home dir as default for cache

    This is a better and safer default, as it minimizes the
    possibility that the cache directory will be prepopulated or
    unwritable, while still providing a reasonable value for the
    individual developer

    Creates a better exception for failure to create the cache
    dir

    Logs the name of the cache dir actually used.

    Bug 1031022

    Change-Id: Ia3718107e436ceb034e3a89318ac05265d66d6f1

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-3 → 2012.2
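
The checks a service can run on its signing directory before trusting it, as an added example that is not Keystone's code or part of the original report: it resolves a per-user default under the home directory, creates it privately, and rejects a path that was prepopulated with loose permissions or replaced by a symlink. The names `SigningDirError`, `default_signing_dir`, `ensure_signing_dir` and the `keystone-signing` directory name under the home directory are assumptions, and the code assumes a POSIX system.

```python
import os
import stat
import tempfile


class SigningDirError(Exception):
    """Signing directory cannot be used safely (hypothetical name)."""


def default_signing_dir(home=None):
    # Assumption: per-user location under the home directory; name is illustrative.
    return os.path.join(home or os.path.expanduser("~"), "keystone-signing")


def ensure_signing_dir(path):
    """Create path if missing, then require a private directory owned by us."""
    try:
        os.makedirs(path, mode=0o700, exist_ok=True)
    except OSError as exc:
        raise SigningDirError("cannot create signing_dir %s: %s" % (path, exc))
    st = os.lstat(path)  # lstat so a symlink planted at the path is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise SigningDirError("%s is not a real directory" % path)
    if st.st_uid != os.getuid():
        raise SigningDirError("%s is owned by uid %d" % (path, st.st_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SigningDirError("%s is open to group or other users" % path)
    return path


def demo():
    # Constructed cases: a fresh path, a pre-created world-writable directory
    # (the shared /tmp situation from the report), and a symlink at the path.
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        os.symlink(shared, os.path.join(tmp, "link"))
        for name in ("fresh", "shared", "link"):
            try:
                ensure_signing_dir(os.path.join(tmp, name))
                results[name] = "ok"
            except SigningDirError as exc:
                results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```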