Add support for SSL for XXX-api

Bug #1614596 reported by hongbin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| Magnum | Fix Released | High | Hieu LE | |
| Zun | Fix Released | High | Unassigned | |

Bug Description

Devstack generates SSL configuration ("ssl_cert_file", "ssl_key_file", "enabled_ssl_apis"), but the Magnum code doesn't use it. So there is no way to enable SSL for the Magnum API. We need to fix it.

hongbin (hongbin034)
Changed in magnum:
status: New → Triaged
importance: Undecided → High
Hieu LE (hieulq)
Changed in magnum:
assignee: nobody → Hieu LE (hieulq)
Hieu LE (hieulq) wrote :

Currently we are using wsgiref simple_server, and this does not support either SSL or multi-process. To support SSL in the m-api service, IMO there are 2 ways of handling this:
1. Remove wsgiref simple_server and use another module such as werkzeug.
2. Use wsgiref simple_server and wrap the server's socket with SSL. E.g.:

    srv = simple_server.make_server(host, port, app)
    srv.socket = SSLWrapper(..)

What do you think, Hongbin?
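
Option 2 from the comment above, written out as an added example; it is not Magnum's code and not the merged fix, which replaced wsgiref with werkzeug. `tls_context`, `make_api_server`, `hello_app` and the `enable_ssl` flag are hypothetical names, and `ssl.SSLContext` stands in for the comment's `SSLWrapper(..)`; the parameters reuse the devstack option names `ssl_cert_file` and `ssl_key_file`.

```python
import os
import ssl
import sys
from wsgiref import simple_server


def tls_context(ssl_cert_file, ssl_key_file):
    """Build a server-side TLS context; raise instead of degrading to HTTP."""
    for path in (ssl_cert_file, ssl_key_file):
        if not path or not os.path.isfile(path):
            raise ValueError("SSL enabled but file is missing: %r" % (path,))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.load_cert_chain(certfile=ssl_cert_file, keyfile=ssl_key_file)
    return ctx


def make_api_server(host, port, app, enable_ssl=False,
                    ssl_cert_file=None, ssl_key_file=None):
    """Hypothetical helper: wsgiref server, optionally wrapped in TLS."""
    # Validate the TLS material before binding, so a bad path never leaves
    # a plain-HTTP listener running on the API port.
    ctx = tls_context(ssl_cert_file, ssl_key_file) if enable_ssl else None
    srv = simple_server.make_server(host, port, app)
    if ctx is not None:
        # Wrapping the listening socket means accept() also performs the
        # handshake; in this single-threaded server one stalled client
        # blocks everyone else, so this suits development use only.
        srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    return srv


def hello_app(environ, start_response):
    """Constructed sample WSGI app standing in for the real API."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s CERT_FILE KEY_FILE" % sys.argv[0])
    # Port 8443 is an arbitrary choice for this example.
    server = make_api_server("127.0.0.1", 8443, hello_app, enable_ssl=True,
                             ssl_cert_file=sys.argv[1],
                             ssl_key_file=sys.argv[2])
    server.serve_forever()
```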

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/359577

Changed in magnum:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/359577
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=70c803bfc1be9457aa51e14e81baf654f7dcf7e8
Submitter: Jenkins
Branch: master

commit 70c803bfc1be9457aa51e14e81baf654f7dcf7e8
Author: Hieu LE <email address hidden>
Date: Tue Aug 23 10:57:24 2016 +0700

    Use werkzeug to run Magnum API with SSL

    wsgiref.simple_server is a mono-threaded process that cannot
    support SSL context. This patch aims to replace wsgiref.simple_server
    with werkzeug for running a development API server supporting SSL.

    Change-Id: Ib4360d77030e4cce8abf5ea543d87b7982e0e285
    Closes-Bug: #1614596

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 3.1.0

This issue was fixed in the openstack/magnum 3.1.0 release.

hongbin (hongbin034)
summary: - Add support for SSL for magnum-api
+ Add support for SSL for XXX-api
Changed in zun:
importance: Undecided → Medium
importance: Medium → High
status: New → Triaged
He Xin (hxhehx)
Changed in zun:
assignee: nobody → He Xin (hxhehx)
He Xin (hxhehx) wrote :

For Zun, I enable native SSL without any code change to Zun. When setting up the devstack environment, we just need to change the code of stack.sh, making SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron,zun". It seems this is a devstack bug.

He Xin (hxhehx) wrote :

Actually, devstack has a bug https://review.openstack.org/#/c/345072/.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/437176

OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (master)

Reviewed: https://review.openstack.org/437176
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=2f4305eea45e155688f743f5ff2ff863448c19dc
Submitter: Jenkins
Branch: master

commit 2f4305eea45e155688f743f5ff2ff863448c19dc
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 22 15:53:00 2017 -0600

    Generate and register ssl config

    Change-Id: I6e6603a53c529675f50907f95fd0c438817b2399
    Related-Bug: #1614596

hongbin (hongbin034) wrote :

There has been no activity on fixing this bug for a while. I am going to remove the assignee so that other contributors can take it.

Changed in zun:
assignee: He Xin (hxhehx) → nobody
hongbin (hongbin034)
Changed in zun:
status: Triaged → Fix Released