[Yahoo-eng-team] [Bug 1619758] Re: Credential Encryption breaks deployments without Fernet

Emilien Macchi Fri, 02 Sep 2016 11:36:44 -0700

I'm adding TripleO because we need to automate the process of upgrade regarding:
http://docs.openstack.org/releasenotes/keystone/unreleased.html#upgrade-notes


"Keystone now supports encrypted credentials at rest. In order to
upgrade successfully to Newton, deployers must encrypt all credentials
currently stored before contracting the database. Deployers must run
keystone-manage credential_setup in order to use the credential API
within Newton, or finish the upgrade from Mitaka to Newton. This will
result in a service outage for the credential API where credentials will
be read-only for the duration of the upgrade process. Once the database
is contracted credentials will be writeable again. Database contraction
phases only apply to rolling upgrades."

So I'm going to try to make it transparent in puppet-keystone but for
sure TripleO will have to run the command in the upgrade scripts.

** Also affects: tripleo
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1619758

Title:
  Credential Encryption breaks deployments without Fernet

Status in OpenStack Identity (keystone):
  New
Status in tripleo:
  New

Bug description:
  A recent change to encrypt credetials broke RDO/Tripleo deployments:


  2016-09-02 17:16:55.074 17619 ERROR keystone.common.fernet_utils 
[req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 
fd71b607cfa84539bf0440915ea2d94b - default default] Either [fernet_tokens] 
key_repository does not exist or Keystone does not have sufficient permission 
to access it: /etc/keystone/credential-keys/
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi 
[req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 
fd71b607cfa84539bf0440915ea2d94b - default default] MultiFernet requires at 
least one Fernet instance
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi Traceback (most 
recent call last):
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 225, in 
__call__
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     result = 
method(req, **params)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in 
inner
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     return f(self, 
request, *args, **kwargs)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/credential/controllers.py", line 69, 
in create_credential
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     ref = 
self.credential_api.create_credential(ref['id'], ref)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in 
wrapped
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     __ret_val = 
__f(*args, **kwargs)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 106, in 
create_credential
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     credential_copy 
= self._encrypt_credential(credential)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/credential/core.py", line 72, in 
_encrypt_credential
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     
json.dumps(credential['blob'])
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py",
 line 68, in encrypt
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     crypto, keys = 
get_multi_fernet_keys()
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/credential/providers/fernet/core.py",
 line 49, in get_multi_fernet_keys
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     crypto = 
fernet.MultiFernet(fernet_keys)
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi   File 
"/usr/lib64/python2.7/site-packages/cryptography/fernet.py", line 128, in 
__init__
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi     "MultiFernet 
requires at least one Fernet instance"
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi ValueError: 
MultiFernet requires at least one Fernet instance
  2016-09-02 17:16:55.074 17619 ERROR keystone.common.wsgi

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1619758/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1619758] Re: Credential Encryption breaks deployments without Fernet

Reply via email to