config options use-https and https-service-endpoints cannot change

Bug #1427906 reported by Billy Olsen
This bug affects 1 person
Affects: keystone (Juju Charms Collection)
Status: Fix Released
Importance: High
Assigned to: Edward Hope-Morley

Bug Description

Deploying keystone with one or more units makes it so that deployers cannot toggle secure endpoints (https) on and off.

This is due to the keystone config-changed charm relying on another trigger when there are peer units, which does not fire.

keystone_hooks.py - L147
...
    # Update relations since SSL may have been configured. If we have peer
    # units we can rely on the sync to do this in cluster relation.
    if is_elected_leader(CLUSTER_RES) and not peer_units():
        update_all_identity_relation_units()
...

[ Recreate Steps ]

1. Deploy 2 or more units of Keystone and relate to a service.
2. Enable/disable https service endpoints (juju set keystone https-service-endpoints=True/False)
3. Watch the endpoint listing. It does not change to the appropriate protocol (https/http). It remains stuck.

Billy Olsen (billy-olsen) wrote :

Note: this was found on the 15.01 release of the openstack charms.

tags: added: backport-potential cts
Billy Olsen (billy-olsen) wrote :

The problem is that the action of notifying identity relations upon config-changed hooks is deferred to the send_ssl_sync_request(). However, if SSL is fully disabled by setting both https-service-endpoints and use-https to False, then the promised identity-service relation notification from the ssl sync request never occurs.

Changed in keystone (Juju Charms Collection):
assignee: nobody → Billy Olsen (billy-olsen)
Changed in keystone (Juju Charms Collection):
status: New → In Progress
Edward Hope-Morley (hopem) wrote :

The problem is actually a combination of identity-relation updates not getting fired and peer_echo not updating/removing relation settings that have been unset (since they no longer exist to be echoed - a 'quirk' of our peer storage api). The solution to the second problem is to use a value, e.g. "null", to represent any cleared settings so that it feeds through. I'll have patches up shortly.

Changed in keystone (Juju Charms Collection):
assignee: Billy Olsen (billy-olsen) → Edward Hope-Morley (hopem)
importance: Undecided → High
tags: added: openstack
Changed in keystone (Juju Charms Collection):
status: In Progress → Fix Released
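
A simplified model of the peer-echo behaviour described in the comment above, added here as an illustration and not taken from the charm or its helper library. Relation settings are modelled as plain dicts; the function names, the CLEARED constant and the use of https-service-endpoints as the peer key are assumptions.

```python
# Assumption: peer_echo copies only the keys the sender still has, so a key
# removed on the sender is never removed on the receiving peer.
CLEARED = "null"  # sentinel standing in for an unset value


def peer_echo(local, peer):
    """Echo the sender's settings to a peer; absent keys are left untouched."""
    peer.update(local)
    return peer


def unset_by_delete(local, key):
    """Clear a setting by dropping the key: nothing remains to be echoed."""
    local.pop(key, None)


def unset_by_sentinel(local, key):
    """Clear a setting by storing the sentinel so the change feeds through."""
    local[key] = CLEARED


def effective(settings, key):
    """Read a setting, treating the sentinel the same as a missing key."""
    value = settings.get(key)
    return None if value in (None, CLEARED) else value


def endpoint_scheme(settings):
    """Scheme a unit would advertise from its own view of the settings."""
    enabled = effective(settings, "https-service-endpoints") == "True"
    return "https" if enabled else "http"


def run(unset):
    """Enable https, sync, disable it with the given strategy, sync again."""
    leader = {"https-service-endpoints": "True"}  # constructed sample data
    peer = peer_echo(leader, {})
    assert endpoint_scheme(peer) == "https"
    unset(leader, "https-service-endpoints")
    peer_echo(leader, peer)
    return endpoint_scheme(peer)


if __name__ == "__main__":
    print("unset by delete  :", run(unset_by_delete))
    print("unset by sentinel:", run(unset_by_sentinel))
```

With deletion the peer keeps its stale value and the advertised scheme stays stuck; with the sentinel the cleared state reaches the peer.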
Felipe Reyes (freyes) wrote :

This was merged on March 10th 2015, marking it as part of milestone 15.04.

Changed in keystone (Juju Charms Collection):
milestone: none → 15.04