[Yahoo-eng-team] [Bug 1611171] Re: re-runs self via sudo

2018-03-24 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/371920
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0d4438368fd769a0e6b83bfdaf1cb980f888c504
Submitter: Zuul
Branch:    master

commit 0d4438368fd769a0e6b83bfdaf1cb980f888c504
Author: Iswarya_Vakati 
Date:   Sat Sep 17 17:07:16 2016 +0530

Don't attempt to escalate manila-manage privileges

Remove code which allowed manila-manage to attempt to escalate
privileges so that configuration files can be read by users who
normally wouldn't have access, but do have sudo access.

Change-Id: Ie3bf9a81ee8d723cd8618643fa9d7382462aae42
Closes-Bug:#1611171


** Changed in: manila
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  Fix Released
Status in Designate:
  Fix Released
Status in ec2-api:
  Fix Released
Status in gce-api:
  Fix Released
Status in Manila:
  Fix Released
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in Rally:
  Fix Released

Bug description:
  Hello, I'm looking through Designate source code to determine if it is
  appropriate to include in Ubuntu Main. This isn't a full security
  audit.

  This looks like trouble:

  ./designate/cmd/manage.py

  def main():
      CONF.register_cli_opt(category_opt)

      try:
          utils.read_config('designate', sys.argv)
          logging.setup(CONF, 'designate')
      except cfg.ConfigFilesNotFoundError:
          cfgfile = CONF.config_file[-1] if CONF.config_file else None
          if cfgfile and not os.access(cfgfile, os.R_OK):
              st = os.stat(cfgfile)
              print(_("Could not read %s. Re-running with sudo") % cfgfile)
              try:
                  os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
              except Exception:
                  print(_('sudo failed, continuing as if nothing happened'))

          print(_('Please re-run designate-manage as root.'))
          sys.exit(2)

  
  This is an interesting decision -- if the configuration file is _not_
  readable by the user in question, give the executing user complete
  privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in
  programs -- if a user had recently used sudo and thus had the
  authentication token already stored for their terminal, this 'hidden'
  use of sudo may be unexpected and unwelcome, especially since it
  appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
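
An audit aid for the pattern reported in bug 1611171 above, added here as an example and not code from any of the affected projects: it parses Python source and flags process-launching calls that run sudo, recording whether sys.argv is forwarded to them. SAMPLE is constructed from the excerpt in the report, and find_sudo_reexec is a name chosen for this example.

```python
import ast

# Calls that replace or spawn a process (os.exec* family, common subprocess entry points).
EXEC_FUNCS = {"execv", "execve", "execvp", "execvpe", "execl", "execle", "execlp", "execlpe"}
SPAWN_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}

# Constructed sample, modelled on the manage.py excerpt quoted in the bug report.
SAMPLE = '''
import os, sys

def main():
    try:
        read_config()
    except ConfigError:
        st = os.stat(cfgfile)
        try:
            os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
        except Exception:
            print('sudo failed, continuing as if nothing happened')
        sys.exit(2)
'''

def _has_sudo_literal(node):
    """True if a string literal under node is 'sudo' or a path ending in '/sudo'."""
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str)
               and (n.value == "sudo" or n.value.endswith("/sudo"))
               for n in ast.walk(node))

def _has_sys_argv(node):
    """True if sys.argv is referenced anywhere under node."""
    return any(isinstance(n, ast.Attribute) and n.attr == "argv"
               and isinstance(n.value, ast.Name) and n.value.id == "sys"
               for n in ast.walk(node))

def find_sudo_reexec(source, filename="<string>"):
    """Return sorted (lineno, function, forwards_argv) for calls that run sudo."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXEC_FUNCS | SPAWN_FUNCS:
            continue
        operands = list(node.args) + [kw.value for kw in node.keywords]
        if any(_has_sudo_literal(op) for op in operands):
            forwards = any(_has_sys_argv(op) for op in operands)
            findings.append((node.lineno, node.func.attr, forwards))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, func, forwards in find_sudo_reexec(SAMPLE):
        print("line %d: %s() runs sudo (sys.argv forwarded: %s)" % (lineno, func, forwards))
```

The check is syntactic: it only sees sudo when it appears as a string literal in the call's arguments, so a command name built at run time needs manual review.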


[Yahoo-eng-team] [Bug 1743922] Re: Choice of image source even when file is the only option

2018-03-24 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/554504
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=63ab3606c049429d9294a28ef2d6d0b2e0ac3d85
Submitter: Zuul
Branch:    master

commit 63ab3606c049429d9294a28ef2d6d0b2e0ac3d85
Author: Dongjx 
Date:   Tue Mar 20 19:01:05 2018 +0800

Delete choice of image source when file is the only option

Change-Id: I4b4960722a48b7fb7758062539d7dd6a70f933df
Closes-Bug: #1743922


** Changed in: horizon
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1743922

Title:
  Choice of image source even when file is the only option

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  the current default settings only allow for an image to be uploaded by
  file, not URL as was relevant in older versions of cinder, but horizon
  still shows a selector on the create images page.

  If the option for upload via URL is not enabled, a selector should not
  be shown.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1743922/+subscriptions



[Yahoo-eng-team] [Bug 1754359] Re: Apache configuration missing

2018-03-24 Thread Colleen Murphy
The default configuration provided by Ubuntu is correct. We are
discouraging creating a vhost on port 35357 because it is not needed as
of the Queens release. This is also not a documentation bug; if there is
a problem with Ubuntu's packaging it should be addressed with the Ubuntu
cloud team. In this case I do not believe there is a problem with the
default Apache file they've provided.

** Changed in: keystone
   Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1754359

Title:
  Apache configuration missing

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  - [ ] This doc is inaccurate in this way: __
  - [X] This is a doc addition request.
  - [ ] I have a fix to the document that I can paste below including example: input and output.

  Below is the good apache2 configuration for keystone:

  File : /etc/apache2/sites-available/keystone.conf

  Listen 5000
  Listen 35357

  
  WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
  WSGIProcessGroup keystone-public
  WSGIScriptAlias / /usr/bin/keystone-wsgi-public
  WSGIApplicationGroup %{GLOBAL}
  WSGIPassAuthorization On
  ErrorLogFormat "%{cu}t %M"
  ErrorLog /var/log/apache2/keystone.log
  CustomLog /var/log/apache2/keystone_access.log combined

  
  Require all granted
  
  

  
  WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
  WSGIProcessGroup keystone-admin
  WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
  WSGIApplicationGroup %{GLOBAL}
  WSGIPassAuthorization On
  ErrorLogFormat "%{cu}t %M"
  ErrorLog /var/log/apache2/keystone.log
  CustomLog /var/log/apache2/keystone_access.log combined

  
  Require all granted
  
  

  Default configuration but wrong :

  Listen 5000

  
  WSGIScriptAlias / /usr/bin/keystone-wsgi-public
  WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
  WSGIProcessGroup keystone-public
  WSGIApplicationGroup %{GLOBAL}
  WSGIPassAuthorization On
  LimitRequestBody 114688

  = 2.4>
    ErrorLogFormat "%{cu}t %M"
  

  ErrorLog /var/log/apache2/keystone.log
  CustomLog /var/log/apache2/keystone_access.log combined

  
  = 2.4>
  Require all granted
  
  
  Order allow,deny
  Allow from all
  
  
  

  Alias /identity /usr/bin/keystone-wsgi-public
  
  SetHandler wsgi-script
  Options +ExecCGI

  WSGIProcessGroup keystone-public
  WSGIApplicationGroup %{GLOBAL}
  WSGIPassAuthorization On
  

  DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
  OpenStack Version : Queens

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1754359/+subscriptions



[Yahoo-eng-team] [Bug 1758486] Re: nova cant attach volume, unathorized

2018-03-24 Thread Huy Doan
** Also affects: cinder
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1758486

Title:
  nova cant attach volume, unathorized

Status in Cinder:
  New
Status in OpenStack Compute (nova):
  New

Bug description:
  after upgrade to queens, nova unable to attach volume from cinder.

  
  ```
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi 
[req-6cb77dfe-f718-42d5-a83a-10fa80dea989 fa4ca618dd5247a0841adeac574b54d6 
7265d9424e8e4719aa192b08b6d0227b - default default] Unexpected exception in API 
method: Unauthorized: The request you have made requires authentication. (HTTP 
401)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi Traceback (most 
recent call last):
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 788, in 
wrapped
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
f(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/api/validation/__init__.py", line 108, 
in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
func(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/api/validation/__init__.py", line 108, 
in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
func(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/volumes.py", line 
336, in create
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi 
supports_multiattach=supports_multiattach)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 203, in inner
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
function(self, context, instance, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 151, in inner
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
f(self, context, instance, *args, **kw)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 3940, in 
attach_volume
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi volume = 
self.volume_api.get(context, volume_id)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 291, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi res = 
method(self, ctx, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 313, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi res = 
method(self, ctx, volume_id, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 379, in get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi context, 
microversion=microversion).volumes.get(volume_id)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/cinderclient/v2/volumes.py", line 308, 
in get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
self._get("/volumes/%s" % volume_id, "volume")
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/cinderclient/base.py", line 321, in _get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi resp, body = 
self.api.client.get(url)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 199, in 
get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
self._cs_request(url, 'GET', **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 190, in 
_cs_request
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi return 
self.request(url, method, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 176, in 
request
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi raise 
exceptions.from_response(resp, body)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi Unauthorized: The 
request you have made requires authentication. (HTTP 401)
  2018-03-24 09:24:12.781