Ensure NSXv driver can verify certificates
The NSXv driver was missing code to do certificate verification. In fact, it was intentional turned off. This patch adds the capability to turn it on. DocImpact: Two new options for the NSXv driver: ca_file and insecure. Change-Id: I12ffa2f5e80d4dd357e907631d2bcc76c13a0797 Closes-Bug: #1488265
This commit is contained in:
parent
380ff5d666
commit
16b564346e
@ -84,6 +84,8 @@ function neutron_plugin_configure_service {
|
||||
_nsxv_ini_set vdn_scope_id "$NSXV_VDN_SCOPE_ID"
|
||||
_nsxv_ini_set dvs_id "$NSXV_DVS_ID"
|
||||
_nsxv_ini_set manager_uri "$NSXV_MANAGER_URI"
|
||||
_nsxv_ini_set ca_file "$NSXV_CA_FILE"
|
||||
_nsxv_ini_set insecure "$NSXV_INSECURE"
|
||||
_nsxv_ini_set datacenter_moid "$NSXV_DATACENTER_MOID"
|
||||
_nsxv_ini_set datastore_id "$NSXV_DATASTORE_ID"
|
||||
_nsxv_ini_set resource_pool_id "$NSXV_RESOURCE_POOL_ID"
|
||||
|
@ -58,6 +58,14 @@
|
||||
# Password for NSXv manager
|
||||
# password = default
|
||||
|
||||
# Specify a CA bundle file to use in verifying the NSXv server certificate.
|
||||
# ca_file =
|
||||
|
||||
# If true, the NSXv server certificate is not verified. If false,
|
||||
# then the default CA truststore is used for verification. This option
|
||||
# is ignored if "ca_file" is set.
|
||||
# insecure = true
|
||||
|
||||
# (Required) Datacenter ID for Edge deployment
|
||||
# datacenter_moid =
|
||||
|
||||
|
@ -206,6 +206,15 @@ nsxv_opts = [
|
||||
cfg.StrOpt('manager_uri',
|
||||
deprecated_group="vcns",
|
||||
help=_('uri for vsm')),
|
||||
cfg.StrOpt('ca_file',
|
||||
help='Specify a CA bundle file to use in verifying the NSXv '
|
||||
'server certificate.'),
|
||||
cfg.BoolOpt('insecure',
|
||||
default=True,
|
||||
help='If true, the NSXv server certificate is not verified. '
|
||||
'If false, then the default CA truststore is used for '
|
||||
'verification. This option is ignored if "ca_file" is '
|
||||
'set.'),
|
||||
cfg.ListOpt('cluster_moid',
|
||||
default=[],
|
||||
help=_('Parameter listing the IDs of the clusters '
|
||||
|
@ -73,7 +73,8 @@ class VcnsApiHelper(object):
|
||||
503: exceptions.ServiceUnavailable
|
||||
}
|
||||
|
||||
def __init__(self, address, user, password, format='json'):
|
||||
def __init__(self, address, user, password, format='json', ca_file=None,
|
||||
insecure=True):
|
||||
self.authToken = base64.encodestring(six.b("%s:%s" % (user, password)))
|
||||
self.user = user
|
||||
self.passwd = password
|
||||
@ -83,12 +84,18 @@ class VcnsApiHelper(object):
|
||||
self.encode = jsonutils.dumps
|
||||
else:
|
||||
self.encode = xmldumps
|
||||
self.ca_file = ca_file
|
||||
self.insecure = insecure
|
||||
|
||||
def request(self, method, uri, params=None, headers=None,
|
||||
encodeparams=True):
|
||||
uri = self.address + uri
|
||||
http = httplib2.Http()
|
||||
http.disable_ssl_certificate_validation = True
|
||||
if self.ca_file is not None:
|
||||
http.ca_certs = self.ca_file
|
||||
http.disable_ssl_certificate_validation = False
|
||||
else:
|
||||
http.disable_ssl_certificate_validation = self.insecure
|
||||
if headers is None:
|
||||
headers = {}
|
||||
|
||||
|
@ -72,14 +72,22 @@ def retry_upon_exception(exc, delay=500, max_delay=2000,
|
||||
|
||||
class Vcns(object):
|
||||
|
||||
def __init__(self, address, user, password):
|
||||
def __init__(self, address, user, password, ca_file, insecure):
|
||||
self.address = address
|
||||
self.user = user
|
||||
self.password = password
|
||||
self.ca_file = ca_file
|
||||
self.insecure = insecure
|
||||
self.jsonapi_client = VcnsApiClient.VcnsApiHelper(address, user,
|
||||
password, 'json')
|
||||
password,
|
||||
format='json',
|
||||
ca_file=ca_file,
|
||||
insecure=insecure)
|
||||
self.xmlapi_client = VcnsApiClient.VcnsApiHelper(address, user,
|
||||
password, 'xml')
|
||||
password,
|
||||
format='xml',
|
||||
ca_file=ca_file,
|
||||
insecure=insecure)
|
||||
|
||||
@retry_upon_exception(exceptions.ServiceConflict)
|
||||
def _client_request(self, client, method, uri,
|
||||
|
@ -38,13 +38,16 @@ class VcnsDriver(edge_appliance_driver.EdgeApplianceDriver,
|
||||
self.vcns_uri = cfg.CONF.nsxv.manager_uri
|
||||
self.vcns_user = cfg.CONF.nsxv.user
|
||||
self.vcns_passwd = cfg.CONF.nsxv.password
|
||||
self.ca_file = cfg.CONF.nsxv.ca_file
|
||||
self.insecure = cfg.CONF.nsxv.insecure
|
||||
self.datacenter_moid = cfg.CONF.nsxv.datacenter_moid
|
||||
self.deployment_container_id = cfg.CONF.nsxv.deployment_container_id
|
||||
self.resource_pool_id = cfg.CONF.nsxv.resource_pool_id
|
||||
self.datastore_id = cfg.CONF.nsxv.datastore_id
|
||||
self.external_network = cfg.CONF.nsxv.external_network
|
||||
self._task_manager = None
|
||||
self.vcns = vcns.Vcns(self.vcns_uri, self.vcns_user, self.vcns_passwd)
|
||||
self.vcns = vcns.Vcns(self.vcns_uri, self.vcns_user, self.vcns_passwd,
|
||||
self.ca_file, self.insecure)
|
||||
|
||||
@property
|
||||
def task_manager(self):
|
||||
|
@ -74,7 +74,7 @@ class NsxvLoadbalancerTestCase(base.BaseTestCase):
|
||||
def setUp(self):
|
||||
super(NsxvLoadbalancerTestCase, self).setUp()
|
||||
self._lb = nsxv_loadbalancer.NsxvLoadbalancer()
|
||||
self._vcns = vcns.Vcns(None, None, None)
|
||||
self._vcns = vcns.Vcns(None, None, None, None, True)
|
||||
|
||||
def test_get_edge_loadbalancer(self):
|
||||
h = None
|
||||
|
Loading…
Reference in New Issue
Block a user