Add support to NSXv3 driver to verify certs

NSXv3 driver was missing certification verification. This patch
add cert verification

DocImpact
Closes-Bug: #1488692

Change-Id: I8892103225b62ccc526e91e688f01f4150b42cc6
This commit is contained in:
Amey Bhide 2015-08-25 16:23:39 -07:00
parent 9054c32d83
commit df460ec6dd
4 changed files with 42 additions and 18 deletions

View File

@ -110,6 +110,8 @@ function neutron_plugin_configure_service {
_nsxv3_ini_set nsx_user $NSX_USER
_nsxv3_ini_set nsx_password $NSX_PASSWORD
_nsxv3_ini_set retries $NSX_RETRIES
_nsxv3_ini_set insecure $NSX_INSECURE
_nsxv3_ini_set ca_file $NSX_CA_FILE
}
function neutron_plugin_setup_interface_driver {

View File

@ -315,3 +315,12 @@
# Maximum number of times to retry API requests
# retries = 10
# Specify a CA bundle file to use in verifying the NSX Manager
# server certificate.
# ca_file =
# If true, the NSX Manager server certificate is not verified. If false,
# then the default CA truststore is used for verification. This option
# is ignored if "ca_file" is set.
# insecure = true

View File

@ -185,7 +185,16 @@ nsx_v3_opts = [
help=_("Default edge cluster identifier")),
cfg.IntOpt('retries',
default=10,
help=_('Maximum number of times to retry API request'))
help=_('Maximum number of times to retry API request')),
cfg.StrOpt('ca_file',
help=_('Specify a CA bundle file to use in verifying the NSX '
'Manager server certificate.')),
cfg.BoolOpt('insecure',
default=True,
help=_('If true, the NSX Manager server certificate is not '
'verified. If false, then the default CA truststore is '
'used for verification. This option is ignored if '
'"ca_file" is set.')),
]
DEFAULT_STATUS_CHECK_INTERVAL = 2000
@ -207,14 +216,14 @@ nsxv_opts = [
deprecated_group="vcns",
help=_('uri for vsm')),
cfg.StrOpt('ca_file',
help='Specify a CA bundle file to use in verifying the NSXv '
'server certificate.'),
help=_('Specify a CA bundle file to use in verifying the NSXv '
'server certificate.')),
cfg.BoolOpt('insecure',
default=True,
help='If true, the NSXv server certificate is not verified. '
'If false, then the default CA truststore is used for '
'verification. This option is ignored if "ca_file" is '
'set.'),
help=_('If true, the NSXv server certificate is not verified. '
'If false, then the default CA truststore is used for '
'verification. This option is ignored if "ca_file" is '
'set.')),
cfg.ListOpt('cluster_moid',
default=[],
help=_('Parameter listing the IDs of the clusters '

View File

@ -32,7 +32,8 @@ def _get_manager_endpoint():
manager = _get_manager_ip()
username = cfg.CONF.nsx_v3.nsx_user
password = cfg.CONF.nsx_v3.nsx_password
return "https://%s" % manager, username, password
verify_cert = not cfg.CONF.nsx_v3.insecure
return "https://%s" % manager, username, password, verify_cert
def _get_manager_ip():
@ -65,46 +66,49 @@ def _validate_result(result, expected, operation):
def get_resource(resource):
manager, user, password = _get_manager_endpoint()
manager, user, password, verify = _get_manager_endpoint()
url = manager + "/api/v1/%s" % resource
headers = {'Accept': 'application/json'}
result = requests.get(url, auth=auth.HTTPBasicAuth(user, password),
verify=False, headers=headers)
verify=verify, headers=headers,
cert=cfg.CONF.nsx_v3.ca_file)
_validate_result(result, [requests.codes.ok],
_("reading resource: %s") % resource)
return result.json()
def create_resource(resource, data):
manager, user, password = _get_manager_endpoint()
manager, user, password, verify = _get_manager_endpoint()
url = manager + "/api/v1/%s" % resource
headers = {'Content-Type': 'application/json',
'Accept': 'application/json'}
result = requests.post(url, auth=auth.HTTPBasicAuth(user, password),
verify=False, headers=headers,
data=jsonutils.dumps(data))
verify=verify, headers=headers,
data=jsonutils.dumps(data),
cert=cfg.CONF.nsx_v3.ca_file)
_validate_result(result, [requests.codes.created],
_("creating resource at: %s") % resource)
return result.json()
def update_resource(resource, data):
manager, user, password = _get_manager_endpoint()
manager, user, password, verify = _get_manager_endpoint()
url = manager + "/api/v1/%s" % resource
headers = {'Content-Type': 'application/json',
'Accept': 'application/json'}
result = requests.put(url, auth=auth.HTTPBasicAuth(user, password),
verify=False, headers=headers,
data=jsonutils.dumps(data))
verify=verify, headers=headers,
data=jsonutils.dumps(data),
cert=cfg.CONF.nsx_v3.ca_file)
_validate_result(result, [requests.codes.ok],
_("updating resource: %s") % resource)
return result.json()
def delete_resource(resource):
manager, user, password = _get_manager_endpoint()
manager, user, password, verify = _get_manager_endpoint()
url = manager + "/api/v1/%s" % resource
result = requests.delete(url, auth=auth.HTTPBasicAuth(user, password),
verify=False)
verify=verify, cert=cfg.CONF.nsx_v3.ca_file)
_validate_result(result, [requests.codes.ok],
_("deleting resource: %s") % resource)