From df460ec6dd221219033a5cc81607b1d07cb06b90 Mon Sep 17 00:00:00 2001 From: Amey Bhide Date: Tue, 25 Aug 2015 16:23:39 -0700 Subject: [PATCH] Add support to NSXv3 driver to verify certs NSXv3 driver was missing certification verification. This patch add cert verification DocImpact Closes-Bug: #1488692 Change-Id: I8892103225b62ccc526e91e688f01f4150b42cc6 --- devstack/lib/vmware_nsx_v3 | 2 ++ vmware_nsx/etc/nsx.ini | 9 +++++++ .../neutron/plugins/vmware/common/config.py | 23 +++++++++++----- .../plugins/vmware/nsxlib/v3/client.py | 26 +++++++++++-------- 4 files changed, 42 insertions(+), 18 deletions(-) diff --git a/devstack/lib/vmware_nsx_v3 b/devstack/lib/vmware_nsx_v3 index 319103a1cc..d4200edc47 100644 --- a/devstack/lib/vmware_nsx_v3 +++ b/devstack/lib/vmware_nsx_v3 @@ -110,6 +110,8 @@ function neutron_plugin_configure_service { _nsxv3_ini_set nsx_user $NSX_USER _nsxv3_ini_set nsx_password $NSX_PASSWORD _nsxv3_ini_set retries $NSX_RETRIES + _nsxv3_ini_set insecure $NSX_INSECURE + _nsxv3_ini_set ca_file $NSX_CA_FILE } function neutron_plugin_setup_interface_driver { diff --git a/vmware_nsx/etc/nsx.ini b/vmware_nsx/etc/nsx.ini index 2866b5922e..426ccabe1b 100644 --- a/vmware_nsx/etc/nsx.ini +++ b/vmware_nsx/etc/nsx.ini @@ -315,3 +315,12 @@ # Maximum number of times to retry API requests # retries = 10 + +# Specify a CA bundle file to use in verifying the NSX Manager +# server certificate. +# ca_file = + +# If true, the NSX Manager server certificate is not verified. If false, +# then the default CA truststore is used for verification. This option +# is ignored if "ca_file" is set. +# insecure = true diff --git a/vmware_nsx/neutron/plugins/vmware/common/config.py b/vmware_nsx/neutron/plugins/vmware/common/config.py index e3ece388de..02e4791bd7 100644 --- a/vmware_nsx/neutron/plugins/vmware/common/config.py +++ b/vmware_nsx/neutron/plugins/vmware/common/config.py 
@@ -185,7 +185,16 @@ nsx_v3_opts = [ help=_("Default edge cluster identifier")), cfg.IntOpt('retries', default=10, - help=_('Maximum number of times to retry API request')) + help=_('Maximum number of times to retry API request')), + cfg.StrOpt('ca_file', + help=_('Specify a CA bundle file to use in verifying the NSX ' + 'Manager server certificate.')), + cfg.BoolOpt('insecure', + default=True, + help=_('If true, the NSX Manager server certificate is not ' + 'verified. If false, then the default CA truststore is ' + 'used for verification. This option is ignored if ' + '"ca_file" is set.')), ] DEFAULT_STATUS_CHECK_INTERVAL = 2000 @@ -207,14 +216,14 @@ nsxv_opts = [ deprecated_group="vcns", help=_('uri for vsm')), cfg.StrOpt('ca_file', - help='Specify a CA bundle file to use in verifying the NSXv ' - 'server certificate.'), + help=_('Specify a CA bundle file to use in verifying the NSXv ' + 'server certificate.')), cfg.BoolOpt('insecure', default=True, - help='If true, the NSXv server certificate is not verified. ' - 'If false, then the default CA truststore is used for ' - 'verification. This option is ignored if "ca_file" is ' - 'set.'), + help=_('If true, the NSXv server certificate is not verified. ' + 'If false, then the default CA truststore is used for ' + 'verification. This option is ignored if "ca_file" is ' + 'set.')), cfg.ListOpt('cluster_moid', default=[], help=_('Parameter listing the IDs of the clusters ' diff --git a/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py b/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py index 1acde1c1db..a66cdd672b 100644 --- a/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py +++ b/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py 
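Review bot: The new `insecure` option in `nsx_v3_opts` is declared with `default=True`, so after this patch the NSX Manager certificate is still not verified unless an operator explicitly sets `insecure = false` or configures `ca_file`; the patch adds the capability but not the protection, and neither the commit message nor the help text says so. Presumably the True default mirrors the existing `nsxv` option (hunk below), but for a new driver `default=False` would make verification the default and keep `insecure` as an explicit opt-out. If the True default is kept, the help text should state the consequence, e.g. `'Defaults to True, which leaves the connection open to a man-in-the-middle; set to False in production.'`. The help text also promises that `insecure` is ignored when `ca_file` is set, which nothing in this options list enforces — that precedence has to be implemented by the client code that reads these options.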
@@ -32,7 +32,8 @@ def _get_manager_endpoint(): manager = _get_manager_ip() username = cfg.CONF.nsx_v3.nsx_user password = cfg.CONF.nsx_v3.nsx_password - return "https://%s" % manager, username, password + verify_cert = not cfg.CONF.nsx_v3.insecure + return "https://%s" % manager, username, password, verify_cert def _get_manager_ip(): 
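Review bot: `verify_cert = not cfg.CONF.nsx_v3.insecure` never consults `ca_file`, so the precedence documented on the option ("ignored if ca_file is set") is not implemented here: with the default `insecure=True` and a `ca_file` configured, `verify_cert` is still False and the bundle is never used. `requests` accepts a CA-bundle path in `verify`, so the line should be `verify_cert = cfg.CONF.nsx_v3.ca_file or not cfg.CONF.nsx_v3.insecure`, which honours `ca_file` when set and falls back to the boolean otherwise. The return value also grows from a 3-tuple to a 4-tuple; any caller of `_get_manager_endpoint` outside this diff that still unpacks three values would break, so that is worth grepping for.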
@@ -65,46 +66,49 @@ def _validate_result(result, expected, operation): def get_resource(resource): - manager, user, password = _get_manager_endpoint() + manager, user, password, verify = _get_manager_endpoint() url = manager + "/api/v1/%s" % resource headers = {'Accept': 'application/json'} result = requests.get(url, auth=auth.HTTPBasicAuth(user, password), - verify=False, headers=headers) + verify=verify, headers=headers, + cert=cfg.CONF.nsx_v3.ca_file) _validate_result(result, [requests.codes.ok], _("reading resource: %s") % resource) return result.json() def create_resource(resource, data): - manager, user, password = _get_manager_endpoint() + manager, user, password, verify = _get_manager_endpoint() url = manager + "/api/v1/%s" % resource headers = {'Content-Type': 'application/json', 'Accept': 'application/json'} result = requests.post(url, auth=auth.HTTPBasicAuth(user, password), - verify=False, headers=headers, - data=jsonutils.dumps(data)) + verify=verify, headers=headers, + data=jsonutils.dumps(data), + cert=cfg.CONF.nsx_v3.ca_file) _validate_result(result, [requests.codes.created], _("creating resource at: %s") % resource) return result.json() def update_resource(resource, data): - manager, user, password = _get_manager_endpoint() + manager, user, password, verify = _get_manager_endpoint() url = manager + "/api/v1/%s" % resource headers = {'Content-Type': 'application/json', 'Accept': 'application/json'} result = requests.put(url, auth=auth.HTTPBasicAuth(user, password), - verify=False, headers=headers, - data=jsonutils.dumps(data)) + verify=verify, headers=headers, + data=jsonutils.dumps(data), + cert=cfg.CONF.nsx_v3.ca_file) _validate_result(result, [requests.codes.ok], _("updating resource: %s") % resource) return result.json() def delete_resource(resource): - manager, user, password = _get_manager_endpoint() + manager, user, password, verify = _get_manager_endpoint() url = manager + "/api/v1/%s" % resource result = requests.delete(url, 
auth=auth.HTTPBasicAuth(user, password), - verify=False) + verify=verify, cert=cfg.CONF.nsx_v3.ca_file) _validate_result(result, [requests.codes.ok], _("deleting resource: %s") % resource)
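Review bot: `cert=cfg.CONF.nsx_v3.ca_file` in the four `requests` calls (`get_resource`, `create_resource`, `update_resource`, `delete_resource`) passes the CA bundle as the client certificate: the `cert` parameter of `requests` is the client-side cert/key for mutual TLS, whereas server-certificate verification against a bundle is done by passing the bundle path in `verify`. As written, a configured `ca_file` never verifies the NSX Manager, and since a CA bundle normally carries no private key the handshake is likely to fail outright when it is set (inferred from the requests API; worth trying with a real bundle). Drop `cert=cfg.CONF.nsx_v3.ca_file` from all four calls and let the `verify` value returned by `_get_manager_endpoint` carry either the bool or the bundle path, e.g. `verify = ca_file or not insecure` at the single place it is computed, which also gives the precedence the option help text documents. When `ca_file` is unset the current `cert=None` is harmless, which is why this is easy to miss in testing.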