Add support to NSXv3 driver to verify certs

NSXv3 driver was missing certification verification. This patch add cert verification DocImpact Closes-Bug: #1488692 Change-Id: I8892103225b62ccc526e91e688f01f4150b42cc6
2015-08-25 16:23:39 -07:00 · 2015-08-25 16:23:39 -07:00 · df460ec6dd
commit df460ec6dd
parent 9054c32d83
4 changed files with 42 additions and 18 deletions
--- a/devstack/lib/vmware_nsx_v3
+++ b/devstack/lib/vmware_nsx_v3
@ -110,6 +110,8 @@ function neutron_plugin_configure_service {
    _nsxv3_ini_set nsx_user $NSX_USER
    _nsxv3_ini_set nsx_password $NSX_PASSWORD
    _nsxv3_ini_set retries $NSX_RETRIES
+    _nsxv3_ini_set insecure $NSX_INSECURE
+    _nsxv3_ini_set ca_file $NSX_CA_FILE
 }

 function neutron_plugin_setup_interface_driver {
--- a/vmware_nsx/etc/nsx.ini
+++ b/vmware_nsx/etc/nsx.ini
@ -315,3 +315,12 @@

 # Maximum number of times to retry API requests
 # retries = 10
+
+# Specify a CA bundle file to use in verifying the NSX Manager
+# server certificate.
+# ca_file =
+
+# If true, the NSX Manager server certificate is not verified. If false,
+# then the default CA truststore is used for verification. This option
+# is ignored if "ca_file" is set.
+# insecure = true
--- a/vmware_nsx/neutron/plugins/vmware/common/config.py
+++ b/vmware_nsx/neutron/plugins/vmware/common/config.py
@ -185,7 +185,16 @@ nsx_v3_opts = [
               help=_("Default edge cluster identifier")),
    cfg.IntOpt('retries',
               default=10,
-               help=_('Maximum number of times to retry API request'))
+               help=_('Maximum number of times to retry API request')),
+    cfg.StrOpt('ca_file',
+               help=_('Specify a CA bundle file to use in verifying the NSX '
+                      'Manager server certificate.')),
+    cfg.BoolOpt('insecure',
+                default=True,
+                help=_('If true, the NSX Manager server certificate is not '
+                       'verified. If false, then the default CA truststore is '
+                       'used for verification. This option is ignored if '
+                       '"ca_file" is set.')),
 ]

 DEFAULT_STATUS_CHECK_INTERVAL = 2000
@ -207,14 +216,14 @@ nsxv_opts = [
               deprecated_group="vcns",
               help=_('uri for vsm')),
    cfg.StrOpt('ca_file',
-               help='Specify a CA bundle file to use in verifying the NSXv '
-                    'server certificate.'),
+               help=_('Specify a CA bundle file to use in verifying the NSXv '
+                      'server certificate.')),
    cfg.BoolOpt('insecure',
                default=True,
-                help='If true, the NSXv server certificate is not verified. '
+                help=_('If true, the NSXv server certificate is not verified. '
                       'If false, then the default CA truststore is used for '
                       'verification. This option is ignored if "ca_file" is '
-                     'set.'),
+                       'set.')),
    cfg.ListOpt('cluster_moid',
                default=[],
                help=_('Parameter listing the IDs of the clusters '
--- a/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py
+++ b/vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py
@ -32,7 +32,8 @@ def _get_manager_endpoint():
    manager = _get_manager_ip()
    username = cfg.CONF.nsx_v3.nsx_user
    password = cfg.CONF.nsx_v3.nsx_password
-    return "https://%s" % manager, username, password
+    verify_cert = not cfg.CONF.nsx_v3.insecure
+    return "https://%s" % manager, username, password, verify_cert


 def _get_manager_ip():
@ -65,46 +66,49 @@ def _validate_result(result, expected, operation):


 def get_resource(resource):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
    url = manager + "/api/v1/%s" % resource
    headers = {'Accept': 'application/json'}
    result = requests.get(url, auth=auth.HTTPBasicAuth(user, password),
-                          verify=False, headers=headers)
+                          verify=verify, headers=headers,
+                          cert=cfg.CONF.nsx_v3.ca_file)
    _validate_result(result, [requests.codes.ok],
                     _("reading resource: %s") % resource)
    return result.json()


 def create_resource(resource, data):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
    url = manager + "/api/v1/%s" % resource
    headers = {'Content-Type': 'application/json',
               'Accept': 'application/json'}
    result = requests.post(url, auth=auth.HTTPBasicAuth(user, password),
-                           verify=False, headers=headers,
-                           data=jsonutils.dumps(data))
+                           verify=verify, headers=headers,
+                           data=jsonutils.dumps(data),
+                           cert=cfg.CONF.nsx_v3.ca_file)
    _validate_result(result, [requests.codes.created],
                     _("creating resource at: %s") % resource)
    return result.json()


 def update_resource(resource, data):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
    url = manager + "/api/v1/%s" % resource
    headers = {'Content-Type': 'application/json',
               'Accept': 'application/json'}
    result = requests.put(url, auth=auth.HTTPBasicAuth(user, password),
-                          verify=False, headers=headers,
-                          data=jsonutils.dumps(data))
+                          verify=verify, headers=headers,
+                          data=jsonutils.dumps(data),
+                          cert=cfg.CONF.nsx_v3.ca_file)
    _validate_result(result, [requests.codes.ok],
                     _("updating resource: %s") % resource)
    return result.json()


 def delete_resource(resource):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
    url = manager + "/api/v1/%s" % resource
    result = requests.delete(url, auth=auth.HTTPBasicAuth(user, password),
-                             verify=False)
+                             verify=verify, cert=cfg.CONF.nsx_v3.ca_file)
    _validate_result(result, [requests.codes.ok],
                     _("deleting resource: %s") % resource)