From 447f11d3153237fd5bea636a5f79002cc26c4b82 Mon Sep 17 00:00:00 2001
From: Lisa Zangrando
Date: Mon, 16 Jan 2017 12:56:29 +0100
Subject: [PATCH] NovaManager and KeystoneManager are not SSL-enabled
NovaManager and KeystoneManager MUST support the HTTPS connections for interacting with the OpenStack services.
- added two new manager config options: ssl_ca_file and ssl_cert_file
Change-Id: Ibacbf3504badd65a792c72c9134e2c7c13adea69
Sem-Ver: feature
---
 synergy_scheduler_manager/keystone_manager.py | 36 +++++++++++++++----
 synergy_scheduler_manager/nova_manager.py | 36 +++++++++++++++----
 2 files changed, 59 insertions(+), 13 deletions(-)
diff --git a/synergy_scheduler_manager/keystone_manager.py b/synergy_scheduler_manager/keystone_manager.py
index 52c8dc5..6bdcce8 100644
--- a/synergy_scheduler_manager/keystone_manager.py
+++ b/synergy_scheduler_manager/keystone_manager.py
@@ -78,11 +78,22 @@ class KeystoneManager(Manager):
 cfg.IntOpt("clock_skew", help="set the clock skew (seconds)", default=60, + required=False), + cfg.StrOpt("ssl_ca_file", + help="set the PEM encoded Certificate Authority to " + "use when verifying HTTPs connections", + default=None, + required=False), + cfg.StrOpt("ssl_cert_file", + help="set the SSL client certificate (PEM encoded)", + default=None, required=False) ] def setup(self): self.auth_url = CONF.KeystoneManager.auth_url + self.ssl_ca_file = CONF.KeystoneManager.ssl_ca_file + self.ssl_cert_file = CONF.KeystoneManager.ssl_cert_file self.username = CONF.KeystoneManager.username self.password = CONF.KeystoneManager.password self.user_domain_name = CONF.KeystoneManager.user_domain_name
@@ -187,7 +198,9 @@ class KeystoneManager(Manager):
 response = requests.post(url=self.auth_url + "/auth/tokens", headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) if response.status_code != requests.codes.ok: response.raise_for_status()
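Review bot: The new `ssl_cert_file` option is handed to requests as a bare `cert=` path, which requests reads as a single PEM file holding both the client certificate and its unencrypted private key; the help text `set the SSL client certificate (PEM encoded)` does not say so, and a certificate-only file will fail at the first request instead of at startup. Suggest `help="path to a PEM file containing the client certificate and its private key"` and a fail-fast check at the end of setup(), e.g. `for path in (self.ssl_ca_file, self.ssl_cert_file): if path is not None and not os.path.isfile(path): raise Exception("SSL file not found: %s" % path)` (os may need importing; the module's import block is outside the hunk). The `ssl_ca_file` help should also state that leaving it unset keeps requests' default CA verification, since `verify=None` falls back to the session default of True, so nobody reads the None default as "verification off"; and `HTTPs` there should read `HTTPS`. The same points apply to the NovaManager options and setup() in the hunk at @@ -398.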
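Review bot: The `verify=self.ssl_ca_file, cert=self.ssl_cert_file` pair added to requests.post() here is repeated verbatim in the five dispatch branches at @@ -680 and again in NovaManager at @@ -542 and @@ -989, so any later TLS setting, or a fix to one of these calls, has to be applied in nine places. A style alternative is to build the mapping once in setup(), `self.ssl_options = {"verify": self.ssl_ca_file, "cert": self.ssl_cert_file}`, and pass `**self.ssl_options` at each call so the per-call lines carry only the timeout. The enclosing method starts outside this hunk.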
@@ -216,7 +229,6 @@ class KeystoneManager(Manager):
 user = User() user.setId(info["id"]) user.setName(info["name"]) - user.setProjectId(info["tenantId"]) user.setEnabled(info["enabled"]) return user
@@ -680,27 +692,37 @@ class KeystoneManager(Manager):
 response = requests.get(url, headers=headers, params=data, - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "POST": response = requests.post(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "PUT": response = requests.put(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "HEAD": response = requests.head(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "DELETE": response = requests.delete(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) else: raise Exception("wrong HTTP method: %s" % method)
diff --git a/synergy_scheduler_manager/nova_manager.py b/synergy_scheduler_manager/nova_manager.py
index d087504..c06e64b 100644
--- a/synergy_scheduler_manager/nova_manager.py
+++ b/synergy_scheduler_manager/nova_manager.py
@@ -398,12 +398,23 @@ class NovaManager(Manager):
 cfg.IntOpt("timeout", help="set the http connection timeout", default=60, + required=False), + cfg.StrOpt("ssl_ca_file", + help="set the PEM encoded Certificate Authority to " + "use when verifying HTTPs connections", + default=None, + required=False), + cfg.StrOpt("ssl_cert_file", + help="set the SSL client certificate (PEM encoded)", + default=None, required=False) ] def setup(self): eventlet.monkey_patch(os=False) + self.ssl_ca_file = CONF.NovaManager.ssl_ca_file + self.ssl_cert_file = CONF.NovaManager.ssl_cert_file self.timeout = CONF.NovaManager.timeout if self.getManager("KeystoneManager") is None:
@@ -542,7 +553,10 @@ class NovaManager(Manager):
 "x-tenant-id": server.getProjectId(), "x-instance-id-signature": digest} - request = requests.get(url, headers=headers, timeout=self.timeout) + request = requests.get(url, headers=headers, + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) if request.status_code != requests.codes.ok: if request.status_code == 404:
@@ -989,27 +1003,37 @@ class NovaManager(Manager):
 if method == "GET": request = requests.get(url, headers=headers, - params=data, timeout=self.timeout) + params=data, timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "POST": request = requests.post(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "PUT": request = requests.put(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "HEAD": request = requests.head(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) elif method == "DELETE": request = requests.delete(url, headers=headers, data=json.dumps(data), - timeout=self.timeout) + timeout=self.timeout, + verify=self.ssl_ca_file, + cert=self.ssl_cert_file) else: raise Exception("wrong HTTP method: %s" % method)