x/vmtp
Code Issues Proposed changes

Add support for TLS enabled endpoints

Browse Source 
OpenStack supports endpoints that are protected by TLS.  URLs with
the https:// prefix can be found in the openrc file and also returned
from the keystone endpoint list.

VMTP, as a client, should be ready to send TLS enabled requests to
OpenStack and also verify the server side certificate that is sent
by the endpoint.

To validate a server side certificate, a client needs a copy of the
CA certificate representings the signing authority of the server
certificate.  For OpenStack, this CA certificat is pointed to by
the environment variable OS_CACERT.

The OpenStack client implementations accept the value in kwargs,
as either 'cacert' or 'ca_cert'.

Change-Id: I5b093d38ed51430d7c1ad09c65ec4961db818825
This commit is contained in:
Dave McCowan 2016-02-09 23:50:06 -05:00
parent 3f37c83765
commit 8481315c4e
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
vmtp/credentials.py
View File

@ -27,6 +27,8 @@ class Credentials(object):
dct['password'] = self.rc_password
dct['auth_url'] = self.rc_auth_url
dct['tenant_name'] = self.rc_tenant_name
dct['cacert'] = self.rc_cacert
dct['ca_cert'] = self.rc_cacert
return dct
def get_nova_credentials(self):
@ -35,6 +37,7 @@ class Credentials(object):
dct['api_key'] = self.rc_password
dct['auth_url'] = self.rc_auth_url
dct['project_id'] = self.rc_tenant_name
dct['cacert'] = self.rc_cacert
return dct
def get_nova_credentials_v2(self):
@ -51,6 +54,7 @@ class Credentials(object):
self.rc_username = None
self.rc_tenant_name = None
self.rc_auth_url = None
self.rc_cacert = None
success = True
if openrc_file:
@ -79,6 +83,8 @@ class Credentials(object):
self.rc_auth_url = value
elif name == 'TENANT_NAME':
self.rc_tenant_name = value
elif name == "CACERT":
self.rc_cacert = value
else:
print 'Error: rc file does not exist %s' % (openrc_file)
success = False
@ -94,6 +100,8 @@ class Credentials(object):
self.rc_username = os.environ['OS_USERNAME']
self.rc_auth_url = os.environ['OS_AUTH_URL']
self.rc_tenant_name = os.environ['OS_TENANT_NAME']
if 'OS_CACERT' in os.environ:
self.rc_cacert = os.environ['OS_CACERT']
# always override with CLI argument if provided
if pwd:

3
vmtp/vmtp.py
View File

@ -215,7 +215,8 @@ class VmtpTest(object):
glance_endpoint = keystone.service_catalog.url_for(
service_type='image', endpoint_type='publicURL')
self.glance_client = glanceclient.Client(
glance_endpoint, token=keystone.auth_token)
glance_endpoint, token=keystone.auth_token,
cacert=creds['cacert'])
self.comp.upload_image_via_url(
self.glance_client,
self.config.image_name,