From 86f5b9012e99fee05ab52ed606e4348324715afc Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Fri, 9 Feb 2024 10:33:15 +0000 Subject: [PATCH] Support SSL verification in creating Blazar client Adds support for SSL verification when ``OPENSTACK_SSL_CACERT`` is set. Explicitly skips verification if ``OPENSTACK_SSL_NO_VERIFY`` is set. This also switches to Session-based instantiation for the Blazar client, away from the deprecated url+token method. Closes-Bug: #2045281 Change-Id: I94aad7590b1e42ddfa1a20fdb184ca4d73587cd6 --- blazar_dashboard/api/client.py | 25 ++++++++++++++----- ...ng-the-blazar-client-603ee30a4356ab52.yaml | 10 ++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml diff --git a/blazar_dashboard/api/client.py b/blazar_dashboard/api/client.py index 0d696b8..aeeb41d 100644 --- a/blazar_dashboard/api/client.py +++ b/blazar_dashboard/api/client.py @@ -17,8 +17,11 @@ import logging from pytz import UTC from blazar_dashboard import conf +from django.conf import settings from horizon import exceptions from horizon.utils.memoized import memoized +from keystoneauth1.identity import v3 +from keystoneauth1 import session from openstack_dashboard.api import base from blazarclient import client as blazar_client @@ -69,16 +72,26 @@ class Allocation(base.APIDictWrapper): @memoized def blazarclient(request): try: - api_url = base.url_for(request, 'reservation') + _ = base.url_for(request, 'reservation') except exceptions.ServiceCatalogException: LOG.debug('No Reservation service is configured.') return None - LOG.debug('blazarclient connection created using the token "%s" and url' - '"%s"' % (request.user.token.id, api_url)) - return blazar_client.Client( - blazar_url=api_url, - auth_token=request.user.token.id) + auth_url = settings.OPENSTACK_KEYSTONE_URL + project_id = request.user.project_id + domain_id = request.session.get('domain_context') + auth = v3.Token(auth_url, + request.user.token.id, + project_id=project_id, + project_domain_id=domain_id) + insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) + cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None) + # If 'insecure' is True, 'verify' is False in all cases; otherwise + # pass the cacert path if it is present, or True if no cacert. + verify = not insecure and (cacert or True) + sess = session.Session(auth=auth, verify=verify) + + return blazar_client.Client(session=sess) def lease_list(request): diff --git a/releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml b/releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml new file mode 100644 index 0000000..a0b5a10 --- /dev/null +++ b/releasenotes/notes/support-ssl-verification-when-creating-the-blazar-client-603ee30a4356ab52.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Adds support for specifying a CA certificate to use to verify SSL + connections with ``OPENSTACK_SSL_CACERT`` and for disabling SSL certificate + checks with ``OPENSTACK_SSL_NO_VERIFY``. +fixes: + - | + Fixes the dashboard not working when ``OPENSTACK_SSL_CACERT`` is set. + `LP#2045281 `__