Remove VxFlex OS credentials from connection_properties

VxFlex OS password is not stored in block_device_mapping table. Instead of this passwords are stored in separate file and are retrieved during each attach/detach operation. Closes-Bug: #1823200 Change-Id: Ia7cc17472677a693c6162f0b8b0529df62eed7cf
2020-06-01 11:32:38 +03:00 · 2020-06-01 11:32:38 +03:00 · b2c9592281
commit b2c9592281
parent ce5709d0e2
6 changed files with 83 additions and 8 deletions
--- a/cinder/volume/drivers/dell_emc/vxflexos/driver.py
+++ b/cinder/volume/drivers/dell_emc/vxflexos/driver.py
@ -90,9 +90,10 @@ class VxFlexOSDriver(driver.VolumeDriver):
          3.5.1 - Add volume replication v2.1 support for VxFlex OS 3.5.x
          3.5.2 - Add volume migration support
          3.5.3 - Add revert volume to snapshot support
+          3.5.4 - Fix for Bug #1823200. See OSSN-0086 for details.
    """

-    VERSION = "3.5.3"
+    VERSION = "3.5.4"
    # ThirdPartySystems wiki
    CI_WIKI_NAME = "DellEMC_VxFlexOS_CI"

@ -853,6 +854,8 @@ class VxFlexOSDriver(driver.VolumeDriver):
        volume_name = flex_utils.id_to_base64(vol_or_snap.id)
        connection_properties["scaleIO_volname"] = volume_name
        connection_properties["scaleIO_volume_id"] = vol_or_snap.provider_id
+        connection_properties["config_group"] = self.configuration.config_group
+        connection_properties["failed_over"] = self._is_failed_over

        if vol_size is not None:
            extra_specs = self._get_volumetype_extraspecs(vol_or_snap)
@ -1200,6 +1203,8 @@ class VxFlexOSDriver(driver.VolumeDriver):
            volume.id
        )
        connection_properties["scaleIO_volume_id"] = volume.provider_id
+        connection_properties["config_group"] = self.configuration.config_group
+        connection_properties["failed_over"] = self._is_failed_over
        device_info = self.connector.connect_volume(connection_properties)
        return device_info["path"]

@ -1212,6 +1217,9 @@ class VxFlexOSDriver(driver.VolumeDriver):
            volume.id
        )
        connection_properties["scaleIO_volume_id"] = volume.provider_id
+        connection_properties["config_group"] = self.configuration.config_group
+        connection_properties["failed_over"] = self._is_failed_over
+
        self.connector.disconnect_volume(connection_properties, volume)

    def copy_image_to_volume(self, context, volume, image_service, image_id):
--- a/cinder/volume/drivers/dell_emc/vxflexos/rest_client.py
+++ b/cinder/volume/drivers/dell_emc/vxflexos/rest_client.py
@ -70,8 +70,6 @@ class RestClient(object):
            "serverIP": self.rest_ip,
            "serverPort": self.rest_port,
            "serverUsername": self.rest_username,
-            "serverPassword": self.rest_password,
-            "serverToken": self.rest_token,
            "iopsLimit": None,
            "bandwidthLimit": None,
        }
--- a/doc/source/configuration/block-storage/drivers/dell-emc-vxflex-driver.rst
+++ b/doc/source/configuration/block-storage/drivers/dell-emc-vxflex-driver.rst
@ -220,6 +220,35 @@ parameters as follows:
   san_password = SIO_PASSWD
   san_thin_provision = false

+Connector configuration
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Before using attach/detach volume operations VxFlex OS connector must be
+properly configured. On each node where VxFlex OS SDC is installed do the
+following:
+
+#. Create ``/opt/emc/scaleio/openstack/connector.conf`` if it does not
+   exist.
+
+   .. code-block:: console
+
+     $ mkdir -p /opt/emc/scaleio/openstack
+     $ touch /opt/emc/scaleio/openstack/connector.conf
+
+#. For each VxFlex OS section in the ``cinder.conf`` create the same section in
+   the ``/opt/emc/scaleio/openstack/connector.conf`` and populate it with
+   passwords. Example:
+
+   .. code-block:: ini
+
+      [vxflexos]
+      san_password = SIO_PASSWD
+      replicating_san_password = REPLICATION_SYSTEM_SIO_PASSWD # if applicable
+
+      [vxflexos-new]
+      san_password = SIO2_PASSWD
+      replicating_san_password = REPLICATION_SYSTEM_SIO2_PASSWD # if applicable
+
 .. _cg_configuration_options_emc:

 Configuration options
@ -504,6 +533,22 @@ Volume migration is performed by issuing the following command:
 Using VxFlex OS Storage with a containerized overcloud
 ------------------------------------------------------

-When using a containerized overcloud, such as one deployed via TripleO or
-Red Hat OpenStack version 13 and above, install the Storage Data Client
-(SDC) on all nodes after deploying the overcloud.
+#. Create a file with below contents:
+
+   .. code-block:: yaml
+
+      parameter_defaults:
+        NovaComputeOptVolumes:
+          - /opt/emc/scaleio:/opt/emc/scaleio
+        CinderVolumeOptVolumes:
+          - /opt/emc/scaleio:/opt/emc/scaleio
+        GlanceApiOptVolumes:
+          - /opt/emc/scaleio:/opt/emc/scaleio
+
+
+   Name it whatever you like, e.g. ``vxflexos_volumes.yml``.
+
+#. Use ``-e`` to include this customization file to deploy command.
+
+#. Install the Storage Data Client (SDC) on all nodes after deploying
+   the overcloud.
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -62,7 +62,7 @@ netifaces==0.10.7
 networkx==1.11
 oauth2client==1.5.0
 os-api-ref==1.4.0
-os-brick==2.2.0
+os-brick==3.1.0
 os-client-config==1.29.0
 os-win==3.0.0
 oslo.cache==1.29.0
--- a/releasenotes/notes/bug-1823200-victoria-ecd2d99c9223d84b.yaml
+++ b/releasenotes/notes/bug-1823200-victoria-ecd2d99c9223d84b.yaml
@ -0,0 +1,24 @@
+---
+upgrade:
+  - |
+    The fix for `Bug #1823200
+    <https://bugs.launchpad.net/cinder/+bug/1823200>`_ requires
+    ``os-brick`` version 3.1.0 or greater.
+security:
+  - |
+    Dell EMC VxFlex OS driver: This release contains a fix for
+    `Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_.
+    See `OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_
+    for details.
+fixes:
+  - |
+    `Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_:
+    This release contains an updated Dell EMC VxFlex OS driver.  It must
+    be used with ``os-brick`` version 3.1.0 or greater and requires that
+    a new configuration file be deployed on compute nodes, cinder nodes,
+    and anywhere you would perform a volume attachment in your deployment.
+    See the `Dell EMC VxFlex OS (ScaleIO) Storage driver
+    <https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/dell-emc-vxflex-driver.html>`_
+    documentation for details about the configuration file, and see
+    `OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_ for
+    more information about the security vulnerability.
--- a/requirements.txt
+++ b/requirements.txt
@ -54,7 +54,7 @@ tenacity>=6.0.0 # Apache-2.0
 WebOb>=1.7.1 # MIT
 oslo.i18n>=3.24.0 # Apache-2.0
 oslo.vmware>=2.35.0 # Apache-2.0
-os-brick>=2.2.0 # Apache-2.0
+os-brick>=3.1.0 # Apache-2.0
 os-win>=3.0.0 # Apache-2.0
 tooz>=1.58.0 # Apache-2.0
 google-api-python-client>=1.4.2 # Apache-2.0