From 254fcc4f619fea9f9c4a968eb8ebc06d95038a66 Mon Sep 17 00:00:00 2001 From: Sergey Reshetnyak Date: Tue, 25 Aug 2015 17:54:43 +0300 Subject: [PATCH] Register SSL cert in Java keystore to access to swift via SSL Closes-bug: #1488101 Change-Id: I25723e151ffc82e147c986e96e46b05eedb26cb0 --- sahara/config.py | 5 ++- sahara/plugins/ambari/plugin.py | 2 + sahara/plugins/cdh/plugin_utils.py | 2 + sahara/plugins/spark/plugin.py | 3 ++ sahara/plugins/vanilla/hadoop2/scaling.py | 2 + .../plugins/vanilla/v2_6_0/versionhandler.py | 4 ++ .../plugins/vanilla/v2_7_1/versionhandler.py | 4 ++ sahara/swift/swift_helper.py | 45 +++++++++++++++++++ 8 files changed, 66 insertions(+), 1 deletion(-) diff --git a/sahara/config.py b/sahara/config.py index 336374be..7970ecaa 100644 --- a/sahara/config.py +++ b/sahara/config.py @@ -130,6 +130,7 @@ def list_opts(): from sahara import main as sahara_main from sahara.service.edp import job_utils from sahara.service import periodic + from sahara.swift import swift_helper from sahara.utils import cluster_progress_ops as cpo from sahara.utils.openstack import base from sahara.utils.openstack import heat @@ -175,7 +176,9 @@ def list_opts(): (keystone.keystone_group.name, itertools.chain(keystone.ssl_opts)), (base.retries.name, - itertools.chain(base.opts)) + itertools.chain(base.opts)), + (swift_helper.public_endpoint_cert_group.name, + itertools.chain(swift_helper.opts)) ] diff --git a/sahara/plugins/ambari/plugin.py b/sahara/plugins/ambari/plugin.py index ee26facb..05bfe4e8 100644 --- a/sahara/plugins/ambari/plugin.py +++ b/sahara/plugins/ambari/plugin.py @@ -24,6 +24,7 @@ from sahara.plugins.ambari import edp_engine from sahara.plugins.ambari import validation from sahara.plugins import provisioning as p from sahara.plugins import utils as plugin_utils +from sahara.swift import swift_helper conductor = conductor.API 
@@ -84,6 +85,7 @@ class AmbariPluginProvider(p.ProvisioningPluginBase): def start_cluster(self, cluster): self._set_cluster_info(cluster) deploy.start_cluster(cluster) + swift_helper.install_ssl_certs(plugin_utils.get_instances(cluster)) def _set_cluster_info(self, cluster): ambari_ip = plugin_utils.get_instance( diff --git a/sahara/plugins/cdh/plugin_utils.py b/sahara/plugins/cdh/plugin_utils.py index 7aac592a..d88a3a26 100644 --- a/sahara/plugins/cdh/plugin_utils.py +++ b/sahara/plugins/cdh/plugin_utils.py @@ -27,6 +27,7 @@ from sahara.i18n import _ from sahara.plugins.cdh import commands as cmd from sahara.plugins import recommendations_utils as ru from sahara.plugins import utils as u +from sahara.swift import swift_helper from sahara.utils import cluster_progress_ops as cpo from sahara.utils import edp as edp_u from sahara.utils import poll_utils @@ -254,6 +255,7 @@ class AbstractPluginUtils(object): for i in instances: tg.spawn('cdh-swift-conf-%s' % i.instance_name, self._configure_swift_to_inst, i) + swift_helper.install_ssl_certs(instances) @cpo.event_wrapper(True) def _configure_swift_to_inst(self, instance): diff --git a/sahara/plugins/spark/plugin.py b/sahara/plugins/spark/plugin.py index af86f732..f5d22060 100644 --- a/sahara/plugins/spark/plugin.py +++ b/sahara/plugins/spark/plugin.py @@ -32,6 +32,7 @@ from sahara.plugins.spark import run_scripts as run from sahara.plugins.spark import scaling as sc from sahara.plugins.spark import shell_engine from sahara.plugins import utils +from sahara.swift import swift_helper from sahara.topology import topology_helper as th from sahara.utils import cluster_progress_ops as cpo from sahara.utils import files as f @@ -153,6 +154,7 @@ class SparkProvider(p.ProvisioningPluginBase): # start spark nodes self.start_spark(cluster) + swift_helper.install_ssl_certs(utils.get_instances(cluster)) LOG.info(_LI('Cluster has been started successfully')) self._set_cluster_info(cluster) 
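Review bot: The Ambari plugin gets `install_ssl_certs` only in `start_cluster`, whereas the Spark `scale_cluster` hunk and the Vanilla `hadoop2/scaling.py` hunk also install the certificates on newly added instances; if `AmbariPluginProvider` has a scale path outside this diff, instances added to an Ambari cluster later will carry no CA in their truststore and SSL access to Swift from them will fail, so the same call belongs in that path as well. In this hunk, and likewise in the Spark `start_cluster` hunk and both Vanilla `versionhandler.py` hunks, the import runs after `deploy.start_cluster(cluster)` has already started the services; as far as I know a JVM loads the default truststore once when its default SSL context is initialised, so a long-running daemon that talks to Swift directly would not see a certificate added afterwards and either needs a restart or the call should move ahead of the start step (task JVMs launched later presumably start fresh and are unaffected). `start_cluster` begins outside the hunk.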
@@ -448,6 +450,7 @@ class SparkProvider(p.ProvisioningPluginBase): 'datanode' in instance.node_group.node_processes] self._start_datanode_processes(dn_instances) + swift_helper.install_ssl_certs(instances) run.start_spark_master(r_master, self._spark_home(cluster)) LOG.info(_LI("Spark master service has been restarted")) diff --git a/sahara/plugins/vanilla/hadoop2/scaling.py b/sahara/plugins/vanilla/hadoop2/scaling.py index 769416eb..d904d618 100644 --- a/sahara/plugins/vanilla/hadoop2/scaling.py +++ b/sahara/plugins/vanilla/hadoop2/scaling.py @@ -20,6 +20,7 @@ from sahara.plugins.vanilla.hadoop2 import config_helper as c_helper from sahara.plugins.vanilla.hadoop2 import run_scripts as run from sahara.plugins.vanilla.hadoop2 import utils as pu from sahara.plugins.vanilla import utils as vu +from sahara.swift import swift_helper from sahara.utils import cluster_progress_ops as cpo from sahara.utils import poll_utils @@ -37,6 +38,7 @@ def scale_cluster(pctx, cluster, instances): config.configure_topology_data(pctx, cluster) run.start_dn_nm_processes(instances) + swift_helper.install_ssl_certs(instances) def _get_instances_with_service(instances, service): diff --git a/sahara/plugins/vanilla/v2_6_0/versionhandler.py b/sahara/plugins/vanilla/v2_6_0/versionhandler.py index 0d35042d..e9a638ac 100644 --- a/sahara/plugins/vanilla/v2_6_0/versionhandler.py +++ b/sahara/plugins/vanilla/v2_6_0/versionhandler.py @@ -31,6 +31,8 @@ from sahara.plugins.vanilla.hadoop2 import validation as vl from sahara.plugins.vanilla import utils as vu from sahara.plugins.vanilla.v2_6_0 import config_helper as c_helper from sahara.plugins.vanilla.v2_6_0 import edp_engine +from sahara.swift import swift_helper +from sahara.utils import cluster as cluster_utils conductor = conductor.API 
@@ -82,6 +84,8 @@ class VersionHandler(avm.AbstractVersionHandler): s_scripts.start_oozie(self.pctx, cluster) s_scripts.start_hiveserver(self.pctx, cluster) + swift_helper.install_ssl_certs(cluster_utils.get_instances(cluster)) + self._set_cluster_info(cluster) def decommission_nodes(self, cluster, instances): diff --git a/sahara/plugins/vanilla/v2_7_1/versionhandler.py b/sahara/plugins/vanilla/v2_7_1/versionhandler.py index 9deaaf0d..e052fa28 100644 --- a/sahara/plugins/vanilla/v2_7_1/versionhandler.py +++ b/sahara/plugins/vanilla/v2_7_1/versionhandler.py @@ -29,6 +29,8 @@ from sahara.plugins.vanilla.hadoop2 import validation as vl from sahara.plugins.vanilla import utils as vu from sahara.plugins.vanilla.v2_7_1 import config_helper as c_helper from sahara.plugins.vanilla.v2_7_1 import edp_engine +from sahara.swift import swift_helper +from sahara.utils import cluster as cluster_utils conductor = conductor.API @@ -77,6 +79,8 @@ class VersionHandler(avm.AbstractVersionHandler): s_scripts.start_oozie(self.pctx, cluster) s_scripts.start_hiveserver(self.pctx, cluster) + swift_helper.install_ssl_certs(cluster_utils.get_instances(cluster)) + self._set_cluster_info(cluster) def decommission_nodes(self, cluster, instances): diff --git a/sahara/swift/swift_helper.py b/sahara/swift/swift_helper.py index 51339245..89dee667 100644 --- a/sahara/swift/swift_helper.py +++ b/sahara/swift/swift_helper.py 
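Review bot: The identical `swift_helper.install_ssl_certs(cluster_utils.get_instances(cluster))` line is added to `start_cluster` of both `v2_6_0/versionhandler.py` and `v2_7_1/versionhandler.py`, while the scale path is handled once in the shared `hadoop2/scaling.py`; if the `s_scripts` start sequence is likewise shared under `sahara.plugins.vanilla.hadoop2`, the call belongs there next to `start_hiveserver` so that a future version handler cannot omit it. Both handlers also reach `get_instances` through a new `sahara.utils.cluster` import, whereas the Ambari and Spark hunks use `sahara.plugins.utils.get_instances` and these files already import `sahara.plugins.vanilla.utils as vu`; I cannot see whether the two helpers differ, but using one of them across the plugins in this change would keep the call sites consistent. `start_cluster` begins outside the hunk.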
@@ -32,6 +32,21 @@ HADOOP_SWIFT_REGION = 'fs.swift.service.sahara.region' HADOOP_SWIFT_TRUST_ID = 'fs.swift.service.sahara.trust.id' HADOOP_SWIFT_DOMAIN_NAME = 'fs.swift.service.sahara.domain.name' +opts = [ + cfg.StrOpt("public_identity_ca_file", + help=("Location of ca certificate file to use for identity " + "client requests via public endpoint")), + cfg.StrOpt("public_object_store_ca_file", + help=("Location of ca certificate file to use for object-store " + "client requests via public endpoint")) +] + +public_endpoint_cert_group = cfg.OptGroup( + name="object_store_access", title="Auth options for Swift access from VM") + +CONF.register_group(public_endpoint_cert_group) +CONF.register_opts(opts, group=public_endpoint_cert_group) + def retrieve_tenant(): return context.current().tenant_name @@ -55,3 +70,33 @@ def get_swift_configs(): def read_default_swift_configs(): return x.load_hadoop_xml_defaults('swift/resources/conf-template.xml') + + +def install_ssl_certs(instances): + certs = [] + if CONF.object_store_access.public_identity_ca_file: + certs.append(CONF.object_store_access.public_identity_ca_file) + if CONF.object_store_access.public_object_store_ca_file: + certs.append(CONF.object_store_access.public_object_store_ca_file) + if not certs: + return + with context.ThreadGroup() as tg: + for inst in instances: + tg.spawn("configure-ssl-cert-%s" % inst.instance_id, + _install_ssl_certs, inst, certs) + + +def _install_ssl_certs(instance, certs): + register_cmd = ( + "sudo su - -c \"keytool -import -alias sahara-%d -keystore " + "`cut -f2 -d \\\"=\\\" /etc/profile.d/99-java.sh | head -1`" + "/lib/security/cacerts -file /tmp/cert.pem -noprompt -storepass " + "changeit\"") + with instance.remote() as r: + for idx, cert in enumerate(certs): + data = open(cert).read() + r.write_file_to("/tmp/cert.pem", data) + try: + r.execute_command(register_cmd % idx) + finally: + r.execute_command("rm /tmp/cert.pem")
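Review bot: The help text of `public_identity_ca_file` and `public_object_store_ca_file` describes only the client-request use of the CA file, but `install_ssl_certs` in the next hunk also ships that file into the Java truststore of every cluster instance, and an operator setting the option needs to know that blast radius; append `"; the certificate is also registered in the Java truststore of each cluster VM"` to both help strings. The group title `"Auth options for Swift access from VM"` speaks of authentication while both options configure TLS trust, so `"CA certificate options for Swift access from VM"` would describe the group more accurately.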
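Review bot: `data = open(cert).read()` in `_install_ssl_certs` never closes the file and re-reads each certificate from the controller's disk once per instance and per thread; read the files once in `install_ssl_certs` under `with open(...)` and hand the contents to the threads, which also turns a misconfigured path into a single error before any thread is spawned. `certs` is not de-duplicated either, and when both options name the same CA bundle (a common deployment) the second `keytool -import` of an identical certificate under a new alias is likely to be rejected or to duplicate the entry, which `execute_command` would surface as a failure of the whole cluster start. The fixed `/tmp/cert.pem` is a predictable, world-writable location shared by both imports between `write_file_to` and the `sudo` import; if the images carry other local accounts, a `mktemp`-generated name or a path under the login user's home is cheap hardening. The `cut ... /etc/profile.d/99-java.sh` lookup silently degrades to `/lib/security/cacerts` when that file is absent, so a comment stating the image contract, `# JAVA_HOME is read from /etc/profile.d/99-java.sh, which the sahara images are expected to provide`, would help the next maintainer — I cannot see where that file comes from.
```python
def install_ssl_certs(instances):
    """Register the configured public-endpoint CA files in the Java
    truststore of every instance in ``instances``."""
    group = CONF.object_store_access
    paths = []
    for path in (group.public_identity_ca_file,
                 group.public_object_store_ca_file):
        # both options often name the same bundle; keytool will not
        # import a certificate that is already present in the store
        if path and path not in paths:
            paths.append(path)
    if not paths:
        return
    # read each file once on the controller instead of per instance/thread
    cert_data = []
    for path in paths:
        with open(path) as f:
            cert_data.append(f.read())
    with context.ThreadGroup() as tg:
        for inst in instances:
            tg.spawn("configure-ssl-cert-%s" % inst.instance_id,
                     _install_ssl_certs, inst, cert_data)


def _install_ssl_certs(instance, cert_data):
    """Import each PEM string in ``cert_data`` into the cacerts store located
    via /etc/profile.d/99-java.sh on ``instance``, under alias ``sahara-<n>``."""
    # … unchanged: register_cmd definition …
    with instance.remote() as r:
        for idx, data in enumerate(cert_data):
            r.write_file_to("/tmp/cert.pem", data)
            try:
                r.execute_command(register_cmd % idx)
            finally:
                r.execute_command("rm /tmp/cert.pem")
```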