honor api_insecure parameters

verify and api_insecure have different meanings.
If api_insecure is set to False, it means that a valid certificate
should be provided. Otherwise, the common insecure session can be
used.

We will continue sharing sessions where possible. For
that purpose we introduce an insecure session.

Change-Id: I4ed0a505d5c28f96c4b1d6be263a3091844c9489
Closes-bug: 1539498
Related-bug: 1517918
Vitaly Gridnev 2016-02-14 18:37:34 +03:00
parent 0c184f09cb
commit c1d3149c1e
4 changed files with 45 additions and 53 deletions


@ -0,0 +1,3 @@
---
fixes:
- Fixed api_insecure handling in sessions. Closed bug 1539498.


@ -132,7 +132,6 @@ def list_opts():
from sahara.service.heat import heat_engine
from sahara.service.heat import templates
from sahara.service import periodic
from sahara.service import sessions
from sahara.swift import swift_helper
from sahara.utils import cluster_progress_ops as cpo
from sahara.utils.openstack import base
@ -162,7 +161,6 @@ def list_opts():
base.opts,
heat_engine.heat_engine_opts,
templates.heat_engine_opts,
sessions.sessions_opts,
ssh_remote.ssh_config_options,
castellan.opts)),
(poll_utils.timeouts.name,


@ -25,21 +25,13 @@ from sahara.i18n import _LE
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
sessions_opts = [
cfg.BoolOpt(
'generic_session_verify', default=True,
help='Option to configure verification of a certificate for generic '
'sessions')
]
CONF.register_opts(sessions_opts)
_SESSION_CACHE = None
SESSION_TYPE_CINDER = 'cinder'
SESSION_TYPE_GENERIC = 'generic'
SESSION_TYPE_KEYSTONE = 'keystone'
SESSION_TYPE_NEUTRON = 'neutron'
SESSION_TYPE_NOVA = 'nova'
SESSION_TYPE_INSECURE = 'insecure'
def cache():
@ -66,10 +58,10 @@ class SessionCache(object):
self._sessions = {}
self._session_funcs = {
SESSION_TYPE_CINDER: self.get_cinder_session,
SESSION_TYPE_GENERIC: self.get_generic_session,
SESSION_TYPE_KEYSTONE: self.get_keystone_session,
SESSION_TYPE_NEUTRON: self.get_neutron_session,
SESSION_TYPE_NOVA: self.get_nova_session,
SESSION_TYPE_INSECURE: self.get_insecure_session,
}
def _set_session(self, session_type, session):
@ -81,10 +73,10 @@ class SessionCache(object):
'''
self._sessions[session_type] = session
def get_session(self, session_type=SESSION_TYPE_GENERIC):
def get_session(self, session_type=SESSION_TYPE_INSECURE):
'''Return a Session for the requested type
:param session_type: the type of Session to get, if None a generic
:param session_type: the type of Session to get, if None an insecure
session will be returned.
:raises SaharaException: if the requested session type is not
@ -101,57 +93,57 @@ class SessionCache(object):
_('Session type {type} not recognized').
format(type=session_type))
def get_insecure_session(self):
session = self._sessions.get(SESSION_TYPE_INSECURE)
if not session:
session = keystone.Session(verify=False)
self._set_session(SESSION_TYPE_INSECURE, session)
return session
def get_cinder_session(self):
session = self._sessions.get(SESSION_TYPE_CINDER)
if not session:
if CONF.cinder.ca_file:
session = keystone.Session(cert=CONF.cinder.ca_file,
verify=CONF.cinder.api_insecure)
if not CONF.cinder.api_insecure and CONF.cinder.ca_file:
session = keystone.Session(
cert=CONF.cinder.ca_file, verify=True)
else:
session = self.get_generic_session()
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_CINDER, session)
return session
def get_generic_session(self):
session = self._sessions.get(SESSION_TYPE_GENERIC)
if not session:
session = keystone.Session(verify=CONF.generic_session_verify)
self._set_session(SESSION_TYPE_GENERIC, session)
return session
def get_keystone_session(self):
session = self._sessions.get(SESSION_TYPE_KEYSTONE)
if not session:
if CONF.keystone.ca_file:
session = keystone.Session(cert=CONF.keystone.ca_file,
verify=CONF.keystone.api_insecure)
if not CONF.keystone.api_insecure and CONF.keystone.ca_file:
session = keystone.Session(
cert=CONF.keystone.ca_file, verify=True)
else:
session = self.get_generic_session()
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_KEYSTONE, session)
return session
def get_neutron_session(self):
session = self._sessions.get(SESSION_TYPE_NEUTRON)
if not session:
if CONF.neutron.ca_file:
session = keystone.Session(cert=CONF.neutron.ca_file,
verify=CONF.neutron.api_insecure)
if not CONF.neutron.api_insecure and CONF.neutron.ca_file:
session = keystone.Session(
cert=CONF.neutron.ca_file, verify=True)
else:
session = self.get_generic_session()
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_NEUTRON, session)
return session
def get_nova_session(self):
session = self._sessions.get(SESSION_TYPE_NOVA)
if not session:
if CONF.nova.ca_file:
session = keystone.Session(cert=CONF.nova.ca_file,
verify=CONF.nova.api_insecure)
if not CONF.nova.api_insecure and CONF.nova.ca_file:
session = keystone.Session(
cert=CONF.nova.ca_file, verify=True)
else:
session = self.get_generic_session()
session = self.get_insecure_session()
self._set_session(SESSION_TYPE_NOVA, session)
return session
def token_for_auth(self, auth):
return self.get_generic_session().get_auth_headers(auth).get(
return self.get_keystone_session().get_auth_headers(auth).get(
'X-Auth-Token')
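Review bot: In `get_cinder_session` the `else` branch now returns `get_insecure_session()` whenever `ca_file` is unset, so a deployment with `api_insecure = False` and no `ca_file` gets `verify=False` and certificate checking is silently off; the same condition is repeated in `get_keystone_session`, `get_neutron_session` and `get_nova_session`. Only an explicit `api_insecure = True` should select the insecure session, with the verified path falling back to the system CA bundle when no `ca_file` is given. The CA file is also passed as `cert=`, which keystoneclient's `Session` treats as a client certificate; a CA bundle path belongs in `verify=`, as the sketch below does. Because `token_for_auth` now goes through the keystone session, it inherits whichever behaviour this branch selects.

```python
def get_cinder_session(self):
    session = self._sessions.get(SESSION_TYPE_CINDER)
    if not session:
        if CONF.cinder.api_insecure:
            # Only an explicit opt-out may disable certificate checks.
            session = self.get_insecure_session()
        else:
            # No ca_file configured: verify against the system CA bundle.
            session = keystone.Session(
                verify=CONF.cinder.ca_file or True)
        # … unchanged: cache the session under SESSION_TYPE_CINDER and return it …
```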


@ -36,7 +36,7 @@ class TestSessionCache(base.SaharaTestCase):
def test_get_keystone_session(self, keystone_session):
sc = sessions.SessionCache()
self.override_config('ca_file', '/some/cacert', group='keystone')
self.override_config('api_insecure', True, group='keystone')
self.override_config('api_insecure', False, group='keystone')
sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
@ -44,9 +44,9 @@ class TestSessionCache(base.SaharaTestCase):
sc = sessions.SessionCache()
keystone_session.reset_mock()
self.override_config('ca_file', None, group='keystone')
self.override_config('api_insecure', None, group='keystone')
self.override_config('api_insecure', True, group='keystone')
sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
keystone_session.assert_called_once_with(verify=True)
keystone_session.assert_called_once_with(verify=False)
keystone_session.reset_mock()
sc.get_session(sessions.SESSION_TYPE_KEYSTONE)
@ -56,7 +56,7 @@ class TestSessionCache(base.SaharaTestCase):
def test_get_nova_session(self, keystone_session):
sc = sessions.SessionCache()
self.override_config('ca_file', '/some/cacert', group='nova')
self.override_config('api_insecure', True, group='nova')
self.override_config('api_insecure', False, group='nova')
sc.get_session(sessions.SESSION_TYPE_NOVA)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
@ -64,9 +64,9 @@ class TestSessionCache(base.SaharaTestCase):
sc = sessions.SessionCache()
keystone_session.reset_mock()
self.override_config('ca_file', None, group='nova')
self.override_config('api_insecure', None, group='nova')
self.override_config('api_insecure', True, group='nova')
sc.get_session(sessions.SESSION_TYPE_NOVA)
keystone_session.assert_called_once_with(verify=True)
keystone_session.assert_called_once_with(verify=False)
keystone_session.reset_mock()
sc.get_session(sessions.SESSION_TYPE_NOVA)
@ -76,7 +76,7 @@ class TestSessionCache(base.SaharaTestCase):
def test_get_cinder_session(self, keystone_session):
sc = sessions.SessionCache()
self.override_config('ca_file', '/some/cacert', group='cinder')
self.override_config('api_insecure', True, group='cinder')
self.override_config('api_insecure', False, group='cinder')
sc.get_session(sessions.SESSION_TYPE_CINDER)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
@ -84,9 +84,9 @@ class TestSessionCache(base.SaharaTestCase):
sc = sessions.SessionCache()
keystone_session.reset_mock()
self.override_config('ca_file', None, group='cinder')
self.override_config('api_insecure', None, group='cinder')
self.override_config('api_insecure', True, group='cinder')
sc.get_session(sessions.SESSION_TYPE_CINDER)
keystone_session.assert_called_once_with(verify=True)
keystone_session.assert_called_once_with(verify=False)
keystone_session.reset_mock()
sc.get_session(sessions.SESSION_TYPE_CINDER)
@ -96,7 +96,7 @@ class TestSessionCache(base.SaharaTestCase):
def test_get_neutron_session(self, keystone_session):
sc = sessions.SessionCache()
self.override_config('ca_file', '/some/cacert', group='neutron')
self.override_config('api_insecure', True, group='neutron')
self.override_config('api_insecure', False, group='neutron')
sc.get_session(sessions.SESSION_TYPE_NEUTRON)
keystone_session.assert_called_once_with(cert='/some/cacert',
verify=True)
@ -104,17 +104,16 @@ class TestSessionCache(base.SaharaTestCase):
sc = sessions.SessionCache()
keystone_session.reset_mock()
self.override_config('ca_file', None, group='neutron')
self.override_config('api_insecure', None, group='neutron')
self.override_config('api_insecure', True, group='neutron')
sc.get_session(sessions.SESSION_TYPE_NEUTRON)
keystone_session.assert_called_once_with(verify=True)
keystone_session.assert_called_once_with(verify=False)
keystone_session.reset_mock()
sc.get_session(sessions.SESSION_TYPE_NEUTRON)
self.assertFalse(keystone_session.called)
@mock.patch('keystoneclient.session.Session')
def test_generic_session_no_verify(self, session):
def test_insecure_session(self, session):
sc = sessions.SessionCache()
self.override_config('generic_session_verify', False)
sc.get_session(sessions.SESSION_TYPE_GENERIC)
sc.get_session(sessions.SESSION_TYPE_INSECURE)
session.assert_called_once_with(verify=False)
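Review bot: The updated service tests pin only two of the four `ca_file` / `api_insecure` combinations: `ca_file` set with `api_insecure=False`, and `ca_file=None` with `api_insecure=True`. Nothing asserts what `verify` value reaches `keystone_session` when `api_insecure` is `False` and `ca_file` is `None`, which is the configuration where a silent loss of certificate verification would matter most. Each of `test_get_keystone_session`, `test_get_nova_session`, `test_get_cinder_session` and `test_get_neutron_session` would benefit from a third case with `self.override_config('ca_file', None, group=...)` and `self.override_config('api_insecure', False, group=...)` followed by an assertion on the `verify` argument. The test methods start outside the visible hunks, so the placement of the new case is a suggestion.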