Remove custom glance client SSL handling

Deprecate special httplib code paths. Blueprint: https://blueprints.launchpad.net/python-glanceclient/+spec/remove-custom-client-ssl-handling Change-Id: I5d192cc8c192b87d1e668041e97de5e0afe25394
2015-06-02 16:47:38 +00:00 · 2015-06-02 16:47:38 +00:00 · 7084fa286e
commit 7084fa286e
parent a9001fce65
1 changed files with 196 additions and 0 deletions
--- a/specs/liberty/remove-special-client-ssl-handling.rst
+++ b/specs/liberty/remove-special-client-ssl-handling.rst
@ -0,0 +1,196 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+=================================
+Remove custom client SSL handling
+=================================
+
+https://blueprints.launchpad.net/python-glanceclient/+spec/remove-custom-client-ssl-handling
+
+The Glance client currently supports disabling SSL compression via
+the --no-ssl-compression argument. This spec proposes deprecating this
+special handling of SSL.
+
+Note: This is transport layer compression, not application layer (http)
+compression.
+
+
+Problem description
+===================
+
+Custom SSL handling was introduced because disabling SSL layer compression
+provided an approximately five fold performance increase in some
+cases. Without SSL layer compression disabled the image transfer would be
+CPU bound -- with the CPU performing the DEFLATE algorithm.  This would
+typically limit image transfers to < 20 MB/s. When --no-ssl-compression
+was specified the client would not negotiate any compression algorithm
+during the SSL handshake with the server which would remove the CPU
+bottleneck and transfers could approach wire speed.
+
+In order to support '--no-ssl-compression' two totally separate code
+paths exist depending on whether this is True or False.  When SSL
+compression is disabled, rather than using the standard 'requests'
+library, we enter some custom code based on pyopenssl and httplib in
+order to disable compression.
+
+This spec proposes removing the custom code because:
+
+* It is a burden to maintain
+
+ Eg adding new code such as keystone session support is more complicated
+
+* It can introduce additional failure modes
+
+ We have seen some bugs related to the 'custom' certificate checking
+
+* Newer Operating Systems disable SSL for us.
+
+ Eg. While Debian 7 defaulted to compression 'on', Debian 8 has compression
+ 'off'. This makes both servers and client less likely to have compression
+ enabled.
+
+* Newer combinations of 'requests' and 'python' do this for us
+
+ Requests disables compression when backed by a version of python which
+ supports it (>= 2.7.9). This makes clients more likely to disable
+ compression out-of-the-box.
+
+* It is (in principle) possible to do this on older versions too
+
+ If pyopenssl, ndg-httpsclient and pyasn1 are installed on older
+ operating system/python combinations, the requests library should
+ disable SSL compression on the client side.
+
+
+Proposed change
+===============
+
+Deprecate the '--no-ssl-compression' option. Remove the custom http
+handling code and print a warning when '--no-ssl-compression' is
+specified.
+
+
+Alternatives
+------------
+
+* Do not deprecate
+
+The cost/benefit of not deprecating would mean that custom code paths
+would have to be maintained for a small number of corner cases (that
+can be addressed by other means).
+
+* Add dependencies on ndg-httpsclient and pyasn1.
+
+This is a possibility for legacy installations, but this should not
+be needed for the vast majority of cases.
+
+
+Data model impact
+-----------------
+
+None
+
+
+REST API impact
+---------------
+
+None
+
+
+Security impact
+---------------
+
+Certificate checking will no longer be done by custom glance client code,
+but by the 'requests' library. I verified that for older python installs
+(2.7) certificate checking is performed correctly by the requests library.
+
+Systems that have SSL compression enabled may be vulnerable to the CRIME
+(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929) attack.
+Installations which are security conscious should be running the Glance
+server with SSL disabled.
+
+
+Notifications impact
+--------------------
+
+None
+
+
+Other end user impact
+---------------------
+
+SSL potentially not being disabled.
+A new deprecation warning.
+
+
+Performance Impact
+------------------
+
+If SSL is not disabled user's will experience a performance hit -- until
+they use one of the alternative methods to disable it.
+
+
+Other deployer impact
+---------------------
+
+Deprecation warnings.
+Will need to use an alternative method to disable SSL if appropriate.
+
+
+Developer impact
+----------------
+
+Should simplify things.
+
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Stuart McLaren
+
+
+Reviewers
+---------
+
+Ian Cordasco
+
+
+Work Items
+----------
+
+* Client change
+* (small) nova/cinder changes
+
+Dependencies
+============
+
+None
+
+
+Testing
+=======
+
+There is limited https testing in the gate by default.
+Some manual functional testing will be done, and devstack will be
+spun up with https enabled.
+
+
+Documentation Impact
+====================
+
+The cli help will be updated. Any relevant .rst docs will be updated also.
+
+
+References
+==========
+
+Previous effort:
+
+https://review.openstack.org/#/c/23424
+