From ee2a3d3032408ff3d12beafd6ae84d75b33f479f Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy
Date: Mon, 18 Mar 2019 18:29:45 +0000
Subject: [PATCH] Re-use swift_store_cacert for Keystone session

pass configured cacert for Swift to the keystoneauth's Session as well so that the swift endpoint can be resolved from the catalog when a custom CA bundle is used.

Change-Id: I439f6b5af34c685f72c9b4933c7eb0c77cc92e14
Closes-Bug: #1820817
---
 glance_store/_drivers/swift/store.py | 12 ++++++++----
 glance_store/tests/unit/test_swift_store.py | 6 ++++++
 .../tests/unit/test_swift_store_multibackend.py | 7 +++++++
 releasenotes/notes/bug-1820817-0ee70781918d232e.yaml | 11 +++++++++++
 4 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/bug-1820817-0ee70781918d232e.yaml

diff --git a/glance_store/_drivers/swift/store.py b/glance_store/_drivers/swift/store.py
index d7a324eb..7c1d9e67 100644
--- a/glance_store/_drivers/swift/store.py
+++ b/glance_store/_drivers/swift/store.py
@@ -806,6 +806,10 @@ class BaseStore(driver.Store):
         self.insecure = glance_conf.swift_store_auth_insecure
         self.ssl_compression = glance_conf.swift_store_ssl_compression
         self.cacert = glance_conf.swift_store_cacert
+        if self.insecure:
+            self.ks_verify = False
+        else:
+            self.ks_verify = self.cacert or True
         if swiftclient is None:
             msg = _("Missing dependency python_swiftclient.")
             raise exceptions.BadStoreConfiguration(store_name="swift",
@@ -1454,7 +1458,7 @@ class SingleTenantStore(BaseStore):
             project_domain_id=self.project_domain_id,
             project_domain_name=self.project_domain_name)
 
-        sess = ks_session.Session(auth=password, verify=not self.insecure)
+        sess = ks_session.Session(auth=password, verify=self.ks_verify)
         return ks_client.Client(session=sess)
 
     def get_manager(self, store_location, context=None, allow_reauth=False):
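Review bot: The new `ks_verify` computation at the top of the hunk lets `swift_store_auth_insecure` silently win over `swift_store_cacert`: with `insecure` set, the configured CA bundle is ignored for the Keystone session and verification is switched off outright, which preserves the old `verify=not self.insecure` behaviour but is now easy to misread because both options are evaluated side by side. A one-line comment above the `if` would spare operators the wrong assumption, e.g. `# keystoneauth's Session.verify accepts a bool or a CA bundle path; swift_store_auth_insecure takes precedence over swift_store_cacert, and an empty cacert falls back to the system trust store.` The `self.cacert or True` fallback is what makes an empty `swift_store_cacert` mean "system CAs", so stating it explicitly avoids a later "fix" that passes `''` through to the session. The enclosing method begins before the hunk, so I cannot tell whether `ks_verify` has a default anywhere a `Session` could be built before this assignment; the `SingleTenantStore` site in the next hunk and the three `MultiTenantStore` sites all read it, and a missing attribute there would fail with an `AttributeError` rather than degrade verification.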
@@ -1596,7 +1600,7 @@ class MultiTenantStore(BaseStore):
             token=context.auth_token,
             project_id=context.tenant)
         trustor_sess = ks_session.Session(auth=trustor_auth,
-                                          verify=not self.insecure)
+                                          verify=self.ks_verify)
         trustor_client = ks_client.Client(session=trustor_sess)
         auth_ref = trustor_client.session.auth.get_auth_ref(trustor_sess)
         roles = [t['name'] for t in auth_ref['roles']]
@@ -1613,7 +1617,7 @@ class MultiTenantStore(BaseStore):
             project_domain_id=project_domain_id,
             project_domain_name=project_domain_name)
         trustee_sess = ks_session.Session(auth=password,
-                                          verify=not self.insecure)
+                                          verify=self.ks_verify)
         trustee_client = ks_client.Client(session=trustee_sess)
 
         # request glance user id - we will use it as trustee user
@@ -1640,7 +1644,7 @@ class MultiTenantStore(BaseStore):
         # now we can authenticate against KS
         # as trustee of user who provided token
         client_sess = ks_session.Session(auth=client_password,
-                                         verify=not self.insecure)
+                                         verify=self.ks_verify)
         return ks_client.Client(session=client_sess)
 
     def get_manager(self, store_location, context=None, allow_reauth=False):
diff --git a/glance_store/tests/unit/test_swift_store.py b/glance_store/tests/unit/test_swift_store.py
index 400fff67..8e11b43a 100644
--- a/glance_store/tests/unit/test_swift_store.py
+++ b/glance_store/tests/unit/test_swift_store.py
@@ -1260,6 +1260,12 @@ class SwiftTests(object):
         self._init_client(verify=True, swift_store_multi_tenant=True,
                           swift_store_config_file=None)
 
+    def test_init_client_multi_tenant_swift_cacert(self):
+        """Test that keystone client was initialized with swift cacert"""
+        self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
+                          swift_store_config_file=None,
+                          swift_store_cacert='/foo/bar')
+
     def test_init_client_multi_tenant_insecure(self):
         """
         Test that keystone client was initialized correctly with no
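Review bot: The new `test_init_client_multi_tenant_swift_cacert` pins only the happy path where `swift_store_cacert` is set on its own; nothing exercises the precedence the driver now encodes, where `swift_store_auth_insecure=True` combined with a cacert must still yield `verify=False`, and nothing covers the single-tenant store receiving the cacert. If `_init_client` forwards arbitrary store options the way this call suggests, a sibling case such as `self._init_client(verify=False, swift_store_multi_tenant=True, swift_store_config_file=None, swift_store_auth_insecure=True, swift_store_cacert='/foo/bar')` would lock that behaviour in so a later refactor cannot quietly start honouring the bundle while verification is meant to be off. The matching hunk in `test_swift_store_multibackend.py` has the same gap. The `SwiftTests` class continues outside the hunk.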
diff --git a/glance_store/tests/unit/test_swift_store_multibackend.py b/glance_store/tests/unit/test_swift_store_multibackend.py
index 9c6931fd..7d217eae 100644
--- a/glance_store/tests/unit/test_swift_store_multibackend.py
+++ b/glance_store/tests/unit/test_swift_store_multibackend.py
@@ -1255,6 +1255,13 @@ class SwiftTests(object):
         self._init_client(verify=True, swift_store_multi_tenant=True,
                           swift_store_config_file=None)
 
+    def test_init_client_multi_tenant_swift_cacert(self):
+        """Test that keystone client was initialized with swift cacert"""
+        with mock.patch.object(swift.MultiTenantStore, '_set_url_prefix'):
+            self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
+                              swift_store_config_file=None,
+                              swift_store_cacert='/foo/bar')
+
     def test_init_client_multi_tenant_insecure(self):
         """
         Test that keystone client was initialized correctly with no
diff --git a/releasenotes/notes/bug-1820817-0ee70781918d232e.yaml b/releasenotes/notes/bug-1820817-0ee70781918d232e.yaml
new file mode 100644
index 00000000..6b78ea19
--- /dev/null
+++ b/releasenotes/notes/bug-1820817-0ee70781918d232e.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Swift backend now can use custom CA bundle to verify SSL connection to
+    Keystone without adding this bundle to global system ones.
+    For this it re-uses the CA bundle specified as ``swift_store_cacert``
+    config option, so this bundle must verify both certificates of Swift and
+    Keysotne API endpoints.
+
+    For more details see
+    [`bug 1820817 `_].