[NetApp] Fix hard-coded CA cert path for SSL
The NetApp driver hard-codes the location of the CA certificates used for SSL verification during HTTPS requests. This location may differ depending on the environment and/or backend. This patch adds the `netapp_ssl_cert_path` configuration option, enabling each backend to choose the directory of trusted CA certificates or the CA bundle. If set to a directory, it must have been processed using the c_rehash utility supplied with OpenSSL. If not set, Mozilla's carefully curated collection of Root Certificates is used for validating the trustworthiness of SSL certificates. Closes-Bug: #1900191 Change-Id: Idbed4745104de26af99bb16e07c6890637dfcfd1
This commit is contained in:
parent
2d29368bd0
commit
70f7859f98
@ -65,7 +65,6 @@ class NaServer(object):
|
||||
|
||||
TRANSPORT_TYPE_HTTP = 'http'
|
||||
TRANSPORT_TYPE_HTTPS = 'https'
|
||||
SSL_CERT_DEFAULT = "/etc/ssl/certs/"
|
||||
SERVER_TYPE_FILER = 'filer'
|
||||
SERVER_TYPE_DFM = 'dfm'
|
||||
URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
|
||||
@ -76,7 +75,7 @@ class NaServer(object):
|
||||
|
||||
def __init__(self, host, server_type=SERVER_TYPE_FILER,
|
||||
transport_type=TRANSPORT_TYPE_HTTP,
|
||||
style=STYLE_LOGIN_PASSWORD, username=None,
|
||||
style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
|
||||
password=None, port=None, trace=False,
|
||||
api_trace_pattern=utils.API_TRACE_PATTERN):
|
||||
self._host = host
|
||||
@ -90,6 +89,12 @@ class NaServer(object):
|
||||
self._trace = trace
|
||||
self._api_trace_pattern = api_trace_pattern
|
||||
self._refresh_conn = True
|
||||
if ssl_cert_path is not None:
|
||||
self._ssl_verify = ssl_cert_path
|
||||
else:
|
||||
# Note(felipe_rodrigues): it will verify with the mozila CA roots,
|
||||
# given by certifi package.
|
||||
self._ssl_verify = True
|
||||
|
||||
LOG.debug('Using NetApp controller: %s', self._host)
|
||||
|
||||
@ -353,7 +358,7 @@ class NaServer(object):
|
||||
|
||||
self._session = requests.Session()
|
||||
self._session.auth = auth_handler
|
||||
self._session.verify = NaServer.SSL_CERT_DEFAULT
|
||||
self._session.verify = self._ssl_verify
|
||||
self._session.headers = {
|
||||
'Content-Type': 'text/xml', 'charset': 'utf-8'}
|
||||
|
||||
|
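Review bot: `ssl_cert_path` is stored in `__init__` (hunk at `@ -90,6 +89,12`) without any check, so a mistyped or missing path is only reported by requests when the first HTTPS call is made, not when the driver is configured; failing fast with something like `if ssl_cert_path is not None and not os.path.exists(ssl_cert_path): raise <config error>` (assuming `os` is, or can be, imported in this module) gives the operator an actionable message at start-up. The comment above `self._ssl_verify = True` also misspells Mozilla and omits what `True` actually means to requests; I would write it as `# NOTE: True makes requests validate against the certifi (Mozilla) root bundle; REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE override it when trust_env is on.` (the environment-variable behaviour is from requests' documentation, please confirm for the version pinned here). As far as these hunks show the value only ever reaches `requests.Session.verify`, which has no effect on plain-http transports, so the `__init__` docstring should say the parameter is only meaningful with `TRANSPORT_TYPE_HTTPS`. Both `__init__` and the session-building method continue outside their hunks.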
@ -29,6 +29,7 @@ class NetAppBaseClient(object):
|
||||
self.connection = netapp_api.NaServer(
|
||||
host=kwargs['hostname'],
|
||||
transport_type=kwargs['transport_type'],
|
||||
ssl_cert_path=kwargs['ssl_cert_path'],
|
||||
port=kwargs['port'],
|
||||
username=kwargs['username'],
|
||||
password=kwargs['password'],
|
||||
|
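Review bot: `kwargs['ssl_cert_path']` makes the new key mandatory for every constructor of `NetAppBaseClient`, so any caller not updated in this commit (the two shown in the following hunks are) will now fail with a `KeyError` before it ever reaches the array. `ssl_cert_path=kwargs.get('ssl_cert_path'),` keeps those callers working with the same default that `NaServer` already implements (`None`, i.e. verification against the certifi bundle), which is the safer of the two outcomes. The `__init__` body continues outside the hunk.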
@ -74,6 +74,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
|
||||
config = get_backend_configuration(backend_name)
|
||||
client = client_cmode.NetAppCmodeClient(
|
||||
transport_type=config.netapp_transport_type,
|
||||
ssl_cert_path=config.netapp_ssl_cert_path,
|
||||
username=config.netapp_login,
|
||||
password=config.netapp_password,
|
||||
hostname=config.netapp_server_hostname,
|
||||
|
@ -196,6 +196,7 @@ class NetAppCmodeFileStorageLibrary(object):
|
||||
if not client:
|
||||
client = client_cmode.NetAppCmodeClient(
|
||||
transport_type=self.configuration.netapp_transport_type,
|
||||
ssl_cert_path=self.configuration.netapp_ssl_cert_path,
|
||||
username=self.configuration.netapp_login,
|
||||
password=self.configuration.netapp_password,
|
||||
hostname=self.configuration.netapp_server_hostname,
|
||||
|
@ -45,7 +45,15 @@ netapp_transport_opts = [
|
||||
default='http',
|
||||
help=('The transport protocol used when communicating with '
|
||||
'the storage system or proxy server. Valid values are '
|
||||
'http or https.')), ]
|
||||
'http or https.')),
|
||||
cfg.StrOpt('netapp_ssl_cert_path',
|
||||
help=('The path to a CA_BUNDLE file or directory with '
|
||||
'certificates of trusted CA. If set to a directory, it '
|
||||
'must have been processed using the c_rehash utility '
|
||||
'supplied with OpenSSL. If not informed, it will use the '
|
||||
'Mozilla’s carefully curated collection of Root '
|
||||
'Certificates for validating the trustworthiness of SSL '
|
||||
'certificates.')), ]
|
||||
|
||||
netapp_basicauth_opts = [
|
||||
cfg.StrOpt('netapp_login',
|
||||
|
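Review bot: The help text of `netapp_ssl_cert_path` does not say when the option is consulted; from the other hunks the value only ends up in `requests.Session.verify`, which is irrelevant for plain http, so a sentence such as `'Only used when netapp_transport_type is https. '` would save a deployer wondering why the setting has no effect. "If not informed" is also unusual English for a config reference; "If not set" reads more naturally. Finally, `Mozilla’s` uses the non-ASCII U+2019 apostrophe while every other string in this option list uses ASCII quotes; a plain `'` avoids surprises in tooling that renders or greps the generated sample configuration.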
@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
|
||||
CONNECTION_INFO = {
|
||||
'hostname': 'hostname',
|
||||
'transport_type': 'https',
|
||||
'ssl_cert_path': '/etc/ssl/certs/',
|
||||
'port': 443,
|
||||
'username': 'admin',
|
||||
'password': 'passw0rd',
|
||||
|
@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
||||
group=self.backend)
|
||||
CONF.set_override("netapp_server_port", 8866,
|
||||
group=self.backend)
|
||||
CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
|
||||
group=self.backend)
|
||||
|
||||
def test_get_client_for_backend(self):
|
||||
self.mock_object(data_motion, "get_backend_configuration",
|
||||
@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
||||
self.mock_cmode_client.assert_called_once_with(
|
||||
hostname='fake.hostname', password='fake_password',
|
||||
username='fake_user', transport_type='https', port=8866,
|
||||
trace=mock.ANY, vserver=None)
|
||||
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
|
||||
|
||||
def test_get_client_for_backend_with_vserver(self):
|
||||
self.mock_object(data_motion, "get_backend_configuration",
|
||||
@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
||||
self.mock_cmode_client.assert_called_once_with(
|
||||
hostname='fake.hostname', password='fake_password',
|
||||
username='fake_user', transport_type='https', port=8866,
|
||||
trace=mock.ANY, vserver='fake_vserver')
|
||||
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
|
||||
vserver='fake_vserver')
|
||||
|
||||
def test_get_config_for_backend(self):
|
||||
self.mock_object(data_motion, "CONF")
|
||||
|
@ -99,6 +99,7 @@ CLIENT_KWARGS = {
|
||||
'hostname': '127.0.0.1',
|
||||
'vserver': None,
|
||||
'transport_type': 'https',
|
||||
'ssl_cert_path': '/etc/ssl/certs/',
|
||||
'password': 'pass',
|
||||
'port': '443',
|
||||
'api_trace_pattern': '(.*)',
|
||||
@ -1599,6 +1600,7 @@ def get_config_cmode():
|
||||
config.netapp_password = CLIENT_KWARGS['password']
|
||||
config.netapp_server_hostname = CLIENT_KWARGS['hostname']
|
||||
config.netapp_transport_type = CLIENT_KWARGS['transport_type']
|
||||
config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
|
||||
config.netapp_server_port = CLIENT_KWARGS['port']
|
||||
config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
|
||||
config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN
|
||||
|
@ -0,0 +1,20 @@
|
||||
---
|
||||
upgrade:
|
||||
- Added a new config option `netapp_ssl_cert_path` for NetApp driver.
|
||||
This option enables the user to choose the directory with certificates of
|
||||
trusted CA or the CA bundle. If set to a directory, it must have been
|
||||
processed using the c_rehash utility supplied with OpenSSL. If not
|
||||
informed, it will use the Mozilla's carefully curated collection of Root
|
||||
Certificates for validating the trustworthiness of SSL certificates.
|
||||
fixes:
|
||||
- |
|
||||
Fixed an issue on ONTAP NetApp driver that was forcing the location of
|
||||
CA certificates for SSL verification during HTTPS requests. It adds the
|
||||
`netapp_ssl_cert_path` configuration, enabling the user to choose the
|
||||
directory with certificates of trusted CA or the CA bundle. If set to a
|
||||
directory, it must have been processed using the c_rehash utility supplied
|
||||
with OpenSSL. If not informed, it will use the Mozilla's carefully curated
|
||||
collection of Root Certificates for validating the trustworthiness of SSL
|
||||
certificates. Please refer to the
|
||||
`Launchpad bug #1900191 <https://bugs.launchpad.net/manila/+bug/1900191>`_
|
||||
for more details.
|