
[NetApp] Fix hard-coded CA cert path for SSL

NetApp driver is hard-coding the location of CA certificates for SSL
verification during HTTPS requests. This location may change depending
on the environment or/and backend.

This patch adds the `netapp_ssl_cert_path` configuration option, enabling
each backend to choose the directory of trusted CA certificates or the
CA bundle file. If set to a directory, it must have been processed with
the c_rehash utility supplied with OpenSSL. If left unset, the driver
falls back to Mozilla's carefully curated collection of Root
Certificates for validating the trustworthiness of SSL certificates.

Closes-Bug: #1900191
Change-Id: Idbed4745104de26af99bb16e07c6890637dfcfd1
(cherry picked from commit 70f7859f98)
(cherry picked from commit 57edaadac1)
Felipe Rodrigues 10 months ago
committed by Douglas Viroel
parent
commit
ac667519fc
  1. 11
      manila/share/drivers/netapp/dataontap/client/api.py
  2. 1
      manila/share/drivers/netapp/dataontap/client/client_base.py
  3. 1
      manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py
  4. 1
      manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py
  5. 10
      manila/share/drivers/netapp/options.py
  6. 1
      manila/tests/share/drivers/netapp/dataontap/client/fakes.py
  7. 7
      manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py
  8. 2
      manila/tests/share/drivers/netapp/dataontap/fakes.py
  9. 20
      releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml

11
manila/share/drivers/netapp/dataontap/client/api.py

@ -62,7 +62,6 @@ class NaServer(object):
TRANSPORT_TYPE_HTTP = 'http'
TRANSPORT_TYPE_HTTPS = 'https'
SSL_CERT_DEFAULT = "/etc/ssl/certs/"
SERVER_TYPE_FILER = 'filer'
SERVER_TYPE_DFM = 'dfm'
URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
@ -73,7 +72,7 @@ class NaServer(object):
def __init__(self, host, server_type=SERVER_TYPE_FILER,
transport_type=TRANSPORT_TYPE_HTTP,
style=STYLE_LOGIN_PASSWORD, username=None,
style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
password=None, port=None, trace=False,
api_trace_pattern=utils.API_TRACE_PATTERN):
self._host = host
@ -87,6 +86,12 @@ class NaServer(object):
self._trace = trace
self._api_trace_pattern = api_trace_pattern
self._refresh_conn = True
if ssl_cert_path is not None:
self._ssl_verify = ssl_cert_path
else:
# Note(felipe_rodrigues): it will verify with the mozila CA roots,
# given by certifi package.
self._ssl_verify = True
LOG.debug('Using NetApp controller: %s', self._host)
@ -350,7 +355,7 @@ class NaServer(object):
self._session = requests.Session()
self._session.auth = auth_handler
self._session.verify = NaServer.SSL_CERT_DEFAULT
self._session.verify = self._ssl_verify
self._session.headers = {
'Content-Type': 'text/xml', 'charset': 'utf-8'}
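Review bot: The `is not None` guard in the new `ssl_cert_path` branch lets an empty string through as `self._ssl_verify = ''`, and requests treats a falsy `verify` on the session as "do not verify" (CERT_NONE), so a config line such as `netapp_ssl_cert_path =` with no value would silently disable TLS certificate checking instead of falling back to the certifi bundle. Testing truthiness keeps the fail-safe default: `if ssl_cert_path:` in place of `if ssl_cert_path is not None:`. A path that is set but does not exist is only caught by requests at the first request (it raises OSError), which fails closed but late; an existence check in `__init__` with an explicit error would surface the misconfiguration at driver start instead. The comment on the else branch should read `Mozilla`, not `mozila`; `__init__` continues outside the hunk.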

1
manila/share/drivers/netapp/dataontap/client/client_base.py

@ -29,6 +29,7 @@ class NetAppBaseClient(object):
self.connection = netapp_api.NaServer(
host=kwargs['hostname'],
transport_type=kwargs['transport_type'],
ssl_cert_path=kwargs['ssl_cert_path'],
port=kwargs['port'],
username=kwargs['username'],
password=kwargs['password'],
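Review bot: `kwargs['ssl_cert_path']` raises KeyError for any construction path that was not updated to pass the new key; only data_motion and lib_base are changed in this commit, so any other caller building the client (other in-tree users or out-of-tree code) would now fail at construction rather than keep working with verification against the default bundle. `ssl_cert_path=kwargs.get('ssl_cert_path')` preserves the fallback that NaServer applies when it receives None. The enclosing method (presumably `__init__`) starts outside the hunk.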

1
manila/share/drivers/netapp/dataontap/cluster_mode/data_motion.py

@ -70,6 +70,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
config = get_backend_configuration(backend_name)
client = client_cmode.NetAppCmodeClient(
transport_type=config.netapp_transport_type,
ssl_cert_path=config.netapp_ssl_cert_path,
username=config.netapp_login,
password=config.netapp_password,
hostname=config.netapp_server_hostname,

1
manila/share/drivers/netapp/dataontap/cluster_mode/lib_base.py

@ -175,6 +175,7 @@ class NetAppCmodeFileStorageLibrary(object):
if not client:
client = client_cmode.NetAppCmodeClient(
transport_type=self.configuration.netapp_transport_type,
ssl_cert_path=self.configuration.netapp_ssl_cert_path,
username=self.configuration.netapp_login,
password=self.configuration.netapp_password,
hostname=self.configuration.netapp_server_hostname,

10
manila/share/drivers/netapp/options.py

@ -45,7 +45,15 @@ netapp_transport_opts = [
default='http',
help=('The transport protocol used when communicating with '
'the storage system or proxy server. Valid values are '
'http or https.')), ]
'http or https.')),
cfg.StrOpt('netapp_ssl_cert_path',
help=('The path to a CA_BUNDLE file or directory with '
'certificates of trusted CA. If set to a directory, it '
'must have been processed using the c_rehash utility '
'supplied with OpenSSL. If not informed, it will use the '
'Mozilla’s carefully curated collection of Root '
'Certificates for validating the trustworthiness of SSL '
'certificates.')), ]
netapp_basicauth_opts = [
cfg.StrOpt('netapp_login',
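Review bot: The help text for `netapp_ssl_cert_path` does not say that the option only matters when `netapp_transport_type` is https, nor what an empty value or a non-existent path does, so an operator reading the sample config cannot tell that leaving the value blank may weaken verification as the driver code stands. I would extend the help with `'Only used when netapp_transport_type is https. Leave the option unset (rather than empty) to verify against the CA bundle shipped with the certifi package.'`. The curly apostrophe in `Mozilla’s` is a non-ASCII character inside the help string; prefer the ASCII `Mozilla's` so the generated sample config renders identically everywhere.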

1
manila/tests/share/drivers/netapp/dataontap/client/fakes.py

@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
CONNECTION_INFO = {
'hostname': 'hostname',
'transport_type': 'https',
'ssl_cert_path': '/etc/ssl/certs/',
'port': 443,
'username': 'admin',
'password': 'passw0rd',

7
manila/tests/share/drivers/netapp/dataontap/cluster_mode/test_data_motion.py

@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
group=self.backend)
CONF.set_override("netapp_server_port", 8866,
group=self.backend)
CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
group=self.backend)
def test_get_client_for_backend(self):
self.mock_object(data_motion, "get_backend_configuration",
@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
self.mock_cmode_client.assert_called_once_with(
hostname='fake.hostname', password='fake_password',
username='fake_user', transport_type='https', port=8866,
trace=mock.ANY, vserver=None)
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
def test_get_client_for_backend_with_vserver(self):
self.mock_object(data_motion, "get_backend_configuration",
@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
self.mock_cmode_client.assert_called_once_with(
hostname='fake.hostname', password='fake_password',
username='fake_user', transport_type='https', port=8866,
trace=mock.ANY, vserver='fake_vserver')
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
vserver='fake_vserver')
def test_get_config_for_backend(self):
self.mock_object(data_motion, "CONF")
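Review bot: The assertions added here only check that the configured path is threaded through to the client constructor; nothing in this change appears to exercise NaServer's new default branch (no `ssl_cert_path` → `_ssl_verify` is True) or the wiring of `self._session.verify`, and the diffstat lists no change to the api tests. Two small tests — constructing NaServer without `ssl_cert_path` and asserting `_ssl_verify is True`, and constructing it with a path and asserting the path is stored verbatim — would pin the fail-safe default this fix relies on. The test class continues outside the hunk.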

2
manila/tests/share/drivers/netapp/dataontap/fakes.py

@ -92,6 +92,7 @@ CLIENT_KWARGS = {
'hostname': '127.0.0.1',
'vserver': None,
'transport_type': 'https',
'ssl_cert_path': '/etc/ssl/certs/',
'password': 'pass',
'port': '443',
'api_trace_pattern': '(.*)',
@ -1322,6 +1323,7 @@ def get_config_cmode():
config.netapp_password = CLIENT_KWARGS['password']
config.netapp_server_hostname = CLIENT_KWARGS['hostname']
config.netapp_transport_type = CLIENT_KWARGS['transport_type']
config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
config.netapp_server_port = CLIENT_KWARGS['port']
config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN

20
releasenotes/notes/1900191-netapp-fix-ssl-cert-path-option-35354c9b7a9c37e6.yaml

@ -0,0 +1,20 @@
---
upgrade:
- Added a new config option `netapp_ssl_cert_path` for NetApp driver.
This option enables the user to choose the directory with certificates of
trusted CA or the CA bundle. If set to a directory, it must have been
processed using the c_rehash utility supplied with OpenSSL. If not
informed, it will use the Mozilla's carefully curated collection of Root
Certificates for validating the trustworthiness of SSL certificates.
fixes:
- |
Fixed an issue on ONTAP NetApp driver that was forcing the location of
CA certificates for SSL verification during HTTPS requests. It adds the
`netapp_ssl_cert_path` configuration, enabling the user to choose the
directory with certificates of trusted CA or the CA bundle. If set to a
directory, it must have been processed using the c_rehash utility supplied
with OpenSSL. If not informed, it will use the Mozilla's carefully curated
collection of Root Certificates for validating the trustworthiness of SSL
certificates. Please refer to the
`Launchpad bug #1900191 <https://bugs.launchpad.net/manila/+bug/1900191>`_
for more details.