[NetApp] Fix hard-coded CA cert path for SSL

NetApp driver is hard-coding the location of CA certificates for SSL
verification during HTTPS requests. This location may change depending
on the environment and/or backend.

This patch adds the `netapp_ssl_cert_path` configuration, enabling
each backend to choose the directory with certificates of trusted CA
or the CA bundle. If set to a directory, it must have been processed
using the c_rehash utility supplied with OpenSSL. If not informed,
it will use the Mozilla's carefully curated collection of Root
Certificates for validating the trustworthiness of SSL certificates.

Closes-Bug: #1900191
Change-Id: Idbed4745104de26af99bb16e07c6890637dfcfd1
(cherry picked from commit 70f7859f98)
(cherry picked from commit 57edaadac1)
Felipe Rodrigues 2020-10-06 13:39:58 +00:00 committed by Douglas Viroel
parent 9828e16968
commit ac667519fc
9 changed files with 48 additions and 6 deletions


@ -62,7 +62,6 @@ class NaServer(object):
TRANSPORT_TYPE_HTTP = 'http'
TRANSPORT_TYPE_HTTPS = 'https'
SSL_CERT_DEFAULT = "/etc/ssl/certs/"
SERVER_TYPE_FILER = 'filer'
SERVER_TYPE_DFM = 'dfm'
URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
@ -73,7 +72,7 @@ class NaServer(object):
def __init__(self, host, server_type=SERVER_TYPE_FILER,
transport_type=TRANSPORT_TYPE_HTTP,
style=STYLE_LOGIN_PASSWORD, username=None,
style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
password=None, port=None, trace=False,
api_trace_pattern=utils.API_TRACE_PATTERN):
self._host = host
@ -87,6 +86,12 @@ class NaServer(object):
self._trace = trace
self._api_trace_pattern = api_trace_pattern
self._refresh_conn = True
if ssl_cert_path is not None:
self._ssl_verify = ssl_cert_path
else:
# Note(felipe_rodrigues): it will verify with the mozila CA roots,
# given by certifi package.
self._ssl_verify = True
LOG.debug('Using NetApp controller: %s', self._host)
@ -350,7 +355,7 @@ class NaServer(object):
self._session = requests.Session()
self._session.auth = auth_handler
self._session.verify = NaServer.SSL_CERT_DEFAULT
self._session.verify = self._ssl_verify
self._session.headers = {
'Content-Type': 'text/xml', 'charset': 'utf-8'}
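Review bot: The `if ssl_cert_path is not None:` branch in the third hunk forwards any non-None value straight into `self._session.verify`, so an empty string (which a blank `netapp_ssl_cert_path =` entry in the backend stanza can yield) becomes `verify=''`, and requests treats a falsy `verify` as "do not check the server certificate", silently turning off TLS verification for that backend. Testing truthiness closes that hole while keeping the documented default: `if ssl_cert_path:` in place of the `is not None` test, with the else comment reading `# NOTE(felipe_rodrigues): verify against the Mozilla CA roots shipped by certifi.` A non-existent path, by contrast, makes requests raise when the session is used, which is the safe failure mode. `__init__` continues past the hunk; a debug log of which verify setting was chosen would make misconfiguration visible in the driver log.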


@ -29,6 +29,7 @@ class NetAppBaseClient(object):
self.connection = netapp_api.NaServer(
host=kwargs['hostname'],
transport_type=kwargs['transport_type'],
ssl_cert_path=kwargs['ssl_cert_path'],
port=kwargs['port'],
username=kwargs['username'],
password=kwargs['password'],
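Review bot: `kwargs['ssl_cert_path']` makes the new keyword mandatory for every NetAppBaseClient caller, although the option is optional and defaults to None, so a caller written before this change raises KeyError instead of falling back to the certifi roots. `ssl_cert_path=kwargs.get('ssl_cert_path'),` keeps the fallback that the NaServer constructor already provides. The enclosing `__init__` starts and ends outside the hunk.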


@ -70,6 +70,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
config = get_backend_configuration(backend_name)
client = client_cmode.NetAppCmodeClient(
transport_type=config.netapp_transport_type,
ssl_cert_path=config.netapp_ssl_cert_path,
username=config.netapp_login,
password=config.netapp_password,
hostname=config.netapp_server_hostname,


@ -175,6 +175,7 @@ class NetAppCmodeFileStorageLibrary(object):
if not client:
client = client_cmode.NetAppCmodeClient(
transport_type=self.configuration.netapp_transport_type,
ssl_cert_path=self.configuration.netapp_ssl_cert_path,
username=self.configuration.netapp_login,
password=self.configuration.netapp_password,
hostname=self.configuration.netapp_server_hostname,


@ -45,7 +45,15 @@ netapp_transport_opts = [
default='http',
help=('The transport protocol used when communicating with '
'the storage system or proxy server. Valid values are '
'http or https.')), ]
'http or https.')),
cfg.StrOpt('netapp_ssl_cert_path',
help=('The path to a CA_BUNDLE file or directory with '
'certificates of trusted CA. If set to a directory, it '
'must have been processed using the c_rehash utility '
'supplied with OpenSSL. If not informed, it will use the '
'Mozillas carefully curated collection of Root '
'Certificates for validating the trustworthiness of SSL '
'certificates.')), ]
netapp_basicauth_opts = [
cfg.StrOpt('netapp_login',
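Review bot: The help text for `netapp_ssl_cert_path` does not say what a wrong value does, and this is the option that decides which server certificates the driver trusts: a path that does not exist makes every HTTPS request to the backend fail, and the setting presumably has no effect when `netapp_transport_type` is `http`. It also reads `'Mozillas carefully curated collection'`, which should be `'Mozilla\'s'` as in the commit message and release note. Suggested extra sentence for the help string: `'This option is only used when netapp_transport_type is https; a path that does not exist causes HTTPS requests to fail. '`.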


@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
CONNECTION_INFO = {
'hostname': 'hostname',
'transport_type': 'https',
'ssl_cert_path': '/etc/ssl/certs/',
'port': 443,
'username': 'admin',
'password': 'passw0rd',
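Review bot: Adding `'ssl_cert_path'` to CONNECTION_INFO only feeds the configured-path branch; from the hunks shown, nothing asserts that NaServer stores the configured path in `_ssl_verify` or that omitting the option yields `True`, so a regression back to a hard-coded path, or to `verify=False`, would still pass the suite. A test that builds `NaServer(**CONNECTION_INFO)` and another with `ssl_cert_path` left out, checking `_ssl_verify` in each, would pin both branches. The rest of the test module is outside the hunk.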


@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
group=self.backend)
CONF.set_override("netapp_server_port", 8866,
group=self.backend)
CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
group=self.backend)
def test_get_client_for_backend(self):
self.mock_object(data_motion, "get_backend_configuration",
@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
self.mock_cmode_client.assert_called_once_with(
hostname='fake.hostname', password='fake_password',
username='fake_user', transport_type='https', port=8866,
trace=mock.ANY, vserver=None)
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
def test_get_client_for_backend_with_vserver(self):
self.mock_object(data_motion, "get_backend_configuration",
@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
self.mock_cmode_client.assert_called_once_with(
hostname='fake.hostname', password='fake_password',
username='fake_user', transport_type='https', port=8866,
trace=mock.ANY, vserver='fake_vserver')
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
vserver='fake_vserver')
def test_get_config_for_backend(self):
self.mock_object(data_motion, "CONF")


@ -92,6 +92,7 @@ CLIENT_KWARGS = {
'hostname': '127.0.0.1',
'vserver': None,
'transport_type': 'https',
'ssl_cert_path': '/etc/ssl/certs/',
'password': 'pass',
'port': '443',
'api_trace_pattern': '(.*)',
@ -1322,6 +1323,7 @@ def get_config_cmode():
config.netapp_password = CLIENT_KWARGS['password']
config.netapp_server_hostname = CLIENT_KWARGS['hostname']
config.netapp_transport_type = CLIENT_KWARGS['transport_type']
config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
config.netapp_server_port = CLIENT_KWARGS['port']
config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN


@ -0,0 +1,20 @@
---
upgrade:
- Added a new config option `netapp_ssl_cert_path` for NetApp driver.
This option enables the user to choose the directory with certificates of
trusted CA or the CA bundle. If set to a directory, it must have been
processed using the c_rehash utility supplied with OpenSSL. If not
informed, it will use the Mozilla's carefully curated collection of Root
Certificates for validating the trustworthiness of SSL certificates.
fixes:
- |
Fixed an issue on ONTAP NetApp driver that was forcing the location of
CA certificates for SSL verification during HTTPS requests. It adds the
`netapp_ssl_cert_path` configuration, enabling the user to choose the
directory with certificates of trusted CA or the CA bundle. If set to a
directory, it must have been processed using the c_rehash utility supplied
with OpenSSL. If not informed, it will use the Mozilla's carefully curated
collection of Root Certificates for validating the trustworthiness of SSL
certificates. Please refer to the
`Launchpad bug #1900191 <https://bugs.launchpad.net/manila/+bug/1900191>`_
for more details.