From e3b0a9ee756b6dc89bb1823d054e4bb52de0618b Mon Sep 17 00:00:00 2001 From: Alexander Deiter Date: Fri, 19 Aug 2022 17:07:56 +0300 Subject: [PATCH] [Infinidat] add support for TLS/SSL communication Infinidat driver doesn't support TLS/SSL communication and uses plain HTTP for storage management operations. This patch adds support for SSL/TLS communication for storage management operations. Use `infinidat_use_ssl` under backend section to enable or disable TLS/SSL communication between the Manila share service and the storage backend. And `infinidat_suppress_ssl_warnings` under backend section to suppress requests library SSL certificate warnings. Closes-Bug: #1986653 Signed-off-by: Alexander Deiter Change-Id: Ia6bbde9aa1702be83f737ab6876a522fa30381c7 (cherry picked from commit 52dac7619469240987171640f6674bef56261fda) (cherry picked from commit fc566dd97b8fad2f8f54e2f23dfbeab95f30f14c) (cherry picked from commit 328af8b24f3d603526ecb829077c4d1c7df355ff) --- manila/share/drivers/infinidat/infinibox.py | 37 +++++++++++++++---- .../share/drivers/infinidat/test_infinidat.py | 30 ++++++++++++++- ...idat-add-ssl-options-ee91f152bbd28080.yaml | 9 +++++ 3 files changed, 67 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/bug-1986653-infinidat-add-ssl-options-ee91f152bbd28080.yaml diff --git a/manila/share/drivers/infinidat/infinibox.py b/manila/share/drivers/infinidat/infinibox.py index 2014b26873..4e476f8224 100644 --- a/manila/share/drivers/infinidat/infinibox.py +++ b/manila/share/drivers/infinidat/infinibox.py @@ -1,4 +1,4 @@ -# Copyright 2017 Infinidat Ltd. +# Copyright 2022 Infinidat Ltd. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -22,6 +22,7 @@ import ipaddress from oslo_config import cfg from oslo_log import log as logging from oslo_utils import units +import requests import six from manila.common import constants 
@@ -33,9 +34,12 @@ from manila import version try: import capacity - import infinisdk except ImportError: capacity = None + +try: + import infinisdk +except ImportError: infinisdk = None @@ -44,7 +48,14 @@ LOG = logging.getLogger(__name__) infinidat_connection_opts = [ cfg.HostAddressOpt('infinibox_hostname', help='The name (or IP address) for the INFINIDAT ' - 'Infinibox storage system.'), ] + 'Infinibox storage system.'), + cfg.BoolOpt('infinidat_use_ssl', + help='Use SSL to connect to the INFINIDAT Infinibox storage ' + 'system.', + default=False), + cfg.BoolOpt('infinidat_suppress_ssl_warnings', + help='Suppress requests library SSL certificate warnings.', + default=False), ] infinidat_auth_opts = [ cfg.StrOpt('infinibox_login', @@ -104,8 +115,9 @@ class InfiniboxShareDriver(driver.ShareDriver): self.configuration.append_config_values(infinidat_auth_opts) self.configuration.append_config_values(infinidat_general_opts) - def _setup_and_get_system_object(self, management_address, auth): - system = infinisdk.InfiniBox(management_address, auth=auth) + def _setup_and_get_system_object(self, management_address, auth, use_ssl): + system = infinisdk.InfiniBox(management_address, auth=auth, + use_ssl=use_ssl) system.api.add_auto_retry( lambda e: isinstance( e, infinisdk.core.exceptions.APITransportFailure) and 
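Review bot: The help strings for the two new options in `infinidat_connection_opts` do not tell an operator what each setting costs. `infinidat_use_ssl` defaults to `False`, so an unchanged deployment keeps sending `infinibox_login`/`infinibox_password` and every management call over plain HTTP. `infinidat_suppress_ssl_warnings` only hides urllib3's `InsecureRequestWarning`, which is raised for HTTPS requests made without certificate verification, so it does not make the connection more trustworthy. Nothing visible in this patch lets the operator require verification or supply a CA bundle, so TLS here may encrypt without authenticating the array; that should be confirmed against infinisdk's behaviour. I would extend the text to something like `help='Use SSL/TLS for management traffic to the INFINIDAT Infinibox. When False, credentials are sent over plain HTTP.'` and `help='Hide urllib3 certificate warnings. This does not enable certificate verification.'`.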
@@ -116,11 +128,22 @@ class InfiniboxShareDriver(driver.ShareDriver): def do_setup(self, context): """Driver initialization""" + if capacity is None: + msg = _("Missing 'capacity' python module, ensure the library" + " is installed and available.") + raise exception.ManilaException(message=msg) if infinisdk is None: msg = _("Missing 'infinisdk' python module, ensure the library" " is installed and available.") raise exception.ManilaException(message=msg) + if self.configuration.safe_get('infinidat_suppress_ssl_warnings'): + LOG.warning('Suppressing requests library SSL Warnings') + rpu = requests.packages.urllib3 # pylint: disable=no-member + rpu.disable_warnings(rpu.exceptions.InsecureRequestWarning) + rpu.disable_warnings(rpu.exceptions.InsecurePlatformWarning) + + use_ssl = self.configuration.safe_get('infinidat_use_ssl') infinibox_login = self._safe_get_from_config_or_fail('infinibox_login') infinibox_password = ( self._safe_get_from_config_or_fail('infinibox_password')) @@ -136,8 +159,8 @@ class InfiniboxShareDriver(driver.ShareDriver): self._safe_get_from_config_or_fail( 'infinidat_nas_network_space_name')) - self._system = ( - self._setup_and_get_system_object(management_address, auth)) + self._system = self._setup_and_get_system_object(management_address, + auth, use_ssl) backend_name = self.configuration.safe_get('share_backend_name') self._backend_name = backend_name or self.__class__.__name__ diff --git a/manila/tests/share/drivers/infinidat/test_infinidat.py b/manila/tests/share/drivers/infinidat/test_infinidat.py index dd4e634e41..8d8f346cae 100644 --- a/manila/tests/share/drivers/infinidat/test_infinidat.py +++ b/manila/tests/share/drivers/infinidat/test_infinidat.py @@ -1,4 +1,4 @@ -# Copyright 2017 Infinidat Ltd. +# Copyright 2022 Infinidat Ltd. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may 
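Review bot: The two `rpu.disable_warnings(...)` calls added to `do_setup` change the warnings filter for the whole Python process, not just for this backend's connection, so any other HTTPS client in the same process also stops reporting unverified certificates. That deserves a comment above the block, for example `# NOTE: process-wide; hides urllib3 certificate warnings for every client in this process and does not turn verification on.` The existing `LOG.warning` text could also name the backend and say that certificate problems will no longer be reported, since that log line is the only trace left once the warnings are gone. The code reaches urllib3 through the `requests.packages.urllib3` alias, hence the pylint disable; importing `urllib3` directly would be plainer if it is acceptable as a direct dependency. `do_setup` continues outside this hunk.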
@@ -97,6 +97,8 @@ class InfiniboxDriverTestCaseBase(test.TestCase): self.configuration.infinidat_thin_provision = True self.configuration.infinibox_login = 'user' self.configuration.infinibox_password = 'pass' + self.configuration.infinidat_use_ssl = False + self.configuration.infinidat_suppress_ssl_warnings = False self.configuration.network_config_group = 'test_network_config_group' self.configuration.admin_network_config_group = ( @@ -203,6 +205,11 @@ class InfiniboxDriverTestCase(InfiniboxDriverTestCaseBase): self.assertRaises(exception.ManilaException, self.driver.do_setup, None) + @mock.patch("manila.share.drivers.infinidat.infinibox.capacity", None) + def test_no_capacity_module(self): + self.assertRaises(exception.ManilaException, + self.driver.do_setup, None) + def test_no_auth_parameters(self): self.configuration.infinibox_login = None self.configuration.infinibox_password = None 
@@ -223,13 +230,32 @@ class InfiniboxDriverTestCase(InfiniboxDriverTestCaseBase): self.configuration.infinibox_password) self.driver._setup_and_get_system_object( - self.configuration.infinibox_hostname, auth) + self.configuration.infinibox_hostname, auth, + self.configuration.infinidat_use_ssl) self._system.api.add_auto_retry.assert_called_once() self._system.api.set_source_identifier.assert_called_once_with( infinibox._INFINIDAT_MANILA_IDENTIFIER) self._system.login.assert_called_once() + @skip_driver_setup + @mock.patch('manila.share.drivers.infinidat.infinibox.' + 'infinisdk.InfiniBox') + @mock.patch('requests.packages.urllib3') + def test_do_setup_ssl_enabled(self, urllib3, infinibox): + auth = (self.configuration.infinibox_login, + self.configuration.infinibox_password) + self.configuration.infinidat_use_ssl = True + self.configuration.infinidat_suppress_ssl_warnings = True + self.driver.do_setup(None) + expected = [ + mock.call(urllib3.exceptions.InsecureRequestWarning), + mock.call(urllib3.exceptions.InsecurePlatformWarning)] + urllib3.disable_warnings.assert_has_calls(expected) + infinibox.assert_called_once_with( + self.configuration.infinibox_hostname, auth=auth, + use_ssl=self.configuration.infinidat_use_ssl) + def test_get_share_stats_refreshes(self): self.driver._update_share_stats() result = self.driver.get_share_stats() diff --git a/releasenotes/notes/bug-1986653-infinidat-add-ssl-options-ee91f152bbd28080.yaml b/releasenotes/notes/bug-1986653-infinidat-add-ssl-options-ee91f152bbd28080.yaml new file mode 100644 index 0000000000..c850c873fd --- /dev/null +++ b/releasenotes/notes/bug-1986653-infinidat-add-ssl-options-ee91f152bbd28080.yaml 
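Review bot: In `test_do_setup_ssl_enabled` the mock argument named `infinibox` shadows the `infinibox` module that the preceding test uses (`infinibox._INFINIDAT_MANILA_IDENTIFIER`); a name such as `mock_infinibox` avoids the clash. The test also covers only the case where both options are `True`. Nothing asserts that the warnings filter is left alone when `infinidat_suppress_ssl_warnings` is `False`, which is the configuration that keeps certificate problems visible. A companion test could set `infinidat_use_ssl = True` with suppression off and end with `urllib3.disable_warnings.assert_not_called()`.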
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ Infinidat Driver `bug #1986653
+ `_:
+ Fixed Infinidat driver to use TLS/SSL communication between the Manila
+ share service and the storage backend. Admin can set `True` or `False`
+ for the `infinidat_use_ssl` and `infinidat_suppress_ssl_warnings` options
+ in the driver section of manila.conf to enable or disable these features.