Merge "[NetApp] Fix hard-coded CA cert path for SSL"
commit
d7a647e164
@ -65,7 +65,6 @@ class NaServer(object):
|
|||||||
|
|
||||||
TRANSPORT_TYPE_HTTP = 'http'
|
TRANSPORT_TYPE_HTTP = 'http'
|
||||||
TRANSPORT_TYPE_HTTPS = 'https'
|
TRANSPORT_TYPE_HTTPS = 'https'
|
||||||
SSL_CERT_DEFAULT = "/etc/ssl/certs/"
|
|
||||||
SERVER_TYPE_FILER = 'filer'
|
SERVER_TYPE_FILER = 'filer'
|
||||||
SERVER_TYPE_DFM = 'dfm'
|
SERVER_TYPE_DFM = 'dfm'
|
||||||
URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
|
URL_FILER = 'servlets/netapp.servlets.admin.XMLrequest_filer'
|
||||||
@ -76,7 +75,7 @@ class NaServer(object):
|
|||||||
|
|
||||||
def __init__(self, host, server_type=SERVER_TYPE_FILER,
|
def __init__(self, host, server_type=SERVER_TYPE_FILER,
|
||||||
transport_type=TRANSPORT_TYPE_HTTP,
|
transport_type=TRANSPORT_TYPE_HTTP,
|
||||||
style=STYLE_LOGIN_PASSWORD, username=None,
|
style=STYLE_LOGIN_PASSWORD, ssl_cert_path=None, username=None,
|
||||||
password=None, port=None, trace=False,
|
password=None, port=None, trace=False,
|
||||||
api_trace_pattern=utils.API_TRACE_PATTERN):
|
api_trace_pattern=utils.API_TRACE_PATTERN):
|
||||||
self._host = host
|
self._host = host
|
||||||
@ -90,6 +89,12 @@ class NaServer(object):
|
|||||||
self._trace = trace
|
self._trace = trace
|
||||||
self._api_trace_pattern = api_trace_pattern
|
self._api_trace_pattern = api_trace_pattern
|
||||||
self._refresh_conn = True
|
self._refresh_conn = True
|
||||||
|
if ssl_cert_path is not None:
|
||||||
|
self._ssl_verify = ssl_cert_path
|
||||||
|
else:
|
||||||
|
# Note(felipe_rodrigues): it will verify with the mozila CA roots,
|
||||||
|
# given by certifi package.
|
||||||
|
self._ssl_verify = True
|
||||||
|
|
||||||
LOG.debug('Using NetApp controller: %s', self._host)
|
LOG.debug('Using NetApp controller: %s', self._host)
|
||||||
|
|
||||||
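Review bot: The `is not None` test on the new `if ssl_cert_path is not None:` line lets an empty string through to `self._ssl_verify`, and `requests` treats a falsy `verify` value as "do not check the server certificate", so an operator who leaves `netapp_ssl_cert_path =` blank in the config would get an unverified HTTPS session instead of the certifi default; `self._ssl_verify = ssl_cert_path or True` keeps only an explicit path replacing the default bundle. The value is consumed at `self._session.verify = self._ssl_verify` in the later hunk of this file, so that line needs no further change. The comment `# Note(felipe_rodrigues): it will verify with the mozila CA roots,` should read `Mozilla CA roots` and would be clearer as "verify against the CA bundle that requests ships via certifi, not the system store". Dropping the public class attribute `SSL_CERT_DEFAULT` in the first hunk is an interface change for anything that referenced `NaServer.SSL_CERT_DEFAULT`; if that is intended, the release note could say so. `__init__` starts in the preceding hunk, outside this one.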
@ -353,7 +358,7 @@ class NaServer(object):
|
|||||||
|
|
||||||
self._session = requests.Session()
|
self._session = requests.Session()
|
||||||
self._session.auth = auth_handler
|
self._session.auth = auth_handler
|
||||||
self._session.verify = NaServer.SSL_CERT_DEFAULT
|
self._session.verify = self._ssl_verify
|
||||||
self._session.headers = {
|
self._session.headers = {
|
||||||
'Content-Type': 'text/xml', 'charset': 'utf-8'}
|
'Content-Type': 'text/xml', 'charset': 'utf-8'}
|
||||||
|
|
||||||
|
@ -29,6 +29,7 @@ class NetAppBaseClient(object):
|
|||||||
self.connection = netapp_api.NaServer(
|
self.connection = netapp_api.NaServer(
|
||||||
host=kwargs['hostname'],
|
host=kwargs['hostname'],
|
||||||
transport_type=kwargs['transport_type'],
|
transport_type=kwargs['transport_type'],
|
||||||
|
ssl_cert_path=kwargs['ssl_cert_path'],
|
||||||
port=kwargs['port'],
|
port=kwargs['port'],
|
||||||
username=kwargs['username'],
|
username=kwargs['username'],
|
||||||
password=kwargs['password'],
|
password=kwargs['password'],
|
||||||
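Review bot: `ssl_cert_path=kwargs['ssl_cert_path'],` makes the new option a required keyword for every NetAppBaseClient constructor call, while NaServer itself defaults it to None, so any instantiation this commit does not update (the two callers in the following hunks are; others may exist outside the diff) now fails with KeyError. Since NaServer already handles the None case, `ssl_cert_path=kwargs.get('ssl_cert_path'),` keeps the option optional at this layer without changing the shape of the call. The enclosing method starts outside this hunk.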
|
@ -74,6 +74,7 @@ def get_client_for_backend(backend_name, vserver_name=None):
|
|||||||
config = get_backend_configuration(backend_name)
|
config = get_backend_configuration(backend_name)
|
||||||
client = client_cmode.NetAppCmodeClient(
|
client = client_cmode.NetAppCmodeClient(
|
||||||
transport_type=config.netapp_transport_type,
|
transport_type=config.netapp_transport_type,
|
||||||
|
ssl_cert_path=config.netapp_ssl_cert_path,
|
||||||
username=config.netapp_login,
|
username=config.netapp_login,
|
||||||
password=config.netapp_password,
|
password=config.netapp_password,
|
||||||
hostname=config.netapp_server_hostname,
|
hostname=config.netapp_server_hostname,
|
||||||
|
@ -196,6 +196,7 @@ class NetAppCmodeFileStorageLibrary(object):
|
|||||||
if not client:
|
if not client:
|
||||||
client = client_cmode.NetAppCmodeClient(
|
client = client_cmode.NetAppCmodeClient(
|
||||||
transport_type=self.configuration.netapp_transport_type,
|
transport_type=self.configuration.netapp_transport_type,
|
||||||
|
ssl_cert_path=self.configuration.netapp_ssl_cert_path,
|
||||||
username=self.configuration.netapp_login,
|
username=self.configuration.netapp_login,
|
||||||
password=self.configuration.netapp_password,
|
password=self.configuration.netapp_password,
|
||||||
hostname=self.configuration.netapp_server_hostname,
|
hostname=self.configuration.netapp_server_hostname,
|
||||||
|
@ -45,7 +45,15 @@ netapp_transport_opts = [
|
|||||||
default='http',
|
default='http',
|
||||||
help=('The transport protocol used when communicating with '
|
help=('The transport protocol used when communicating with '
|
||||||
'the storage system or proxy server. Valid values are '
|
'the storage system or proxy server. Valid values are '
|
||||||
'http or https.')), ]
|
'http or https.')),
|
||||||
|
cfg.StrOpt('netapp_ssl_cert_path',
|
||||||
|
help=('The path to a CA_BUNDLE file or directory with '
|
||||||
|
'certificates of trusted CA. If set to a directory, it '
|
||||||
|
'must have been processed using the c_rehash utility '
|
||||||
|
'supplied with OpenSSL. If not informed, it will use the '
|
||||||
|
'Mozilla’s carefully curated collection of Root '
|
||||||
|
'Certificates for validating the trustworthiness of SSL '
|
||||||
|
'certificates.')), ]
|
||||||
|
|
||||||
netapp_basicauth_opts = [
|
netapp_basicauth_opts = [
|
||||||
cfg.StrOpt('netapp_login',
|
cfg.StrOpt('netapp_login',
|
||||||
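Review bot: The help string for `netapp_ssl_cert_path` does not say that the option only takes effect when `netapp_transport_type` is `https`, which is the first thing an operator reading the option will want to know; I'd add `'Only used when netapp_transport_type is https. '` at the start of the tuple. `'Mozilla’s carefully curated collection of Root '` uses a non-ASCII apostrophe inside a source literal and, with the preceding `'the '`, reads awkwardly; `'the Mozilla-curated root CA bundle shipped with the certifi package'` says what the driver actually falls back to, per the comment in the NaServer hunk. The same wording is repeated in the release note hunk at the end of the commit.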
|
@ -23,6 +23,7 @@ from manila.share.drivers.netapp.dataontap.client import api
|
|||||||
CONNECTION_INFO = {
|
CONNECTION_INFO = {
|
||||||
'hostname': 'hostname',
|
'hostname': 'hostname',
|
||||||
'transport_type': 'https',
|
'transport_type': 'https',
|
||||||
|
'ssl_cert_path': '/etc/ssl/certs/',
|
||||||
'port': 443,
|
'port': 443,
|
||||||
'username': 'admin',
|
'username': 'admin',
|
||||||
'password': 'passw0rd',
|
'password': 'passw0rd',
|
||||||
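Review bot: No hunk in this commit exercises NaServer's new `_ssl_verify` logic itself; the fixture change `'ssl_cert_path': '/etc/ssl/certs/',` here and the updated assertions in the following test hunks only check that the value is threaded through to the client constructor. The default branch (`ssl_cert_path` omitted → `_ssl_verify` is True) and the `self._session.verify = self._ssl_verify` assignment in the connection hunk have no test in what is visible. A unit test that constructs `api.NaServer(...)` with and without `ssl_cert_path` and asserts on `_ssl_verify` (and on `_session.verify` once the session is built) would pin the fix; it may exist in a part of the change not shown here.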
|
@ -64,6 +64,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
|||||||
group=self.backend)
|
group=self.backend)
|
||||||
CONF.set_override("netapp_server_port", 8866,
|
CONF.set_override("netapp_server_port", 8866,
|
||||||
group=self.backend)
|
group=self.backend)
|
||||||
|
CONF.set_override("netapp_ssl_cert_path", "/etc/ssl/certs",
|
||||||
|
group=self.backend)
|
||||||
|
|
||||||
def test_get_client_for_backend(self):
|
def test_get_client_for_backend(self):
|
||||||
self.mock_object(data_motion, "get_backend_configuration",
|
self.mock_object(data_motion, "get_backend_configuration",
|
||||||
@ -74,7 +76,7 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
|||||||
self.mock_cmode_client.assert_called_once_with(
|
self.mock_cmode_client.assert_called_once_with(
|
||||||
hostname='fake.hostname', password='fake_password',
|
hostname='fake.hostname', password='fake_password',
|
||||||
username='fake_user', transport_type='https', port=8866,
|
username='fake_user', transport_type='https', port=8866,
|
||||||
trace=mock.ANY, vserver=None)
|
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY, vserver=None)
|
||||||
|
|
||||||
def test_get_client_for_backend_with_vserver(self):
|
def test_get_client_for_backend_with_vserver(self):
|
||||||
self.mock_object(data_motion, "get_backend_configuration",
|
self.mock_object(data_motion, "get_backend_configuration",
|
||||||
@ -88,7 +90,8 @@ class NetAppCDOTDataMotionTestCase(test.TestCase):
|
|||||||
self.mock_cmode_client.assert_called_once_with(
|
self.mock_cmode_client.assert_called_once_with(
|
||||||
hostname='fake.hostname', password='fake_password',
|
hostname='fake.hostname', password='fake_password',
|
||||||
username='fake_user', transport_type='https', port=8866,
|
username='fake_user', transport_type='https', port=8866,
|
||||||
trace=mock.ANY, vserver='fake_vserver')
|
ssl_cert_path='/etc/ssl/certs', trace=mock.ANY,
|
||||||
|
vserver='fake_vserver')
|
||||||
|
|
||||||
def test_get_config_for_backend(self):
|
def test_get_config_for_backend(self):
|
||||||
self.mock_object(data_motion, "CONF")
|
self.mock_object(data_motion, "CONF")
|
||||||
|
@ -99,6 +99,7 @@ CLIENT_KWARGS = {
|
|||||||
'hostname': '127.0.0.1',
|
'hostname': '127.0.0.1',
|
||||||
'vserver': None,
|
'vserver': None,
|
||||||
'transport_type': 'https',
|
'transport_type': 'https',
|
||||||
|
'ssl_cert_path': '/etc/ssl/certs/',
|
||||||
'password': 'pass',
|
'password': 'pass',
|
||||||
'port': '443',
|
'port': '443',
|
||||||
'api_trace_pattern': '(.*)',
|
'api_trace_pattern': '(.*)',
|
||||||
@ -1599,6 +1600,7 @@ def get_config_cmode():
|
|||||||
config.netapp_password = CLIENT_KWARGS['password']
|
config.netapp_password = CLIENT_KWARGS['password']
|
||||||
config.netapp_server_hostname = CLIENT_KWARGS['hostname']
|
config.netapp_server_hostname = CLIENT_KWARGS['hostname']
|
||||||
config.netapp_transport_type = CLIENT_KWARGS['transport_type']
|
config.netapp_transport_type = CLIENT_KWARGS['transport_type']
|
||||||
|
config.netapp_ssl_cert_path = CLIENT_KWARGS['ssl_cert_path']
|
||||||
config.netapp_server_port = CLIENT_KWARGS['port']
|
config.netapp_server_port = CLIENT_KWARGS['port']
|
||||||
config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
|
config.netapp_volume_name_template = VOLUME_NAME_TEMPLATE
|
||||||
config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN
|
config.netapp_aggregate_name_search_pattern = AGGREGATE_NAME_SEARCH_PATTERN
|
||||||
|
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- Added a new config option `netapp_ssl_cert_path` for NetApp driver.
|
||||||
|
This option enables the user to choose the directory with certificates of
|
||||||
|
trusted CA or the CA bundle. If set to a directory, it must have been
|
||||||
|
processed using the c_rehash utility supplied with OpenSSL. If not
|
||||||
|
informed, it will use the Mozilla's carefully curated collection of Root
|
||||||
|
Certificates for validating the trustworthiness of SSL certificates.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixed an issue on ONTAP NetApp driver that was forcing the location of
|
||||||
|
CA certificates for SSL verification during HTTPS requests. It adds the
|
||||||
|
`netapp_ssl_cert_path` configuration, enabling the user to choose the
|
||||||
|
directory with certificates of trusted CA or the CA bundle. If set to a
|
||||||
|
directory, it must have been processed using the c_rehash utility supplied
|
||||||
|
with OpenSSL. If not informed, it will use the Mozilla's carefully curated
|
||||||
|
collection of Root Certificates for validating the trustworthiness of SSL
|
||||||
|
certificates. Please refer to the
|
||||||
|
`Launchpad bug #1900191 <https://bugs.launchpad.net/manila/+bug/1900191>`_
|
||||||
|
for more details.
|