From 9cd95366a035b29001ce75515d291cf72d07d0c3 Mon Sep 17 00:00:00 2001
From: imran malik
Date: Wed, 8 Jun 2016 02:45:32 -0700
Subject: [PATCH] Fix designate dns driver for SSL based endpoints
Allow setting options in designate section to specify if want to skip SSL cert check. This makes it possible to work with HTTPS based endpoints, the default behavior of keystoneclient is to always set verify=True however in current code, one cannot either provide a valid CA cert or skip the verification.
DocImpact: Introduce two additional options for `[designate]` section in neutron.conf CONF.designate.insecure to allow insecure connections over SSL. CONF.designate.ca_cert for a valid cert when connecting over SSL
Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
Closes-Bug: #1588067
---
 .../externaldns/drivers/designate/driver.py | 11 +++-
 .../ml2/extensions/test_dns_integration.py | 59 +++++++++++++++++++
 ...e-driver-ssl-options-169c299c96f2aff0.yaml | 16 +++++
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
diff --git a/neutron/services/externaldns/drivers/designate/driver.py b/neutron/services/externaldns/drivers/designate/driver.py
index 89d11cdd84f..0681482e360 100644
--- a/neutron/services/externaldns/drivers/designate/driver.py
+++ b/neutron/services/externaldns/drivers/designate/driver.py
@@ -55,6 +55,11 @@ designate_opts = [
 cfg.StrOpt('admin_auth_url',
 help=_('Authorization URL for connecting to designate in admin '
 'context')),
+ cfg.BoolOpt('insecure', default=False,
+ help=_('Skip cert validation for SSL based admin_auth_url')),
+ cfg.StrOpt('ca_cert',
+ help=_('CA certificate file to use to verify '
+ 'connecting clients')),
 cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
 help=_('Allow the creation of PTR records')),
 cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
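Review bot: The `ca_cert` help text states the wrong direction of trust: the value is handed to the keystoneauth session as `verify=` in get_clients (next hunk), so it is the CA bundle neutron uses to verify the designate server's certificate, not a file for verifying "connecting clients". The `insecure` help names only admin_auth_url, while the session it configures is the one passed to `d_client.Client` together with `CONF.designate.url`; whether the admin client, built outside these hunks, reuses the same session cannot be seen here. Suggest `help=_('CA certificate file to use to verify the server certificate of SSL based designate endpoints')` and `help=_('Skip server certificate validation for SSL based designate endpoints (takes precedence over ca_cert)')`. The designate_opts list continues outside the hunk.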
@@ -83,7 +88,11 @@ def get_clients(context):
 global _SESSION
 if not _SESSION:
- _SESSION = session.Session()
+ if CONF.designate.insecure:
+ verify = False
+ else:
+ verify = CONF.designate.ca_cert or True
+ _SESSION = session.Session(verify=verify)
 auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
 client = d_client.Client(session=_SESSION, auth=auth)
diff --git a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
index 364ebfe15e8..821ea9e8d39 100644
--- a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
+++ b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
@@ -13,9 +13,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import uuid
+
 import mock
 import netaddr
 from neutron_lib import constants
+import testtools
 from neutron import context
 from neutron.db import dns_db
@@ -24,6 +27,7 @@ from neutron.extensions import providernet as pnet
 from neutron import manager
 from neutron.plugins.ml2 import config
 from neutron.plugins.ml2.extensions import dns_integration
+from neutron.services.externaldns.drivers.designate import driver
 from neutron.tests.unit.plugins.ml2 import test_plugin
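Review bot: When `insecure` is true the configured `ca_cert` is silently ignored and certificate verification is switched off for the session that carries `context.auth_token` to `CONF.designate.url`, and nothing in the code or the logs records that this mode is active. Suggest emitting a warning at the point the session is created — `LOG.warning(...)` if the module already has a logger, which the hunk does not show — so an operator can detect an unverified deployment from the neutron log, and stating in the `insecure` option help that it takes precedence over `ca_cert`. Note also that `_SESSION` is built once and cached in a module global for the life of the process, so the verification mode is fixed by whatever configuration is in force at first use. `get_clients` continues below the hunk.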
@@ -497,3 +501,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
 config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
 net, port, dns_data_db = self._create_port_for_test()
 self._verify_port_dns(net, port, dns_data_db)
+
+
+class TestDesignateClient(testtools.TestCase):
+ """Test case for designate clients """
+
+ TEST_URL = 'http://127.0.0.1:9001/v2'
+ TEST_ADMIN_USERNAME = uuid.uuid4().hex
+ TEST_ADMIN_PASSWORD = uuid.uuid4().hex
+ TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
+ TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
+ TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
+ TEST_CA_CERT = uuid.uuid4().hex
+
+ TEST_CONTEXT = mock.Mock()
+ TEST_CONTEXT.auth_token = uuid.uuid4().hex
+
+ def setUp(self):
+ super(TestDesignateClient, self).setUp()
+ config.cfg.CONF.set_override('url',
+ self.TEST_URL,
+ group='designate')
+ config.cfg.CONF.set_override('admin_username',
+ self.TEST_ADMIN_USERNAME,
+ group='designate')
+ config.cfg.CONF.set_override('admin_password',
+ self.TEST_ADMIN_PASSWORD,
+ group='designate')
+ config.cfg.CONF.set_override('admin_auth_url',
+ self.TEST_ADMIN_AUTH_URL,
+ group='designate')
+ config.cfg.CONF.set_override('admin_tenant_id',
+ self.TEST_ADMIN_TENANT_ID,
+ group='designate')
+ config.cfg.CONF.set_override('admin_tenant_name',
+ self.TEST_ADMIN_TENANT_NAME,
+ group='designate')
+
+ driver.session.Session = mock.MagicMock()
+
+ def test_insecure_client(self):
+ config.cfg.CONF.set_override('insecure',
+ True,
+ group='designate')
+ driver.get_clients(self.TEST_CONTEXT)
+ driver.session.Session.assert_called_with(verify=False)
+
+ def test_secure_client(self):
+ config.cfg.CONF.set_override('insecure',
+ False,
+ group='designate')
+ config.cfg.CONF.set_override('ca_cert',
+ self.TEST_CA_CERT,
+ group='designate')
+ driver.get_clients(self.TEST_CONTEXT)
+ driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)
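Review bot: `driver.session.Session = mock.MagicMock()` in setUp replaces the module attribute for the rest of the test process without restoring it, and `driver._SESSION` is never reset, yet get_clients (previous hunk) only calls `session.Session(verify=...)` while that module-level cache is falsy; so whichever of test_insecure_client and test_secure_client runs second finds a truthy cached MagicMock, `session.Session` is not called at all, and its `assert_called_with` fails. The `config.cfg.CONF.set_override` calls are likewise not undone, and testtools.TestCase adds no config cleanup of its own, so the `insecure`/`ca_cert` overrides leak into later tests in the same process. The setUp rewrite below resets the cache, installs the patch through mock.patch.object with cleanups, and clears the overrides on teardown; a third test asserting `verify=True` with neither option set would also pin the default behaviour.
```python
    def setUp(self):
        super(TestDesignateClient, self).setUp()
        # … unchanged: config.cfg.CONF.set_override(...) calls for url/admin_* …
        self.addCleanup(config.cfg.CONF.reset)
        # get_clients() caches its session in driver._SESSION; reset it so
        # each test really exercises session.Session(verify=...).
        driver._SESSION = None
        self.addCleanup(setattr, driver, '_SESSION', None)
        mock.patch.object(driver.session, 'Session').start()
        self.addCleanup(mock.patch.stopall)
```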
diff --git a/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
new file mode 100644
index 00000000000..03d3da592dc
--- /dev/null
+++ b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
@@ -0,0 +1,16 @@
+---
+prelude: >
+ Add options to designate external dns driver
+ of neutron for SSL based connections. This makes
+ it possible to use neutron with designate in scenario
+ where endpoints are SSL based. Users can specify to
+ skip cert validation or specify path to a valid cert
+ in [designate] section of neutron.conf file.
+features:
+ - Two new options are added to `[designate]` section to
+ support SSL.
+ - First option `insecure` allows to skip SSL validation
+ when creating a keystone session to initate a designate client.
+ Default value is False, which means to always verify connection.
+ - Second option `ca_cert` allows setting path to a valid cert file.
+ Default is None.