From b38f1cb1f737dede90f3df74f3515d63c357fa30 Mon Sep 17 00:00:00 2001
From: Gyorgy Szombathelyi
Date: Mon, 19 Dec 2016 13:58:10 +0100
Subject: [PATCH] Use the session loader in keystoneauth1 for designate
Using the session loader has the benefit of compatibility with settings in other sections (like keystone_authtoken), and the ability to use client certs and setting the timeout. This changes the designate.ca_cert setting to designate.cafile, but the former is added as a deprecated option, so existing config files will work.
DocImpact ca_cert in [designate] is deprecated, use cafile instead.
Change-Id: I9f2173b02af5c3929a96ef8c773d587e9b673d62
---
 .../conf/services/extdns_designate_driver.py | 14 +++++------
 .../externaldns/drivers/designate/driver.py | 8 ++----
 .../ml2/extensions/test_dns_integration.py | 25 +++++++++++++------
 3 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/neutron/conf/services/extdns_designate_driver.py b/neutron/conf/services/extdns_designate_driver.py
index 39c244f5120..fccf2598d3e 100644
--- a/neutron/conf/services/extdns_designate_driver.py
+++ b/neutron/conf/services/extdns_designate_driver.py
@@ -37,11 +37,6 @@ designate_opts = [
 cfg.StrOpt('admin_auth_url',
 help=_('Authorization URL for connecting to designate in admin '
 'context')),
- cfg.BoolOpt('insecure', default=False,
- help=_('Skip cert validation for SSL based admin_auth_url')),
- cfg.StrOpt('ca_cert',
- help=_('CA certificate file to use to verify '
- 'connecting clients')),
 cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
 help=_('Allow the creation of PTR records')),
 cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
@@ -61,6 +56,9 @@ designate_opts = [
 ]
-def register_designate_opts(cfg=cfg.CONF):
- cfg.register_opts(designate_opts, 'designate')
- loading.conf.register_conf_options(cfg, 'designate')
+def register_designate_opts(CONF=cfg.CONF):
+ CONF.register_opts(designate_opts, 'designate')
+ loading.register_auth_conf_options(CONF, 'designate')
+ loading.register_session_conf_options(conf=CONF,
+ group='designate',
+ deprecated_opts={'cafile': [cfg.DeprecatedOpt('ca_cert')]})
diff --git a/neutron/services/externaldns/drivers/designate/driver.py b/neutron/services/externaldns/drivers/designate/driver.py
index e453fd7020c..4eda5b4df41 100644
--- a/neutron/services/externaldns/drivers/designate/driver.py
+++ b/neutron/services/externaldns/drivers/designate/driver.py
@@ -19,7 +19,6 @@ from designateclient import exceptions as d_exc
 from designateclient.v2 import client as d_client
 from keystoneauth1.identity.generic import password
 from keystoneauth1 import loading
-from keystoneauth1 import session
 from keystoneauth1 import token_endpoint
 from neutron_lib import constants
 from oslo_config import cfg
@@ -43,11 +42,8 @@ def get_clients(context):
 global _SESSION
 if not _SESSION:
- if CONF.designate.insecure:
- verify = False
- else:
- verify = CONF.designate.ca_cert or True
- _SESSION = session.Session(verify=verify)
+ _SESSION = loading.load_session_from_conf_options(
+ CONF, 'designate')
 auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
 client = d_client.Client(session=_SESSION, auth=auth)
diff --git a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
index 17fc5de1f23..0c9f855dbd2 100644
--- a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
+++ b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
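Review bot: `register_designate_opts` has no docstring, and after this change the TLS settings for `[designate]` (`cafile`, and `insecure` as the tests' override implies) come from keystoneauth's session options rather than from `designate_opts`, which a reader cannot tell from the option list alone. I would add something like `"""Register driver, auth and session options under [designate]; ca_cert is kept as a deprecated alias of cafile."""` so that anyone looking for where certificate verification is configured finds it. Separately, renaming the parameter from `cfg` to `CONF` stops it shadowing the `cfg` module that `cfg.DeprecatedOpt` needs, but it also changes the keyword name; any caller passing `cfg=` (none is visible in this patch) would need updating.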
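Review bot: When `[designate] insecure` is set, the session created in `get_clients` disables certificate verification, and the `token_endpoint.Token(CONF.designate.url, context.auth_token)` line just below sends the caller's token over that session, yet nothing records the choice. A one-time warning where `_SESSION` is built would make it visible to operators, e.g. `if CONF.designate.insecure: LOG.warning('TLS certificate verification is disabled for designate')`, assuming the module has a logger (not visible in this hunk). `_SESSION` is also cached in a module global, so a changed `cafile` or `insecure` presumably only takes effect after a restart; a short comment above `if not _SESSION:` would say so. The body of `get_clients` continues outside the hunk.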
@@ -16,6 +16,7 @@
 import uuid
 from keystoneauth1 import loading
+from keystoneauth1 import session
 import mock
 import netaddr
 from neutron_lib import constants
@@ -566,7 +567,7 @@ class TestDesignateClientKeystoneV2(testtools.TestCase):
 # enforce session recalculation
 mock.patch.object(driver, '_SESSION', new=None).start()
 self.driver_session = (
- mock.patch.object(driver.session, 'Session').start())
+ mock.patch.object(session, 'Session').start())
 self.load_auth = (
 mock.patch.object(driver.loading,
 'load_auth_from_conf_options').start())
@@ -578,17 +579,21 @@ class TestDesignateClientKeystoneV2(testtools.TestCase):
 True,
 group='designate')
 driver.get_clients(self.TEST_CONTEXT)
- self.driver_session.assert_called_with(verify=False)
+ self.driver_session.assert_called_with(cert=None,
+ timeout=None,
+ verify=False)
 def test_secure_client(self):
 config.cfg.CONF.set_override('insecure',
 False,
 group='designate')
- config.cfg.CONF.set_override('ca_cert',
+ config.cfg.CONF.set_override('cafile',
 self.TEST_CA_CERT,
 group='designate')
 driver.get_clients(self.TEST_CONTEXT)
- self.driver_session.assert_called_with(verify=self.TEST_CA_CERT)
+ self.driver_session.assert_called_with(cert=None,
+ timeout=None,
+ verify=self.TEST_CA_CERT)
 def test_auth_type_not_defined(self):
 driver.get_clients(self.TEST_CONTEXT)
@@ -648,7 +653,7 @@ class TestDesignateClientKeystoneV3(testtools.TestCase):
 # enforce session recalculation
 mock.patch.object(driver, '_SESSION', new=None).start()
 self.driver_session = (
- mock.patch.object(driver.session, 'Session').start())
+ mock.patch.object(session, 'Session').start())
 self.load_auth = (
 mock.patch.object(driver.loading,
 'load_auth_from_conf_options').start())
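Review bot: `test_secure_client` in `TestDesignateClientKeystoneV2` now sets only `cafile`, so nothing exercises the deprecated `ca_cert` name that the commit message says will keep working; the same gap is in the `TestDesignateClientKeystoneV3` hunk at `@@ -666,17 +671,21 @@`. If that alias were mis-registered, an operator's pinned CA file would be ignored and verification would presumably fall back to the default trust store, which trusts more issuers than the operator intended. A test that loads a configuration containing `ca_cert` under `[designate]` and checks that `verify` receives that path would pin the behaviour. The exact-kwargs assertion `assert_called_with(cert=None, timeout=None, verify=...)` also ties these tests to how keystoneauth happens to call `Session`; checking only `self.driver_session.call_args[1]['verify']` would be less brittle.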
@@ -666,17 +671,21 @@ class TestDesignateClientKeystoneV3(testtools.TestCase):
 True,
 group='designate')
 driver.get_clients(self.TEST_CONTEXT)
- self.driver_session.assert_called_with(verify=False)
+ self.driver_session.assert_called_with(cert=None,
+ timeout=None,
+ verify=False)
 def test_secure_client(self):
 config.cfg.CONF.set_override('insecure',
 False,
 group='designate')
- config.cfg.CONF.set_override('ca_cert',
+ config.cfg.CONF.set_override('cafile',
 self.TEST_CA_CERT,
 group='designate')
 driver.get_clients(self.TEST_CONTEXT)
- self.driver_session.assert_called_with(verify=self.TEST_CA_CERT)
+ self.driver_session.assert_called_with(cert=None,
+ timeout=None,
+ verify=self.TEST_CA_CERT)
 def test_auth_type_password(self):
 driver.get_clients(self.TEST_CONTEXT)