Metadata: support proxying loadbalancers
Metadata service identified an instance by its IP address which is stored in X-Forwarded-For header, and the attached router instance which is stored in X-Metadata-Provider header. A generic load balancer will not be able to insert the X-Instance-ID which is identifying the metadata requesting instance. To identify the instance, we use the following algorithm: The load balancer adds an X-Forwared-For header to the HTTP header, with the IP address of the instance. That is not enough to identify the instance as we could have overlapping IPs. The load balancer inserts an additional header - X-Metadata-Provider, which identifies the load balancer. The load balancer is an IP device and therefore cannot have overlapping IPs connected to it. So X-Metadata-Provider with the X-Forwarded-For make a unique pair, which is enough to identify the requesting instance. X-Metadata-Provider-Signature is used to authenticate the load balancer, in a similar way to X-Instance-ID-Signature with X-Instance-ID is authenticated the metadata proxy requests. DocImpact Co-authored-by: Kobi Samoray <ksamoray@vmware.com> This completes the blueprint vmware-nsxv-support Change-Id: I3ab687913acd7301c76632de69c80116c2d99cf6
This commit is contained in:
parent
92bc9abd6a
commit
622a845b75
|
@ -26,10 +26,12 @@ import webob.dec
|
|||
import webob.exc
|
||||
|
||||
from nova.api.metadata import base
|
||||
from nova import context as nova_context
|
||||
from nova import exception
|
||||
from nova.i18n import _
|
||||
from nova.i18n import _LE
|
||||
from nova.i18n import _LW
|
||||
from nova.network.neutronv2 import api as neutronapi
|
||||
from nova.openstack.common import memorycache
|
||||
from nova import utils
|
||||
from nova import wsgi
|
||||
|
@ -118,7 +120,10 @@ class MetadataRequestHandler(wsgi.Application):
|
|||
return req.response
|
||||
|
||||
if CONF.neutron.service_metadata_proxy:
|
||||
meta_data = self._handle_instance_id_request(req)
|
||||
if req.headers.get('X-Metadata-Provider'):
|
||||
meta_data = self._handle_instance_id_request_from_lb(req)
|
||||
else:
|
||||
meta_data = self._handle_instance_id_request(req)
|
||||
else:
|
||||
if req.headers.get('X-Instance-ID'):
|
||||
LOG.warning(
|
||||
|
@ -192,26 +197,114 @@ class MetadataRequestHandler(wsgi.Application):
|
|||
if msg:
|
||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||
|
||||
self._validate_shared_secret(instance_id, signature,
|
||||
remote_address)
|
||||
|
||||
return self._get_meta_by_instance_id(instance_id, tenant_id,
|
||||
remote_address)
|
||||
|
||||
def _get_instance_id_from_lb(self, provider_id, instance_address):
|
||||
# We use admin context, admin=True to lookup the
|
||||
# inter-Edge network port
|
||||
context = nova_context.get_admin_context()
|
||||
neutron = neutronapi.get_client(context, admin=True)
|
||||
|
||||
# Tenant, instance ids are found in the following method:
|
||||
# X-Metadata-Provider contains id of the metadata provider, and since
|
||||
# overlapping networks cannot be connected to the same metadata
|
||||
# provider, the combo of tenant's instance IP and the metadata
|
||||
# provider has to be unique.
|
||||
#
|
||||
# The networks which are connected to the metadata provider are
|
||||
# retrieved in the 1st call to neutron.list_subnets()
|
||||
# In the 2nd call we read the ports which belong to any of the
|
||||
# networks retrieved above, and have the X-Forwarded-For IP address.
|
||||
# This combination has to be unique as explained above, and we can
|
||||
# read the instance_id, tenant_id from that port entry.
|
||||
|
||||
# Retrieve networks which are connected to metadata provider
|
||||
md_subnets = neutron.list_subnets(
|
||||
context,
|
||||
advanced_service_providers=[provider_id],
|
||||
fields=['network_id'])
|
||||
|
||||
md_networks = [subnet['network_id']
|
||||
for subnet in md_subnets['subnets']]
|
||||
|
||||
try:
|
||||
# Retrieve the instance data from the instance's port
|
||||
instance_data = neutron.list_ports(
|
||||
context,
|
||||
fixed_ips='ip_address=' + instance_address,
|
||||
network_id=md_networks,
|
||||
fields=['device_id', 'tenant_id'])['ports'][0]
|
||||
except Exception as e:
|
||||
LOG.error(_LE('Failed to get instance id for metadata '
|
||||
'request, provider %(provider)s '
|
||||
'networks %(networks)s '
|
||||
'requester %(requester)s. Error: %(error)s'),
|
||||
{'provider': provider_id,
|
||||
'networks': md_networks,
|
||||
'requester': instance_address,
|
||||
'error': e})
|
||||
msg = _('An unknown error has occurred. '
|
||||
'Please try your request again.')
|
||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||
|
||||
instance_id = instance_data['device_id']
|
||||
tenant_id = instance_data['tenant_id']
|
||||
|
||||
# instance_data is unicode-encoded, while memorycache doesn't like
|
||||
# that. Therefore we convert to str
|
||||
if isinstance(instance_id, unicode):
|
||||
instance_id = instance_id.encode('utf-8')
|
||||
return instance_id, tenant_id
|
||||
|
||||
def _handle_instance_id_request_from_lb(self, req):
|
||||
remote_address = req.headers.get('X-Forwarded-For')
|
||||
if remote_address is None:
|
||||
msg = _('X-Forwarded-For is missing from request.')
|
||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||
provider_id = req.headers.get('X-Metadata-Provider')
|
||||
if provider_id is None:
|
||||
msg = _('X-Metadata-Provider is missing from request.')
|
||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||
instance_address = remote_address.split(',')[0]
|
||||
|
||||
# If authentication token is set, authenticate
|
||||
if CONF.neutron.metadata_proxy_shared_secret:
|
||||
signature = req.headers.get('X-Metadata-Provider-Signature')
|
||||
self._validate_shared_secret(provider_id, signature,
|
||||
instance_address)
|
||||
|
||||
instance_id, tenant_id = self._get_instance_id_from_lb(
|
||||
provider_id, instance_address)
|
||||
|
||||
return self._get_meta_by_instance_id(instance_id, tenant_id,
|
||||
instance_address)
|
||||
|
||||
def _validate_shared_secret(self, requestor_id, signature,
|
||||
requestor_address):
|
||||
expected_signature = hmac.new(
|
||||
CONF.neutron.metadata_proxy_shared_secret,
|
||||
instance_id,
|
||||
hashlib.sha256).hexdigest()
|
||||
requestor_id, hashlib.sha256).hexdigest()
|
||||
|
||||
if not utils.constant_time_compare(expected_signature, signature):
|
||||
if instance_id:
|
||||
if requestor_id:
|
||||
LOG.warning(_LW('X-Instance-ID-Signature: %(signature)s does '
|
||||
'not match the expected value: '
|
||||
'%(expected_signature)s for id: '
|
||||
'%(instance_id)s. Request From: '
|
||||
'%(remote_address)s'),
|
||||
'%(requestor_id)s. Request From: '
|
||||
'%(requestor_address)s'),
|
||||
{'signature': signature,
|
||||
'expected_signature': expected_signature,
|
||||
'instance_id': instance_id,
|
||||
'remote_address': remote_address})
|
||||
'requestor_id': requestor_id,
|
||||
'requestor_address': requestor_address})
|
||||
|
||||
msg = _('Invalid proxy request signature.')
|
||||
raise webob.exc.HTTPForbidden(explanation=msg)
|
||||
|
||||
def _get_meta_by_instance_id(self, instance_id, tenant_id, remote_address):
|
||||
try:
|
||||
meta_data = self.get_metadata_by_instance_id(instance_id,
|
||||
remote_address)
|
||||
|
|
|
@ -44,6 +44,7 @@ from nova.db.sqlalchemy import api
|
|||
from nova import exception
|
||||
from nova.network import api as network_api
|
||||
from nova.network import model as network_model
|
||||
from nova.network.neutronv2 import api as neutronapi
|
||||
from nova import objects
|
||||
from nova import test
|
||||
from nova.tests.unit.api.openstack import fakes
|
||||
|
@ -763,22 +764,22 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
|
||||
self.assertEqual(1, mock_compare.call_count)
|
||||
|
||||
def test_user_data_with_neutron_instance_id(self):
|
||||
expected_instance_id = 'a-b-c-d'
|
||||
def _fake_x_get_metadata(self, instance_id, remote_address):
|
||||
if remote_address is None:
|
||||
raise Exception('Expected X-Forwared-For header')
|
||||
elif instance_id == self.expected_instance_id:
|
||||
return self.mdinst
|
||||
else:
|
||||
# raise the exception to aid with 500 response code test
|
||||
raise Exception("Expected instance_id of %s, got %s" %
|
||||
(self.expected_instance_id, instance_id))
|
||||
|
||||
def fake_get_metadata(instance_id, remote_address):
|
||||
if remote_address is None:
|
||||
raise Exception('Expected X-Forwared-For header')
|
||||
elif instance_id == expected_instance_id:
|
||||
return self.mdinst
|
||||
else:
|
||||
# raise the exception to aid with 500 response code test
|
||||
raise Exception("Expected instance_id of %s, got %s" %
|
||||
(expected_instance_id, instance_id))
|
||||
def test_user_data_with_neutron_instance_id(self):
|
||||
self.expected_instance_id = 'a-b-c-d'
|
||||
|
||||
signed = hmac.new(
|
||||
CONF.neutron.metadata_proxy_shared_secret,
|
||||
expected_instance_id,
|
||||
self.expected_instance_id,
|
||||
hashlib.sha256).hexdigest()
|
||||
|
||||
# try a request with service disabled
|
||||
|
@ -798,7 +799,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Instance-ID': 'a-b-c-d',
|
||||
'X-Tenant-ID': 'test',
|
||||
|
@ -815,7 +816,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Instance-ID': 'a-b-c-d',
|
||||
'X-Tenant-ID': 'test',
|
||||
|
@ -828,7 +829,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Instance-ID': 'a-b-c-d',
|
||||
'X-Instance-ID-Signature': signed})
|
||||
|
@ -840,7 +841,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Instance-ID': 'a-b-c-d',
|
||||
'X-Tenant-ID': 'FAKE',
|
||||
|
@ -853,7 +854,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Instance-ID': 'a-b-c-d',
|
||||
'X-Tenant-ID': 'test',
|
||||
'X-Instance-ID-Signature': signed})
|
||||
|
@ -870,7 +871,7 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=fake_get_metadata,
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Instance-ID': 'z-z-z-z',
|
||||
'X-Tenant-ID': 'test',
|
||||
|
@ -974,6 +975,137 @@ class MetadataHandlerTestCase(test.TestCase):
|
|||
self._metadata_handler_with_remote_address(hnd)
|
||||
self.assertEqual(2, get_by_uuid.call_count)
|
||||
|
||||
@mock.patch.object(neutronapi, 'get_client', return_value=mock.Mock())
|
||||
def test_metadata_lb_proxy(self, mock_get_client):
|
||||
|
||||
self.flags(service_metadata_proxy=True, group='neutron')
|
||||
|
||||
self.expected_instance_id = 'a-b-c-d'
|
||||
|
||||
# with X-Metadata-Provider
|
||||
proxy_lb_id = 'edge-x'
|
||||
|
||||
mock_client = mock_get_client()
|
||||
mock_client.list_ports.return_value = {
|
||||
'ports': [{'device_id': 'a-b-c-d', 'tenant_id': 'test'}]}
|
||||
mock_client.list_subnets.return_value = {
|
||||
'subnets': [{'network_id': 'f-f-f-f'}]}
|
||||
|
||||
response = fake_request(
|
||||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Metadata-Provider': proxy_lb_id})
|
||||
|
||||
self.assertEqual(200, response.status_int)
|
||||
|
||||
@mock.patch.object(neutronapi, 'get_client', return_value=mock.Mock())
|
||||
def test_metadata_lb_proxy_chain(self, mock_get_client):
|
||||
|
||||
self.flags(service_metadata_proxy=True, group='neutron')
|
||||
|
||||
self.expected_instance_id = 'a-b-c-d'
|
||||
|
||||
# with X-Metadata-Provider
|
||||
proxy_lb_id = 'edge-x'
|
||||
|
||||
def fake_list_ports(ctx, **kwargs):
|
||||
if kwargs.get('fixed_ips') == 'ip_address=192.192.192.2':
|
||||
return {
|
||||
'ports': [{
|
||||
'device_id': 'a-b-c-d',
|
||||
'tenant_id': 'test'}]}
|
||||
else:
|
||||
return {'ports':
|
||||
[]}
|
||||
|
||||
mock_client = mock_get_client()
|
||||
mock_client.list_ports.side_effect = fake_list_ports
|
||||
mock_client.list_subnets.return_value = {
|
||||
'subnets': [{'network_id': 'f-f-f-f'}]}
|
||||
|
||||
response = fake_request(
|
||||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="10.10.10.10",
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2, 10.10.10.10',
|
||||
'X-Metadata-Provider': proxy_lb_id})
|
||||
|
||||
self.assertEqual(200, response.status_int)
|
||||
|
||||
@mock.patch.object(neutronapi, 'get_client', return_value=mock.Mock())
|
||||
def test_metadata_lb_proxy_signed(self, mock_get_client):
|
||||
|
||||
shared_secret = "testing1234"
|
||||
self.flags(
|
||||
metadata_proxy_shared_secret=shared_secret,
|
||||
service_metadata_proxy=True, group='neutron')
|
||||
|
||||
self.expected_instance_id = 'a-b-c-d'
|
||||
|
||||
# with X-Metadata-Provider
|
||||
proxy_lb_id = 'edge-x'
|
||||
|
||||
signature = hmac.new(
|
||||
shared_secret,
|
||||
proxy_lb_id,
|
||||
hashlib.sha256).hexdigest()
|
||||
|
||||
mock_client = mock_get_client()
|
||||
mock_client.list_ports.return_value = {
|
||||
'ports': [{'device_id': 'a-b-c-d', 'tenant_id': 'test'}]}
|
||||
mock_client.list_subnets.return_value = {
|
||||
'subnets': [{'network_id': 'f-f-f-f'}]}
|
||||
|
||||
response = fake_request(
|
||||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Metadata-Provider': proxy_lb_id,
|
||||
'X-Metadata-Provider-Signature': signature})
|
||||
|
||||
self.assertEqual(200, response.status_int)
|
||||
|
||||
@mock.patch.object(neutronapi, 'get_client', return_value=mock.Mock())
|
||||
def test_metadata_lb_proxy_signed_fail(self, mock_get_client):
|
||||
|
||||
shared_secret = "testing1234"
|
||||
bad_secret = "testing3468"
|
||||
self.flags(
|
||||
metadata_proxy_shared_secret=shared_secret,
|
||||
service_metadata_proxy=True, group='neutron')
|
||||
|
||||
self.expected_instance_id = 'a-b-c-d'
|
||||
|
||||
# with X-Metadata-Provider
|
||||
proxy_lb_id = 'edge-x'
|
||||
|
||||
signature = hmac.new(
|
||||
bad_secret,
|
||||
proxy_lb_id,
|
||||
hashlib.sha256).hexdigest()
|
||||
|
||||
mock_client = mock_get_client()
|
||||
mock_client.list_ports.return_value = {
|
||||
'ports': [{'device_id': 'a-b-c-d', 'tenant_id': 'test'}]}
|
||||
mock_client.list_subnets.return_value = {
|
||||
'subnets': [{'network_id': 'f-f-f-f'}]}
|
||||
|
||||
response = fake_request(
|
||||
self.stubs, self.mdinst,
|
||||
relpath="/2009-04-04/user-data",
|
||||
address="192.192.192.2",
|
||||
fake_get_metadata_by_instance_id=self._fake_x_get_metadata,
|
||||
headers={'X-Forwarded-For': '192.192.192.2',
|
||||
'X-Metadata-Provider': proxy_lb_id,
|
||||
'X-Metadata-Provider-Signature': signature})
|
||||
self.assertEqual(403, response.status_int)
|
||||
|
||||
|
||||
class MetadataPasswordTestCase(test.TestCase):
|
||||
def setUp(self):
|
||||
|
|
Loading…
Reference in New Issue