openstack/nova
Code Issues Proposed changes

Remove V3 API version of coverage extension

Browse Source 
As discussed at the summit in the QA session, this removes
the coverage extension from the V3 API. The coverage extension
doesn't work properly and has security issues. An alternative technique,
though more limited in nature will soon be proposed.

Partially implements blueprint nova-v3-api

Change-Id: Ib4296288fefeb7e1e11bb6e44bd1cf355f29b9b9
This commit is contained in:
Christopher Yeoh 2013-11-11 09:40:19 +11:00 committed by Chris Yeoh
parent 6fbb0b1719
commit 97ed2a0f78
5 changed files with 0 additions and 526 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
etc/nova/policy.json
View File

@ -79,8 +79,6 @@
"compute_extension:v3:os-remote-consoles": "", "compute_extension:v3:os-remote-consoles": "",
"compute_extension:v3:os-remote-consoles:discoverable": "", "compute_extension:v3:os-remote-consoles:discoverable": "",
"compute_extension:coverage_ext": "rule:admin_api", "compute_extension:coverage_ext": "rule:admin_api",
"compute_extension:v3:os-coverage": "rule:admin_api",
"compute_extension:v3:os-coverage:discoverable": "",
"compute_extension:createserverext": "", "compute_extension:createserverext": "",
"compute_extension:deferred_delete": "", "compute_extension:deferred_delete": "",
"compute_extension:v3:os-deferred-delete": "", "compute_extension:v3:os-deferred-delete": "",

325
nova/api/openstack/compute/plugins/v3/coverage.py
View File

@ -1,325 +0,0 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2012 IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# See: http://wiki.openstack.org/Nova/CoverageExtension for more information
# and usage explanation for this API extension
import imp
import os
import re
import socket
import sys
import telnetlib
import tempfile
from oslo.config import cfg
from webob import exc
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import baserpc
from nova import db
from nova.openstack.common.gettextutils import _
from nova.openstack.common import log as logging
from nova.openstack.common.rpc import common as rpc_common
LOG = logging.getLogger(__name__)
ALIAS = "os-coverage"
authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
CONF = cfg.CONF
def _import_coverage():
"""This function ensures loading coverage module from python-coverage."""
try:
path = sys.path[:]
if os.getcwd() in path:
# To avoid importing this module itself, it need to remove current
# directory from search path.
path.remove(os.getcwd())
coverage_mod = imp.find_module('coverage', path)
return imp.load_module('coverage', *coverage_mod)
except ImportError as e:
LOG.warning(_("Can't load coverage module: %s"), e)
return None
coverage = _import_coverage()
class CoverageController(wsgi.Controller):
"""The Coverage report API controller for the OpenStack API."""
def __init__(self):
self.data_path = None
self.services = []
self.combine = False
self._cover_inst = None
self.host = CONF.host
super(CoverageController, self).__init__()
@property
def coverInst(self):
if not self._cover_inst:
if self.data_path is None:
self.data_path = tempfile.mkdtemp(prefix='nova-coverage_')
data_out = os.path.join(self.data_path, '.nova-coverage.api')
self._cover_inst = coverage.coverage(data_file=data_out)
return self._cover_inst
def _find_services(self, req):
"""Returns a list of services."""
context = req.environ['nova.context']
services = db.service_get_all(context)
hosts = []
for serv in services:
hosts.append({"service": serv["topic"], "host": serv["host"]})
return hosts
def _find_ports(self, req, hosts):
"""Return a list of backdoor ports for all services in the list."""
context = req.environ['nova.context']
ports = []
#TODO(mtreinish): Figure out how to bind the backdoor socket to 0.0.0.0
# Currently this will only work if the host is resolved as loopback on
# the same host as api-server
for host in hosts:
base = baserpc.BaseAPI(host['service'])
_host = host
try:
_host['port'] = base.get_backdoor_port(context, host['host'])
except rpc_common.UnsupportedRpcVersion:
_host['port'] = None
#NOTE(mtreinish): if the port is None then it wasn't set in
# the configuration file for this service. However, that
# doesn't necessarily mean that we don't have backdoor ports
# for all the services. So, skip the telnet connection for
# this service.
if _host['port']:
ports.append(_host)
else:
LOG.warning(_("Can't connect to service: %s, no port"
"specified\n"), host['service'])
return ports
def _start_coverage_telnet(self, tn, service):
data_file = os.path.join(self.data_path,
'.nova-coverage.%s' % str(service))
tn.write('from __future__ import print_function\n')
tn.write('import sys\n')
tn.write('from coverage import coverage\n')
tn.write("coverInst = coverage(data_file='%s') "
"if 'coverInst' not in locals() "
"else coverInst\n" % data_file)
tn.write('coverInst.skipModules = sys.modules.keys()\n')
tn.write("coverInst.start()\n")
tn.write("print('finished')\n")
tn.expect([re.compile('finished')])
def _check_coverage_module_loaded(self):
if not self.coverInst:
msg = _("Python coverage module is not installed.")
raise exc.HTTPServiceUnavailable(explanation=msg)
@extensions.expected_errors(503)
@wsgi.action('start')
@wsgi.response(204)
def _start_coverage(self, req, body):
'''Begin recording coverage information.'''
authorize(req.environ['nova.context'])
self._check_coverage_module_loaded()
LOG.debug(_("Coverage begin"))
body = body['start']
self.combine = False
if 'combine' in body.keys():
self.combine = bool(body['combine'])
self.coverInst.skipModules = sys.modules.keys()
self.coverInst.start()
hosts = self._find_services(req)
ports = self._find_ports(req, hosts)
self.services = []
for service in ports:
try:
service['telnet'] = telnetlib.Telnet(service['host'],
service['port'])
# NOTE(mtreinish): Fallback to try connecting to lo if
# ECONNREFUSED is raised. If using the hostname that is returned
# for the service from the service_get_all() DB query raises
# ECONNREFUSED it most likely means that the hostname in the DB
# doesn't resolve to 127.0.0.1. Currently backdoors only open on
# loopback so this is for covering the common single host use case
except socket.error as e:
exc_info = sys.exc_info()
if 'ECONNREFUSED' in e and service['host'] == self.host:
service['telnet'] = telnetlib.Telnet('127.0.0.1',
service['port'])
else:
raise exc_info[0], exc_info[1], exc_info[2]
self.services.append(service)
self._start_coverage_telnet(service['telnet'], service['service'])
def _stop_coverage_telnet(self, tn):
tn.write("coverInst.stop()\n")
tn.write("coverInst.save()\n")
tn.write("print('finished')\n")
tn.expect([re.compile('finished')])
def _check_coverage(self):
try:
self.coverInst.stop()
self.coverInst.save()
except AssertionError:
return True
return False
@extensions.expected_errors((409, 503))
@wsgi.action('stop')
def _stop_coverage(self, req, body):
authorize(req.environ['nova.context'])
self._check_coverage_module_loaded()
for service in self.services:
self._stop_coverage_telnet(service['telnet'])
if self._check_coverage():
msg = _("Coverage not running")
raise exc.HTTPConflict(explanation=msg)
return {'path': self.data_path}
def _report_coverage_telnet(self, tn, path, xml=False):
if xml:
execute = str("coverInst.xml_report(outfile='%s')\n" % path)
tn.write(execute)
tn.write("print('finished')\n")
tn.expect([re.compile('finished')])
else:
execute = str("output = open('%s', 'w')\n" % path)
tn.write(execute)
tn.write("coverInst.report(file=output)\n")
tn.write("output.close()\n")
tn.write("print('finished')\n")
tn.expect([re.compile('finished')])
tn.close()
@extensions.expected_errors((400, 409, 503))
@wsgi.action('report')
def _report_coverage(self, req, body):
authorize(req.environ['nova.context'])
self._check_coverage_module_loaded()
self._stop_coverage(req, {'stop': {}})
xml = False
html = False
path = None
body = body['report']
if 'file' in body.keys():
path = body['file']
if path != os.path.basename(path):
msg = _("Invalid path")
raise exc.HTTPBadRequest(explanation=msg)
path = os.path.join(self.data_path, path)
else:
msg = _("No path given for report file")
raise exc.HTTPBadRequest(explanation=msg)
if 'xml' in body.keys():
xml = body['xml']
elif 'html' in body.keys():
if not self.combine:
msg = _("You can't use html reports without combining")
raise exc.HTTPBadRequest(explanation=msg)
html = body['html']
if self.combine:
data_out = os.path.join(self.data_path, '.nova-coverage')
import coverage
coverInst = coverage.coverage(data_file=data_out)
coverInst.combine()
if xml:
coverInst.xml_report(outfile=path)
elif html:
if os.path.isdir(path):
msg = _("Directory conflict: %s already exists") % path
raise exc.HTTPBadRequest(explanation=msg)
coverInst.html_report(directory=path)
else:
output = open(path, 'w')
coverInst.report(file=output)
output.close()
for service in self.services:
service['telnet'].close()
else:
if xml:
apipath = path + '.api'
self.coverInst.xml_report(outfile=apipath)
for service in self.services:
self._report_coverage_telnet(service['telnet'],
path + '.%s'
% service['service'],
xml=True)
else:
output = open(path + '.api', 'w')
self.coverInst.report(file=output)
for service in self.services:
self._report_coverage_telnet(service['telnet'],
path + '.%s' % service['service'])
output.close()
return {'path': path}
def _reset_coverage_telnet(self, tn):
tn.write("coverInst.erase()\n")
tn.write("print('finished')\n")
tn.expect([re.compile('finished')])
@extensions.expected_errors(503)
@wsgi.action('reset')
@wsgi.response(204)
def _reset_coverage(self, req, body):
authorize(req.environ['nova.context'])
self._check_coverage_module_loaded()
# Reopen telnet connections if they are closed.
for service in self.services:
if not service['telnet'].get_socket():
service['telnet'].open(service['host'], service['port'])
# Stop coverage if it is started.
try:
self._stop_coverage(req, {'stop': {}})
except exc.HTTPConflict:
pass
for service in self.services:
self._reset_coverage_telnet(service['telnet'])
service['telnet'].close()
self.coverInst.erase()
class Coverage(extensions.V3APIExtensionBase):
"""Enable Nova Coverage."""
name = "Coverage"
alias = ALIAS
namespace = ("http://docs.openstack.org/compute/ext/"
"coverage/api/v3")
version = 1
def get_resources(self):
resources = []
res = extensions.ResourceExtension(ALIAS,
controller=CoverageController(),
collection_actions={"action": "POST"})
resources.append(res)
return resources
def get_controller_extensions(self):
return []

197
nova/tests/api/openstack/compute/plugins/v3/test_coverage.py
View File

@ -1,197 +0,0 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2012 IBM Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import telnetlib
import coverage
import webob
from nova.api.openstack.compute.plugins.v3 import coverage as coverage_ext
from nova import context
from nova.openstack.common import jsonutils
from nova import test
from nova.tests.api.openstack import fakes
def fake_telnet(self, data):
return
def fake_check_coverage(self):
return False
class FakeCoverage(object):
def __init__(self, data_file=None):
self.started = False
return super(FakeCoverage, self).__init__()
def save(self):
pass
def start(self):
self.started = True
def stop(self):
if not self.started:
raise AssertionError()
self.started = False
def report(self, file):
pass
def xml_report(self, outfile):
pass
def erase(self):
pass
class CoverageExtensionTest(test.TestCase):
def setUp(self):
super(CoverageExtensionTest, self).setUp()
self.stubs.Set(telnetlib.Telnet, 'write', fake_telnet)
self.stubs.Set(telnetlib.Telnet, 'expect', fake_telnet)
self.stubs.Set(coverage, 'coverage', FakeCoverage)
self.admin_context = context.RequestContext('fakeadmin_0',
'fake',
is_admin=True)
self.user_context = context.RequestContext('fakeadmin_0',
'fake',
is_admin=False)
def _make_request(self, url, body, admin=True):
req = webob.Request.blank('/v3/os-coverage/action')
req.method = "POST"
req.body = jsonutils.dumps(body)
context = self.admin_context
if not admin:
context = self.user_context
req.headers["content-type"] = "application/json"
return req.get_response(fakes.wsgi_app_v3(
fake_auth_context=context,
init_only=('servers', 'os-coverage')))
def test_not_admin(self):
body = {'start': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body, False)
self.assertEqual(res.status_int, 403)
def test_start_coverage_action(self):
body = {'start': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 204)
def test_stop_coverage_action(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
body = {'stop': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 200)
resp_dict = jsonutils.loads(res.body)
self.assertIn('path', resp_dict)
def test_report_coverage_action_file(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
self.test_start_coverage_action()
body = {
'report': {
'file': 'coverage-unit-test.report',
},
}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 200)
resp_dict = jsonutils.loads(res.body)
self.assertIn('path', resp_dict)
self.assertIn('coverage-unit-test.report', resp_dict['path'])
def test_report_coverage_action_xml_file(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
body = {
'report': {
'file': 'coverage-xml-unit-test.report',
'xml': 'True',
},
}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 200)
resp_dict = jsonutils.loads(res.body)
self.assertIn('path', resp_dict)
self.assertIn('coverage-xml-unit-test.report', resp_dict['path'])
def test_report_coverage_action_nofile(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
body = {'report': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 400)
def test_coverage_bad_body(self):
body = {}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 400)
def test_coverage_report_bad_path(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
body = {
'report': {
'file': '/tmp/coverage-xml-unit-test.report',
}
}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 400)
def test_stop_coverage_action_nostart(self):
body = {'stop': {}}
req = webob.Request.blank('/v3/os-coverage/action')
req.method = "POST"
req.body = jsonutils.dumps(body)
req.headers["content-type"] = "application/json"
res = req.get_response(fakes.wsgi_app_v3(
fake_auth_context=self.admin_context))
self.assertEqual(res.status_int, 409)
def test_report_coverage_action_nostart(self):
body = {'report': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 409)
def test_reset_coverage_action_while_coverage_running(self):
self.stubs.Set(coverage_ext.CoverageController,
'_check_coverage', fake_check_coverage)
body = {'reset': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 204)
def test_reset_coverage_action_while_coverage_stopped(self):
body = {'reset': {}}
url = '/v3/os-coverage/action'
res = self._make_request(url, body)
self.assertEqual(res.status_int, 204)

1
nova/tests/fake_policy.py
View File

@ -149,7 +149,6 @@ policy_data = """
"compute_extension:consoles": "", "compute_extension:consoles": "",
"compute_extension:v3:os-remote-consoles": "", "compute_extension:v3:os-remote-consoles": "",
"compute_extension:coverage_ext": "is_admin:True", "compute_extension:coverage_ext": "is_admin:True",
"compute_extension:v3:os-coverage": "is_admin:True",
"compute_extension:createserverext": "", "compute_extension:createserverext": "",
"compute_extension:deferred_delete": "", "compute_extension:deferred_delete": "",
"compute_extension:v3:os-deferred-delete": "", "compute_extension:v3:os-deferred-delete": "",

1
setup.cfg
View File

@ -69,7 +69,6 @@ nova.api.v3.extensions =
config_drive = nova.api.openstack.compute.plugins.v3.config_drive:ConfigDrive config_drive = nova.api.openstack.compute.plugins.v3.config_drive:ConfigDrive
console_output = nova.api.openstack.compute.plugins.v3.console_output:ConsoleOutput console_output = nova.api.openstack.compute.plugins.v3.console_output:ConsoleOutput
consoles = nova.api.openstack.compute.plugins.v3.consoles:Consoles consoles = nova.api.openstack.compute.plugins.v3.consoles:Consoles
coverage = nova.api.openstack.compute.plugins.v3.coverage:Coverage
deferred_delete = nova.api.openstack.compute.plugins.v3.deferred_delete:DeferredDelete deferred_delete = nova.api.openstack.compute.plugins.v3.deferred_delete:DeferredDelete
disk_config = nova.api.openstack.compute.plugins.v3.disk_config:DiskConfig disk_config = nova.api.openstack.compute.plugins.v3.disk_config:DiskConfig
evacuate = nova.api.openstack.compute.plugins.v3.evacuate:Evacuate evacuate = nova.api.openstack.compute.plugins.v3.evacuate:Evacuate