Allow operators to disallow creation of TLS Termination listeners

Change-Id: I93fbc26c775d1a7f6c69a0ab0b5f47a573cb125d
Adam Harwell 2017-06-22 13:43:50 -07:00
parent c764abc355
commit 38a5563abc
6 changed files with 37 additions and 4 deletions


@ -37,6 +37,9 @@
# api_v1_enabled = True # api_v1_enabled = True
# api_v2_enabled = True # api_v2_enabled = True
# Enable/disable ability for users to create TLS Terminated listeners
# allow_tls_terminated_listeners = True
[database] [database]
# This line MUST be changed to actually run the plugin. # This line MUST be changed to actually run the plugin.
# Example: # Example:


@ -196,6 +196,11 @@ class ListenersController(base.BaseController):
self._auth_validate_action(context, listener.project_id, self._auth_validate_action(context, listener.project_id,
constants.RBAC_POST) constants.RBAC_POST)
if (not CONF.api_settings.allow_tls_terminated_listeners and
listener.protocol == constants.PROTOCOL_TERMINATED_HTTPS):
raise exceptions.DisabledOption(
value=constants.PROTOCOL_TERMINATED_HTTPS, option='protocol')
lock_session = db_api.get_session(autocommit=False) lock_session = db_api.get_session(autocommit=False)
if self.repositories.check_quota_met( if self.repositories.check_quota_met(
context.session, context.session,
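Review bot: The `allow_tls_terminated_listeners` gate is applied only inside this listener POST handler, so any other code path in the tree that persists a listener with `PROTOCOL_TERMINATED_HTTPS` (for instance a load balancer create that builds its listeners in the same request, if this tree has one) would presumably bypass it; worth confirming and, if so, moving the check to the shared validation point. The placement within this handler is right: it runs after `_auth_validate_action` and before `db_api.get_session(autocommit=False)`, so a rejected request never opens the lock session or touches quota. The enclosing method starts and ends outside the hunk.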


@ -95,6 +95,8 @@ api_opts = [
help=_("Expose the v1 API?")), help=_("Expose the v1 API?")),
cfg.BoolOpt('api_v2_enabled', default=True, cfg.BoolOpt('api_v2_enabled', default=True,
help=_("Expose the v2 API?")), help=_("Expose the v2 API?")),
cfg.BoolOpt('allow_tls_terminated_listeners', default=True,
help=_("Allow users to create TLS Terminated listeners?")),
] ]
# Options only used by the amphora agent # Options only used by the amphora agent
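Review bot: The help text for `allow_tls_terminated_listeners` does not say what happens when the option is False, which is the case an operator reading the sample config cares about; since the API rejects such requests with HTTP 400 (per the `DisabledOption` exception and the new functional test), something like `help=_("Allow users to create TLS Terminated listeners? When False, requests for TERMINATED_HTTPS listeners are rejected with HTTP 400.")` would make the effect explicit. Keeping `default=True` preserves existing behaviour for deployments that do not set it. The `api_opts` list continues outside the hunk.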


@ -80,6 +80,12 @@ class InvalidOption(APIException):
code = 400 code = 400
class DisabledOption(APIException):
msg = _("The selected %(option)s is not allowed in this deployment: "
"%(value)s")
code = 400
class L7RuleValidation(APIException): class L7RuleValidation(APIException):
msg = _("Error parsing L7Rule: %(error)s") msg = _("Error parsing L7Rule: %(error)s")
code = 400 code = 400
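Review bot: `DisabledOption` has no docstring distinguishing it from the neighbouring `InvalidOption`, and both return 400, so a reader cannot tell that this one signals a deployment policy rather than a malformed request; a one-liner such as `"""Raised when a request selects a value the operator has disabled via configuration."""` would record that. Whether 403 would be a better fit for an operator-disabled feature is a design choice; 400 is at least consistent with the sibling exceptions in this module.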


@ -1051,8 +1051,8 @@ class TestListener(base.BaseAPITest):
def test_create_with_tls_termination_data(self): def test_create_with_tls_termination_data(self):
cert_id = uuidutils.generate_uuid() cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_HTTP, 80, listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
self.lb_id, 80, self.lb_id,
default_tls_container_ref=cert_id) default_tls_container_ref=cert_id)
listener_path = self.LISTENER_PATH.format( listener_path = self.LISTENER_PATH.format(
listener_id=listener['listener']['id']) listener_id=listener['listener']['id'])
@ -1061,8 +1061,8 @@ class TestListener(base.BaseAPITest):
def test_update_with_tls_termination_data(self): def test_update_with_tls_termination_data(self):
cert_id = uuidutils.generate_uuid() cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_HTTP, 80, listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
self.lb_id) 80, self.lb_id)
self.set_lb_status(self.lb_id) self.set_lb_status(self.lb_id)
listener_path = self.LISTENER_PATH.format( listener_path = self.LISTENER_PATH.format(
listener_id=listener['listener']['id']) listener_id=listener['listener']['id'])
@ -1073,6 +1073,19 @@ class TestListener(base.BaseAPITest):
get_listener = self.get(listener_path).json['listener'] get_listener = self.get(listener_path).json['listener']
self.assertIsNone(get_listener.get('default_tls_container_ref')) self.assertIsNone(get_listener.get('default_tls_container_ref'))
def test_create_with_tls_termination_disabled(self):
self.conf.config(group='api_settings',
allow_tls_terminated_listeners=False)
cert_id = uuidutils.generate_uuid()
listener = self.create_listener(constants.PROTOCOL_TERMINATED_HTTPS,
80, self.lb_id,
default_tls_container_ref=cert_id,
status=400)
self.assertIn(
'The selected protocol is not allowed in this deployment: {0}'
.format(constants.PROTOCOL_TERMINATED_HTTPS),
listener.get('faultstring'))
def test_create_with_sni_data(self): def test_create_with_sni_data(self):
sni_id1 = uuidutils.generate_uuid() sni_id1 = uuidutils.generate_uuid()
sni_id2 = uuidutils.generate_uuid() sni_id2 = uuidutils.generate_uuid()
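Review bot: `test_create_with_tls_termination_disabled` asserts the 400 and the faultstring but not that nothing was persisted; since the controller's check is placed before the lock session is opened, a follow-up GET of the load balancer's listeners asserting an empty list would pin that ordering against future reshuffles. The config override relies on the fixture behind `self.conf` resetting `api_settings` between tests (presumably an oslo.config fixture, but not visible here), which is worth confirming so the False value does not leak into `test_create_with_sni_data`. The `TestListener` class continues outside the hunk.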


@ -0,0 +1,4 @@
---
features:
- |
Add a config variable to disable creation of TLS Terminated listeners.