From d28d311db1da8f0530a4bd08d0e19b8660298331 Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Fri, 15 Dec 2017 16:28:26 -0800
Subject: [PATCH] Add config for disabling creation of PING type HMs

PING is a trap. There is no real-world scenario where PING is the option that makes the most sense, but people are familiar with it, and it seems "simple", so they pick it. This needs to stop. Empower operators to disable this!

Change-Id: Ifa80b7a5973361c13f2e6611789aa9798325ece0
---
 etc/octavia.conf | 3 +++
 octavia/api/v2/controllers/health_monitor.py | 6 ++++++
 octavia/common/config.py | 2 ++
 .../functional/api/v2/test_health_monitor.py | 15 +++++++++++++++
 ...isable-ping-healthchecks-42fd8c3b88edaf35.yaml | 5 +++++
 5 files changed, 31 insertions(+)
 create mode 100644 releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml

diff --git a/etc/octavia.conf b/etc/octavia.conf
index cfa5676e68..994fec5ac7 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -40,6 +40,9 @@
 # Enable/disable ability for users to create TLS Terminated listeners
 # allow_tls_terminated_listeners = True
+# Enable/disable ability for users to create PING type Health Monitors
+# allow_ping_health_monitors = True
+
 [database]
 # This line MUST be changed to actually run the plugin.
 # Example:
diff --git a/octavia/api/v2/controllers/health_monitor.py b/octavia/api/v2/controllers/health_monitor.py
index 8ed3fb1eec..de21635d10 100644
--- a/octavia/api/v2/controllers/health_monitor.py
+++ b/octavia/api/v2/controllers/health_monitor.py
@@ -151,6 +151,12 @@ class HealthMonitorController(base.BaseController):
 """Creates a health monitor on a pool."""
 context = pecan.request.context.get('octavia_context')
 health_monitor = health_monitor_.healthmonitor
+
+ if (not CONF.api_settings.allow_ping_health_monitors and
+ health_monitor.type == constants.HEALTH_MONITOR_PING):
+ raise exceptions.DisabledOption(
+ option='type', value=constants.HEALTH_MONITOR_PING)
+
 pool = self._get_db_pool(context.session, health_monitor.pool_id)
 health_monitor.project_id = pool.project_id
diff --git a/octavia/common/config.py b/octavia/common/config.py
index e69735f54a..a579fddbe8 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -100,6 +100,8 @@ api_opts = [
 help=_("Expose the v2 API?")),
 cfg.BoolOpt('allow_tls_terminated_listeners', default=True,
 help=_("Allow users to create TLS Terminated listeners?")),
+ cfg.BoolOpt('allow_ping_health_monitors', default=True,
+ help=_("Allow users to create PING type Health Monitors?")),
 ]
 # Options only used by the amphora agent
diff --git a/octavia/tests/functional/api/v2/test_health_monitor.py b/octavia/tests/functional/api/v2/test_health_monitor.py
index 91b430d188..83353cfe61 100644
--- a/octavia/tests/functional/api/v2/test_health_monitor.py
+++ b/octavia/tests/functional/api/v2/test_health_monitor.py
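Review bot: The guard added at the top of the create handler enforces `allow_ping_health_monitors` only for create requests on the v2 API, so turning the option off is not a complete ban: PING monitors that already exist are left in place, and any other API version the deployment still exposes (the "Expose the v2 API?" option in config.py suggests there is one) would presumably keep accepting the type. If that scope is intended, state it next to the check, for example `# Blocks new PING monitors on v2 create only; existing monitors are not touched.`, and in the option's help text in config.py; otherwise the same check is needed on the other create path. The guard also runs before the pool lookup, and any project authorization that follows is outside this hunk, so it is worth confirming that an unauthorized caller should see the DisabledOption error first. The handler starts and ends outside the hunk.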
@@ -740,6 +740,21 @@ class TestHealthMonitor(base.BaseAPITest):
 lb_id=self.lb_id, listener_id=self.listener_id,
 pool_id=self.pool_id)
+ def test_create_ping_when_ping_disabled(self):
+ self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+ self.conf.config(group='api_settings',
+ allow_ping_health_monitors=False)
+ req_dict = {'pool_id': self.pool_id,
+ 'type': constants.HEALTH_MONITOR_PING,
+ 'delay': 1,
+ 'timeout': 1,
+ 'max_retries_down': 1,
+ 'max_retries': 1}
+ self.post(self.HMS_PATH, self._build_body(req_dict), status=400)
+ self.assert_correct_status(
+ lb_id=self.lb_id, listener_id=self.listener_id,
+ pool_id=self.pool_id)
+
 def test_create_with_bad_handler(self):
 self.handler_mock().health_monitor.create.side_effect = Exception()
 api_hm = self.create_health_monitor(
diff --git a/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml b/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml
new file mode 100644
index 0000000000..c51d273ca3
--- /dev/null
+++ b/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Cloud deployers can set `api_settings.allow_ping_health_monitors = False`
+ in `octavia.conf` to disable the ability to create PING health monitors.
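Review bot: test_create_ping_when_ping_disabled pins only the rejected case, so a guard that is too broad (for example one that rejects every monitor type once the option is off) would still pass this test. A companion test that sets `allow_ping_health_monitors=False`, posts a non-PING monitor and expects the create to succeed would pin the boundary of the check. It would also help to keep the return value of `self.post(..., status=400)` and assert on the error body, so the test fails if the 400 comes from some other validation rather than from the disabled option.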