Remove VxFlex OS credentials from connection_properties
The VxFlex OS password is not stored in the block_device_mapping table. Instead, passwords are stored in a separate file and are retrieved during each attach/detach operation. Closes-Bug: #1823200 Change-Id: Ia1d2b2151e5676037d40bfaf388b54023fc37093
parent
36b207239b
commit
55fc998521
@ -30,6 +30,7 @@ from os_brick import utils
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
DEVICE_SCAN_ATTEMPTS_DEFAULT = 3
|
||||
CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf'
|
||||
synchronized = lockutils.synchronized_with_prefix('os-brick-')
|
||||
|
||||
|
||||
@ -86,6 +87,18 @@ class ScaleIOConnector(base.BaseLinuxConnector):
|
||||
LOG.error(msg)
|
||||
raise exception.BrickException(message=msg)
|
||||
|
||||
@staticmethod
|
||||
def _get_connector_password(config_group):
|
||||
LOG.info("Get ScaleIO connector password from configuration file")
|
||||
try:
|
||||
return priv_scaleio.get_connector_password(CONNECTOR_CONF_PATH,
|
||||
config_group)
|
||||
except Exception as e:
|
||||
msg = _("Error getting ScaleIO connector password from "
|
||||
"configuration file: %s") % e
|
||||
LOG.error(msg)
|
||||
raise exception.BrickException(message=msg)
|
||||
|
||||
def _rescan_vols(self):
|
||||
LOG.info("ScaleIO rescan volumes")
|
||||
|
||||
@ -306,8 +319,9 @@ class ScaleIOConnector(base.BaseLinuxConnector):
|
||||
self.server_ip = connection_properties['serverIP']
|
||||
self.server_port = connection_properties['serverPort']
|
||||
self.server_username = connection_properties['serverUsername']
|
||||
self.server_password = connection_properties['serverPassword']
|
||||
self.server_token = connection_properties['serverToken']
|
||||
self.server_password = self._get_connector_password(
|
||||
connection_properties['config_group'],
|
||||
)
|
||||
self.iops_limit = connection_properties['iopsLimit']
|
||||
self.bandwidth_limit = connection_properties['bandwidthLimit']
|
||||
device_info = {'type': 'block',
|
||||
|
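Review bot: `_get_connector_password` puts the caught exception's text into the message it logs and re-raises (`"configuration file: %s") % e`), and configparser parsing errors quote the offending source lines, so a malformed `san_password` line in connector.conf could end up in the log and in the BrickException text. Reporting only the exception class, e.g. `"configuration file: %s") % type(e).__name__`, keeps the diagnostic without echoing file content. Separately, in the last hunk `connection_properties['config_group']` is evaluated before the helper's `try` is entered, so connection properties that lack the key (presumably those stored for volumes attached before this change) would surface as a bare KeyError rather than a BrickException; an explicit check with a clear message would help there. The method enclosing that hunk starts and ends outside the visible lines.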
@ -17,6 +17,9 @@ import os
|
||||
import struct
|
||||
import uuid
|
||||
|
||||
from six.moves import configparser
|
||||
|
||||
from os_brick import exception
|
||||
from os_brick import privileged
|
||||
|
||||
SCINI_DEVICE_PATH = '/dev/scini'
|
||||
@ -70,3 +73,27 @@ def rescan_vols(op_code):
|
||||
|
||||
with open_scini_device() as fd:
|
||||
ioctl(fd, op_code, struct.pack('Q', 0))
|
||||
|
||||
|
||||
@privileged.default.entrypoint
|
||||
def get_connector_password(filename, config_group):
|
||||
"""Read ScaleIO connector configuration file and get appropriate password.
|
||||
|
||||
:param filename: path to connector configuration file
|
||||
:type filename: str
|
||||
:param config_group: name of section in configuration file
|
||||
:type config_group: str
|
||||
:return: connector password
|
||||
:rtype: str
|
||||
"""
|
||||
|
||||
if not os.path.isfile(filename):
|
||||
msg = (
|
||||
"ScaleIO connector configuration file "
|
||||
"is not found in path %s." % filename
|
||||
)
|
||||
raise exception.BrickException(message=msg)
|
||||
|
||||
conf = configparser.ConfigParser()
|
||||
conf.read(filename)
|
||||
return conf[config_group]["san_password"]
|
||||
|
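Review bot: `get_connector_password` is a privsep entrypoint but takes the file path from the unprivileged caller, so the privileged side will open and parse whatever path it is handed and return a `san_password` value from it. The only caller on this page passes the constant `CONNECTOR_CONF_PATH`; pinning that path inside the privileged module, or rejecting any other `filename`, would keep the privilege boundary narrow. Also, `conf[config_group]["san_password"]` relies on the mapping interface, which the Python 2 ConfigParser reached through `six.moves` does not provide; `conf.get(config_group, "san_password")` works on both. Nothing here checks the owner or mode of the password file, so a docstring line stating the expected permissions would be worth adding.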
@ -45,8 +45,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
||||
'scaleIO_volume_id': self.vol['provider_id'],
|
||||
'serverPort': 443,
|
||||
'serverUsername': 'test',
|
||||
'serverPassword': 'fake',
|
||||
'serverToken': 'fake_token',
|
||||
'config_group': 'test',
|
||||
'iopsLimit': None,
|
||||
'bandwidthLimit': None
|
||||
}
|
||||
@ -83,6 +82,9 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
||||
return_value=["emc-vol-{}".format(self.vol['id'])])
|
||||
|
||||
# Patch scaleio privileged calls
|
||||
self.get_password_mock = self.mock_object(scaleio.priv_scaleio,
|
||||
'get_connector_password',
|
||||
return_value='fake_password')
|
||||
self.get_guid_mock = self.mock_object(scaleio.priv_scaleio, 'get_guid',
|
||||
return_value=self.fake_guid)
|
||||
self.rescan_vols_mock = self.mock_object(scaleio.priv_scaleio,
|
||||
@ -168,6 +170,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
||||
self.connector.connect_volume(self.fake_connection_properties)
|
||||
self.get_guid_mock.assert_called_once_with(
|
||||
self.connector.GET_GUID_OP_CODE)
|
||||
self.get_password_mock.assert_called_once()
|
||||
|
||||
def test_connect_volume_without_volume_id(self):
|
||||
"""Successful connect to volume without a Volume Id"""
|
||||
|
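Review bot: `self.get_password_mock.assert_called_once()` checks only the call count, so the test would still pass if the connector read a different path or config group. `self.get_password_mock.assert_called_once_with(scaleio.CONNECTOR_CONF_PATH, 'test')` would pin both, assuming the constant lives in the connector module the test already imports as `scaleio`. The hunks shown add no case for the failure path (missing file or missing section), where the connector is expected to raise BrickException.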
29
releasenotes/notes/bug-1823200-train-10d7cec0746705df.yaml
Normal file
29
releasenotes/notes/bug-1823200-train-10d7cec0746705df.yaml
Normal file
@ -0,0 +1,29 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
Dell EMC VxFlex OS driver: This release contains a fix for
|
||||
`Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_.
|
||||
See `OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_
|
||||
for details.
|
||||
upgrade:
|
||||
- |
|
||||
The fix for `Bug #1823200
|
||||
<https://bugs.launchpad.net/cinder/+bug/1823200>`_ requires that a
|
||||
configuration file be deployed on compute nodes, cinder nodes, and
|
||||
anywhere you would perform a volume attachment in your deployment,
|
||||
when using Cinder with a Dell EMC VxFlex OS backend. See the
|
||||
`Dell EMC VxFlex OS (ScaleIO) Storage driver
|
||||
<https://docs.openstack.org/cinder/train/configuration/block-storage/drivers/dell-emc-vxflex-driver.html>`_
|
||||
documentation for details about this configuration file.
|
||||
fixes:
|
||||
- |
|
||||
`Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_:
|
||||
This release contains an updated connector for use with the Dell EMC
|
||||
VxFlex OS backend. It requires that a configuration file be deployed
|
||||
on compute nodes, cinder nodes, and anywhere you would perform a
|
||||
volume attachment in your deployment. See the
|
||||
`Dell EMC VxFlex OS (ScaleIO) Storage driver
|
||||
<https://docs.openstack.org/cinder/train/configuration/block-storage/drivers/dell-emc-vxflex-driver.html>`_
|
||||
documentation for details about the configuration file, and see
|
||||
`OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_ for
|
||||
more information about the security vulnerability.
|