Remove VxFlex OS credentials from connection_properties
VxFlex OS password is not stored in block_device_mapping table. Instead of this passwords are stored in separate file and are retrieved during each attach/detach operation. Closes-Bug: #1823200 Change-Id: I89bd58d79e5cd74cf283d026ada486b7f7122980
This commit is contained in:
parent
7168bdce5b
commit
b5891702cc
@ -30,6 +30,7 @@ from os_brick import utils
|
|||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
DEVICE_SCAN_ATTEMPTS_DEFAULT = 3
|
DEVICE_SCAN_ATTEMPTS_DEFAULT = 3
|
||||||
|
CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf'
|
||||||
synchronized = lockutils.synchronized_with_prefix('os-brick-')
|
synchronized = lockutils.synchronized_with_prefix('os-brick-')
|
||||||
|
|
||||||
|
|
||||||
@ -86,6 +87,18 @@ class ScaleIOConnector(base.BaseLinuxConnector):
|
|||||||
LOG.error(msg)
|
LOG.error(msg)
|
||||||
raise exception.BrickException(message=msg)
|
raise exception.BrickException(message=msg)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _get_connector_password(config_group):
|
||||||
|
LOG.info("Get ScaleIO connector password from configuration file")
|
||||||
|
try:
|
||||||
|
return priv_scaleio.get_connector_password(CONNECTOR_CONF_PATH,
|
||||||
|
config_group)
|
||||||
|
except Exception as e:
|
||||||
|
msg = _("Error getting ScaleIO connector password from "
|
||||||
|
"configuration file: %s") % e
|
||||||
|
LOG.error(msg)
|
||||||
|
raise exception.BrickException(message=msg)
|
||||||
|
|
||||||
def _rescan_vols(self):
|
def _rescan_vols(self):
|
||||||
LOG.info("ScaleIO rescan volumes")
|
LOG.info("ScaleIO rescan volumes")
|
||||||
|
|
||||||
@ -306,8 +319,9 @@ class ScaleIOConnector(base.BaseLinuxConnector):
|
|||||||
self.server_ip = connection_properties['serverIP']
|
self.server_ip = connection_properties['serverIP']
|
||||||
self.server_port = connection_properties['serverPort']
|
self.server_port = connection_properties['serverPort']
|
||||||
self.server_username = connection_properties['serverUsername']
|
self.server_username = connection_properties['serverUsername']
|
||||||
self.server_password = connection_properties['serverPassword']
|
self.server_password = self._get_connector_password(
|
||||||
self.server_token = connection_properties['serverToken']
|
connection_properties['config_group'],
|
||||||
|
)
|
||||||
self.iops_limit = connection_properties['iopsLimit']
|
self.iops_limit = connection_properties['iopsLimit']
|
||||||
self.bandwidth_limit = connection_properties['bandwidthLimit']
|
self.bandwidth_limit = connection_properties['bandwidthLimit']
|
||||||
device_info = {'type': 'block',
|
device_info = {'type': 'block',
|
||||||
|
@ -17,6 +17,9 @@ import os
|
|||||||
import struct
|
import struct
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
|
from six.moves import configparser
|
||||||
|
|
||||||
|
from os_brick import exception
|
||||||
from os_brick import privileged
|
from os_brick import privileged
|
||||||
|
|
||||||
SCINI_DEVICE_PATH = '/dev/scini'
|
SCINI_DEVICE_PATH = '/dev/scini'
|
||||||
@ -70,3 +73,27 @@ def rescan_vols(op_code):
|
|||||||
|
|
||||||
with open_scini_device() as fd:
|
with open_scini_device() as fd:
|
||||||
ioctl(fd, op_code, struct.pack('Q', 0))
|
ioctl(fd, op_code, struct.pack('Q', 0))
|
||||||
|
|
||||||
|
|
||||||
|
@privileged.default.entrypoint
|
||||||
|
def get_connector_password(filename, config_group):
|
||||||
|
"""Read ScaleIO connector configuration file and get appropriate password.
|
||||||
|
|
||||||
|
:param filename: path to connector configuration file
|
||||||
|
:type filename: str
|
||||||
|
:param config_group: name of section in configuration file
|
||||||
|
:type config_group: str
|
||||||
|
:return: connector password
|
||||||
|
:rtype: str
|
||||||
|
"""
|
||||||
|
|
||||||
|
if not os.path.isfile(filename):
|
||||||
|
msg = (
|
||||||
|
"ScaleIO connector configuration file "
|
||||||
|
"is not found in path %s." % filename
|
||||||
|
)
|
||||||
|
raise exception.BrickException(message=msg)
|
||||||
|
|
||||||
|
conf = configparser.ConfigParser()
|
||||||
|
conf.read(filename)
|
||||||
|
return conf[config_group]["san_password"]
|
||||||
|
@ -45,8 +45,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
|||||||
'scaleIO_volume_id': self.vol['provider_id'],
|
'scaleIO_volume_id': self.vol['provider_id'],
|
||||||
'serverPort': 443,
|
'serverPort': 443,
|
||||||
'serverUsername': 'test',
|
'serverUsername': 'test',
|
||||||
'serverPassword': 'fake',
|
'config_group': 'test',
|
||||||
'serverToken': 'fake_token',
|
|
||||||
'iopsLimit': None,
|
'iopsLimit': None,
|
||||||
'bandwidthLimit': None
|
'bandwidthLimit': None
|
||||||
}
|
}
|
||||||
@ -83,6 +82,9 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
|||||||
return_value=["emc-vol-{}".format(self.vol['id'])])
|
return_value=["emc-vol-{}".format(self.vol['id'])])
|
||||||
|
|
||||||
# Patch scaleio privileged calls
|
# Patch scaleio privileged calls
|
||||||
|
self.get_password_mock = self.mock_object(scaleio.priv_scaleio,
|
||||||
|
'get_connector_password',
|
||||||
|
return_value='fake_password')
|
||||||
self.get_guid_mock = self.mock_object(scaleio.priv_scaleio, 'get_guid',
|
self.get_guid_mock = self.mock_object(scaleio.priv_scaleio, 'get_guid',
|
||||||
return_value=self.fake_guid)
|
return_value=self.fake_guid)
|
||||||
self.rescan_vols_mock = self.mock_object(scaleio.priv_scaleio,
|
self.rescan_vols_mock = self.mock_object(scaleio.priv_scaleio,
|
||||||
@ -168,6 +170,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
|
|||||||
self.connector.connect_volume(self.fake_connection_properties)
|
self.connector.connect_volume(self.fake_connection_properties)
|
||||||
self.get_guid_mock.assert_called_once_with(
|
self.get_guid_mock.assert_called_once_with(
|
||||||
self.connector.GET_GUID_OP_CODE)
|
self.connector.GET_GUID_OP_CODE)
|
||||||
|
self.get_password_mock.assert_called_once()
|
||||||
|
|
||||||
def test_connect_volume_without_volume_id(self):
|
def test_connect_volume_without_volume_id(self):
|
||||||
"""Successful connect to volume without a Volume Id"""
|
"""Successful connect to volume without a Volume Id"""
|
||||||
|
29
releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml
Normal file
29
releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Dell EMC VxFlex OS driver: This release contains a fix for
|
||||||
|
`Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_.
|
||||||
|
See `OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_
|
||||||
|
for details.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The fix for `Bug #1823200
|
||||||
|
<https://bugs.launchpad.net/cinder/+bug/1823200>`_ requires that a
|
||||||
|
configuration file be deployed on compute nodes, cinder nodes, and
|
||||||
|
anywhere you would perform a volume attachment in your deployment,
|
||||||
|
when using Cinder with a Dell EMC VxFlex OS backend. See the
|
||||||
|
`Dell EMC VxFlex OS (ScaleIO) Storage driver
|
||||||
|
<https://docs.openstack.org/cinder/stein/configuration/block-storage/drivers/dell-emc-vxflex-driver.html>`_
|
||||||
|
documentation for details about this configuration file.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
`Bug #1823200 <https://bugs.launchpad.net/cinder/+bug/1823200>`_:
|
||||||
|
This release contains an updated connector for use with the Dell EMC
|
||||||
|
VxFlex OS backend. It requires that a configuration file be deployed
|
||||||
|
on compute nodes, cinder nodes, and anywhere you would perform a
|
||||||
|
volume attachment in your deployment. See the
|
||||||
|
`Dell EMC VxFlex OS (ScaleIO) Storage driver
|
||||||
|
<https://docs.openstack.org/cinder/stein/configuration/block-storage/drivers/dell-emc-vxflex-driver.html>`_
|
||||||
|
documentation for details about the configuration file, and see
|
||||||
|
`OSSN-0086 <https://wiki.openstack.org/wiki/OSSN/OSSN-0086>`_ for
|
||||||
|
more information about the security vulnerability.
|
Loading…
Reference in New Issue
Block a user