618637a5bd
Custom SSL handling was introduced because disabling SSL layer compression provided an approximately five fold performance increase in some cases. Without SSL layer compression disabled the image transfer would be CPU bound -- with the CPU performing the DEFLATE algorithm. This would typically limit image transfers to < 20 MB/s. When --no-ssl-compression was specified the client would not negotiate any compression algorithm during the SSL handshake with the server which would remove the CPU bottleneck and transfers could approach wire speed. In order to support '--no-ssl-compression' two totally separate code paths exist depending on whether this is True or False. When SSL compression is disabled, rather than using the standard 'requests' library, we enter some custom code based on pyopenssl and httplib in order to disable compression. This patch/spec proposes removing the custom code because: * It is a burden to maintain Eg adding new code such as keystone session support is more complicated * It can introduce additional failure modes We have seen some bugs related to the 'custom' certificate checking * Newer Operating Systems disable SSL for us. Eg. While Debian 7 defaulted to compression 'on', Debian 8 has compression 'off'. This makes both servers and client less likely to have compression enabled. * Newer combinations of 'requests' and 'python' do this for us Requests disables compression when backed by a version of python which supports it (>= 2.7.9). This makes clients more likely to disable compression out-of-the-box. * It is (in principle) possible to do this on older versions too If pyopenssl, ndg-httpsclient and pyasn1 are installed on older operating system/python combinations, the requests library should disable SSL compression on the client side. * Systems that have SSL compression enabled may be vulnerable to the CRIME (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929) attack. Installations which are security conscious should be running the Glance server with SSL disabled. Full Spec: https://review.openstack.org/#/c/187674 Blueprint: remove-custom-client-ssl-handling Change-Id: I7e7761fc91b0d6da03939374eeedd809534f6edf
116 lines
4.8 KiB
Python
116 lines
4.8 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import re
|
|
|
|
from tempest_lib import exceptions
|
|
|
|
from glanceclient.tests.functional import base
|
|
|
|
|
|
class SimpleReadOnlyGlanceClientTest(base.ClientTestBase):
|
|
|
|
"""Read only functional python-glanceclient tests.
|
|
|
|
This only exercises client commands that are read only.
|
|
"""
|
|
|
|
def test_list_v1(self):
|
|
out = self.glance('--os-image-api-version 1 image-list')
|
|
endpoints = self.parser.listing(out)
|
|
self.assertTableStruct(endpoints, [
|
|
'ID', 'Name', 'Disk Format', 'Container Format',
|
|
'Size', 'Status'])
|
|
|
|
def test_list_v2(self):
|
|
out = self.glance('--os-image-api-version 2 image-list')
|
|
endpoints = self.parser.listing(out)
|
|
self.assertTableStruct(endpoints, ['ID', 'Name'])
|
|
|
|
def test_fake_action(self):
|
|
self.assertRaises(exceptions.CommandFailed,
|
|
self.glance,
|
|
'this-does-not-exist')
|
|
|
|
def test_member_list_v1(self):
|
|
tenant_name = '--tenant-id %s' % self.tenant_name
|
|
out = self.glance('--os-image-api-version 1 member-list',
|
|
params=tenant_name)
|
|
endpoints = self.parser.listing(out)
|
|
self.assertTableStruct(endpoints,
|
|
['Image ID', 'Member ID', 'Can Share'])
|
|
|
|
def test_member_list_v2(self):
|
|
try:
|
|
# NOTE(flwang): If set disk-format and container-format, Jenkins
|
|
# will raise an error said can't recognize the params, thouhg it
|
|
# works fine at local. Without the two params, Glance will
|
|
# complain. So we just catch the exception can skip it.
|
|
self.glance('--os-image-api-version 2 image-create --name temp')
|
|
except Exception:
|
|
pass
|
|
out = self.glance('--os-image-api-version 2 image-list'
|
|
' --visibility private')
|
|
image_list = self.parser.listing(out)
|
|
# NOTE(flwang): Because the member-list command of v2 is using
|
|
# image-id as required parameter, so we have to get a valid image id
|
|
# based on current environment. If there is no valid image id, we will
|
|
# pass in a fake one and expect a 404 error.
|
|
if len(image_list) > 0:
|
|
param_image_id = '--image-id %s' % image_list[0]['ID']
|
|
out = self.glance('--os-image-api-version 2 member-list',
|
|
params=param_image_id)
|
|
endpoints = self.parser.listing(out)
|
|
self.assertTableStruct(endpoints,
|
|
['Image ID', 'Member ID', 'Status'])
|
|
else:
|
|
param_image_id = '--image-id fake_image_id'
|
|
self.assertRaises(exceptions.CommandFailed,
|
|
self.glance,
|
|
'--os-image-api-version 2 member-list',
|
|
params=param_image_id)
|
|
|
|
def test_help(self):
|
|
help_text = self.glance('help')
|
|
lines = help_text.split('\n')
|
|
self.assertFirstLineStartsWith(lines, 'usage: glance')
|
|
|
|
commands = []
|
|
cmds_start = lines.index('Positional arguments:')
|
|
cmds_end = lines.index('Optional arguments:')
|
|
command_pattern = re.compile('^ {4}([a-z0-9\-\_]+)')
|
|
for line in lines[cmds_start:cmds_end]:
|
|
match = command_pattern.match(line)
|
|
if match:
|
|
commands.append(match.group(1))
|
|
commands = set(commands)
|
|
wanted_commands = set(('image-create', 'image-delete', 'help',
|
|
'image-download', 'image-show', 'image-update',
|
|
'member-create', 'member-delete',
|
|
'member-list', 'image-list'))
|
|
self.assertFalse(wanted_commands - commands)
|
|
|
|
def test_version(self):
|
|
self.glance('', flags='--version')
|
|
|
|
def test_debug_list(self):
|
|
self.glance('image-list', flags='--debug')
|
|
|
|
def test_no_ssl_compression(self):
|
|
# Test deprecating this hasn't broken anything
|
|
out = self.glance('--os-image-api-version 1 '
|
|
'--no-ssl-compression image-list')
|
|
endpoints = self.parser.listing(out)
|
|
self.assertTableStruct(endpoints, [
|
|
'ID', 'Name', 'Disk Format', 'Container Format',
|
|
'Size', 'Status'])
|