openstack
/
senlin
Code Issues Proposed changes

Add options to choose endpoints and SSL verification 

In case of usage of self-signed SSL certificates for public endpoints,
you will get stuck with senlin usage. So in case of such scenario it's
essential to either choose endpoint type or disable SSL verification.
Both of these options are implemented in most services and are expected.

Change-Id: Ifa475ff146af8b49a762218ff244f0ff0fee9ac0
This commit is contained in:
Dmitriy Rabotyagov 2020-09-04 09:48:15 +03:00 committed by Duc Truong
parent 6ff278642e
commit d4ec93ae55
11 changed files with 59 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
senlin/api/middleware/webhook.py
View File

@ -58,7 +58,10 @@ class WebhookMiddleware(wsgi.Middleware):
'auth_url': svc_ctx['auth_url'],
'username': svc_ctx['username'],
'user_domain_name': svc_ctx['user_domain_name'],
'password': svc_ctx['password']
'password': svc_ctx['password'],
'project_domain_name': svc_ctx['project_domain_name'],
'verify': svc_ctx['verify'],
'interface': svc_ctx['interface'],
}
kwargs.update(receiver['actor'])

6
senlin/conf/authentication.py
View File

@ -16,7 +16,7 @@ from senlin.common.i18n import _
AUTHENTICATION_GROUP = cfg.OptGroup('authentication')
AUTHENTICATION_OPTS = [
cfg.StrOpt('auth_url', default='',
help=_('Complete public identity V3 API endpoint.')),
help=_('Complete identity V3 API endpoint.')),
cfg.StrOpt('service_username', default='senlin',
help=_('Senlin service user name.')),
cfg.StrOpt('service_password', default='', secret=True,
@ -27,6 +27,10 @@ AUTHENTICATION_OPTS = [
help=_('Name of the domain for the service user.')),
cfg.StrOpt('service_project_domain', default='Default',
help=_('Name of the domain for the service project.')),
cfg.BoolOpt('verify_ssl', default=True,
help=_('Verify HTTPS connections.')),
cfg.StrOpt('interface', default='public',
help=_('Interface to use for the API endpoints.')),
]

5
senlin/drivers/os/keystone_v3.py
View File

@ -120,6 +120,8 @@ class KeystoneClient(base.DriverBase):
'user_domain_name': cfg.CONF.authentication.service_user_domain,
'project_domain_name':
cfg.CONF.authentication.service_project_domain,
'verify': cfg.CONF.authentication.verify_ssl,
'interface': cfg.CONF.authentication.interface,
}
creds.update(**kwargs)
return creds
@ -147,8 +149,9 @@ class KeystoneClient(base.DriverBase):
def get_senlin_endpoint(self):
"""Get Senlin service endpoint."""
region = cfg.CONF.default_region_name
interface = cfg.CONF.authentication.interface
base = self.conn.session.get_endpoint(service_type='clustering',
interface='public',
interface=interface,
region_name=region)
return base

5
senlin/engine/notifications/message.py
View File

@ -62,7 +62,10 @@ class Message(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)

5
senlin/engine/receivers/base.py
View File

@ -234,7 +234,10 @@ class Receiver(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)

5
senlin/policies/base.py
View File

@ -233,7 +233,10 @@ class Policy(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)

2
senlin/tests/drivers/os_test/keystone_v3.py
View File

@ -118,6 +118,8 @@ class KeystoneClient(base.DriverBase):
'user_domain_name': cfg.CONF.authentication.service_user_domain,
'project_domain_name':
cfg.CONF.authentication.service_project_domain,
'verify': cfg.CONF.authentication.verify_ssl,
'interface': cfg.CONF.authentication.interface,
}
creds.update(**kwargs)
return creds

9
senlin/tests/unit/api/middleware/test_webhook.py
View File

@ -148,8 +148,14 @@ class TestWebhookMiddleware(base.SenlinTestCase):
group='authentication')
cfg.CONF.set_override('service_user_domain', 'DOMAIN',
group='authentication')
cfg.CONF.set_override('service_project_domain', 'DOMAIN1',
group='authentication')
cfg.CONF.set_override('service_password', 'PASSWORD',
group='authentication')
cfg.CONF.set_override('verify_ssl', False,
group='authentication')
cfg.CONF.set_override('interface', 'admin',
group='authentication')
req = mock.Mock()
req.method = 'POST'
@ -185,7 +191,8 @@ class TestWebhookMiddleware(base.SenlinTestCase):
mock_extract.assert_called_once_with('http://url1/v1')
mock_token.assert_called_once_with(
auth_url='AUTH_URL', password='PASSWORD', username='USERNAME',
user_domain_name='DOMAIN', foo='bar')
user_domain_name='DOMAIN', foo='bar', verify=False,
project_domain_name='DOMAIN1', interface='admin')
mock_parse.assert_called_once_with('ReceiverGetRequest', req,
{'identity': 'WEBHOOK'})

9
senlin/tests/unit/drivers/test_keystone_v3.py
View File

@ -187,13 +187,20 @@ class TestKeystoneV3(base.SenlinTestCase):
group='authentication')
cfg.CONF.set_override('service_project_domain', 'FAKE_DOMAIN_2',
group='authentication')
cfg.CONF.set_override('verify_ssl', False,
group='authentication')
cfg.CONF.set_override('interface', 'internal',
group='authentication')
expected = {
'auth_url': 'FAKE_URL',
'username': 'FAKE_USERNAME',
'password': 'FAKE_PASSWORD',
'project_name': 'FAKE_PROJECT',
'user_domain_name': 'FAKE_DOMAIN_1',
'project_domain_name': 'FAKE_DOMAIN_2'
'project_domain_name': 'FAKE_DOMAIN_2',
'verify': False,
'interface': 'internal',
}
actual = kv3.KeystoneClient.get_service_credentials()

10
senlin/tests/unit/engine/receivers/test_receiver.py
View File

@ -345,7 +345,10 @@ class TestReceiver(base.SenlinTestCase):
'auth_url': 'AUTH_URL',
'username': 'senlin',
'user_domain_name': 'default',
'password': '123'
'password': '123',
'project_domain_name': 'default',
'verify': True,
'interface': 'internal',
}
current_ctx = {
'auth_url': 'auth_url',
@ -372,7 +375,10 @@ class TestReceiver(base.SenlinTestCase):
'username': 'senlin',
'user_domain_name': 'default',
'password': '123',
'trust_id': 'TRUST_ID'
'trust_id': 'TRUST_ID',
'project_domain_name': 'default',
'verify': True,
'interface': 'internal',
}
res = receiver._build_conn_params(user, project)
self.assertEqual(expected_result, res)

10
senlin/tests/unit/policies/test_policy.py
View File

@ -537,7 +537,10 @@ class TestPolicyBase(base.SenlinTestCase):
'auth_url': 'AUTH_URL',
'username': 'senlin',
'user_domain_name': 'default',
'password': '123'
'password': '123',
'project_domain_name': 'Domain',
'verify': True,
'interface': 'Public',
}
current_ctx = {
'auth_url': 'auth_url',
@ -564,7 +567,10 @@ class TestPolicyBase(base.SenlinTestCase):
'username': 'senlin',
'user_domain_name': 'default',
'password': '123',
'trust_id': 'TRUST_ID'
'trust_id': 'TRUST_ID',
'project_domain_name': 'Domain',
'verify': True,
'interface': 'Public',
}
self.assertEqual(expected_result, res)
mock_get_service_creds.assert_called_once_with()