
Add options to choose endpoints and SSL verification

If public endpoints use self-signed SSL certificates, you will get
stuck when using senlin. In such a scenario it is essential to be able
to either choose the endpoint type or disable SSL verification.
Both of these options are implemented in most services and are expected.

Change-Id: Ifa475ff146af8b49a762218ff244f0ff0fee9ac0
changes/74/749874/11
Dmitriy Rabotyagov 10 months ago
committed by Duc Truong
parent
commit
d4ec93ae55
11 changed files with 59 additions and 12 deletions
  1. +4
    -1
      senlin/api/middleware/webhook.py
  2. +5
    -1
      senlin/conf/authentication.py
  3. +4
    -1
      senlin/drivers/os/keystone_v3.py
  4. +4
    -1
      senlin/engine/notifications/message.py
  5. +4
    -1
      senlin/engine/receivers/base.py
  6. +4
    -1
      senlin/policies/base.py
  7. +2
    -0
      senlin/tests/drivers/os_test/keystone_v3.py
  8. +8
    -1
      senlin/tests/unit/api/middleware/test_webhook.py
  9. +8
    -1
      senlin/tests/unit/drivers/test_keystone_v3.py
  10. +8
    -2
      senlin/tests/unit/engine/receivers/test_receiver.py
  11. +8
    -2
      senlin/tests/unit/policies/test_policy.py

+ 4
- 1
senlin/api/middleware/webhook.py

@ -58,7 +58,10 @@ class WebhookMiddleware(wsgi.Middleware):
'auth_url': svc_ctx['auth_url'],
'username': svc_ctx['username'],
'user_domain_name': svc_ctx['user_domain_name'],
'password': svc_ctx['password']
'password': svc_ctx['password'],
'project_domain_name': svc_ctx['project_domain_name'],
'verify': svc_ctx['verify'],
'interface': svc_ctx['interface'],
}
kwargs.update(receiver['actor'])
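Review bot: The new `'verify'` and `'interface'` entries are written into `kwargs` before `kwargs.update(receiver['actor'])`, so a `verify` or `interface` key stored in the receiver's actor data would replace the operator's configured value. Whether actor data can carry those keys is not visible in this hunk, but `verify` governs TLS certificate checking, so it is safer to apply the configured value after the update, e.g. `kwargs['verify'] = svc_ctx['verify']` on the line following `kwargs.update(receiver['actor'])`. The enclosing method starts and ends outside the hunk.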


+ 5
- 1
senlin/conf/authentication.py

@ -16,7 +16,7 @@ from senlin.common.i18n import _
AUTHENTICATION_GROUP = cfg.OptGroup('authentication')
AUTHENTICATION_OPTS = [
cfg.StrOpt('auth_url', default='',
help=_('Complete public identity V3 API endpoint.')),
help=_('Complete identity V3 API endpoint.')),
cfg.StrOpt('service_username', default='senlin',
help=_('Senlin service user name.')),
cfg.StrOpt('service_password', default='', secret=True,
@ -27,6 +27,10 @@ AUTHENTICATION_OPTS = [
help=_('Name of the domain for the service user.')),
cfg.StrOpt('service_project_domain', default='Default',
help=_('Name of the domain for the service project.')),
cfg.BoolOpt('verify_ssl', default=True,
help=_('Verify HTTPS connections.')),
cfg.StrOpt('interface', default='public',
help=_('Interface to use for the API endpoints.')),
]
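Review bot: The help text for `verify_ssl` (`'Verify HTTPS connections.'`) does not say what is lost when the option is set to False: the server certificate is no longer validated, so the service password configured in this same group is presumably sent to whatever host answers at `auth_url`. I would spell that out, e.g. `help=_('Verify TLS certificates on HTTPS connections. Disabling this removes server authentication; prefer trusting the signing CA instead.')`, and consider a CA bundle path option as the supported answer to self-signed certificates. The `interface` option also accepts any string; adding `choices=['public', 'internal', 'admin']` to the `cfg.StrOpt` would reject typos at startup.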


+ 4
- 1
senlin/drivers/os/keystone_v3.py

@ -120,6 +120,8 @@ class KeystoneClient(base.DriverBase):
'user_domain_name': cfg.CONF.authentication.service_user_domain,
'project_domain_name':
cfg.CONF.authentication.service_project_domain,
'verify': cfg.CONF.authentication.verify_ssl,
'interface': cfg.CONF.authentication.interface,
}
creds.update(**kwargs)
return creds
@ -147,8 +149,9 @@ class KeystoneClient(base.DriverBase):
def get_senlin_endpoint(self):
"""Get Senlin service endpoint."""
region = cfg.CONF.default_region_name
interface = cfg.CONF.authentication.interface
base = self.conn.session.get_endpoint(service_type='clustering',
interface='public',
interface=interface,
region_name=region)
return base
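Review bot: `get_senlin_endpoint` now reads `cfg.CONF.authentication.interface`, the same option the first hunk adds to the service credentials, so one setting decides both how senlin reaches other services and which clustering endpoint this method returns. If the returned URL is handed to external clients (the callers are outside this hunk), setting the option to `internal` would give them an internal address; the docstring should say so, e.g. `"""Get Senlin service endpoint for the [authentication]/interface type."""`. In the first hunk, `creds.update(**kwargs)` runs after the new `'verify'` entry, so a caller-supplied `verify` replaces the configured value; a comment stating whether that override is intended would help.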

+ 4
- 1
senlin/engine/notifications/message.py

@ -62,7 +62,10 @@ class Message(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)
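Review bot: `service_creds.get('verify')` yields `None` when the key is absent, and how the connection layer treats `verify=None` is not visible here, so the TLS setting can silently become something other than the configured boolean. A fail-closed default makes the intent explicit: `'verify': service_creds.get('verify', True),`. The same line appears in the sections for senlin/engine/receivers/base.py and senlin/policies/base.py and should get the same change. The dict is built inside a method that starts and ends outside the hunk.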


+ 4
- 1
senlin/engine/receivers/base.py

@ -234,7 +234,10 @@ class Receiver(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)


+ 4
- 1
senlin/policies/base.py

@ -233,7 +233,10 @@ class Policy(object):
'username': service_creds.get('username'),
'password': service_creds.get('password'),
'auth_url': service_creds.get('auth_url'),
'user_domain_name': service_creds.get('user_domain_name')
'user_domain_name': service_creds.get('user_domain_name'),
'project_domain_name': service_creds.get('project_domain_name'),
'verify': service_creds.get('verify'),
'interface': service_creds.get('interface'),
}
cred = co.Credential.get(oslo_context.get_current(), user, project)


+ 2
- 0
senlin/tests/drivers/os_test/keystone_v3.py

@ -118,6 +118,8 @@ class KeystoneClient(base.DriverBase):
'user_domain_name': cfg.CONF.authentication.service_user_domain,
'project_domain_name':
cfg.CONF.authentication.service_project_domain,
'verify': cfg.CONF.authentication.verify_ssl,
'interface': cfg.CONF.authentication.interface,
}
creds.update(**kwargs)
return creds


+ 8
- 1
senlin/tests/unit/api/middleware/test_webhook.py

@ -148,8 +148,14 @@ class TestWebhookMiddleware(base.SenlinTestCase):
group='authentication')
cfg.CONF.set_override('service_user_domain', 'DOMAIN',
group='authentication')
cfg.CONF.set_override('service_project_domain', 'DOMAIN1',
group='authentication')
cfg.CONF.set_override('service_password', 'PASSWORD',
group='authentication')
cfg.CONF.set_override('verify_ssl', False,
group='authentication')
cfg.CONF.set_override('interface', 'admin',
group='authentication')
req = mock.Mock()
req.method = 'POST'
@ -185,7 +191,8 @@ class TestWebhookMiddleware(base.SenlinTestCase):
mock_extract.assert_called_once_with('http://url1/v1')
mock_token.assert_called_once_with(
auth_url='AUTH_URL', password='PASSWORD', username='USERNAME',
user_domain_name='DOMAIN', foo='bar')
user_domain_name='DOMAIN', foo='bar', verify=False,
project_domain_name='DOMAIN1', interface='admin')
mock_parse.assert_called_once_with('ReceiverGetRequest', req,
{'identity': 'WEBHOOK'})


+ 8
- 1
senlin/tests/unit/drivers/test_keystone_v3.py

@ -187,13 +187,20 @@ class TestKeystoneV3(base.SenlinTestCase):
group='authentication')
cfg.CONF.set_override('service_project_domain', 'FAKE_DOMAIN_2',
group='authentication')
cfg.CONF.set_override('verify_ssl', False,
group='authentication')
cfg.CONF.set_override('interface', 'internal',
group='authentication')
expected = {
'auth_url': 'FAKE_URL',
'username': 'FAKE_USERNAME',
'password': 'FAKE_PASSWORD',
'project_name': 'FAKE_PROJECT',
'user_domain_name': 'FAKE_DOMAIN_1',
'project_domain_name': 'FAKE_DOMAIN_2'
'project_domain_name': 'FAKE_DOMAIN_2',
'verify': False,
'interface': 'internal',
}
actual = kv3.KeystoneClient.get_service_credentials()
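Review bot: This test pins only the overridden case (`verify_ssl` set to `False`), and test_webhook.py does the same, so nothing on this page asserts that an untouched configuration produces `'verify': True`. The safe default is the security-relevant property of the new option, so I would add a second test that calls `kv3.KeystoneClient.get_service_credentials()` without the `verify_ssl` and `interface` overrides and checks `self.assertTrue(actual['verify'])` and `self.assertEqual('public', actual['interface'])`. The test method starts and ends outside the hunk.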


+ 8
- 2
senlin/tests/unit/engine/receivers/test_receiver.py

@ -345,7 +345,10 @@ class TestReceiver(base.SenlinTestCase):
'auth_url': 'AUTH_URL',
'username': 'senlin',
'user_domain_name': 'default',
'password': '123'
'password': '123',
'project_domain_name': 'default',
'verify': True,
'interface': 'internal',
}
current_ctx = {
'auth_url': 'auth_url',
@ -372,7 +375,10 @@ class TestReceiver(base.SenlinTestCase):
'username': 'senlin',
'user_domain_name': 'default',
'password': '123',
'trust_id': 'TRUST_ID'
'trust_id': 'TRUST_ID',
'project_domain_name': 'default',
'verify': True,
'interface': 'internal',
}
res = receiver._build_conn_params(user, project)
self.assertEqual(expected_result, res)


+ 8
- 2
senlin/tests/unit/policies/test_policy.py

@ -537,7 +537,10 @@ class TestPolicyBase(base.SenlinTestCase):
'auth_url': 'AUTH_URL',
'username': 'senlin',
'user_domain_name': 'default',
'password': '123'
'password': '123',
'project_domain_name': 'Domain',
'verify': True,
'interface': 'Public',
}
current_ctx = {
'auth_url': 'auth_url',
@ -564,7 +567,10 @@ class TestPolicyBase(base.SenlinTestCase):
'username': 'senlin',
'user_domain_name': 'default',
'password': '123',
'trust_id': 'TRUST_ID'
'trust_id': 'TRUST_ID',
'project_domain_name': 'Domain',
'verify': True,
'interface': 'Public',
}
self.assertEqual(expected_result, res)
mock_get_service_creds.assert_called_once_with()

