Check if certificates must be verified in the vim

This patch tries to fix the bug: https://bugs.launchpad.net/tacker/+bug/1719841 To disable the verification, a parameter must be included in vim_config.yaml file. cert_verify: 'False' Co-Authored-By: Cong Phuoc Hoang <hoangphuocbk2.07@gmail.com> Closes-Bug: #1719841 Change-Id: If9c8eab81bad2028ae146598d559831bc51cbbf5 Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-12-20 18:02:33 +01:00 · 2017-12-20 18:02:33 +01:00 · e1f3d8285c
parent 23b47b8588
commit e1f3d8285c
7 changed files with 38 additions and 21 deletions
--- a/devstack/local.conf.example
+++ b/devstack/local.conf.example
@ -73,7 +73,6 @@ enable_plugin kuryr-kubernetes https://git.openstack.org/openstack/kuryr-kuberne
 enable_plugin neutron-lbaas git://git.openstack.org/openstack/neutron-lbaas master
 enable_plugin devstack-plugin-container https://git.openstack.org/openstack/devstack-plugin-container master

-
 [[post-config|/etc/neutron/dhcp_agent.ini]]
 [DEFAULT]
 enable_isolated_metadata = True
--- a/doc/source/install/getting_started.rst
+++ b/doc/source/install/getting_started.rst
@ -30,12 +30,16 @@ In Tacker MANO system, the VNF can be onboarded to one target OpenStack, which
 is also called VIM. Get one account on this OpenStack. For example, the below
 is the account information collected in file vim-config.yaml::

-    auth_url: 'http://10.1.0.5:5000'
+    auth_url: 'https://10.1.0.5:5000'
    username: 'nfv_user'
    password: 'mySecretPW'
    project_name: 'nfv'
    project_domain_name: 'Default'
    user_domain_name: 'Default'
+    cert_verify: 'True'
+
+By default, cert_verify is set as 'True'. To disable verifying SSL certificate,
+user can set cert_verify parameter to 'False'.


 2.) Register the VIM that will be used as a default VIM for VNF deployments.
--- a/samples/vim/vim_config.yaml
+++ b/samples/vim/vim_config.yaml
@ -4,3 +4,4 @@ password: 'mySecretPW'
 project_name: 'nfv'
 project_domain_name: 'Default'
 user_domain_name: 'Default'
+cert_verify: 'False'
--- a/tacker/nfvo/drivers/vim/openstack_driver.py
+++ b/tacker/nfvo/drivers/vim/openstack_driver.py
@ -116,8 +116,11 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,

        Initialize keystoneclient with provided authentication attributes.
        """
+        verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True') \
+                 or False
        auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url=auth_url,
+                                                   verify=verify)
        auth_cred = self._get_auth_creds(keystone_version, vim_obj)
        return self._initialize_keystone(keystone_version, auth_cred)

@ -150,9 +153,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,

        return auth_plugin

-    def _validate_auth_url(self, auth_url):
+    def _validate_auth_url(self, auth_url, verify):
        try:
-            keystone_version = self.keystone.get_version(auth_url)
+            keystone_version = self.keystone.get_version(auth_url, verify)
        except Exception as e:
            LOG.error('VIM Auth URL invalid')
            raise nfvo.VimConnectionException(message=str(e))
@ -331,8 +334,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
        :param client_type: openstack client to initialize
        :return: initialized client
        """
+        verify = 'True' == vim_obj.get('cert_verify', 'True') or False
        auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url=auth_url,
+                                                   verify=verify)
        auth_cred = self._get_auth_creds(keystone_version, vim_obj)
        auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred)
        sess = session.Session(auth=auth_plugin)
@ -537,8 +542,10 @@ class NeutronClient(object):
    """Neutron Client class for networking-sfc driver"""

    def __init__(self, auth_attr):
-        auth = identity.Password(**auth_attr)
-        sess = session.Session(auth=auth)
+        auth_cred = auth_attr.copy()
+        verify = 'True' == auth_cred.pop('cert_verify', 'True') or False
+        auth = identity.Password(**auth_cred)
+        sess = session.Session(auth=auth, verify=verify)
        self.client = neutron_client.Client(session=sess)

    def flow_classifier_create(self, fc_dict):
--- a/tacker/tests/unit/db/utils.py
+++ b/tacker/tests/unit/db/utils.py
@ -149,12 +149,12 @@ def get_dummy_vnf_update_config():


 def get_vim_obj():
-    return {'vim': {'type': 'openstack', 'auth_url':
-                    'http://localhost:5000', 'vim_project': {'name':
-                    'test_project'}, 'auth_cred': {'username': 'test_user',
-                                                   'password':
-                                                       'test_password'},
-                            'name': 'VIM0',
+    return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000',
+                    'vim_project': {'name': 'test_project'},
+                    'auth_cred': {'username': 'test_user',
+                                  'password': 'test_password',
+                                  'cert_verify': 'True'},
+                    'name': 'VIM0',
                    'tenant_id': 'test-project'}}


@ -163,6 +163,7 @@ def get_vim_auth_obj():
            'password': 'test_password',
            'project_id': None,
            'project_name': 'test_project',
+            'cert_verify': 'True',
            'auth_url': 'http://localhost:5000/v3',
            'user_domain_name': 'default',
            'project_domain_name': 'default'}
--- a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
+++ b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py
@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase):
                'auth_cred': {'username': 'test_user',
                              'password': 'test_password',
                              'user_domain_name': 'default',
+                              'cert_verify': 'True',
                              'auth_url': 'http://localhost:5000'},
                'name': 'VIM0',
                'vim_project': {'name': 'test_project',
@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase):
                              'user_domain_name': 'default',
                              'key_type': 'barbican_key',
                              'secret_uuid': 'fake-secret-uuid',
+                              'cert_verify': 'True',
                              'auth_url': 'http://localhost:5000'},
                'name': 'VIM0',
                'vim_project': {'name': 'test_project',
@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase):
        mock_ks_client = mock.Mock(version='v2.0', **attrs)
        self.keystone.get_version.return_value = keystone_version
        auth_obj = {'tenant_name': 'test_project', 'username': 'test_user',
-                    'password': 'test_password', 'auth_url':
-                    'http://localhost:5000/v2.0', 'tenant_id': None}
+                    'password': 'test_password', 'cert_verify': 'True',
+                    'auth_url': 'http://localhost:5000/v2.0',
+                    'tenant_id': None}
        self._test_register_vim(self.vim_obj, mock_ks_client)
        self.keystone.initialize_client.assert_called_once_with(
            version=keystone_version, **auth_obj)
--- a/tacker/vnfm/keystone.py
+++ b/tacker/vnfm/keystone.py
@ -36,21 +36,23 @@ class Keystone(object):
    instance such as version, session and client
    """

-    def get_version(self, base_url=None):
+    def get_version(self, base_url=None, verify=True):
        try:
-            keystone_client = client.Client(auth_url=base_url)
+            keystone_client = client.Client(auth_url=base_url,
+                                            verify=verify)
        except exceptions.ConnectionError:
            raise
        return keystone_client.version

-    def get_session(self, auth_plugin):
-        ses = session.Session(auth=auth_plugin)
+    def get_session(self, auth_plugin, verify):
+        ses = session.Session(auth=auth_plugin, verify=verify)
        return ses

    def get_endpoint(self, ses, service_type, region_name=None):
        return ses.get_endpoint(service_type, region_name)

    def initialize_client(self, version, **kwargs):
+        verify = 'True' == kwargs.pop('cert_verify', 'True') or False
        if version == 'v2.0':
            from keystoneclient.v2_0 import client
            if 'token' in kwargs:
@ -63,7 +65,7 @@ class Keystone(object):
                auth_plugin = identity.v3.Token(**kwargs)
            else:
                auth_plugin = identity.v3.Password(**kwargs)
-        ses = self.get_session(auth_plugin=auth_plugin)
+        ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
        cli = client.Client(session=ses)
        return cli