Merge "Check if certificates must be verified in the vim"
commit
f166553e66
@ -73,7 +73,6 @@ enable_plugin kuryr-kubernetes https://git.openstack.org/openstack/kuryr-kuberne
|
||||
enable_plugin neutron-lbaas git://git.openstack.org/openstack/neutron-lbaas master
|
||||
enable_plugin devstack-plugin-container https://git.openstack.org/openstack/devstack-plugin-container master
|
||||
|
||||
|
||||
[[post-config|/etc/neutron/dhcp_agent.ini]]
|
||||
[DEFAULT]
|
||||
enable_isolated_metadata = True
|
||||
|
@ -30,12 +30,16 @@ In Tacker MANO system, the VNF can be onboarded to one target OpenStack, which
|
||||
is also called VIM. Get one account on this OpenStack. For example, the below
|
||||
is the account information collected in file vim-config.yaml::
|
||||
|
||||
auth_url: 'http://10.1.0.5:5000'
|
||||
auth_url: 'https://10.1.0.5:5000'
|
||||
username: 'nfv_user'
|
||||
password: 'mySecretPW'
|
||||
project_name: 'nfv'
|
||||
project_domain_name: 'Default'
|
||||
user_domain_name: 'Default'
|
||||
cert_verify: 'True'
|
||||
|
||||
By default, cert_verify is set as 'True'. To disable verifying SSL certificate,
|
||||
user can set cert_verify parameter to 'False'.
|
||||
|
||||
|
||||
2.) Register the VIM that will be used as a default VIM for VNF deployments.
|
||||
|
@ -4,3 +4,4 @@ password: 'mySecretPW'
|
||||
project_name: 'nfv'
|
||||
project_domain_name: 'Default'
|
||||
user_domain_name: 'Default'
|
||||
cert_verify: 'False'
|
||||
|
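Review bot: The sample ships with `cert_verify: 'False'` (going by the hunk counts, this is the added line), so anyone who copies the file registers a VIM with TLS certificate verification turned off while sending the password that sits a few lines above it. That also contradicts the documentation change in this commit, which states the default is 'True'. Set the sample to `cert_verify: 'True'` or drop the key, and add a comment such as `# set to 'False' only for lab setups with self-signed certificates`.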
@ -116,8 +116,11 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
|
||||
|
||||
Initialize keystoneclient with provided authentication attributes.
|
||||
"""
|
||||
verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True') \
|
||||
or False
|
||||
auth_url = vim_obj['auth_url']
|
||||
keystone_version = self._validate_auth_url(auth_url)
|
||||
keystone_version = self._validate_auth_url(auth_url=auth_url,
|
||||
verify=verify)
|
||||
auth_cred = self._get_auth_creds(keystone_version, vim_obj)
|
||||
return self._initialize_keystone(keystone_version, auth_cred)
|
||||
|
||||
@ -150,9 +153,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
|
||||
|
||||
return auth_plugin
|
||||
|
||||
def _validate_auth_url(self, auth_url):
|
||||
def _validate_auth_url(self, auth_url, verify):
|
||||
try:
|
||||
keystone_version = self.keystone.get_version(auth_url)
|
||||
keystone_version = self.keystone.get_version(auth_url, verify)
|
||||
except Exception as e:
|
||||
LOG.error('VIM Auth URL invalid')
|
||||
raise nfvo.VimConnectionException(message=str(e))
|
||||
@ -331,8 +334,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
|
||||
:param client_type: openstack client to initialize
|
||||
:return: initialized client
|
||||
"""
|
||||
verify = 'True' == vim_obj.get('cert_verify', 'True') or False
|
||||
auth_url = vim_obj['auth_url']
|
||||
keystone_version = self._validate_auth_url(auth_url)
|
||||
keystone_version = self._validate_auth_url(auth_url=auth_url,
|
||||
verify=verify)
|
||||
auth_cred = self._get_auth_creds(keystone_version, vim_obj)
|
||||
auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred)
|
||||
sess = session.Session(auth=auth_plugin)
|
||||
@ -537,8 +542,10 @@ class NeutronClient(object):
|
||||
"""Neutron Client class for networking-sfc driver"""
|
||||
|
||||
def __init__(self, auth_attr):
|
||||
auth = identity.Password(**auth_attr)
|
||||
sess = session.Session(auth=auth)
|
||||
auth_cred = auth_attr.copy()
|
||||
verify = 'True' == auth_cred.pop('cert_verify', 'True') or False
|
||||
auth = identity.Password(**auth_cred)
|
||||
sess = session.Session(auth=auth, verify=verify)
|
||||
self.client = neutron_client.Client(session=sess)
|
||||
|
||||
def flow_classifier_create(self, fc_dict):
|
||||
|
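Review bot: The parse `'True' == vim_obj['auth_cred'].get('cert_verify', 'True') or False` in the first hunk fails open: any value other than the exact string 'True' (a YAML boolean, 'true', 'yes', a typo) silently turns TLS certificate verification off for the Keystone connection. The trailing `or False` adds nothing, since the comparison already yields a bool. Keep verification on unless the value is explicitly false, for example `verify = strutils.bool_from_string(vim_obj['auth_cred'].get('cert_verify'), default=True)` from oslo_utils (assuming it is importable here; the imports are outside the hunks), and put it in one helper instead of repeating the expression in the third and fourth hunks and in `Keystone.initialize_client`. The third hunk also reads the key from `vim_obj` rather than `vim_obj['auth_cred']`, and its visible `session.Session(auth=auth_plugin)` line is not given `verify`, so that path looks inconsistent with the others and should be confirmed; the enclosing functions start and end outside the hunks.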
@ -149,12 +149,12 @@ def get_dummy_vnf_update_config():
|
||||
|
||||
|
||||
def get_vim_obj():
|
||||
return {'vim': {'type': 'openstack', 'auth_url':
|
||||
'http://localhost:5000', 'vim_project': {'name':
|
||||
'test_project'}, 'auth_cred': {'username': 'test_user',
|
||||
'password':
|
||||
'test_password'},
|
||||
'name': 'VIM0',
|
||||
return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000',
|
||||
'vim_project': {'name': 'test_project'},
|
||||
'auth_cred': {'username': 'test_user',
|
||||
'password': 'test_password',
|
||||
'cert_verify': 'True'},
|
||||
'name': 'VIM0',
|
||||
'tenant_id': 'test-project'}}
|
||||
|
||||
|
||||
@ -163,6 +163,7 @@ def get_vim_auth_obj():
|
||||
'password': 'test_password',
|
||||
'project_id': None,
|
||||
'project_name': 'test_project',
|
||||
'cert_verify': 'True',
|
||||
'auth_url': 'http://localhost:5000/v3',
|
||||
'user_domain_name': 'default',
|
||||
'project_domain_name': 'default'}
|
||||
|
@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase):
|
||||
'auth_cred': {'username': 'test_user',
|
||||
'password': 'test_password',
|
||||
'user_domain_name': 'default',
|
||||
'cert_verify': 'True',
|
||||
'auth_url': 'http://localhost:5000'},
|
||||
'name': 'VIM0',
|
||||
'vim_project': {'name': 'test_project',
|
||||
@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase):
|
||||
'user_domain_name': 'default',
|
||||
'key_type': 'barbican_key',
|
||||
'secret_uuid': 'fake-secret-uuid',
|
||||
'cert_verify': 'True',
|
||||
'auth_url': 'http://localhost:5000'},
|
||||
'name': 'VIM0',
|
||||
'vim_project': {'name': 'test_project',
|
||||
@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase):
|
||||
mock_ks_client = mock.Mock(version='v2.0', **attrs)
|
||||
self.keystone.get_version.return_value = keystone_version
|
||||
auth_obj = {'tenant_name': 'test_project', 'username': 'test_user',
|
||||
'password': 'test_password', 'auth_url':
|
||||
'http://localhost:5000/v2.0', 'tenant_id': None}
|
||||
'password': 'test_password', 'cert_verify': 'True',
|
||||
'auth_url': 'http://localhost:5000/v2.0',
|
||||
'tenant_id': None}
|
||||
self._test_register_vim(self.vim_obj, mock_ks_client)
|
||||
self.keystone.initialize_client.assert_called_once_with(
|
||||
version=keystone_version, **auth_obj)
|
||||
|
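Review bot: Every fixture touched in these hunks sets `'cert_verify': 'True'`, so nothing here exercises the path where verification is disabled, the key is absent, or the value is not the exact string 'True'. Add a case built from `'cert_verify': 'False'` and one without the key, and assert the `verify` value that reaches the mocked `get_version` and `initialize_client` calls. A comment on the fixture such as `# cert_verify is a string flag; only 'True' enables TLS verification` would also record the contract the driver currently implements. The test methods start and end outside the hunks.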
@ -36,21 +36,23 @@ class Keystone(object):
|
||||
instance such as version, session and client
|
||||
"""
|
||||
|
||||
def get_version(self, base_url=None):
|
||||
def get_version(self, base_url=None, verify=True):
|
||||
try:
|
||||
keystone_client = client.Client(auth_url=base_url)
|
||||
keystone_client = client.Client(auth_url=base_url,
|
||||
verify=verify)
|
||||
except exceptions.ConnectionError:
|
||||
raise
|
||||
return keystone_client.version
|
||||
|
||||
def get_session(self, auth_plugin):
|
||||
ses = session.Session(auth=auth_plugin)
|
||||
def get_session(self, auth_plugin, verify):
|
||||
ses = session.Session(auth=auth_plugin, verify=verify)
|
||||
return ses
|
||||
|
||||
def get_endpoint(self, ses, service_type, region_name=None):
|
||||
return ses.get_endpoint(service_type, region_name)
|
||||
|
||||
def initialize_client(self, version, **kwargs):
|
||||
verify = 'True' == kwargs.pop('cert_verify', 'True') or False
|
||||
if version == 'v2.0':
|
||||
from keystoneclient.v2_0 import client
|
||||
if 'token' in kwargs:
|
||||
@ -63,7 +65,7 @@ class Keystone(object):
|
||||
auth_plugin = identity.v3.Token(**kwargs)
|
||||
else:
|
||||
auth_plugin = identity.v3.Password(**kwargs)
|
||||
ses = self.get_session(auth_plugin=auth_plugin)
|
||||
ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
|
||||
cli = client.Client(session=ses)
|
||||
return cli
|
||||
|
||||
|
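Review bot: `get_session(self, auth_plugin, verify)` makes `verify` a required argument while `get_version` in the same hunk defaults it to `True`. Any caller of `get_session` that this commit did not update (none are visible here) would now raise TypeError, and the two signatures disagree on what happens when the caller says nothing. Give it the same safe default, `def get_session(self, auth_plugin, verify=True):`, and add a one-line docstring on both methods stating that `verify` is passed through to the keystone client or session to control TLS certificate verification.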