diff --git a/devstack/local.conf.example b/devstack/local.conf.example index d1d06c4d2..bb88a05a9 100644 --- a/devstack/local.conf.example +++ b/devstack/local.conf.example @@ -73,7 +73,6 @@ enable_plugin kuryr-kubernetes https://git.openstack.org/openstack/kuryr-kuberne enable_plugin neutron-lbaas git://git.openstack.org/openstack/neutron-lbaas master enable_plugin devstack-plugin-container https://git.openstack.org/openstack/devstack-plugin-container master - [[post-config|/etc/neutron/dhcp_agent.ini]] [DEFAULT] enable_isolated_metadata = True diff --git a/doc/source/install/getting_started.rst b/doc/source/install/getting_started.rst index e331c1f37..78f629fc4 100644 --- a/doc/source/install/getting_started.rst +++ b/doc/source/install/getting_started.rst @@ -30,12 +30,16 @@ In Tacker MANO system, the VNF can be onboarded to one target OpenStack, which is also called VIM. Get one account on this OpenStack. For example, the below is the account information collected in file vim-config.yaml:: - auth_url: 'http://10.1.0.5:5000' + auth_url: 'https://10.1.0.5:5000' username: 'nfv_user' password: 'mySecretPW' project_name: 'nfv' project_domain_name: 'Default' user_domain_name: 'Default' + cert_verify: 'True' + +By default, cert_verify is set as 'True'. To disable verifying SSL certificate, +user can set cert_verify parameter to 'False'. 2.) Register the VIM that will be used as a default VIM for VNF deployments. diff --git a/samples/vim/vim_config.yaml b/samples/vim/vim_config.yaml index fe2bd65a7..1903d1aeb 100644 --- a/samples/vim/vim_config.yaml +++ b/samples/vim/vim_config.yaml @@ -4,3 +4,4 @@ password: 'mySecretPW' project_name: 'nfv' project_domain_name: 'Default' user_domain_name: 'Default' +cert_verify: 'False' diff --git a/tacker/nfvo/drivers/vim/openstack_driver.py b/tacker/nfvo/drivers/vim/openstack_driver.py index 75d75892c..d16066a1b 100644 --- a/tacker/nfvo/drivers/vim/openstack_driver.py +++ b/tacker/nfvo/drivers/vim/openstack_driver.py 
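Review bot: The sample in samples/vim/vim_config.yaml now ships with `cert_verify: 'False'`, so anyone who registers a VIM from a copy of it gets TLS certificate verification turned off for the connection that carries the Keystone credentials stored in the same file. The documentation changed in this same commit describes 'True' as the default, and the sample should agree with it: `cert_verify: 'True'`. If the sample has to stay at 'False' because its auth_url is plain HTTP (that line is not visible in this hunk), a comment above the key such as `# test environments only; keep 'True' wherever the VIM is reached over HTTPS` would stop the setting from being copied unnoticed.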
@@ -116,8 +116,11 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver, Initialize keystoneclient with provided authentication attributes. """ + verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True') \ + or False auth_url = vim_obj['auth_url'] - keystone_version = self._validate_auth_url(auth_url) + keystone_version = self._validate_auth_url(auth_url=auth_url, + verify=verify) auth_cred = self._get_auth_creds(keystone_version, vim_obj) return self._initialize_keystone(keystone_version, auth_cred) @@ -150,9 +153,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver, return auth_plugin - def _validate_auth_url(self, auth_url): + def _validate_auth_url(self, auth_url, verify): try: - keystone_version = self.keystone.get_version(auth_url) + keystone_version = self.keystone.get_version(auth_url, verify) except Exception as e: LOG.error('VIM Auth URL invalid') raise nfvo.VimConnectionException(message=str(e)) @@ -331,8 +334,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver, :param client_type: openstack client to initialize :return: initialized client """ + verify = 'True' == vim_obj.get('cert_verify', 'True') or False auth_url = vim_obj['auth_url'] - keystone_version = self._validate_auth_url(auth_url) + keystone_version = self._validate_auth_url(auth_url=auth_url, + verify=verify) auth_cred = self._get_auth_creds(keystone_version, vim_obj) auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred) sess = session.Session(auth=auth_plugin) 
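Review bot: In the hunk at -116 the comparison `'True' == vim_obj['auth_cred'].get('cert_verify', 'True')` fails open: any value other than the exact string 'True' (for instance `'true'`, a typo, or a boolean `True` such as an unquoted YAML `cert_verify: True` would presumably produce) silently switches certificate verification off. The same expression is repeated in the hunk at -331, in `NeutronClient.__init__` and in `Keystone.initialize_client`, and the trailing `or False` has no effect in any of them. Verification should only be disabled by an explicit false value, for example `verify = str(value).strip().lower() not in ('false', '0', 'no')`, kept in one shared helper so the four call sites cannot drift apart. The enclosing method starts above the hunk.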
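Review bot: In `_validate_auth_url` (hunk at -150) a certificate verification failure presumably lands in the same `except Exception` handler as every other error, and the context line there logs only 'VIM Auth URL invalid', which points the operator at the URL rather than at the certificate. Logging the cause, e.g. `LOG.error('VIM auth URL validation failed: %s', e)`, lets a trust problem be fixed at the CA instead of being worked around by setting cert_verify to 'False'. The method continues below the hunk.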
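Review bot: In the hunk at -331 `verify` is passed to `_validate_auth_url` only; the context line `sess = session.Session(auth=auth_plugin)` at the end of the hunk still builds the session without it, so the client returned here keeps the library default whatever cert_verify says. Version discovery and the later API calls would then follow different verification policies, which is hard to diagnose. Passing it through, `sess = session.Session(auth=auth_plugin, verify=verify)`, makes them agree. This hunk also reads the key from `vim_obj` directly while the hunk at -116 reads it from `vim_obj['auth_cred']`, so it is worth confirming that both locations are actually populated. The method continues below the hunk.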
@@ -537,8 +542,10 @@ class NeutronClient(object): """Neutron Client class for networking-sfc driver""" def __init__(self, auth_attr): - auth = identity.Password(**auth_attr) - sess = session.Session(auth=auth) + auth_cred = auth_attr.copy() + verify = 'True' == auth_cred.pop('cert_verify', 'True') or False + auth = identity.Password(**auth_cred) + sess = session.Session(auth=auth, verify=verify) self.client = neutron_client.Client(session=sess) def flow_classifier_create(self, fc_dict): diff --git a/tacker/tests/unit/db/utils.py b/tacker/tests/unit/db/utils.py index b54d52a0a..7a9033eea 100644 --- a/tacker/tests/unit/db/utils.py +++ b/tacker/tests/unit/db/utils.py @@ -149,12 +149,12 @@ def get_dummy_vnf_update_config(): def get_vim_obj(): - return {'vim': {'type': 'openstack', 'auth_url': - 'http://localhost:5000', 'vim_project': {'name': - 'test_project'}, 'auth_cred': {'username': 'test_user', - 'password': - 'test_password'}, - 'name': 'VIM0', + return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000', + 'vim_project': {'name': 'test_project'}, + 'auth_cred': {'username': 'test_user', + 'password': 'test_password', + 'cert_verify': 'True'}, + 'name': 'VIM0', 'tenant_id': 'test-project'}} @@ -163,6 +163,7 @@ def get_vim_auth_obj(): 'password': 'test_password', 'project_id': None, 'project_name': 'test_project', + 'cert_verify': 'True', 'auth_url': 'http://localhost:5000/v3', 'user_domain_name': 'default', 'project_domain_name': 'default'} diff --git a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py index 5a4f412ed..a2f65a11d 100644 --- a/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py +++ b/tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py 
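Review bot: `NeutronClient.__init__` maps cert_verify to a plain on/off switch, so a VIM whose certificate is signed by a private CA can only be reached by turning verification off altogether. `session.Session(verify=...)` also accepts a path to a CA bundle; accepting such a path in the VIM configuration, in addition to 'True' and 'False', would keep verification on for those deployments. A docstring on `__init__` stating that `cert_verify` is removed from a copy of `auth_attr` before the remaining keys are passed to `identity.Password` would also help the next reader.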
@@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase): 'auth_cred': {'username': 'test_user', 'password': 'test_password', 'user_domain_name': 'default', + 'cert_verify': 'True', 'auth_url': 'http://localhost:5000'}, 'name': 'VIM0', 'vim_project': {'name': 'test_project', @@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase): 'user_domain_name': 'default', 'key_type': 'barbican_key', 'secret_uuid': 'fake-secret-uuid', + 'cert_verify': 'True', 'auth_url': 'http://localhost:5000'}, 'name': 'VIM0', 'vim_project': {'name': 'test_project', @@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase): mock_ks_client = mock.Mock(version='v2.0', **attrs) self.keystone.get_version.return_value = keystone_version auth_obj = {'tenant_name': 'test_project', 'username': 'test_user', - 'password': 'test_password', 'auth_url': - 'http://localhost:5000/v2.0', 'tenant_id': None} + 'password': 'test_password', 'cert_verify': 'True', + 'auth_url': 'http://localhost:5000/v2.0', + 'tenant_id': None} self._test_register_vim(self.vim_obj, mock_ks_client) self.keystone.initialize_client.assert_called_once_with( version=keystone_version, **auth_obj) diff --git a/tacker/vnfm/keystone.py b/tacker/vnfm/keystone.py index 5c3ae1888..de5918a37 100644 --- a/tacker/vnfm/keystone.py +++ b/tacker/vnfm/keystone.py 
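Review bot: The fixtures in all three hunks of this test file only ever carry `'cert_verify': 'True'`, and nothing asserts that the value reaches `get_version` or the session, so the new option is untested in the direction that matters. The hunk at -131 already asserts on `initialize_client`; a sibling case with `'cert_verify': 'False'` that checks the `verify` argument received by `self.keystone.get_version`, plus one with the key absent that checks the default stays True, would pin both behaviours. A case with an unexpected value such as `'true'` would also document how the string comparison treats it.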
@@ -36,21 +36,23 @@ class Keystone(object): instance such as version, session and client """ - def get_version(self, base_url=None): + def get_version(self, base_url=None, verify=True): try: - keystone_client = client.Client(auth_url=base_url) + keystone_client = client.Client(auth_url=base_url, + verify=verify) except exceptions.ConnectionError: raise return keystone_client.version - def get_session(self, auth_plugin): - ses = session.Session(auth=auth_plugin) + def get_session(self, auth_plugin, verify): + ses = session.Session(auth=auth_plugin, verify=verify) return ses def get_endpoint(self, ses, service_type, region_name=None): return ses.get_endpoint(service_type, region_name) def initialize_client(self, version, **kwargs): + verify = 'True' == kwargs.pop('cert_verify', 'True') or False if version == 'v2.0': from keystoneclient.v2_0 import client if 'token' in kwargs: @@ -63,7 +65,7 @@ class Keystone(object): auth_plugin = identity.v3.Token(**kwargs) else: auth_plugin = identity.v3.Password(**kwargs) - ses = self.get_session(auth_plugin=auth_plugin) + ses = self.get_session(auth_plugin=auth_plugin, verify=verify) cli = client.Client(session=ses) return cli
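Review bot: `get_session(self, auth_plugin, verify)` in the hunk at -36 gains a required parameter while `get_version` in the same hunk defaults to `verify=True`; any caller outside this diff that still passes only `auth_plugin` would fail with a TypeError. Giving it the same default, `def get_session(self, auth_plugin, verify=True):`, keeps existing callers working and keeps verification on unless a caller asks otherwise. Since `initialize_client` is where the flag is consumed, a warning logged there when verification is off (assuming the module has a logger; none is visible here) would give operators a record of which VIMs are reached without certificate checks. `initialize_client` continues below the hunk.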