Merge "Check if certificates must be verified in the vim"

devstack/local.conf.example

@@ -73,7 +73,6 @@ enable_plugin kuryr-kubernetes https://git.openstack.org/openstack/kuryr-kuberne
 enable_plugin neutron-lbaas git://git.openstack.org/openstack/neutron-lbaas master
 enable_plugin devstack-plugin-container https://git.openstack.org/openstack/devstack-plugin-container master
 
-
 [[post-config|/etc/neutron/dhcp_agent.ini]]
 [DEFAULT]
 enable_isolated_metadata = True

doc/source/install/getting_started.rst

@@ -30,12 +30,16 @@ In Tacker MANO system, the VNF can be onboarded to one target OpenStack, which
 is also called VIM. Get one account on this OpenStack. For example, the below
 is the account information collected in file vim-config.yaml::
 
-    auth_url: 'http://10.1.0.5:5000'
+    auth_url: 'https://10.1.0.5:5000'
     username: 'nfv_user'
     password: 'mySecretPW'
     project_name: 'nfv'
     project_domain_name: 'Default'
     user_domain_name: 'Default'
+    cert_verify: 'True'
+
+By default, cert_verify is set as 'True'. To disable verifying SSL certificate,
+user can set cert_verify parameter to 'False'.
 
 
 2.) Register the VIM that will be used as a default VIM for VNF deployments.

samples/vim/vim_config.yaml

@@ -4,3 +4,4 @@ password: 'mySecretPW'
 project_name: 'nfv'
 project_domain_name: 'Default'
 user_domain_name: 'Default'
+cert_verify: 'False'

tacker/nfvo/drivers/vim/openstack_driver.py

@@ -116,8 +116,11 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 
         Initialize keystoneclient with provided authentication attributes.
         """
+        verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True') \
+                 or False
         auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url=auth_url,
+                                                   verify=verify)
         auth_cred = self._get_auth_creds(keystone_version, vim_obj)
         return self._initialize_keystone(keystone_version, auth_cred)
 
@@ -150,9 +153,9 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 
         return auth_plugin
 
-    def _validate_auth_url(self, auth_url):
+    def _validate_auth_url(self, auth_url, verify):
         try:
-            keystone_version = self.keystone.get_version(auth_url)
+            keystone_version = self.keystone.get_version(auth_url, verify)
         except Exception as e:
             LOG.error('VIM Auth URL invalid')
             raise nfvo.VimConnectionException(message=str(e))
@@ -331,8 +334,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
         :param client_type: openstack client to initialize
         :return: initialized client
         """
+        verify = 'True' == vim_obj.get('cert_verify', 'True') or False
         auth_url = vim_obj['auth_url']
-        keystone_version = self._validate_auth_url(auth_url)
+        keystone_version = self._validate_auth_url(auth_url=auth_url,
+                                                   verify=verify)
         auth_cred = self._get_auth_creds(keystone_version, vim_obj)
         auth_plugin = self._get_auth_plugin(keystone_version, **auth_cred)
         sess = session.Session(auth=auth_plugin)
@@ -537,8 +542,10 @@ class NeutronClient(object):
     """Neutron Client class for networking-sfc driver"""
 
     def __init__(self, auth_attr):
-        auth = identity.Password(**auth_attr)
+        auth_cred = auth_attr.copy()
-        sess = session.Session(auth=auth)
+        verify = 'True' == auth_cred.pop('cert_verify', 'True') or False
+        auth = identity.Password(**auth_cred)
+        sess = session.Session(auth=auth, verify=verify)
         self.client = neutron_client.Client(session=sess)
 
     def flow_classifier_create(self, fc_dict):

tacker/tests/unit/db/utils.py

@@ -149,12 +149,12 @@ def get_dummy_vnf_update_config():
 
 
 def get_vim_obj():
-    return {'vim': {'type': 'openstack', 'auth_url':
+    return {'vim': {'type': 'openstack', 'auth_url': 'http://localhost:5000',
-                    'http://localhost:5000', 'vim_project': {'name':
+                    'vim_project': {'name': 'test_project'},
-                    'test_project'}, 'auth_cred': {'username': 'test_user',
+                    'auth_cred': {'username': 'test_user',
-                                                   'password':
+                                  'password': 'test_password',
-                                                       'test_password'},
+                                  'cert_verify': 'True'},
-                            'name': 'VIM0',
+                    'name': 'VIM0',
                     'tenant_id': 'test-project'}}
 
 
@@ -163,6 +163,7 @@ def get_vim_auth_obj():
             'password': 'test_password',
             'project_id': None,
             'project_name': 'test_project',
+            'cert_verify': 'True',
             'auth_url': 'http://localhost:5000/v3',
             'user_domain_name': 'default',
             'project_domain_name': 'default'}

tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py

@@ -90,6 +90,7 @@ class TestOpenstack_Driver(base.TestCase):
                 'auth_cred': {'username': 'test_user',
                               'password': 'test_password',
                               'user_domain_name': 'default',
+                              'cert_verify': 'True',
                               'auth_url': 'http://localhost:5000'},
                 'name': 'VIM0',
                 'vim_project': {'name': 'test_project',
@@ -103,6 +104,7 @@ class TestOpenstack_Driver(base.TestCase):
                               'user_domain_name': 'default',
                               'key_type': 'barbican_key',
                               'secret_uuid': 'fake-secret-uuid',
+                              'cert_verify': 'True',
                               'auth_url': 'http://localhost:5000'},
                 'name': 'VIM0',
                 'vim_project': {'name': 'test_project',
@@ -131,8 +133,9 @@ class TestOpenstack_Driver(base.TestCase):
         mock_ks_client = mock.Mock(version='v2.0', **attrs)
         self.keystone.get_version.return_value = keystone_version
         auth_obj = {'tenant_name': 'test_project', 'username': 'test_user',
-                    'password': 'test_password', 'auth_url':
+                    'password': 'test_password', 'cert_verify': 'True',
-                    'http://localhost:5000/v2.0', 'tenant_id': None}
+                    'auth_url': 'http://localhost:5000/v2.0',
+                    'tenant_id': None}
         self._test_register_vim(self.vim_obj, mock_ks_client)
         self.keystone.initialize_client.assert_called_once_with(
             version=keystone_version, **auth_obj)

tacker/vnfm/keystone.py

@@ -36,21 +36,23 @@ class Keystone(object):
     instance such as version, session and client
     """
 
-    def get_version(self, base_url=None):
+    def get_version(self, base_url=None, verify=True):
         try:
-            keystone_client = client.Client(auth_url=base_url)
+            keystone_client = client.Client(auth_url=base_url,
+                                            verify=verify)
         except exceptions.ConnectionError:
             raise
         return keystone_client.version
 
-    def get_session(self, auth_plugin):
+    def get_session(self, auth_plugin, verify):
-        ses = session.Session(auth=auth_plugin)
+        ses = session.Session(auth=auth_plugin, verify=verify)
         return ses
 
     def get_endpoint(self, ses, service_type, region_name=None):
         return ses.get_endpoint(service_type, region_name)
 
     def initialize_client(self, version, **kwargs):
+        verify = 'True' == kwargs.pop('cert_verify', 'True') or False
         if version == 'v2.0':
             from keystoneclient.v2_0 import client
             if 'token' in kwargs:
@@ -63,7 +65,7 @@ class Keystone(object):
                 auth_plugin = identity.v3.Token(**kwargs)
             else:
                 auth_plugin = identity.v3.Password(**kwargs)
-        ses = self.get_session(auth_plugin=auth_plugin)
+        ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
         cli = client.Client(session=ses)
         return cli