From 3bce8e1dcaab06175b10fb97d9e681e95c9c6103 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Mon, 11 Mar 2024 01:20:01 +0900 Subject: [PATCH] Make authentication/SSL for redis sentinel optional Change 4954e284b9616f5e0c2cea77d94bbe18e0b8fd39 updated the redis sentinel driver to apply auth/ssl settings for redis sentinel, based on ones of redis, but this change broke the existing usage in kolla deployments, which require redis with authentication enabled and sentinel with authentication DISABLED. This restores the old behavior, which do not enable authentication and ssl for sentinel even when these for redis is enabled. Closes-Bug: #2056656 Change-Id: I3047c80359df3dad64be041db6f4a3a6180479d6
---
.../notes/bug-2056656-f71dca8a61138f95.yaml | 22 +++++++++++++++++++ tooz/drivers/redis.py | 20 ++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml
diff --git a/releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml b/releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml
new file mode 100644
index 00000000..22ab9aec
--- /dev/null
+++ b/releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml
@@ -0,0 +1,22 @@
+---
+features:
+ - |
+ The redis driver now supports the following options.
+
+ - ``sentinel_username``
+ - ``sentinel_parameters``
+ - ``sentinel_ssl``
+
+fixes:
+ - |
+ The redis driver no longer enables authentication for redis sentinel when
+ authentication is enabled in redis. This was the previous behavior before
+ 6.0.0, and was already required by some deployment tools like kolla. Now
+ authentication for redis sentinel is controlled by a separate options
+ (``sentinel_username`` and ``sentinel_password``).
+
+ - |
+ The redis driver no longer enables SSL for redis sentinel when SSL is
+ enabled in redis, to restore the compatibility with older versions. Now
+ SSL for redis sentinel is controlled by the separate ``sentinel_ssl``
+ option.
diff --git a/tooz/drivers/redis.py b/tooz/drivers/redis.py
index ca30a679..084a5d62 100644
--- a/tooz/drivers/redis.py
+++ b/tooz/drivers/redis.py
@@ -267,6 +267,9 @@ class RedisDriver(coordination.CoordinationDriverCachedRunWatchers,
 'ssl_ca_certs',
 'sentinel',
 'sentinel_fallback',
+ 'sentinel_username',
+ 'sentinel_password',
+ 'sentinel_ssl',
 ])
 """
 Keys that we allow to proxy from the coordinator configuration into the
@@ -288,6 +291,7 @@ class RedisDriver(coordination.CoordinationDriverCachedRunWatchers,
 'retry_on_timeout',
 'socket_keepalive',
 'ssl',
+ 'sentinel_ssl',
 ])
 
 #: Client arguments that are expected to be int convertible.
@@ -474,9 +478,23 @@ return 1
 ]
 sentinel_hosts.insert(0, (kwargs.pop('host'), kwargs.pop('port')))
 sentinel_name = kwargs.pop('sentinel')
+ sentinel_kwargs = {}
+ # NOTE(tkajinam): Copy socket_* options, according to the logic
+ # in redis-py
+ for key in kwargs:
+ if key.startswith('socket_'):
+ sentinel_kwargs[key] = kwargs[key]
+ if kwargs.pop('sentinel_ssl', False):
+ sentinel_kwargs['ssl'] = True
+ for key in ('ssl_certfile', 'ssl_keyfile', 'ssl_cafile'):
+ if key in kwargs:
+ sentinel_kwargs[key] = kwargs[key]
+ for key in ('username', 'password'):
+ if 'sentinel_' + key in kwargs:
+ sentinel_kwargs[key] = kwargs.pop('sentinel_' + key)
 sentinel_server = sentinel.Sentinel(
 sentinel_hosts,
- sentinel_kwargs=kwargs,
+ sentinel_kwargs=sentinel_kwargs,
 **kwargs)
 master_client = sentinel_server.master_for(sentinel_name)
 # The master_client is a redis.Redis using a
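Review bot: The release note added by this commit advertises `sentinel_parameters`, but the keys this first hunk adds to the allowed-options set are `sentinel_username`, `sentinel_password` and `sentinel_ssl`. No `sentinel_parameters` option appears anywhere in the code change, so the note looks like a typo for `sentinel_password`. An operator who follows the note as written would presumably end up with sentinel authentication left unset. I would correct that bullet in the features list to name `sentinel_password`. The frozenset these keys belong to starts and ends outside the hunk.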
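Review bot: The TLS options copied into `sentinel_kwargs` inside the `sentinel_ssl` branch of the third hunk include `ssl_cafile`, whereas the allowed-options list visible in the first hunk carries `ssl_ca_certs` and no `ssl_cafile` appears in the lines shown. If `ssl_ca_certs` is the key the driver accepts (the full list is outside the hunk), the CA bundle configured for redis never reaches the sentinel connection, so certificate verification for sentinel would not use the configured CA. I would change the tuple to `for key in ('ssl_certfile', 'ssl_keyfile', 'ssl_ca_certs'):`, and also copy `ssl_cert_reqs` if the driver accepts it, so sentinel follows the same verification policy as redis. The enclosing method starts and ends outside the hunk.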