Merge "Add http basic auth support for neutron api"

2021-09-14 08:54:42 +00:00 · 2021-09-14 08:54:42 +00:00 · 7a6cd0640e
parent 2a6f452a2c 823e4e867b
commit 7a6cd0640e
3 changed files with 53 additions and 8 deletions
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@ -264,7 +264,7 @@ parameters:
    description: Auth strategy to use with neutron.
    default: keystone
    constraints:
-      - allowed_values: ['keystone', 'noauth']
+      - allowed_values: ['keystone', 'noauth', 'http_basic']
  IronicRpcTransport:
    description: The remote procedure call transport between conductor and
                 API processes, such as a messaging broker or JSON RPC.
@ -303,6 +303,8 @@ conditions:
    equals: [{get_param: IronicAuthStrategy}, 'noauth']
  neutron_noauth:
    equals: [{get_param: NeutronAuthStrategy}, 'noauth']
+  neutron_auth_non_default:
+    contains: [{get_param: NeutronAuthStrategy}, ['noauth', 'http_basic']]
  rpc_transport_json_rpc:
    {equals : [{get_param: IronicRpcTransport}, 'json-rpc']}
  json_rpc_with_http_basic:
@ -521,9 +523,13 @@ outputs:
            ironic::pxe::http_root: /var/lib/ironic/httpboot
            ironic::conductor::http_root: /var/lib/ironic/httpboot
          - if:
-              - neutron_noauth
-              - ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
-                ironic::neutron::auth_type: 'none'
+              - neutron_auth_non_default
+              - ironic::neutron::auth_type:
+                  if:
+                    - neutron_noauth
+                    - 'none'
+                    - {get_param: NeutronAuthStrategy}
+                ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
          - if:
              - auth_strategy_non_default
              - ironic::service_catalog::auth_type:
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -194,7 +194,11 @@ parameters:
    description: Auth strategy to use with neutron.
    default: 'keystone'
    constraints:
-      - allowed_values: ['keystone', 'noauth']
+      - allowed_values: ['keystone', 'noauth', 'http_basic']
+  AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
+    type: string
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    hidden: True
  NeutronAgentDownTime:
    default: 600
    type: number
@ -202,7 +206,6 @@ parameters:
      Seconds to regard the agent as down; should be at least twice
      NeutronGlobalReportInterval, to be sure the agent is down for good.

-
 parameter_groups:
 - label: deprecated
  description: |
@ -230,6 +233,8 @@ conditions:
      - {get_param: EnableInternalTLS}
  key_size_override_set:
    not: {equals: [{get_param: NeutronCertificateKeySize}, '']}
+  auth_strategy_http_basic:
+    equals: [{get_param: NeutronAuthStrategy}, 'http_basic']

 resources:
  TLSProxyBase:
@ -403,6 +408,15 @@ outputs:
              tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/neutron_ovn.crt'
              tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
              tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
+          - if:
+            - auth_strategy_http_basic
+            - neutron::config::api_paste_ini:
+                composite:neutronapi_v2_0/http_basic:
+                  value: 'cors http_proxy_to_wsgi request_id fake_project_id catch_errors osprofiler basic_auth extensions neutronapiapp_v2_0'
+                composite:neutronversions_composite/http_basic:
+                  value: 'cors http_proxy_to_wsgi neutronversions'
+                filter:basic_auth/paste.filter_factory:
+                  value: 'oslo_middleware.basic_auth:BasicAuthMiddleware.factory'
      service_config_settings:
        rsyslog:
          tripleo_logging_sources_neutron_api:
@ -415,6 +429,7 @@ outputs:
          neutron::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
+
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: neutron
@ -517,6 +532,10 @@ outputs:
                      - ovn_and_tls
                      - - /etc/pki/tls/certs/neutron_ovn.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/neutron_ovn.crt:ro
                        - /etc/pki/tls/private/neutron_ovn.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/neutron_ovn.key:ro
+                    - if:
+                        - auth_strategy_http_basic
+                        - - /etc/neutron_passwd:/etc/htpasswd:z
+
                environment:
                  map_merge:
                    - {get_param: NeutronApiOptEnvVars}
@ -538,7 +557,27 @@ outputs:
                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                    environment:
                      KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
-      host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
+      host_prep_tasks:
+        list_concat:
+          - {get_attr: [NeutronLogging, host_prep_tasks]}
+          - - name: create password file when auth_stragy is 'http_basic'
+              vars:
+                is_http_basic:
+                  if:
+                    - auth_strategy_http_basic
+                    - true
+                    - false
+              copy:
+                dest: /etc/neutron_passwd
+                content:
+                  str_replace:
+                    template: |
+                      admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
+                      neutron:{{'$NEUTRON_PASSWORD' | password_hash('bcrypt')}}
+                    params:
+                      $ADMIN_PASSWORD: {get_param: AdminPassword}
+                      $NEUTRON_PASSWORD: {get_param: NeutronPassword}
+              when: is_http_basic | bool
      metadata_settings:
        list_concat:
        - {get_attr: [TLSProxyBase, role_data, metadata_settings]}
--- a/deployment/neutron/neutron-base.yaml
+++ b/deployment/neutron/neutron-base.yaml
@ -115,7 +115,7 @@ parameters:
    description: Auth strategy to use with neutron.
    default: 'keystone'
    constraints:
-      - allowed_values: ['keystone', 'noauth']
+      - allowed_values: ['keystone', 'noauth', 'http_basic']
  NeutronGlobalReportInterval:
    default: 300
    description: >