113 lines
4.2 KiB
Python
113 lines
4.2 KiB
Python
|
|
from ostack_validator.common import Inspection, Issue, find
|
|
|
|
AUTHTOKEN_FILTER_FACTORY = ('keystoneclient.middleware.auth_token:'
|
|
'filter_factory')
|
|
|
|
|
|
class KeystoneAuthtokenSettingsInspection(Inspection):
|
|
name = 'Keystone auth'
|
|
description = 'Validate correctness of keystone settings'
|
|
|
|
def inspect(self, openstack):
|
|
components = []
|
|
for host in openstack.hosts:
|
|
components.extend(host.components)
|
|
|
|
keystones = [c for c in components if c.name == 'keystone']
|
|
if len(keystones) == 0:
|
|
openstack.report_issue(
|
|
Issue(Issue.FATAL, 'No keystone service found'))
|
|
return
|
|
|
|
keystone = keystones[0]
|
|
keystone_addresses = [keystone.config['bind_host']]
|
|
if keystone_addresses == ['0.0.0.0']:
|
|
keystone_addresses = keystone.host.network_addresses
|
|
|
|
for nova in [c for c in components if c.name == 'nova-api']:
|
|
if nova.config['auth_strategy'] != 'keystone':
|
|
continue
|
|
|
|
(authtoken_section, _) = find(
|
|
nova.paste_config.items(),
|
|
lambda name_values: name_values[0].startswith('filter:') and
|
|
name_values[1].get(
|
|
'paste.filter_factory') == AUTHTOKEN_FILTER_FACTORY
|
|
)
|
|
|
|
if not authtoken_section:
|
|
continue
|
|
|
|
authtoken_settings = nova.paste_config.section(authtoken_section)
|
|
|
|
def get_value(name):
|
|
return (
|
|
authtoken_settings[
|
|
name] or nova.config[
|
|
'keystone_authtoken.%s' %
|
|
name]
|
|
)
|
|
|
|
auth_host = get_value('auth_host')
|
|
auth_port = get_value('auth_port')
|
|
auth_protocol = get_value('auth_protocol')
|
|
admin_user = get_value('admin_user')
|
|
# admin_password = get_value('admin_password')
|
|
admin_tenant_name = get_value('admin_tenant_name')
|
|
admin_token = get_value('admin_token')
|
|
|
|
msg = ('Service "%s" on host "%s" %%s'
|
|
'in keystone authtoken config' %
|
|
(nova.name, nova.host.name))
|
|
|
|
def missing_param_issue(param):
|
|
return Issue(Issue.ERROR,
|
|
msg % (' miss "%s" setting' % param))
|
|
|
|
def incorrect_param_issue(param):
|
|
return Issue(Issue.ERROR,
|
|
msg % (' has incorrect "%s" setting' % param))
|
|
|
|
if not auth_host:
|
|
nova.report_issue(missing_param_issue('auth_host'))
|
|
elif not auth_host in keystone_addresses:
|
|
nova.report_issue(incorrect_param_issue('auth_host'))
|
|
|
|
if not auth_port:
|
|
nova.report_issue(missing_param_issue('auth_port'))
|
|
elif auth_port != keystone.config['admin_port']:
|
|
nova.report_issue(incorrect_param_issue('auth_port'))
|
|
|
|
if not auth_protocol:
|
|
nova.report_issue(missing_param_issue('auth_protocol'))
|
|
elif not auth_protocol in ['http', 'https']:
|
|
nova.report_issue(incorrect_param_issue('auth_protocol'))
|
|
|
|
if not admin_user:
|
|
nova.report_issue(missing_param_issue('admin_user'))
|
|
else:
|
|
user = find(
|
|
keystone.db['users'],
|
|
lambda u: u['name'] == admin_user)
|
|
if not user:
|
|
nova.report_issue(
|
|
Issue(Issue.ERROR, msg %
|
|
' has "admin_user" that is missing'))
|
|
|
|
if not admin_tenant_name:
|
|
nova.report_issue(missing_param_issue('admin_tenant_name'))
|
|
else:
|
|
tenant = find(keystone.db['tenants'],
|
|
lambda t: t['name'] == admin_tenant_name)
|
|
if not tenant:
|
|
nova.report_issue(
|
|
Issue(Issue.ERROR, msg %
|
|
' has "admin_tenant_name" that is missing'))
|
|
|
|
if admin_token:
|
|
nova.report_issue(
|
|
Issue(
|
|
Issue.WARNING,
|
|
msg % ' uses insecure admin_token for authentication'))
|