Revert "Fix Brocade FC SAN lookup MITM vulnerability"
authorJay S. Bryant <jsbryant@us.ibm.com>
Tue, 2 Dec 2014 20:35:06 +0000 (14:35 -0600)
committerThomas Goirand <thomas@goirand.fr>
Sun, 14 Dec 2014 09:18:31 +0000 (09:18 +0000)
This reverts commit ab4f57212683baec45d5b682bdd3952ff58249ed.

The change is being reverted because it broke the Brocade FC SAN lookup
functionality.  The change uses configuration options from
ssh_utils that are not initialized when the Brocade driver is
run, causing an exception to be thrown complaining that
CONF.ssh_hosts_key_file is used before it is initialized.

The right solution is to change the Brocade driver to use ssh_utils to
make SSH connections.

Conflicts:

cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py

Change-Id: I7814c3da9c0e6fcf3143969e74304a48cafcb3d1
Closes-bug: 1398488
(cherry-picked from commit 57103807c5e7fad7276f97ac82f8704f17f4b846)

cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py

index 43aa1e12e3749e321a0aaa57650d8a04f6c04eda..e138d452a026ca0e85530136da8b7616a057d9c2 100644 (file)
@@ -42,8 +42,6 @@ _device_map_to_verify = {
         'initiator_port_wwn_list': ['10008c7cff523b01'],
         'target_port_wwn_list': ['20240002ac000a50']}}
 
-CONF = cfg.CONF
-
 
 class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
                                  test.TestCase):
@@ -79,14 +77,16 @@ class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
 
     @mock.patch.object(paramiko.hostkeys.HostKeys, 'load')
     def test_create_ssh_client(self, load_mock):
-        CONF.ssh_hosts_key_file = 'dummy_host_key_file'
-        CONF.strict_ssh_host_key_policy = True
-        ssh_client = self.create_ssh_client()
+        mock_args = {}
+        mock_args['known_hosts_file'] = 'dummy_host_key_file'
+        mock_args['missing_key_policy'] = paramiko.RejectPolicy()
+        ssh_client = self.create_ssh_client(**mock_args)
         self.assertEqual(ssh_client._host_keys_filename, 'dummy_host_key_file')
         self.assertTrue(isinstance(ssh_client._policy, paramiko.RejectPolicy))
-        CONF.strict_ssh_host_key_policy = False
-        ssh_client = self.create_ssh_client()
-        self.assertTrue(isinstance(ssh_client._policy, paramiko.AutoAddPolicy))
+        mock_args = {}
+        ssh_client = self.create_ssh_client(**mock_args)
+        self.assertIsNone(ssh_client._host_keys_filename)
+        self.assertTrue(isinstance(ssh_client._policy, paramiko.WarningPolicy))
 
     @mock.patch.object(brcd_lookup.BrcdFCSanLookupService,
                        'get_nameserver_info')
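Review bot: The second half of `test_create_ssh_client` asserts `paramiko.WarningPolicy` as the expected policy for an argument-less client, which pins the accept-unknown-host-key default into the test suite without saying it is a stop-gap. A comment above that call such as `# WarningPolicy accepts unknown host keys; default kept only until the driver uses ssh_utils` would keep a later reader from treating it as the intended contract. The two `assertTrue(isinstance(...))` checks would also read better as `self.assertIsInstance(ssh_client._policy, paramiko.RejectPolicy)` and its WarningPolicy counterpart, which report the actual type on failure.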
index 8c64cb1784b67ce81cc5f5bcd54b48b866d526b9..b715e53379788cd2bee64c78ad2001dbacf6b906 100644 (file)
@@ -17,7 +17,6 @@
 #
 
 
-from oslo.config import cfg
 import paramiko
 
 from cinder import exception
@@ -31,8 +30,6 @@ from cinder.zonemanager.fc_san_lookup_service import FCSanLookupService
 
 LOG = logging.getLogger(__name__)
 
-CONF = cfg.CONF
-
 
 class BrcdFCSanLookupService(FCSanLookupService):
     """The SAN lookup service that talks to Brocade switches.
@@ -49,7 +46,7 @@ class BrcdFCSanLookupService(FCSanLookupService):
         super(BrcdFCSanLookupService, self).__init__(**kwargs)
         self.configuration = kwargs.get('configuration', None)
         self.create_configuration()
-        self.client = self.create_ssh_client()
+        self.client = self.create_ssh_client(**kwargs)
 
     def create_configuration(self):
         """Configuration specific to SAN context values."""
@@ -64,16 +61,16 @@ class BrcdFCSanLookupService(FCSanLookupService):
             self.fabric_configs = fabric_opts.load_fabric_configurations(
                 fabric_names)
 
-    def create_ssh_client(self):
+    def create_ssh_client(self, **kwargs):
         ssh_client = paramiko.SSHClient()
-        known_hosts_file = CONF.ssh_hosts_key_file
-        if not known_hosts_file:
-            raise exception.ParameterNotFound(param='ssh_hosts_key_file')
-        ssh_client.load_host_keys(known_hosts_file)
-        if CONF.strict_ssh_host_key_policy:
-            missing_key_policy = paramiko.RejectPolicy()
+        known_hosts_file = kwargs.get('known_hosts_file', None)
+        if known_hosts_file is None:
+            ssh_client.load_system_host_keys()
         else:
-            missing_key_policy = paramiko.AutoAddPolicy()
+            ssh_client.load_host_keys(known_hosts_file)
+        missing_key_policy = kwargs.get('missing_key_policy', None)
+        if missing_key_policy is None:
+            missing_key_policy = paramiko.WarningPolicy()
         ssh_client.set_missing_host_key_policy(missing_key_policy)
         return ssh_client
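Review bot: With no `missing_key_policy` in kwargs, `create_ssh_client` falls back to `paramiko.WarningPolicy()`, which only logs a warning and then accepts a host key it has never seen, so host-key verification is off by default and the exposure named in the reverted commit's title returns. Nothing visible in this diff shows a caller of `__init__` supplying `known_hosts_file` or `missing_key_policy`, so the defaults are presumably what runs in practice. A fail-closed default that still avoids the uninitialized CONF options would be `missing_key_policy = paramiko.RejectPolicy()` in the `is None` branch, with operators expected to have the switch keys in the known-hosts file that `load_system_host_keys()` reads. If the permissive default has to stay until the driver moves to ssh_utils, add a docstring to `create_ssh_client` stating that both kwargs are optional and that omitting them means unknown switch keys are accepted.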