From: Tom Barron Date: Fri, 2 Oct 2015 20:49:46 +0000 (-0400) Subject: Add insecure option for swift backup X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=cdb7749e64eb88a8b558d0366cba0c792f7869d9;p=openstack-build%2Fcinder-build.git Add insecure option for swift backup When running backups with the swift backup driver and an https url for the swift endpoint, the config option backup_swift_ca_cert_file must point to a valid server side cert. For test purposes, it is useful to be able to ignore cert errors while still making a SSL/TLS connection, the way one can with https:// urls and the curl command and the swift client itself. This commit adds a boolean CONFIG option, 'backup_swift_auth_insecure', whose default value is False, in which case there is no change from current behavior. If this option is set to True, however, cert validation is skipped for SSL/TLS. DocImpact Change-Id: I1ca88d8e083d95c2bdb86ae79a4d66e04f521ddb --- diff --git a/cinder/backup/drivers/swift.py b/cinder/backup/drivers/swift.py index 8570ad2c5..68a9f3e51 100644 --- a/cinder/backup/drivers/swift.py +++ b/cinder/backup/drivers/swift.py @@ -35,6 +35,8 @@ None (to disable), zlib and bz2 (default: zlib) :backup_swift_ca_cert_file: The location of the CA certificate file to use for swift client requests (default: None) +:backup_swift_auth_insecure: If true, bypass verification of server's + certificate for SSL connections (default: False) """ import hashlib @@ -107,6 +109,10 @@ swiftbackup_service_opts = [ default=None, help='Location of the CA certificate file to use for swift ' 'client requests.'), + cfg.BoolOpt('backup_swift_auth_insecure', + default=False, + help='Bypass verification of server certificate when ' + 'making SSL connection to Swift.'), ] CONF = cfg.CONF @@ -153,6 +159,7 @@ class SwiftBackupDriver(chunkeddriver.ChunkedBackupDriver): self.swift_backoff = CONF.backup_swift_retry_backoff LOG.debug('Connect to %s in "%s" mode', CONF.backup_swift_url, CONF.backup_swift_auth) + self.backup_swift_auth_insecure = CONF.backup_swift_auth_insecure if CONF.backup_swift_auth == 'single_user': if CONF.backup_swift_user is None: LOG.error(_LE("single_user auth mode enabled, " @@ -167,12 +174,15 @@ class SwiftBackupDriver(chunkeddriver.ChunkedBackupDriver): key=CONF.backup_swift_key, retries=self.swift_attempts, starting_backoff=self.swift_backoff, + insecure=self.backup_swift_auth_insecure, cacert=CONF.backup_swift_ca_cert_file) else: self.conn = swift.Connection(retries=self.swift_attempts, preauthurl=self.swift_url, preauthtoken=self.context.auth_token, starting_backoff=self.swift_backoff, + insecure= ( + self.backup_swift_auth_insecure), cacert=CONF.backup_swift_ca_cert_file) class SwiftObjectWriter(object): diff --git a/cinder/tests/unit/test_backup_swift.py b/cinder/tests/unit/test_backup_swift.py index c5d639923..5c57b2b28 100644 --- a/cinder/tests/unit/test_backup_swift.py +++ b/cinder/tests/unit/test_backup_swift.py @@ -18,6 +18,7 @@ Tests for Backup swift code. """ import bz2 +import ddt import filecmp import hashlib import os @@ -42,6 +43,8 @@ from cinder.tests.unit.backup import fake_swift_client2 CONF = cfg.CONF +ANY = mock.ANY + def fake_md5(arg): class result(object): @@ -52,6 +55,7 @@ def fake_md5(arg): return ret +@ddt.ddt class BackupSwiftTestCase(test.TestCase): """Test Case for swift.""" @@ -125,6 +129,41 @@ class BackupSwiftTestCase(test.TestCase): swift_dr.SwiftBackupDriver, self.ctxt) + @ddt.data( + {'auth': 'single_user', 'insecure': True}, + {'auth': 'single_user', 'insecure': False}, + {'auth': 'per_user', 'insecure': True}, + {'auth': 'per_user', 'insecure': False}, + ) + @ddt.unpack + def test_backup_swift_auth_insecure(self, auth, insecure): + self.override_config("backup_swift_auth_insecure", insecure) + self.override_config('backup_swift_auth', auth) + if auth == 'single_user': + self.override_config('backup_swift_user', 'swift-user') + + mock_connection = self.mock_object(swift, 'Connection') + + swift_dr.SwiftBackupDriver(self.ctxt) + + if auth == 'single_user': + mock_connection.assert_called_once_with(insecure=insecure, + authurl=ANY, + auth_version=ANY, + tenant_name=ANY, + user=ANY, + key=ANY, + retries=ANY, + starting_backoff=ANY, + cacert=ANY) + else: + mock_connection.assert_called_once_with(insecure=insecure, + retries=ANY, + preauthurl=ANY, + preauthtoken=ANY, + starting_backoff=ANY, + cacert=ANY) + def test_backup_uncompressed(self): self._create_backup_db_entry() self.flags(backup_compression_algorithm='none')