From 56c08789cbfefa344d457b4a6a3fe7fb8ac9cf08 Mon Sep 17 00:00:00 2001 From: Dmitry Burmistrov Date: Tue, 12 Nov 2013 12:56:41 +0400 Subject: [PATCH] Added patch according to OSCI-862 Change-Id: I49c60ef63eafcdb1bce252bbc412d7b4b22232d0 --- ...s_clients_used_in_Heat_Havana_stable.patch | 482 ++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 483 insertions(+) create mode 100644 debian/patches/SSL_parameters_for_various_clients_used_in_Heat_Havana_stable.patch diff --git a/debian/patches/SSL_parameters_for_various_clients_used_in_Heat_Havana_stable.patch b/debian/patches/SSL_parameters_for_various_clients_used_in_Heat_Havana_stable.patch new file mode 100644 index 00000000..d43d4260 --- /dev/null +++ b/debian/patches/SSL_parameters_for_various_clients_used_in_Heat_Havana_stable.patch @@ -0,0 +1,482 @@ +From 467adeb3dc9a89aa6b39780b83196501d5c31ea7 Mon Sep 17 00:00:00 2001 +From: Serg Melikyan +Date: Tue, 12 Nov 2013 14:33:17 +0400 +Subject: [PATCH] Adds ability to configure SSL params for clients used by the Heat + +--- + etc/heat/heat.conf.sample | 169 ++++++++++++++++++++++++++++++++++++ + heat/common/config.py | 32 ++++++- + heat/common/heat_keystoneclient.py | 18 ++++ + heat/engine/clients.py | 50 +++++++++-- + heat/tests/test_heatclient.py | 36 ++++++-- + 5 files changed, 291 insertions(+), 14 deletions(-) + +diff --git a/etc/heat/heat.conf.sample b/etc/heat/heat.conf.sample +index 1444f9b..376c98e 100644 +--- a/etc/heat/heat.conf.sample ++++ b/etc/heat/heat.conf.sample +@@ -724,3 +724,172 @@ + #password= + + ++[clients_swift] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++ ++[clients_cinder] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++[clients] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++[clients_nova] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++[clients_ceilometer] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++[clients_neutron] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL ++ ++ ++[clients_keystone] ++ ++# ++# Options defined in heat.common.config ++# ++ ++# Optional CA cert file to use in SSL connections (string ++# value) ++#ca_file= ++ ++# Optional PEM-formatted certificate chain file (string value) ++#cert_file= ++ ++# Optional PEM-formatted file that contains the private key ++# (string value) ++#key_file= ++ ++# If set then the server's certificate will not be verified ++# (boolean value) ++#insecure=false ++ ++# Endpoint type ++#endpoint_type=publicURL +diff --git a/heat/common/config.py b/heat/common/config.py +index 82b4ca5..155d4f4 100644 +--- a/heat/common/config.py ++++ b/heat/common/config.py +@@ -1,4 +1,3 @@ +- + # vim: tabstop=4 shiftwidth=4 softtabstop=4 + + # +@@ -18,6 +17,7 @@ + Routines for configuring Heat + """ + ++import copy + import logging as sys_logging + import os + +@@ -134,6 +134,35 @@ auth_password_opts = [ + 'multi_cloud is enabled. At least one endpoint needs ' + 'to be specified.'))] + ++clients_opts = [ ++ cfg.StrOpt('ca_file', ++ help=_('Optional CA cert file to use in SSL connections')), ++ cfg.StrOpt('cert_file', ++ help=_('Optional PEM-formatted certificate chain file')), ++ cfg.StrOpt('key_file', ++ help=_('Optional PEM-formatted file that contains the ' ++ 'private key')), ++ cfg.BoolOpt('insecure', ++ default=False, ++ help=_("If set then the server's certificate will not " ++ "be verified")), ++ cfg.StrOpt('endpoint_type', ++ default='publicURL', ++ help=_('Endpoint type'))] ++ ++ ++def register_clients_opts(): ++ cfg.CONF.register_opts(clients_opts, group='clients') ++ for client in ('nova', 'swift', 'neutron', 'cinder', ++ 'ceilometer', 'keystone'): ++ client_specific_group = 'clients_' + client ++ # register opts copy and put it to globals in order to ++ # generate_sample.sh to work ++ opts_copy = copy.deepcopy(clients_opts) ++ globals()[client_specific_group + '_opts'] = opts_copy ++ cfg.CONF.register_opts(opts_copy, group=client_specific_group) ++ ++ + cfg.CONF.register_opts(db_opts) + cfg.CONF.register_opts(engine_opts) + cfg.CONF.register_opts(service_opts) +@@ -142,6 +171,7 @@ cfg.CONF.register_group(paste_deploy_group) + cfg.CONF.register_opts(paste_deploy_opts, group=paste_deploy_group) + cfg.CONF.register_group(auth_password_group) + cfg.CONF.register_opts(auth_password_opts, group=auth_password_group) ++register_clients_opts() + + + def rpc_set_default(): +diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py +index 8fb13f7..8099ef2 100644 +--- a/heat/common/heat_keystoneclient.py ++++ b/heat/common/heat_keystoneclient.py +@@ -100,6 +100,10 @@ class KeystoneClient(object): + logger.error("Keystone v2 API connection failed, no password or " + "auth_token!") + raise exception.AuthorizationFailure() ++ kwargs['cacert'] = self._get_client_option('ca_file') ++ kwargs['insecure'] = self._get_client_option('insecure') ++ kwargs['cert'] = self._get_client_option('cert_file') ++ kwargs['key'] = self._get_client_option('key_file') + client_v2 = kc.Client(**kwargs) + + client_v2.authenticate(**auth_kwargs) +@@ -161,12 +165,26 @@ class KeystoneClient(object): + "auth_token!") + raise exception.AuthorizationFailure() + ++ kwargs['cacert'] = self._get_client_option('ca_file') ++ kwargs['insecure'] = self._get_client_option('insecure') ++ kwargs['cert'] = self._get_client_option('cert_file') ++ kwargs['key'] = self._get_client_option('key_file') ++ + client = kc_v3.Client(**kwargs) + # Have to explicitly authenticate() or client.auth_ref is None + client.authenticate() + + return client + ++ def _get_client_option(self, option): ++ try: ++ cfg.CONF.import_opt(option, 'heat.common.config', ++ group='clients_keystone') ++ return getattr(cfg.CONF.clients_keystone, option) ++ except (cfg.NoSuchGroupError, cfg.NoSuchOptError): ++ cfg.CONF.import_opt(option, 'heat.common.config', group='clients') ++ return getattr(cfg.CONF.clients, option) ++ + def create_trust_context(self): + """ + If cfg.CONF.deferred_auth_method is trusts, we create a +diff --git a/heat/engine/clients.py b/heat/engine/clients.py +index 6deae5b..a9475f7 100644 +--- a/heat/engine/clients.py ++++ b/heat/engine/clients.py +@@ -103,12 +103,16 @@ class OpenStackClients(object): + 'service_type': service_type, + 'username': None, + 'api_key': None, +- 'extensions': extensions ++ 'extensions': extensions, ++ 'cacert': self._get_client_option('nova', 'ca_file'), ++ 'insecure': self._get_client_option('nova', 'insecure') + } + + client = novaclient.Client(1.1, **args) + +- management_url = self.url_for(service_type=service_type) ++ management_url = self.url_for( ++ service_type=service_type, ++ endpoint_type=self._get_client_option('nova', 'endpoint_type')) + client.client.auth_token = self.auth_token + client.client.management_url = management_url + +@@ -133,7 +137,12 @@ class OpenStackClients(object): + 'key': None, + 'authurl': None, + 'preauthtoken': self.auth_token, +- 'preauthurl': self.url_for(service_type='object-store') ++ 'preauthurl': self.url_for( ++ service_type='object-store', ++ endpoint_type=self._get_client_option( ++ 'swift', 'endpoint_type')), ++ 'cacert': self._get_client_option('swift', 'ca_file'), ++ 'insecure': self._get_client_option('swift', 'insecure') + } + self._swift = swiftclient.Connection(**args) + return self._swift +@@ -153,7 +162,12 @@ class OpenStackClients(object): + 'auth_url': con.auth_url, + 'service_type': 'network', + 'token': self.auth_token, +- 'endpoint_url': self.url_for(service_type='network') ++ 'endpoint_url': self.url_for( ++ service_type='network', ++ endpoint_type=self._get_client_option( ++ 'neutron', 'endpoint_type')), ++ 'ca_cert': self._get_client_option('neutron', 'ca_file'), ++ 'insecure': self._get_client_option('neutron', 'insecure') + } + + self._neutron = neutronclient.Client(**args) +@@ -176,11 +190,16 @@ class OpenStackClients(object): + 'auth_url': con.auth_url, + 'project_id': con.tenant, + 'username': None, +- 'api_key': None ++ 'api_key': None, ++ 'cacert': self._get_client_option('cinder', 'ca_file'), ++ 'insecure': self._get_client_option('cinder', 'insecure') + } + + self._cinder = cinderclient.Client('1', **args) +- management_url = self.url_for(service_type='volume') ++ management_url = self.url_for( ++ service_type='volume', ++ endpoint_type=self._get_client_option( ++ 'cinder', 'endpoint_type')) + self._cinder.client.auth_token = self.auth_token + self._cinder.client.management_url = management_url + +@@ -201,7 +220,14 @@ class OpenStackClients(object): + 'service_type': 'metering', + 'project_id': con.tenant, + 'token': lambda: self.auth_token, +- 'endpoint': self.url_for(service_type='metering'), ++ 'endpoint': self.url_for( ++ service_type='metering', ++ endpoint_type=self._get_client_option( ++ 'ceilometer', 'endpoint_type')), ++ 'ca_file': self._get_client_option('ceilometer', 'ca_file'), ++ 'cert_file': self._get_client_option('ceilometer', 'cert_file'), ++ 'key_file': self._get_client_option('ceilometer', 'key_file'), ++ 'insecure': self._get_client_option('ceilometer', 'insecure') + } + + client = ceilometerclient.Client(**args) +@@ -209,6 +235,15 @@ class OpenStackClients(object): + self._ceilometer = client + return self._ceilometer + ++ def _get_client_option(self, client, option): ++ try: ++ group_name = 'clients_' + client ++ cfg.CONF.import_opt(option, 'heat.common.config', ++ group=group_name) ++ return getattr(getattr(cfg.CONF, group_name), option) ++ except (cfg.NoSuchGroupError, cfg.NoSuchOptError): ++ cfg.CONF.import_opt(option, 'heat.common.config', group='clients') ++ return getattr(cfg.CONF.clients, option) + + if cfg.CONF.cloud_backend: + cloud_backend_module = importutils.import_module(cfg.CONF.cloud_backend) +@@ -217,3 +252,4 @@ else: + Clients = OpenStackClients + + logger.debug('Using backend %s' % Clients) ++ +diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py +index 7e195dc..712ffa5 100644 +--- a/heat/tests/test_heatclient.py ++++ b/heat/tests/test_heatclient.py +@@ -51,7 +51,11 @@ class KeystoneClientTest(HeatTestCase): + self.mock_ks_client = heat_keystoneclient.kc.Client( + auth_url=mox.IgnoreArg(), + tenant_name='test_tenant', +- token='abcd1234') ++ token='abcd1234', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + self.mock_ks_client.authenticate().AndReturn(auth_ok) + elif method == 'password': + self.mock_ks_client = heat_keystoneclient.kc.Client( +@@ -59,14 +63,22 @@ class KeystoneClientTest(HeatTestCase): + tenant_name='test_tenant', + tenant_id='test_tenant_id', + username='test_username', +- password='password') ++ password='password', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + self.mock_ks_client.authenticate().AndReturn(auth_ok) + if method == 'trust': + self.mock_ks_client = heat_keystoneclient.kc.Client( + auth_url='http://server.test:5000/v2.0', + password='verybadpass', + tenant_name='service', +- username='heat') ++ username='heat', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + self.mock_ks_client.authenticate(trust_id='atrust123', + tenant_id='test_tenant_id' + ).AndReturn(auth_ok) +@@ -81,7 +93,11 @@ class KeystoneClientTest(HeatTestCase): + self.mock_ks_v3_client = heat_keystoneclient.kc_v3.Client( + token='abcd1234', project_name='test_tenant', + auth_url='http://server.test:5000/v3', +- endpoint='http://server.test:5000/v3') ++ endpoint='http://server.test:5000/v3', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + elif method == 'password': + self.mock_ks_v3_client = heat_keystoneclient.kc_v3.Client( + username='test_username', +@@ -89,13 +105,21 @@ class KeystoneClientTest(HeatTestCase): + project_name='test_tenant', + project_id='test_tenant_id', + auth_url='http://server.test:5000/v3', +- endpoint='http://server.test:5000/v3') ++ endpoint='http://server.test:5000/v3', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + elif method == 'trust': + self.mock_ks_v3_client = heat_keystoneclient.kc_v3.Client( + username='heat', + password='verybadpass', + project_name='service', +- auth_url='http://server.test:5000/v3') ++ auth_url='http://server.test:5000/v3', ++ cacert=None, ++ cert=None, ++ insecure=False, ++ key=None) + self.mock_ks_v3_client.authenticate().AndReturn(auth_ok) + + def test_username_length(self): +-- +1.7.9.5 + diff --git a/debian/patches/series b/debian/patches/series index 2b6b02c4..f1f090a3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ default-sqlite.patch +SSL_parameters_for_various_clients_used_in_Heat_Havana_stable.patch -- 2.45.2