Add restriction for using CA certificate verification
CA certificate verification should be available only if Bypass verification is disabled. Some changes were made in vmware_attributes_metadata in openstack.yaml so we have to update releases table accordingly during upgrade. Change-Id: Iaeb20b3614ff846b26001f366c2720459cd10bef Closes-bug: #1616438
This commit is contained in:
parent
194e78a8ed
commit
20b8191342
|
@ -32,7 +32,7 @@ from nailgun.utils.migration import drop_enum
|
|||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = 'c6edea552f1e'
|
||||
down_revision = 'f2314e5d63c9'
|
||||
down_revision = '3763c404ca48'
|
||||
|
||||
|
||||
def upgrade():
|
||||
|
|
|
@ -0,0 +1,173 @@
|
|||
# Copyright 2016 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""Fuel 9.2
|
||||
|
||||
Revision ID: 3763c404ca48
|
||||
Revises: f2314e5d63c9
|
||||
Create Date: 2016-10-11 16:33:57.247855
|
||||
|
||||
"""
|
||||
|
||||
from alembic import op
|
||||
from oslo_serialization import jsonutils
|
||||
|
||||
import sqlalchemy as sa
|
||||
|
||||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = '3763c404ca48'
|
||||
down_revision = 'f2314e5d63c9'
|
||||
|
||||
|
||||
def upgrade():
|
||||
upgrade_vmware_attributes_metadata()
|
||||
|
||||
|
||||
def downgrade():
|
||||
downgrade_vmware_attributes_metadata()
|
||||
|
||||
|
||||
VCENTER_INSECURE = {
|
||||
'name': "vcenter_insecure",
|
||||
'type': "checkbox",
|
||||
'label': "Bypass vCenter certificate verification"
|
||||
}
|
||||
|
||||
VCENTER_SECURITY_DISABLED = {
|
||||
'name': "vcenter_security_disabled",
|
||||
'type': "checkbox",
|
||||
'label': "Bypass vCenter certificate verification"
|
||||
}
|
||||
|
||||
VCENTER_CA_FILE = {
|
||||
'name': "vcenter_ca_file",
|
||||
'type': 'file',
|
||||
'label': "CA file",
|
||||
'description': ('File containing the trusted CA bundle that emitted '
|
||||
'vCenter server certificate. Even if CA bundle is not '
|
||||
'uploaded, certificate verification is turned on.'),
|
||||
'restrictions': [{
|
||||
'message': ('Bypass vCenter certificate verification should be '
|
||||
'disabled.'),
|
||||
'condition': 'current_vcenter:vcenter_security_disabled == true'
|
||||
}]
|
||||
}
|
||||
|
||||
CA_FILE = {
|
||||
'name': "ca_file",
|
||||
'type': 'file',
|
||||
'label': "CA file",
|
||||
'description': ('File containing the trusted CA bundle that emitted '
|
||||
'vCenter server certificate. Even if CA bundle is not '
|
||||
'uploaded, certificate verification is turned on.'),
|
||||
'restrictions': [{
|
||||
'message': ('Bypass vCenter certificate verification should be '
|
||||
'disabled.'),
|
||||
'condition': 'glance:vcenter_security_disabled == true'
|
||||
}]
|
||||
}
|
||||
|
||||
|
||||
def update_vmware_attributes_metadata(upgrade):
|
||||
connection = op.get_bind()
|
||||
select_query = sa.sql.text(
|
||||
"SELECT id, vmware_attributes_metadata FROM releases "
|
||||
"WHERE vmware_attributes_metadata IS NOT NULL")
|
||||
update_query = sa.sql.text(
|
||||
"UPDATE releases SET vmware_attributes_metadata = "
|
||||
":vmware_attributes_metadata WHERE id = :id")
|
||||
|
||||
for id, attrs in connection.execute(select_query):
|
||||
attrs = jsonutils.loads(attrs)
|
||||
editable = attrs.setdefault('editable', {})
|
||||
metadata = editable.setdefault('metadata', [])
|
||||
value = editable.setdefault('value', {})
|
||||
|
||||
for m in metadata:
|
||||
if not isinstance(m, dict):
|
||||
continue
|
||||
if m.get('name') == 'availability_zones':
|
||||
fields = m.setdefault('fields', [])
|
||||
names = [f['name'] for f in fields]
|
||||
av_z = value.setdefault('availability_zones', {})
|
||||
update_availability_zones(fields, av_z, names, upgrade)
|
||||
elif m.get('name') == 'glance':
|
||||
fields = m.setdefault('fields', [])
|
||||
names = [f['name'] for f in fields]
|
||||
glance = value.setdefault('glance', {})
|
||||
update_glance(fields, glance, names, upgrade)
|
||||
|
||||
connection.execute(
|
||||
update_query,
|
||||
id=id,
|
||||
vmware_attributes_metadata=jsonutils.dumps(attrs))
|
||||
|
||||
|
||||
def update_availability_zones(fields, values, names, upgrade):
|
||||
if upgrade:
|
||||
if 'vcenter_security_disabled' not in names:
|
||||
fields.insert(5, VCENTER_SECURITY_DISABLED)
|
||||
for value in values:
|
||||
value['vcenter_security_disabled'] = True
|
||||
if 'vcenter_insecure' in names:
|
||||
fields.remove(VCENTER_INSECURE)
|
||||
for value in values:
|
||||
del value['vcenter_insecure']
|
||||
for field in fields:
|
||||
if field['name'] == 'vcenter_ca_file':
|
||||
field['restrictions'] = VCENTER_CA_FILE['restrictions']
|
||||
else:
|
||||
if 'vcenter_insecure' not in names:
|
||||
fields.insert(5, VCENTER_INSECURE)
|
||||
for value in values:
|
||||
value['vcenter_insecure'] = True
|
||||
if 'vcenter_security_disabled' in names:
|
||||
fields.remove(VCENTER_SECURITY_DISABLED)
|
||||
for value in values:
|
||||
del value['vcenter_security_disabled']
|
||||
for field in fields:
|
||||
if field['name'] == 'vcenter_ca_file':
|
||||
del field['restrictions']
|
||||
|
||||
|
||||
def update_glance(fields, values, names, upgrade):
|
||||
if upgrade:
|
||||
if 'vcenter_security_disabled' not in names:
|
||||
fields.insert(6, VCENTER_SECURITY_DISABLED)
|
||||
values['vcenter_security_disabled'] = True
|
||||
if 'vcenter_insecure' in names:
|
||||
fields.remove(VCENTER_INSECURE)
|
||||
del values['vcenter_insecure']
|
||||
for field in fields:
|
||||
if field['name'] == 'ca_file':
|
||||
field['restrictions'] = CA_FILE['restrictions']
|
||||
else:
|
||||
if 'vcenter_insecure' not in names:
|
||||
fields.insert(6, VCENTER_INSECURE)
|
||||
values['vcenter_insecure'] = True
|
||||
if 'vcenter_security_disabled' in names:
|
||||
fields.remove(VCENTER_SECURITY_DISABLED)
|
||||
del values['vcenter_security_disabled']
|
||||
for field in fields:
|
||||
if field['name'] == 'ca_file':
|
||||
del field['restrictions']
|
||||
|
||||
|
||||
def upgrade_vmware_attributes_metadata():
|
||||
update_vmware_attributes_metadata(upgrade=True)
|
||||
|
||||
|
||||
def downgrade_vmware_attributes_metadata():
|
||||
update_vmware_attributes_metadata(upgrade=False)
|
|
@ -1657,7 +1657,7 @@
|
|||
source: *non_empty_string
|
||||
error: "Empty vCenter password"
|
||||
-
|
||||
name: "vcenter_unsecure"
|
||||
name: "vcenter_security_disabled"
|
||||
type: "checkbox"
|
||||
label: "Bypass vCenter certificate verification"
|
||||
-
|
||||
|
@ -1666,7 +1666,7 @@
|
|||
label: "CA file"
|
||||
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
|
||||
restrictions:
|
||||
- condition: "current_vcenter:vcenter_unsecure == true"
|
||||
- condition: "current_vcenter:vcenter_security_disabled == true"
|
||||
message: "Bypass vCenter certificate verification should be disabled."
|
||||
-
|
||||
name: "nova_computes"
|
||||
|
@ -1750,7 +1750,7 @@
|
|||
source: *non_empty_string
|
||||
error: "Invalid datastore"
|
||||
-
|
||||
name: "vcenter_unsecure"
|
||||
name: "vcenter_security_disabled"
|
||||
type: "checkbox"
|
||||
label: "Bypass vCenter certificate verification"
|
||||
-
|
||||
|
@ -1759,7 +1759,7 @@
|
|||
label: "CA file"
|
||||
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
|
||||
restrictions:
|
||||
- condition: "glance:vcenter_unsecure == true"
|
||||
- condition: "glance:vcenter_security_disabled == true"
|
||||
message: "Bypass vCenter certificate verification should be disabled."
|
||||
value:
|
||||
availability_zones:
|
||||
|
@ -1768,7 +1768,7 @@
|
|||
vcenter_host: ""
|
||||
vcenter_username: ""
|
||||
vcenter_password: ""
|
||||
vcenter_unsecure: true
|
||||
vcenter_security_disabled: true
|
||||
vcenter_ca_file: {}
|
||||
nova_computes:
|
||||
-
|
||||
|
@ -1788,7 +1788,7 @@
|
|||
vcenter_password: ""
|
||||
datacenter: ""
|
||||
datastore: ""
|
||||
vcenter_unsecure: true
|
||||
vcenter_security_disabled: true
|
||||
ca_file: {}
|
||||
components_metadata:
|
||||
- name: hypervisor:qemu
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
},
|
||||
{
|
||||
"type": "checkbox",
|
||||
"name": "vcenter_unsecure",
|
||||
"name": "vcenter_security_disabled",
|
||||
"label": "Bypass vCenter certificate verification"
|
||||
},
|
||||
{
|
||||
|
@ -40,7 +40,7 @@
|
|||
"label": "CA file",
|
||||
"restrictions": [
|
||||
{
|
||||
"condition": "current_vcenter:vcenter_unsecure == true",
|
||||
"condition": "current_vcenter:vcenter_security_disabled == true",
|
||||
"message": "Bypass vCenter certificate verification should be disabled."
|
||||
}
|
||||
]
|
||||
|
@ -149,7 +149,7 @@
|
|||
},
|
||||
{
|
||||
"type": "checkbox",
|
||||
"name": "vcenter_unsecure",
|
||||
"name": "vcenter_security_disabled",
|
||||
"label": "Bypass vCenter certificate verification"
|
||||
},
|
||||
{
|
||||
|
@ -159,7 +159,7 @@
|
|||
"label": "CA file",
|
||||
"restrictions": [
|
||||
{
|
||||
"condition": "glance:vcenter_unsecure == true",
|
||||
"condition": "glance:vcenter_security_disabled == true",
|
||||
"message": "Bypass vCenter certificate verification should be disabled."
|
||||
}
|
||||
]
|
||||
|
@ -182,7 +182,7 @@
|
|||
"vcenter_host": "1.2.3.4",
|
||||
"vcenter_username": "admin",
|
||||
"vcenter_password": "secret",
|
||||
"vcenter_unsecure": "true",
|
||||
"vcenter_security_disabled": "true",
|
||||
"vcenter_ca_file": "file_blob",
|
||||
"nova_computes": [
|
||||
{
|
||||
|
@ -212,7 +212,7 @@
|
|||
"vcenter_host": "1.2.3.6",
|
||||
"vcenter_username": "user$",
|
||||
"vcenter_password": "pass$word",
|
||||
"vcenter_unsecure": "true",
|
||||
"vcenter_security_disabled": "true",
|
||||
"vcenter_ca_file": "file_blob",
|
||||
"nova_computes": [
|
||||
{
|
||||
|
@ -234,7 +234,7 @@
|
|||
"vcenter_password": "secret",
|
||||
"datacenter": "test_datacenter",
|
||||
"datastore": "test_datastore",
|
||||
"vcenter_unsecure": "true",
|
||||
"vcenter_security_disabled": "true",
|
||||
"ca_file": "file_blob"
|
||||
},
|
||||
"network": {
|
||||
|
|
|
@ -182,7 +182,8 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_host': zone.get('vcenter_host', ''),
|
||||
'vc_user': vc_user,
|
||||
'vc_password': vc_password,
|
||||
'vc_insecure': zone.get('vcenter_unsecure', ''),
|
||||
'vc_insecure': zone.get('vcenter_security_disabled',
|
||||
''),
|
||||
'vc_ca_file': zone.get('vcenter_ca_file', ''),
|
||||
'service_name': compute.get('service_name', ''),
|
||||
'vc_cluster': compute.get('vsphere_cluster', ''),
|
||||
|
@ -198,7 +199,7 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_host': zone.get('vcenter_host', ''),
|
||||
'vc_user': vc_user,
|
||||
'vc_password': vc_password,
|
||||
'vc_insecure': zone.get('vcenter_unsecure', ''),
|
||||
'vc_insecure': zone.get('vcenter_security_disabled', ''),
|
||||
'vc_ca_file': zone.get('vcenter_ca_file', '')
|
||||
}
|
||||
cinder_instances.append(cinder_item)
|
||||
|
@ -231,7 +232,8 @@ class VmwareDeploymentSerializerMixin(object):
|
|||
'vc_password': glance_password,
|
||||
'vc_datacenter': glance_instance.get('datacenter', ''),
|
||||
'vc_datastore': glance_instance.get('datastore', ''),
|
||||
'vc_insecure': glance_instance.get('vcenter_unsecure', ''),
|
||||
'vc_insecure': glance_instance.get(
|
||||
'vcenter_security_disabled', ''),
|
||||
'vc_ca_file': glance_instance.get('ca_file', '')
|
||||
}
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ from nailgun.db import dropdb
|
|||
from nailgun.db.migration import ALEMBIC_CONFIG
|
||||
from nailgun.test import base
|
||||
|
||||
_prepare_revision = 'f2314e5d63c9'
|
||||
_prepare_revision = '3763c404ca48'
|
||||
_test_revision = 'c6edea552f1e'
|
||||
|
||||
JSON_TASKS = [
|
||||
|
|
|
@ -0,0 +1,186 @@
|
|||
# Copyright 2016 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import datetime
|
||||
|
||||
import alembic
|
||||
from oslo_serialization import jsonutils
|
||||
import sqlalchemy as sa
|
||||
|
||||
from nailgun.db import db
|
||||
from nailgun.db import dropdb
|
||||
from nailgun.db.migration import ALEMBIC_CONFIG
|
||||
from nailgun.test import base
|
||||
|
||||
_prepare_revision = 'f2314e5d63c9'
|
||||
_test_revision = '3763c404ca48'
|
||||
|
||||
|
||||
VMWARE_ATTRIBUTES_METADATA = {
|
||||
'editable': {
|
||||
'metadata': [
|
||||
{
|
||||
'name': 'availability_zones',
|
||||
'fields': []
|
||||
},
|
||||
{
|
||||
'name': 'glance',
|
||||
'fields': []
|
||||
},
|
||||
],
|
||||
'value': {
|
||||
'availability_zones': [{}, {}],
|
||||
'glance': {},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
def setup_module():
|
||||
dropdb()
|
||||
alembic.command.upgrade(ALEMBIC_CONFIG, _prepare_revision)
|
||||
prepare()
|
||||
alembic.command.upgrade(ALEMBIC_CONFIG, _test_revision)
|
||||
|
||||
|
||||
def prepare():
|
||||
meta = base.reflect_db_metadata()
|
||||
result = db.execute(
|
||||
meta.tables['releases'].insert(),
|
||||
[{
|
||||
'name': 'test_name',
|
||||
'version': '2015.1-10.0',
|
||||
'operating_system': 'ubuntu',
|
||||
'state': 'available',
|
||||
'deployment_tasks': '{}',
|
||||
'roles': jsonutils.dumps([
|
||||
'controller',
|
||||
'compute',
|
||||
'virt',
|
||||
'compute-vmware',
|
||||
'ironic',
|
||||
'cinder',
|
||||
'cinder-block-device',
|
||||
'cinder-vmware',
|
||||
'ceph-osd',
|
||||
'mongo',
|
||||
'base-os',
|
||||
]),
|
||||
'roles_metadata': jsonutils.dumps({
|
||||
'controller': {
|
||||
'name': 'Controller',
|
||||
},
|
||||
'compute': {
|
||||
'name': 'Compute',
|
||||
},
|
||||
'virt': {
|
||||
'name': 'Virtual',
|
||||
},
|
||||
'compute-vmware': {
|
||||
'name': 'Compute VMware',
|
||||
},
|
||||
'ironic': {
|
||||
'name': 'Ironic',
|
||||
},
|
||||
'cinder': {
|
||||
'name': 'Cinder',
|
||||
},
|
||||
'cinder-block-device': {
|
||||
'name': 'Cinder Block Device',
|
||||
},
|
||||
'cinder-vmware': {
|
||||
'name': 'Cinder Proxy to VMware Datastore',
|
||||
},
|
||||
'ceph-osd': {
|
||||
'name': 'Ceph OSD',
|
||||
},
|
||||
'mongo': {
|
||||
'name': 'Telemetry - MongoDB',
|
||||
},
|
||||
'base-os': {
|
||||
'name': 'Operating System',
|
||||
}
|
||||
}),
|
||||
'is_deployable': True,
|
||||
'vmware_attributes_metadata':
|
||||
jsonutils.dumps(VMWARE_ATTRIBUTES_METADATA)
|
||||
}])
|
||||
|
||||
release_id = result.inserted_primary_key[0]
|
||||
|
||||
result = db.execute(
|
||||
meta.tables['clusters'].insert(),
|
||||
[{
|
||||
'name': 'test',
|
||||
'release_id': release_id,
|
||||
'mode': 'ha_compact',
|
||||
'status': 'new',
|
||||
'net_provider': 'neutron',
|
||||
'grouping': 'roles',
|
||||
'fuel_version': '10.0',
|
||||
'deployment_tasks': '{}'
|
||||
}])
|
||||
|
||||
cluster_id = result.inserted_primary_key[0]
|
||||
|
||||
node_id = 1
|
||||
db.execute(
|
||||
meta.tables['nodes'].insert(),
|
||||
[{
|
||||
'id': node_id,
|
||||
'uuid': 'fcd49872-3917-4a18-98f9-3f5acfe3fdec',
|
||||
'cluster_id': cluster_id,
|
||||
'group_id': None,
|
||||
'status': 'ready',
|
||||
'roles': ['controller', 'ceph-osd'],
|
||||
'meta': '{}',
|
||||
'mac': 'bb:aa:aa:aa:aa:aa',
|
||||
'timestamp': datetime.datetime.utcnow(),
|
||||
}]
|
||||
)
|
||||
|
||||
db.commit()
|
||||
|
||||
|
||||
class TestReleasesUpdate(base.BaseAlembicMigrationTest):
|
||||
def test_vmware_attributes_metadata_update(self):
|
||||
result = db.execute(sa.select([
|
||||
self.meta.tables['releases']])).first()
|
||||
attrs = jsonutils.loads(result['vmware_attributes_metadata'])
|
||||
|
||||
fields = attrs['editable']['metadata'][0]['fields']
|
||||
self.assertItemsEqual(['vcenter_security_disabled'],
|
||||
[f['name'] for f in fields])
|
||||
|
||||
fields = attrs['editable']['metadata'][1]['fields']
|
||||
self.assertItemsEqual(['vcenter_security_disabled'],
|
||||
[f['name'] for f in fields])
|
||||
|
||||
self.assertEqual(
|
||||
attrs['editable']['value'],
|
||||
{
|
||||
'availability_zones':
|
||||
[
|
||||
{
|
||||
'vcenter_security_disabled': True,
|
||||
},
|
||||
{
|
||||
'vcenter_security_disabled': True,
|
||||
}
|
||||
],
|
||||
'glance':
|
||||
{
|
||||
'vcenter_security_disabled': True,
|
||||
}
|
||||
})
|
|
@ -346,7 +346,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
"vcenter_host": "",
|
||||
"vcenter_username": "",
|
||||
"vcenter_password": "",
|
||||
"vcenter_unsecure": "",
|
||||
"vcenter_security_disabled": "",
|
||||
"vcenter_ca_file": {},
|
||||
"nova_computes": [
|
||||
{
|
||||
|
@ -366,7 +366,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
|
|||
"vcenter_password": "",
|
||||
"datacenter": "",
|
||||
"datastore": "",
|
||||
"vcenter_unsecure": "",
|
||||
"vcenter_security_disabled": "",
|
||||
"ca_file": {}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue