Add restriction for using CA certificate verification

CA certificate verification should be available only if
Bypass verification is disabled.

Some changes were made in vmware_attributes_metadata
in openstack.yaml so we have to update releases table
accordingly during upgrade.

Change-Id: Iaeb20b3614ff846b26001f366c2720459cd10bef
Closes-bug: #1616438
This commit is contained in:
Alexander Arzhanov 2016-11-09 13:16:16 +03:00
parent 194e78a8ed
commit 20b8191342
8 changed files with 381 additions and 20 deletions

View File

@ -32,7 +32,7 @@ from nailgun.utils.migration import drop_enum
# revision identifiers, used by Alembic.
revision = 'c6edea552f1e'
down_revision = 'f2314e5d63c9'
down_revision = '3763c404ca48'
def upgrade():

View File

@ -0,0 +1,173 @@
# Copyright 2016 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Fuel 9.2
Revision ID: 3763c404ca48
Revises: f2314e5d63c9
Create Date: 2016-10-11 16:33:57.247855
"""
from alembic import op
from oslo_serialization import jsonutils
import sqlalchemy as sa
# revision identifiers, used by Alembic.
revision = '3763c404ca48'
down_revision = 'f2314e5d63c9'
def upgrade():
upgrade_vmware_attributes_metadata()
def downgrade():
downgrade_vmware_attributes_metadata()
VCENTER_INSECURE = {
'name': "vcenter_insecure",
'type': "checkbox",
'label': "Bypass vCenter certificate verification"
}
VCENTER_SECURITY_DISABLED = {
'name': "vcenter_security_disabled",
'type': "checkbox",
'label': "Bypass vCenter certificate verification"
}
VCENTER_CA_FILE = {
'name': "vcenter_ca_file",
'type': 'file',
'label': "CA file",
'description': ('File containing the trusted CA bundle that emitted '
'vCenter server certificate. Even if CA bundle is not '
'uploaded, certificate verification is turned on.'),
'restrictions': [{
'message': ('Bypass vCenter certificate verification should be '
'disabled.'),
'condition': 'current_vcenter:vcenter_security_disabled == true'
}]
}
CA_FILE = {
'name': "ca_file",
'type': 'file',
'label': "CA file",
'description': ('File containing the trusted CA bundle that emitted '
'vCenter server certificate. Even if CA bundle is not '
'uploaded, certificate verification is turned on.'),
'restrictions': [{
'message': ('Bypass vCenter certificate verification should be '
'disabled.'),
'condition': 'glance:vcenter_security_disabled == true'
}]
}
def update_vmware_attributes_metadata(upgrade):
connection = op.get_bind()
select_query = sa.sql.text(
"SELECT id, vmware_attributes_metadata FROM releases "
"WHERE vmware_attributes_metadata IS NOT NULL")
update_query = sa.sql.text(
"UPDATE releases SET vmware_attributes_metadata = "
":vmware_attributes_metadata WHERE id = :id")
for id, attrs in connection.execute(select_query):
attrs = jsonutils.loads(attrs)
editable = attrs.setdefault('editable', {})
metadata = editable.setdefault('metadata', [])
value = editable.setdefault('value', {})
for m in metadata:
if not isinstance(m, dict):
continue
if m.get('name') == 'availability_zones':
fields = m.setdefault('fields', [])
names = [f['name'] for f in fields]
av_z = value.setdefault('availability_zones', {})
update_availability_zones(fields, av_z, names, upgrade)
elif m.get('name') == 'glance':
fields = m.setdefault('fields', [])
names = [f['name'] for f in fields]
glance = value.setdefault('glance', {})
update_glance(fields, glance, names, upgrade)
connection.execute(
update_query,
id=id,
vmware_attributes_metadata=jsonutils.dumps(attrs))
def update_availability_zones(fields, values, names, upgrade):
if upgrade:
if 'vcenter_security_disabled' not in names:
fields.insert(5, VCENTER_SECURITY_DISABLED)
for value in values:
value['vcenter_security_disabled'] = True
if 'vcenter_insecure' in names:
fields.remove(VCENTER_INSECURE)
for value in values:
del value['vcenter_insecure']
for field in fields:
if field['name'] == 'vcenter_ca_file':
field['restrictions'] = VCENTER_CA_FILE['restrictions']
else:
if 'vcenter_insecure' not in names:
fields.insert(5, VCENTER_INSECURE)
for value in values:
value['vcenter_insecure'] = True
if 'vcenter_security_disabled' in names:
fields.remove(VCENTER_SECURITY_DISABLED)
for value in values:
del value['vcenter_security_disabled']
for field in fields:
if field['name'] == 'vcenter_ca_file':
del field['restrictions']
def update_glance(fields, values, names, upgrade):
if upgrade:
if 'vcenter_security_disabled' not in names:
fields.insert(6, VCENTER_SECURITY_DISABLED)
values['vcenter_security_disabled'] = True
if 'vcenter_insecure' in names:
fields.remove(VCENTER_INSECURE)
del values['vcenter_insecure']
for field in fields:
if field['name'] == 'ca_file':
field['restrictions'] = CA_FILE['restrictions']
else:
if 'vcenter_insecure' not in names:
fields.insert(6, VCENTER_INSECURE)
values['vcenter_insecure'] = True
if 'vcenter_security_disabled' in names:
fields.remove(VCENTER_SECURITY_DISABLED)
del values['vcenter_security_disabled']
for field in fields:
if field['name'] == 'ca_file':
del field['restrictions']
def upgrade_vmware_attributes_metadata():
update_vmware_attributes_metadata(upgrade=True)
def downgrade_vmware_attributes_metadata():
update_vmware_attributes_metadata(upgrade=False)

View File

@ -1657,7 +1657,7 @@
source: *non_empty_string
error: "Empty vCenter password"
-
name: "vcenter_unsecure"
name: "vcenter_security_disabled"
type: "checkbox"
label: "Bypass vCenter certificate verification"
-
@ -1666,7 +1666,7 @@
label: "CA file"
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
restrictions:
- condition: "current_vcenter:vcenter_unsecure == true"
- condition: "current_vcenter:vcenter_security_disabled == true"
message: "Bypass vCenter certificate verification should be disabled."
-
name: "nova_computes"
@ -1750,7 +1750,7 @@
source: *non_empty_string
error: "Invalid datastore"
-
name: "vcenter_unsecure"
name: "vcenter_security_disabled"
type: "checkbox"
label: "Bypass vCenter certificate verification"
-
@ -1759,7 +1759,7 @@
label: "CA file"
description: "File containing the trusted CA bundle that emitted vCenter server certificate. Even if CA bundle is not uploaded, certificate verification is turned on."
restrictions:
- condition: "glance:vcenter_unsecure == true"
- condition: "glance:vcenter_security_disabled == true"
message: "Bypass vCenter certificate verification should be disabled."
value:
availability_zones:
@ -1768,7 +1768,7 @@
vcenter_host: ""
vcenter_username: ""
vcenter_password: ""
vcenter_unsecure: true
vcenter_security_disabled: true
vcenter_ca_file: {}
nova_computes:
-
@ -1788,7 +1788,7 @@
vcenter_password: ""
datacenter: ""
datastore: ""
vcenter_unsecure: true
vcenter_security_disabled: true
ca_file: {}
components_metadata:
- name: hypervisor:qemu

View File

@ -30,7 +30,7 @@
},
{
"type": "checkbox",
"name": "vcenter_unsecure",
"name": "vcenter_security_disabled",
"label": "Bypass vCenter certificate verification"
},
{
@ -40,7 +40,7 @@
"label": "CA file",
"restrictions": [
{
"condition": "current_vcenter:vcenter_unsecure == true",
"condition": "current_vcenter:vcenter_security_disabled == true",
"message": "Bypass vCenter certificate verification should be disabled."
}
]
@ -149,7 +149,7 @@
},
{
"type": "checkbox",
"name": "vcenter_unsecure",
"name": "vcenter_security_disabled",
"label": "Bypass vCenter certificate verification"
},
{
@ -159,7 +159,7 @@
"label": "CA file",
"restrictions": [
{
"condition": "glance:vcenter_unsecure == true",
"condition": "glance:vcenter_security_disabled == true",
"message": "Bypass vCenter certificate verification should be disabled."
}
]
@ -182,7 +182,7 @@
"vcenter_host": "1.2.3.4",
"vcenter_username": "admin",
"vcenter_password": "secret",
"vcenter_unsecure": "true",
"vcenter_security_disabled": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
@ -212,7 +212,7 @@
"vcenter_host": "1.2.3.6",
"vcenter_username": "user$",
"vcenter_password": "pass$word",
"vcenter_unsecure": "true",
"vcenter_security_disabled": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
@ -234,7 +234,7 @@
"vcenter_password": "secret",
"datacenter": "test_datacenter",
"datastore": "test_datastore",
"vcenter_unsecure": "true",
"vcenter_security_disabled": "true",
"ca_file": "file_blob"
},
"network": {

View File

@ -182,7 +182,8 @@ class VmwareDeploymentSerializerMixin(object):
'vc_host': zone.get('vcenter_host', ''),
'vc_user': vc_user,
'vc_password': vc_password,
'vc_insecure': zone.get('vcenter_unsecure', ''),
'vc_insecure': zone.get('vcenter_security_disabled',
''),
'vc_ca_file': zone.get('vcenter_ca_file', ''),
'service_name': compute.get('service_name', ''),
'vc_cluster': compute.get('vsphere_cluster', ''),
@ -198,7 +199,7 @@ class VmwareDeploymentSerializerMixin(object):
'vc_host': zone.get('vcenter_host', ''),
'vc_user': vc_user,
'vc_password': vc_password,
'vc_insecure': zone.get('vcenter_unsecure', ''),
'vc_insecure': zone.get('vcenter_security_disabled', ''),
'vc_ca_file': zone.get('vcenter_ca_file', '')
}
cinder_instances.append(cinder_item)
@ -231,7 +232,8 @@ class VmwareDeploymentSerializerMixin(object):
'vc_password': glance_password,
'vc_datacenter': glance_instance.get('datacenter', ''),
'vc_datastore': glance_instance.get('datastore', ''),
'vc_insecure': glance_instance.get('vcenter_unsecure', ''),
'vc_insecure': glance_instance.get(
'vcenter_security_disabled', ''),
'vc_ca_file': glance_instance.get('ca_file', '')
}

View File

@ -24,7 +24,7 @@ from nailgun.db import dropdb
from nailgun.db.migration import ALEMBIC_CONFIG
from nailgun.test import base
_prepare_revision = 'f2314e5d63c9'
_prepare_revision = '3763c404ca48'
_test_revision = 'c6edea552f1e'
JSON_TASKS = [

View File

@ -0,0 +1,186 @@
# Copyright 2016 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import datetime
import alembic
from oslo_serialization import jsonutils
import sqlalchemy as sa
from nailgun.db import db
from nailgun.db import dropdb
from nailgun.db.migration import ALEMBIC_CONFIG
from nailgun.test import base
_prepare_revision = 'f2314e5d63c9'
_test_revision = '3763c404ca48'
VMWARE_ATTRIBUTES_METADATA = {
'editable': {
'metadata': [
{
'name': 'availability_zones',
'fields': []
},
{
'name': 'glance',
'fields': []
},
],
'value': {
'availability_zones': [{}, {}],
'glance': {},
}
}
}
def setup_module():
dropdb()
alembic.command.upgrade(ALEMBIC_CONFIG, _prepare_revision)
prepare()
alembic.command.upgrade(ALEMBIC_CONFIG, _test_revision)
def prepare():
meta = base.reflect_db_metadata()
result = db.execute(
meta.tables['releases'].insert(),
[{
'name': 'test_name',
'version': '2015.1-10.0',
'operating_system': 'ubuntu',
'state': 'available',
'deployment_tasks': '{}',
'roles': jsonutils.dumps([
'controller',
'compute',
'virt',
'compute-vmware',
'ironic',
'cinder',
'cinder-block-device',
'cinder-vmware',
'ceph-osd',
'mongo',
'base-os',
]),
'roles_metadata': jsonutils.dumps({
'controller': {
'name': 'Controller',
},
'compute': {
'name': 'Compute',
},
'virt': {
'name': 'Virtual',
},
'compute-vmware': {
'name': 'Compute VMware',
},
'ironic': {
'name': 'Ironic',
},
'cinder': {
'name': 'Cinder',
},
'cinder-block-device': {
'name': 'Cinder Block Device',
},
'cinder-vmware': {
'name': 'Cinder Proxy to VMware Datastore',
},
'ceph-osd': {
'name': 'Ceph OSD',
},
'mongo': {
'name': 'Telemetry - MongoDB',
},
'base-os': {
'name': 'Operating System',
}
}),
'is_deployable': True,
'vmware_attributes_metadata':
jsonutils.dumps(VMWARE_ATTRIBUTES_METADATA)
}])
release_id = result.inserted_primary_key[0]
result = db.execute(
meta.tables['clusters'].insert(),
[{
'name': 'test',
'release_id': release_id,
'mode': 'ha_compact',
'status': 'new',
'net_provider': 'neutron',
'grouping': 'roles',
'fuel_version': '10.0',
'deployment_tasks': '{}'
}])
cluster_id = result.inserted_primary_key[0]
node_id = 1
db.execute(
meta.tables['nodes'].insert(),
[{
'id': node_id,
'uuid': 'fcd49872-3917-4a18-98f9-3f5acfe3fdec',
'cluster_id': cluster_id,
'group_id': None,
'status': 'ready',
'roles': ['controller', 'ceph-osd'],
'meta': '{}',
'mac': 'bb:aa:aa:aa:aa:aa',
'timestamp': datetime.datetime.utcnow(),
}]
)
db.commit()
class TestReleasesUpdate(base.BaseAlembicMigrationTest):
def test_vmware_attributes_metadata_update(self):
result = db.execute(sa.select([
self.meta.tables['releases']])).first()
attrs = jsonutils.loads(result['vmware_attributes_metadata'])
fields = attrs['editable']['metadata'][0]['fields']
self.assertItemsEqual(['vcenter_security_disabled'],
[f['name'] for f in fields])
fields = attrs['editable']['metadata'][1]['fields']
self.assertItemsEqual(['vcenter_security_disabled'],
[f['name'] for f in fields])
self.assertEqual(
attrs['editable']['value'],
{
'availability_zones':
[
{
'vcenter_security_disabled': True,
},
{
'vcenter_security_disabled': True,
}
],
'glance':
{
'vcenter_security_disabled': True,
}
})

View File

@ -346,7 +346,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
"vcenter_host": "",
"vcenter_username": "",
"vcenter_password": "",
"vcenter_unsecure": "",
"vcenter_security_disabled": "",
"vcenter_ca_file": {},
"nova_computes": [
{
@ -366,7 +366,7 @@ class TestVmwareAttributesRestriction(base.BaseTestCase):
"vcenter_password": "",
"datacenter": "",
"datastore": "",
"vcenter_unsecure": "",
"vcenter_security_disabled": "",
"ca_file": {}
}
}