Re-use swift_store_cacert for Keystone session

pass configured cacert for Swift to the keystoneauth's Session as well so that the swift endpoint can be resolved from the catalog when a custom CA bundle is used. Change-Id: I439f6b5af34c685f72c9b4933c7eb0c77cc92e14 Closes-Bug: #1820817
2019-03-18 18:29:45 +00:00 · 2019-03-18 18:29:45 +00:00 · ee2a3d3032
parent 8d6a9ce190
commit ee2a3d3032
4 changed files with 32 additions and 4 deletions
--- a/glance_store/_drivers/swift/store.py
+++ b/glance_store/_drivers/swift/store.py
@ -806,6 +806,10 @@ class BaseStore(driver.Store):
        self.insecure = glance_conf.swift_store_auth_insecure
        self.ssl_compression = glance_conf.swift_store_ssl_compression
        self.cacert = glance_conf.swift_store_cacert
+        if self.insecure:
+            self.ks_verify = False
+        else:
+            self.ks_verify = self.cacert or True
        if swiftclient is None:
            msg = _("Missing dependency python_swiftclient.")
            raise exceptions.BadStoreConfiguration(store_name="swift",
@ -1454,7 +1458,7 @@ class SingleTenantStore(BaseStore):
            project_domain_id=self.project_domain_id,
            project_domain_name=self.project_domain_name)

-        sess = ks_session.Session(auth=password, verify=not self.insecure)
+        sess = ks_session.Session(auth=password, verify=self.ks_verify)
        return ks_client.Client(session=sess)

    def get_manager(self, store_location, context=None, allow_reauth=False):
@ -1596,7 +1600,7 @@ class MultiTenantStore(BaseStore):
                                           token=context.auth_token,
                                           project_id=context.tenant)
        trustor_sess = ks_session.Session(auth=trustor_auth,
-                                          verify=not self.insecure)
+                                          verify=self.ks_verify)
        trustor_client = ks_client.Client(session=trustor_sess)
        auth_ref = trustor_client.session.auth.get_auth_ref(trustor_sess)
        roles = [t['name'] for t in auth_ref['roles']]
@ -1613,7 +1617,7 @@ class MultiTenantStore(BaseStore):
            project_domain_id=project_domain_id,
            project_domain_name=project_domain_name)
        trustee_sess = ks_session.Session(auth=password,
-                                          verify=not self.insecure)
+                                          verify=self.ks_verify)
        trustee_client = ks_client.Client(session=trustee_sess)

        # request glance user id - we will use it as trustee user
@ -1640,7 +1644,7 @@ class MultiTenantStore(BaseStore):
        # now we can authenticate against KS
        # as trustee of user who provided token
        client_sess = ks_session.Session(auth=client_password,
-                                         verify=not self.insecure)
+                                         verify=self.ks_verify)
        return ks_client.Client(session=client_sess)

    def get_manager(self, store_location, context=None, allow_reauth=False):
--- a/glance_store/tests/unit/test_swift_store.py
+++ b/glance_store/tests/unit/test_swift_store.py
@ -1260,6 +1260,12 @@ class SwiftTests(object):
        self._init_client(verify=True, swift_store_multi_tenant=True,
                          swift_store_config_file=None)

+    def test_init_client_multi_tenant_swift_cacert(self):
+        """Test that keystone client was initialized with swift cacert"""
+        self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
+                          swift_store_config_file=None,
+                          swift_store_cacert='/foo/bar')
+
    def test_init_client_multi_tenant_insecure(self):
        """
        Test that keystone client was initialized correctly with no
--- a/glance_store/tests/unit/test_swift_store_multibackend.py
+++ b/glance_store/tests/unit/test_swift_store_multibackend.py
@ -1255,6 +1255,13 @@ class SwiftTests(object):
            self._init_client(verify=True, swift_store_multi_tenant=True,
                              swift_store_config_file=None)

+    def test_init_client_multi_tenant_swift_cacert(self):
+        """Test that keystone client was initialized with swift cacert"""
+        with mock.patch.object(swift.MultiTenantStore, '_set_url_prefix'):
+            self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
+                              swift_store_config_file=None,
+                              swift_store_cacert='/foo/bar')
+
    def test_init_client_multi_tenant_insecure(self):
        """
        Test that keystone client was initialized correctly with no
--- a/releasenotes/notes/bug-1820817-0ee70781918d232e.yaml
+++ b/releasenotes/notes/bug-1820817-0ee70781918d232e.yaml
@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Swift backend now can use custom CA bundle to verify SSL connection to
+    Keystone without adding this bundle to global system ones.
+    For this it re-uses the CA bundle specified as ``swift_store_cacert``
+    config option, so this bundle must verify both certificates of Swift and
+    Keysotne API endpoints.
+
+    For more details see
+    [`bug 1820817 <https://bugs.launchpad.net/glance-store/+bug/1820817>`_].