Re-use swift_store_cacert for Keystone session
Pass the configured Swift cacert to the keystoneauth Session as well, so that the Swift endpoint can be resolved from the catalog when a custom CA bundle is used. Change-Id: I439f6b5af34c685f72c9b4933c7eb0c77cc92e14 Closes-Bug: #1820817
parent
8d6a9ce190
commit
ee2a3d3032
|
@ -806,6 +806,10 @@ class BaseStore(driver.Store):
|
|||
self.insecure = glance_conf.swift_store_auth_insecure
|
||||
self.ssl_compression = glance_conf.swift_store_ssl_compression
|
||||
self.cacert = glance_conf.swift_store_cacert
|
||||
if self.insecure:
|
||||
self.ks_verify = False
|
||||
else:
|
||||
self.ks_verify = self.cacert or True
|
||||
if swiftclient is None:
|
||||
msg = _("Missing dependency python_swiftclient.")
|
||||
raise exceptions.BadStoreConfiguration(store_name="swift",
|
||||
|
@ -1454,7 +1458,7 @@ class SingleTenantStore(BaseStore):
|
|||
project_domain_id=self.project_domain_id,
|
||||
project_domain_name=self.project_domain_name)
|
||||
|
||||
sess = ks_session.Session(auth=password, verify=not self.insecure)
|
||||
sess = ks_session.Session(auth=password, verify=self.ks_verify)
|
||||
return ks_client.Client(session=sess)
|
||||
|
||||
def get_manager(self, store_location, context=None, allow_reauth=False):
|
||||
|
@ -1596,7 +1600,7 @@ class MultiTenantStore(BaseStore):
|
|||
token=context.auth_token,
|
||||
project_id=context.tenant)
|
||||
trustor_sess = ks_session.Session(auth=trustor_auth,
|
||||
verify=not self.insecure)
|
||||
verify=self.ks_verify)
|
||||
trustor_client = ks_client.Client(session=trustor_sess)
|
||||
auth_ref = trustor_client.session.auth.get_auth_ref(trustor_sess)
|
||||
roles = [t['name'] for t in auth_ref['roles']]
|
||||
|
@ -1613,7 +1617,7 @@ class MultiTenantStore(BaseStore):
|
|||
project_domain_id=project_domain_id,
|
||||
project_domain_name=project_domain_name)
|
||||
trustee_sess = ks_session.Session(auth=password,
|
||||
verify=not self.insecure)
|
||||
verify=self.ks_verify)
|
||||
trustee_client = ks_client.Client(session=trustee_sess)
|
||||
|
||||
# request glance user id - we will use it as trustee user
|
||||
|
@ -1640,7 +1644,7 @@ class MultiTenantStore(BaseStore):
|
|||
# now we can authenticate against KS
|
||||
# as trustee of user who provided token
|
||||
client_sess = ks_session.Session(auth=client_password,
|
||||
verify=not self.insecure)
|
||||
verify=self.ks_verify)
|
||||
return ks_client.Client(session=client_sess)
|
||||
|
||||
def get_manager(self, store_location, context=None, allow_reauth=False):
|
||||
|
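Review bot: `self.ks_verify = self.cacert or True` in the `else:` branch silently falls back to the system trust store when `swift_store_cacert` is unset, and the `if self.insecure:` branch discards a configured bundle without recording that it did so, so an operator who sets both options may believe the bundle is in use while verification is actually disabled. A comment above `if self.insecure:` would make the precedence explicit, e.g. `# keystoneauth 'verify': False disables TLS verification, a path selects a custom CA bundle, True uses the system store; swift_store_auth_insecure takes precedence over swift_store_cacert.`, and a warning log when both are set is worth considering. Stylistically the four-line branch collapses to `self.ks_verify = False if self.insecure else (self.cacert or True)`. The same `self.ks_verify` is consumed by each `ks_session.Session(...)` call in the SingleTenantStore and MultiTenantStore hunks below; the enclosing method begins and ends outside the hunk.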
|
|
@ -1260,6 +1260,12 @@ class SwiftTests(object):
|
|||
self._init_client(verify=True, swift_store_multi_tenant=True,
|
||||
swift_store_config_file=None)
|
||||
|
||||
def test_init_client_multi_tenant_swift_cacert(self):
|
||||
"""Test that keystone client was initialized with swift cacert"""
|
||||
self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
|
||||
swift_store_config_file=None,
|
||||
swift_store_cacert='/foo/bar')
|
||||
|
||||
def test_init_client_multi_tenant_insecure(self):
|
||||
"""
|
||||
Test that keystone client was initialized correctly with no
|
||||
|
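Review bot: `test_init_client_multi_tenant_swift_cacert` only covers the cacert-without-insecure combination, so the precedence the driver now encodes — `swift_store_auth_insecure=True` yielding `verify=False` even when `swift_store_cacert` is set — is left untested. Assuming `_init_client` forwards store options the way it forwards `swift_store_cacert`, a companion case such as `self._init_client(verify=False, swift_store_multi_tenant=True, swift_store_config_file=None, swift_store_auth_insecure=True, swift_store_cacert='/foo/bar')` would pin it; the same gap applies to the second test file's hunk, the one wrapping the call in `mock.patch.object(swift.MultiTenantStore, '_set_url_prefix')`. `_init_client` is defined outside the hunk, so I cannot confirm from here that it asserts on the `verify` keyword passed to the Session.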
|
|
@ -1255,6 +1255,13 @@ class SwiftTests(object):
|
|||
self._init_client(verify=True, swift_store_multi_tenant=True,
|
||||
swift_store_config_file=None)
|
||||
|
||||
def test_init_client_multi_tenant_swift_cacert(self):
|
||||
"""Test that keystone client was initialized with swift cacert"""
|
||||
with mock.patch.object(swift.MultiTenantStore, '_set_url_prefix'):
|
||||
self._init_client(verify='/foo/bar', swift_store_multi_tenant=True,
|
||||
swift_store_config_file=None,
|
||||
swift_store_cacert='/foo/bar')
|
||||
|
||||
def test_init_client_multi_tenant_insecure(self):
|
||||
"""
|
||||
Test that keystone client was initialized correctly with no
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Swift backend now can use custom CA bundle to verify SSL connection to
|
||||
Keystone without adding this bundle to global system ones.
|
||||
For this it re-uses the CA bundle specified as ``swift_store_cacert``
|
||||
config option, so this bundle must verify both certificates of Swift and
|
||||
Keysotne API endpoints.
|
||||
|
||||
For more details see
|
||||
[`bug 1820817 <https://bugs.launchpad.net/glance-store/+bug/1820817>`_].
|