Add ssl support for manila API access

Currently, Manila does not support secure access the manila
APIs, obviously, this is a defect for manila service. This
change is to add ssl support for manila project.

Closes-bug: #1732844
Closes-bug: #1730529
Change-Id: I2dbc52ce95933e648cc065b2b2112788bf4484d0
This commit is contained in:
junboli 2017-11-17 13:22:01 +08:00 committed by junbo.li
parent 6985c77ee5
commit fa5b81f903
3 changed files with 20 additions and 6 deletions

View File

@ -18,9 +18,5 @@
- Description
* - **[DEFAULT]**
-
* - ``ssl_ca_file`` = ``None``
- (String) CA certificate file to use to verify connecting clients.
* - ``ssl_cert_file`` = ``None``
- (String) Certificate file to use when starting the server securely.
* - ``ssl_key_file`` = ``None``
- (String) Private key file to use when starting the server securely.
* - ``osapi_share_use_ssl`` = ``False``
- (Boolean) Wraps the socket in a SSL context if True is set.

View File

@ -60,6 +60,10 @@ service_opts = [
cfg.IntOpt('osapi_share_workers',
default=1,
help='Number of workers for OpenStack Share API service.'),
cfg.BoolOpt('osapi_share_use_ssl',
default=False,
help='Wraps the socket in a SSL context if True is set. '
'A certificate file and key file must be specified.'),
]
CONF = cfg.CONF
@ -290,6 +294,7 @@ class WSGIService(service.ServiceBase):
self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
self.port = getattr(CONF, '%s_listen_port' % name, 0)
self.workers = getattr(CONF, '%s_workers' % name, None)
self.use_ssl = getattr(CONF, '%s_use_ssl' % name, False)
if self.workers is not None and self.workers < 1:
LOG.warning(
"Value of config option %(name)s_workers must be integer "
@ -302,6 +307,7 @@ class WSGIService(service.ServiceBase):
self.app,
host=self.host,
port=self.port,
use_ssl=self.use_ssl
)
def _get_manager(self):

View File

@ -226,3 +226,15 @@ class TestWSGIService(test.TestCase):
self.test_service.start()
self.assertGreater(self.test_service.server._pool.size, 0)
wsgi.Loader.load_app.assert_called_once_with("test_service")
@mock.patch('oslo_service.wsgi.Server')
@mock.patch('oslo_service.wsgi.Loader')
def test_ssl_enabled(self, mock_loader, mock_server):
self.override_config('osapi_share_use_ssl', True)
service.WSGIService("osapi_share")
mock_server.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY,
port=mock.ANY, host=mock.ANY,
use_ssl=True)
self.assertTrue(mock_loader.called)