Merge "Fix the loss of access to barbican secrets"

Zuul 2019-02-25 06:22:43 +00:00 committed by Gerrit Code Review
commit 6008859476
2 changed files with 6 additions and 39 deletions


@ -396,45 +396,6 @@ class ListenersController(base.BaseController):
driver_utils.call_provider(driver.name, driver.listener_delete,
provider_listener)
# Revoke access of octavia service user to certificates
tls_refs = []
for sni in db_listener.sni_containers:
filters = {'tls_container_id': sni.tls_container_id}
snis = self.repositories.sni.get_all(context.session, **filters)[0]
if len(snis) == 1:
# referred only once, enqueue for access revoking
tls_refs.append(sni.tls_container_id)
else:
blocking_listeners = [s.listener_id for s in snis if
s.listener_id != id]
LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
"will not be revoked.", blocking_listeners,
sni.tls_container_id)
if db_listener.tls_certificate_id:
filters = {'tls_certificate_id': db_listener.tls_certificate_id}
# Note get_all returns the list and links. We only want the list.
listeners = self.repositories.listener.get_all(
context.session, show_deleted=False, **filters)[0]
if len(listeners) == 1:
# referred only once, enqueue for access revoking
tls_refs.append(db_listener.tls_certificate_id)
else:
blocking_listeners = [l.id for l in listeners if l.id != id]
LOG.debug("Listeners %s using TLS ref %s. Access to TLS ref "
"will not be revoked.", blocking_listeners,
db_listener.tls_certificate_id)
for ref in tls_refs:
try:
self.cert_manager.unset_acls(context, ref)
except Exception:
# certificate may have been removed already
pass
@pecan.expose()
def _lookup(self, id, *remainder):
"""Overridden pecan _lookup method for custom routing.


@ -0,0 +1,6 @@
---
fixes:
- |
Octavia will no longer automatically revoke access to secrets whenever
load balancing resources no longer require access to them. This may be
added in the future.