Added ability to use other services via HTTPS

Introduce a config section for each of the clients.
Pass the cacert and insecure parameters to all clients.

Change-Id: I53a7f5d822a7c8db017341a05056060867bda936
Closes-Bug: #1359432
Andrew Lazarev 2015-01-06 12:51:54 -08:00
parent a520e5aa2b
commit 62525aa4fc
10 changed files with 242 additions and 31 deletions


@ -82,7 +82,7 @@
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# List of logger=LEVEL pairs. (list value)
#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
#default_log_levels = amqplib=WARN,qpid.messaging=INFO,stevedore=INFO,eventlet.wsgi.server=WARN,sqlalchemy=WARN,boto=WARN,suds=INFO,keystone=INFO,paramiko=WARN,requests=WARN,iso8601=WARN
# Enables or disables publication of error events. (boolean value)
#publish_errors = false
@ -388,9 +388,6 @@
# Enables sending notifications to Ceilometer (boolean value)
#enable_notifications = false
# Version of the Cinder API to use. (integer value)
#cinder_api_version = 2
# Enables Sahara to use Keystone API v3. If that flag is disabled,
# per-job clusters will not be terminated automatically. (boolean
# value)
@ -460,6 +457,24 @@
#proxy_user_role_names = Member
[cinder]
#
# From sahara.config
#
# Version of the Cinder API to use. (integer value)
# Deprecated group/name - [DEFAULT]/cinder_api_version
#api_version = 2
# Allow to perform insecure SSL requests to cinder. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for cinder client requests.
# (string value)
#ca_file = <None>
[conductor]
#
@ -575,6 +590,34 @@
#db_max_retries = 20
[heat]
#
# From sahara.config
#
# Allow to perform insecure SSL requests to heat. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for heat client requests.
# (string value)
#ca_file = <None>
[keystone]
#
# From sahara.config
#
# Allow to perform insecure SSL requests to keystone. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for keystone client
# requests. (string value)
#ca_file = <None>
[keystone_authtoken]
#
@ -771,6 +814,34 @@
#ringfile = /etc/oslo/matchmaker_ring.json
[neutron]
#
# From sahara.config
#
# Allow to perform insecure SSL requests to neutron. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for neutron client requests.
# (string value)
#ca_file = <None>
[nova]
#
# From sahara.config
#
# Allow to perform insecure SSL requests to nova. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for nova client requests.
# (string value)
#ca_file = <None>
[oslo_concurrency]
#
@ -841,3 +912,17 @@
# Accept clients using either SSL or plain TCP (boolean value)
# Deprecated group/name - [amqp1]/allow_insecure_clients
#allow_insecure_clients = false
[swift]
#
# From sahara.config
#
# Allow to perform insecure SSL requests to swift. (boolean value)
#api_insecure = false
# Location of ca certificates file to use for swift client requests.
# (string value)
#ca_file = <None>


@ -125,6 +125,10 @@ def list_opts():
from sahara.service.edp import job_utils
from sahara.service import periodic
from sahara.service import volumes
from sahara.utils.openstack import heat
from sahara.utils.openstack import neutron
from sahara.utils.openstack import nova
from sahara.utils.openstack import swift
from sahara.utils import proxy
return [
@ -136,7 +140,6 @@ def list_opts():
plugins_base.opts,
topology_helper.opts,
sender.notifier_opts,
cinder.opts,
keystone.opts,
remote.ssh_opts,
sahara_main.opts,
@ -146,6 +149,18 @@ def list_opts():
proxy.opts)),
(api.conductor_group.name,
itertools.chain(api.conductor_opts)),
(cinder.cinder_group.name,
itertools.chain(cinder.opts)),
(heat.heat_group.name,
itertools.chain(heat.opts)),
(neutron.neutron_group.name,
itertools.chain(neutron.opts)),
(nova.nova_group.name,
itertools.chain(nova.opts)),
(swift.swift_group.name,
itertools.chain(swift.opts)),
(keystone.keystone_group.name,
itertools.chain(keystone.ssl_opts))
]


@ -39,7 +39,8 @@ opts = [
CONF = cfg.CONF
CONF.register_opts(opts)
CONF.import_opt('cinder_api_version', 'sahara.utils.openstack.cinder')
CONF.import_opt('api_version', 'sahara.utils.openstack.cinder',
group='cinder')
def attach_to_instances(instances):
@ -87,7 +88,7 @@ def _attach_volumes_to_node(node_group, instance):
def _create_attach_volume(ctx, instance, size, volume_type, name=None,
availability_zone=None):
if CONF.cinder_api_version == 1:
if CONF.cinder.api_version == 1:
kwargs = {'size': size, 'display_name': name}
else:
kwargs = {'size': size, 'name': name}


@ -47,7 +47,7 @@ class TestCinder(test_base.SaharaTestCase):
@mock.patch('cinderclient.v2.client.Client')
@mock.patch('cinderclient.v1.client.Client')
def test_get_cinder_client_api_v1(self, patched1, patched2):
self.override_config('cinder_api_version', 1)
self.override_config('api_version', 1, group='cinder')
patched1.return_value = FakeCinderClient(1)
patched2.return_value = FakeCinderClient(2)
@ -57,7 +57,7 @@ class TestCinder(test_base.SaharaTestCase):
@mock.patch('cinderclient.v2.client.Client')
@mock.patch('cinderclient.v1.client.Client')
def test_get_cinder_client_api_v2(self, patched1, patched2):
self.override_config('cinder_api_version', 2)
self.override_config('api_version', 2, group='cinder')
patched1.return_value = FakeCinderClient(1)
patched2.return_value = FakeCinderClient(2)
@ -65,11 +65,11 @@ class TestCinder(test_base.SaharaTestCase):
self.assertEqual(2, client.client.api_version)
def test_cinder_bad_api_version(self):
self.override_config('cinder_api_version', 0)
self.override_config('api_version', 0, group='cinder')
cinder.validate_config()
# Check bad version falls back to latest supported version
self.assertEqual(2, main.CONF.cinder_api_version)
self.assertEqual(2, main.CONF.cinder.api_version)
class FakeCinderClient(object):
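Review bot: The updated TestCinder methods only follow the `api_version` rename; nothing in this file asserts that the new `[cinder]/api_insecure` and `ca_file` settings actually reach the cinderclient constructor, which is the security-relevant behavior this commit introduces. Since `cinderclient.v2.client.Client` is already patched here, a test can override `ca_file` with a placeholder path and check the constructor kwargs in the same way the api-version tests already drive `cinder.client()`, e.g. `self.override_config('ca_file', '/placeholder/ca.pem', group='cinder')` followed by `patched2.assert_called_once_with(mock.ANY, mock.ANY, mock.ANY, mock.ANY, insecure=False, cacert='/placeholder/ca.pem')`. The same shape applies to the heat, keystone, neutron, nova and swift clients, none of which gain a test in this commit. The test method bodies continue past the hunk boundaries.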


@ -29,38 +29,53 @@ LOG = logging.getLogger(__name__)
opts = [
cfg.IntOpt('cinder_api_version', default=2,
help='Version of the Cinder API to use.')
cfg.IntOpt('api_version', default=2,
help='Version of the Cinder API to use.',
deprecated_name='cinder_api_version'),
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to cinder.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for cinder '
'client requests.')
]
cinder_group = cfg.OptGroup(name='cinder',
title='Cinder client options')
CONF = cfg.CONF
CONF.register_opts(opts)
CONF.register_group(cinder_group)
CONF.register_opts(opts, group=cinder_group)
def validate_config():
if CONF.cinder_api_version == 1:
if CONF.cinder.api_version == 1:
LOG.warn(_('The Cinder v1 API is deprecated and will be removed after '
'the Juno release. You should set cinder_api_version=2 in '
'the Juno release. You should set cinder.api_version=2 in '
'your sahara.conf file.'))
elif CONF.cinder_api_version != 2:
elif CONF.cinder.api_version != 2:
LOG.warn(_('Unsupported Cinder API version: %(bad)s. Please set a '
'correct value for cinder_api_version in your sahara.conf '
'correct value for cinder.api_version in your sahara.conf '
'file (currently supported versions are: %(supported)s). '
'Falling back to Cinder API version 2.'),
{'bad': CONF.cinder_api_version, 'supported': [1, 2]})
CONF.set_override('cinder_api_version', 2)
{'bad': CONF.cinder.api_version, 'supported': [1, 2]})
CONF.set_override('api_version', 2, group='cinder')
def client():
ctx = context.current()
if CONF.cinder_api_version == 1:
args = {
'insecure': CONF.cinder.api_insecure,
'cacert': CONF.cinder.ca_file
}
if CONF.cinder.api_version == 1:
volume_url = base.url_for(ctx.service_catalog, 'volume')
cinder = cinder_client_v1.Client(ctx.username, ctx.auth_token,
ctx.tenant_id, volume_url)
ctx.tenant_id, volume_url, **args)
else:
volume_url = base.url_for(ctx.service_catalog, 'volumev2')
cinder = cinder_client_v2.Client(ctx.username, ctx.auth_token,
ctx.tenant_id, volume_url)
ctx.tenant_id, volume_url, **args)
cinder.client.auth_token = ctx.auth_token
cinder.client.management_url = volume_url
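Review bot: `deprecated_name='cinder_api_version'` on the new `api_version` option carries no `deprecated_group`, and as far as I can tell oslo.config resolves a deprecated name without a group inside the option's own group, i.e. `[cinder]/cinder_api_version`, not the `[DEFAULT]/cinder_api_version` that existing deployments have set, while the generated sample file still advertises "Deprecated group/name - [DEFAULT]/cinder_api_version". If the intent is to keep honoring old configs, add `deprecated_group='DEFAULT'` next to `deprecated_name`; worth confirming against the oslo.config version the project pins. Separately, `validate_config()` now only normalizes the API version; since `ca_file` is the one setting that decides whether the Cinder endpoint's certificate is verified against an operator-chosen CA, a readability check for it at startup would turn a mistyped path into a clear warning instead of a TLS error on the first volume request.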


@ -28,8 +28,22 @@ from sahara.utils import general as g
from sahara.utils.openstack import base
from sahara.utils.openstack import neutron
opts = [
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to heat.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for heat '
'client requests.')
]
heat_group = cfg.OptGroup(name='heat',
title='Heat client options')
CONF = cfg.CONF
CONF.register_group(heat_group)
CONF.register_opts(opts, group=heat_group)
LOG = logging.getLogger(__name__)
SSH_PORT = 22
@ -38,7 +52,9 @@ SSH_PORT = 22
def client():
ctx = context.current()
heat_url = base.url_for(ctx.service_catalog, 'orchestration')
return heat_client.Client('1', heat_url, token=ctx.auth_token)
return heat_client.Client('1', heat_url, token=ctx.auth_token,
cert_file=CONF.heat.ca_file,
insecure=CONF.heat.api_insecure)
def get_stack(stack_name):
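Review bot: The CA bundle is handed to heatclient as `cert_file` in the `client()` hunk, but python-heatclient's HTTPClient treats `cert_file` as the client-side certificate for TLS client authentication and reads the CA bundle used to verify the server from `ca_file`. As written, setting `[heat]/ca_file` would not make the orchestration endpoint's certificate be checked against that CA, and the file would instead be presented as a client certificate without a key. The fix is one keyword: `ca_file=CONF.heat.ca_file,`. Every other client touched by this commit passes the CA through its CA parameter (`cacert`/`ca_cert`), so this is the only one where the configured CA is silently not applied; a test asserting the constructor kwargs would have caught it.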


@ -21,8 +21,7 @@ from sahara import context
from sahara.utils.openstack import base
CONF = cfg.CONF
# TODO(alazarev) Move to [keystone] section
opts = [
cfg.BoolOpt('use_identity_api_v3',
default=True,
@ -31,7 +30,23 @@ opts = [
'per-job clusters will not be terminated '
'automatically.')
]
ssl_opts = [
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to keystone.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for keystone '
'client requests.')
]
keystone_group = cfg.OptGroup(name='keystone',
title='Keystone client options')
CONF = cfg.CONF
CONF.register_group(keystone_group)
CONF.register_opts(opts)
CONF.register_opts(ssl_opts, group=keystone_group)
def client():
@ -58,7 +73,10 @@ def _client(username, password=None, token=None, tenant_name=None,
'tenant_id': tenant_id,
'trust_id': trust_id,
'user_domain_name': domain_name,
'auth_url': auth_url}
'auth_url': auth_url,
'cacert': CONF.keystone.ca_file,
'insecure': CONF.keystone.api_insecure
}
if CONF.use_identity_api_v3:
keystone = keystone_client_v3.Client(**client_kwargs)
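Review bot: The `# TODO(alazarev) Move to [keystone] section` comment is dropped, yet `use_identity_api_v3` is still registered in DEFAULT via `CONF.register_opts(opts)` and only `ssl_opts` moved into `[keystone]`, so keystone settings now end up split across two sections of the sample config; either keep the TODO or move the option with `deprecated_group='DEFAULT'` in the same commit. In `_client`, `cacert` and `insecure` are the right keystoneclient keywords; because `insecure=True` here disables verification for the identity service that issues and validates every token Sahara uses, the option help would be clearer as `help='Allow to perform insecure SSL requests to keystone (disables certificate verification).'`. `_client` starts before this hunk, so the other keyword arguments it builds are not visible here.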


@ -15,6 +15,7 @@
from neutronclient.neutron import client as neutron_cli
from oslo.config import cfg
from sahara import context
from sahara import exceptions as ex
@ -23,6 +24,22 @@ from sahara.openstack.common import log as logging
from sahara.utils.openstack import base
opts = [
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to neutron.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for neutron '
'client requests.')
]
neutron_group = cfg.OptGroup(name='neutron',
title='Neutron client options')
CONF = cfg.CONF
CONF.register_group(neutron_group)
CONF.register_opts(opts, group=neutron_group)
LOG = logging.getLogger(__name__)
@ -33,7 +50,9 @@ def client():
'tenant_name': ctx.tenant_name,
'tenant_id': ctx.tenant_id,
'token': ctx.auth_token,
'endpoint_url': base.url_for(ctx.service_catalog, 'network')
'endpoint_url': base.url_for(ctx.service_catalog, 'network'),
'ca_cert': CONF.neutron.ca_file,
'insecure': CONF.neutron.api_insecure
}
return neutron_cli.Client('2.0', **args)
@ -46,7 +65,9 @@ class NeutronClient(object):
self.neutron = neutron_cli.Client('2.0',
endpoint_url=uri,
token=token,
tenant_name=tenant_name)
tenant_name=tenant_name,
ca_cert=CONF.neutron.ca_file,
insecure=CONF.neutron.api_insecure)
self.network = network
def get_router(self):


@ -15,12 +15,30 @@
from novaclient import exceptions as nova_ex
from novaclient.v1_1 import client as nova_client
from oslo.config import cfg
from sahara import context
import sahara.utils.openstack.base as base
from sahara.utils.openstack import images
opts = [
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to nova.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for nova '
'client requests.')
]
nova_group = cfg.OptGroup(name='nova',
title='Nova client options')
CONF = cfg.CONF
CONF.register_group(nova_group)
CONF.register_opts(opts, group=nova_group)
def client():
ctx = context.current()
auth_url = base.retrieve_auth_url()
@ -29,7 +47,9 @@ def client():
nova = nova_client.Client(username=ctx.username,
api_key=None,
project_id=ctx.tenant_id,
auth_url=auth_url)
auth_url=auth_url,
cacert=CONF.nova.ca_file,
insecure=CONF.nova.api_insecure)
nova.client.auth_token = ctx.auth_token
nova.client.management_url = compute_url


@ -13,12 +13,29 @@
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo.config import cfg
import swiftclient
from sahara.swift import swift_helper as sh
from sahara.swift import utils as su
from sahara.utils.openstack import keystone as k
opts = [
cfg.BoolOpt('api_insecure',
default=False,
help='Allow to perform insecure SSL requests to swift.'),
cfg.StrOpt('ca_file',
help='Location of ca certificates file to use for swift '
'client requests.')
]
swift_group = cfg.OptGroup(name='swift',
title='Swift client options')
CONF = cfg.CONF
CONF.register_group(swift_group)
CONF.register_opts(opts, group=swift_group)
def client(username, password, trust_id=None):
'''return a Swift client
@ -36,7 +53,10 @@ def client(username, password, trust_id=None):
:returns: A Swift client object
'''
client_kwargs = dict(auth_version='2.0')
client_kwargs = dict(
auth_version='2.0',
cacert=CONF.swift.ca_file,
insecure=CONF.swift.api_insecure)
if trust_id:
proxyclient = k.client_for_proxy_user(username, password, trust_id)
client_kwargs.update(preauthurl=su.retrieve_preauth_url(),