From c705e2f9f6c7b4a9db4a80a764268e490ea41f01 Mon Sep 17 00:00:00 2001
From: imran malik
Date: Wed, 8 Jun 2016 02:45:32 -0700
Subject: [PATCH] Fix designate dns driver for SSL based endpoints
Allow setting options in designate section to specify if want to skip SSL cert check. This makes it possible to work with HTTPS based endpoints, the default behavior of keystoneclient is to always set verify=True however in current code, one cannot either provide a valid CA cert or skip the verification.
DocImpact: Introduce two additional options for `[designate]` section in neutron.conf CONF.designate.insecure to allow insecure connections over SSL. CONF.designate.ca_cert for a valid cert when connecting over SSL
Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
Closes-Bug: #1588067
---
 .../externaldns/drivers/designate/driver.py | 11 +++-
 .../ml2/extensions/test_dns_integration.py | 59 +++++++++++++++++++
 ...e-driver-ssl-options-169c299c96f2aff0.yaml | 16 +++++
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
diff --git a/neutron/services/externaldns/drivers/designate/driver.py b/neutron/services/externaldns/drivers/designate/driver.py
index f9248cb406c..0feb0be903c 100644
--- a/neutron/services/externaldns/drivers/designate/driver.py
+++ b/neutron/services/externaldns/drivers/designate/driver.py
@@ -54,6 +54,11 @@ designate_opts = [
 cfg.StrOpt('admin_auth_url',
 help=_('Authorization URL for connecting to designate in admin '
 'context')),
+ cfg.BoolOpt('insecure', default=False,
+ help=_('Skip cert validation for SSL based admin_auth_url')),
+ cfg.StrOpt('ca_cert',
+ help=_('CA certificate file to use to verify '
+ 'connecting clients')),
 cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
 help=_('Allow the creation of PTR records')),
 cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
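Review bot: The help strings of both new options describe the wrong thing: `insecure` says it applies to `admin_auth_url`, but the session it controls is the one `get_clients` builds in the next hunk and authenticates against `CONF.designate.url`, and `ca_cert` says it verifies "connecting clients" when `verify=` on a keystoneauth session checks the certificate presented by the server the driver connects to. These strings end up in the sample config, so an inverted description of what `ca_cert` verifies is likely to produce misconfigured deployments. Suggested wording: `help=_('Skip TLS certificate verification when connecting to the designate endpoint; a configured ca_cert is then ignored')` and `help=_('CA certificate bundle used to verify the TLS certificate presented by the designate/keystone endpoints')`. Whether the same session is also used for `admin_auth_url` is not visible in this commit, so the text should not name that URL unless it is. The `designate_opts` list starts and ends outside the hunk.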
@@ -82,7 +87,11 @@ def get_clients(context):
 global _SESSION
 if not _SESSION:
- _SESSION = session.Session()
+ if CONF.designate.insecure:
+ verify = False
+ else:
+ verify = CONF.designate.ca_cert or True
+ _SESSION = session.Session(verify=verify)
 auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
 client = d_client.Client(session=_SESSION, auth=auth)
diff --git a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
index 60f4cf7f690..642d83aaf81 100644
--- a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
+++ b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
@@ -13,8 +13,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import uuid
+
 import mock
 import netaddr
+import testtools
 from neutron import context
 from neutron.db import dns_db
@@ -22,6 +25,7 @@ from neutron.extensions import dns
 from neutron.extensions import providernet as pnet
 from neutron.plugins.ml2 import config
 from neutron.plugins.ml2.extensions import dns_integration
+from neutron.services.externaldns.drivers.designate import driver
 from neutron.tests.unit.plugins.ml2 import test_plugin
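Review bot: When `insecure` is True a configured `ca_cert` is dropped without any trace, and nothing records that certificate verification was turned off for the process; because `_SESSION` is a module global created on the first call, that choice is also frozen until the service restarts, which deserves a comment on the `if not _SESSION:` branch, e.g. `# verify is decided once: _SESSION is cached for the process lifetime`. If the module has a logger, the `insecure` branch should additionally log a warning that verification is disabled and that `ca_cert`, if set, is being ignored, so the downgrade is visible in the service log rather than only in the config file. `get_clients` continues beyond the end of the hunk, so whether the same session is reused for an admin client is not visible here.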
@@ -461,3 +465,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
 config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
 net, port, dns_data_db = self._create_port_for_test()
 self._verify_port_dns(net, port, dns_data_db)
+
+
+class TestDesignateClient(testtools.TestCase):
+ """Test case for designate clients """
+
+ TEST_URL = 'http://127.0.0.1:9001/v2'
+ TEST_ADMIN_USERNAME = uuid.uuid4().hex
+ TEST_ADMIN_PASSWORD = uuid.uuid4().hex
+ TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
+ TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
+ TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
+ TEST_CA_CERT = uuid.uuid4().hex
+
+ TEST_CONTEXT = mock.Mock()
+ TEST_CONTEXT.auth_token = uuid.uuid4().hex
+
+ def setUp(self):
+ super(TestDesignateClient, self).setUp()
+ config.cfg.CONF.set_override('url',
+ self.TEST_URL,
+ group='designate')
+ config.cfg.CONF.set_override('admin_username',
+ self.TEST_ADMIN_USERNAME,
+ group='designate')
+ config.cfg.CONF.set_override('admin_password',
+ self.TEST_ADMIN_PASSWORD,
+ group='designate')
+ config.cfg.CONF.set_override('admin_auth_url',
+ self.TEST_ADMIN_AUTH_URL,
+ group='designate')
+ config.cfg.CONF.set_override('admin_tenant_id',
+ self.TEST_ADMIN_TENANT_ID,
+ group='designate')
+ config.cfg.CONF.set_override('admin_tenant_name',
+ self.TEST_ADMIN_TENANT_NAME,
+ group='designate')
+
+ driver.session.Session = mock.MagicMock()
+
+ def test_insecure_client(self):
+ config.cfg.CONF.set_override('insecure',
+ True,
+ group='designate')
+ driver.get_clients(self.TEST_CONTEXT)
+ driver.session.Session.assert_called_with(verify=False)
+
+ def test_secure_client(self):
+ config.cfg.CONF.set_override('insecure',
+ False,
+ group='designate')
+ config.cfg.CONF.set_override('ca_cert',
+ self.TEST_CA_CERT,
+ group='designate')
+ driver.get_clients(self.TEST_CONTEXT)
+ driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)
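Review bot: `setUp` assigns `driver.session.Session = mock.MagicMock()` directly and never restores it, so the keystoneauth `Session` class stays replaced for every later test in the process; and because `get_clients` only constructs a session when `driver._SESSION` is falsy, whichever of the two tests runs second finds the `MagicMock` instance cached by the first and its `assert_called_with` fails, unless something outside this hunk resets `_SESSION` (the class shows no such cleanup). Replace the assignment with patches that are undone automatically and that reset the cached session: `self.addCleanup(mock.patch.stopall)`, `mock.patch.object(driver, '_SESSION', new=None).start()`, `mock.patch.object(driver.session, 'Session').start()`. The `set_override` calls likewise leak between tests since this class derives from `testtools.TestCase` rather than the neutron base test, so `self.addCleanup(config.cfg.CONF.reset)` in `setUp` would keep the `insecure`/`ca_cert` overrides from escaping into other tests. A third test for the defaults (`insecure` False, `ca_cert` unset) asserting `verify=True` would pin the secure-by-default path, which is the case most deployments actually run.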
diff --git a/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
new file mode 100644
index 00000000000..03d3da592dc
--- /dev/null
+++ b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
@@ -0,0 +1,16 @@
+---
+prelude: >
+ Add options to designate external dns driver
+ of neutron for SSL based connections. This makes
+ it possible to use neutron with designate in scenario
+ where endpoints are SSL based. Users can specify to
+ skip cert validation or specify path to a valid cert
+ in [designate] section of neutron.conf file.
+features:
+ - Two new options are added to `[designate]` section to
+ support SSL.
+ - First option `insecure` allows to skip SSL validation
+ when creating a keystone session to initate a designate client.
+ Default value is False, which means to always verify connection.
+ - Second option `ca_cert` allows setting path to a valid cert file.
+ Default is None.