From b5891702cc24b0c9cedf6961d3223a37830341b9 Mon Sep 17 00:00:00 2001 From: Ivan Pchelintsev Date: Mon, 1 Jun 2020 11:59:06 +0300 Subject: [PATCH] Remove VxFlex OS credentials from connection_properties VxFlex OS password is not stored in block_device_mapping table. Instead of this passwords are stored in separate file and are retrieved during each attach/detach operation. Closes-Bug: #1823200 Change-Id: I89bd58d79e5cd74cf283d026ada486b7f7122980 --- os_brick/initiator/connectors/scaleio.py | 18 ++++++++++-- os_brick/privileged/scaleio.py | 27 +++++++++++++++++ .../initiator/connectors/test_scaleio.py | 7 +++-- .../bug-1823200-stein-c797a41d5b03cebc.yaml | 29 +++++++++++++++++++ 4 files changed, 77 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml diff --git a/os_brick/initiator/connectors/scaleio.py b/os_brick/initiator/connectors/scaleio.py index 0f65b960d..afe3dc88a 100644 --- a/os_brick/initiator/connectors/scaleio.py +++ b/os_brick/initiator/connectors/scaleio.py @@ -30,6 +30,7 @@ from os_brick import utils LOG = logging.getLogger(__name__) DEVICE_SCAN_ATTEMPTS_DEFAULT = 3 +CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf' synchronized = lockutils.synchronized_with_prefix('os-brick-') @@ -86,6 +87,18 @@ class ScaleIOConnector(base.BaseLinuxConnector): LOG.error(msg) raise exception.BrickException(message=msg) + @staticmethod + def _get_connector_password(config_group): + LOG.info("Get ScaleIO connector password from configuration file") + try: + return priv_scaleio.get_connector_password(CONNECTOR_CONF_PATH, + config_group) + except Exception as e: + msg = _("Error getting ScaleIO connector password from " + "configuration file: %s") % e + LOG.error(msg) + raise exception.BrickException(message=msg) + def _rescan_vols(self): LOG.info("ScaleIO rescan volumes") 
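Review bot: `_get_connector_password` catches `Exception` broadly, so the `BrickException` that `priv_scaleio.get_connector_password` already raises for a missing configuration file is wrapped in a second `BrickException` with a second prefix, and neither message says which `config_group` was looked up. Consider re-raising `exception.BrickException` untouched ahead of the generic handler, and put the group name into the wrapped message: `msg = _("Error getting ScaleIO connector password for config group %(group)s from configuration file: %(err)s") % {'group': config_group, 'err': e}`. The method also lacks a docstring; a one-liner such as `"""Return the VxFlex OS password for *config_group*, read from CONNECTOR_CONF_PATH through the privileged helper."""` would make the privsep round-trip visible to readers of the connector.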
@@ -306,8 +319,9 @@ class ScaleIOConnector(base.BaseLinuxConnector): self.server_ip = connection_properties['serverIP'] self.server_port = connection_properties['serverPort'] self.server_username = connection_properties['serverUsername'] - self.server_password = connection_properties['serverPassword'] - self.server_token = connection_properties['serverToken'] + self.server_password = self._get_connector_password( + connection_properties['config_group'], + ) self.iops_limit = connection_properties['iopsLimit'] self.bandwidth_limit = connection_properties['bandwidthLimit'] device_info = {'type': 'block', diff --git a/os_brick/privileged/scaleio.py b/os_brick/privileged/scaleio.py index 322289e3f..4ef7c0ee3 100644 --- a/os_brick/privileged/scaleio.py +++ b/os_brick/privileged/scaleio.py @@ -17,6 +17,9 @@ import os import struct import uuid +from six.moves import configparser + +from os_brick import exception from os_brick import privileged SCINI_DEVICE_PATH = '/dev/scini' @@ -70,3 +73,27 @@ def rescan_vols(op_code): with open_scini_device() as fd: ioctl(fd, op_code, struct.pack('Q', 0)) + + +@privileged.default.entrypoint +def get_connector_password(filename, config_group): + """Read ScaleIO connector configuration file and get appropriate password. + + :param filename: path to connector configuration file + :type filename: str + :param config_group: name of section in configuration file + :type config_group: str + :return: connector password + :rtype: str + """ + + if not os.path.isfile(filename): + msg = ( + "ScaleIO connector configuration file " + "is not found in path %s." % filename + ) + raise exception.BrickException(message=msg) + + conf = configparser.ConfigParser() + conf.read(filename) + return conf[config_group]["san_password"] diff --git a/os_brick/tests/initiator/connectors/test_scaleio.py b/os_brick/tests/initiator/connectors/test_scaleio.py index 14e45b2df..aafdfef36 100644 --- a/os_brick/tests/initiator/connectors/test_scaleio.py 
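Review bot: `connection_properties['config_group']` raises a bare `KeyError` when the key is absent, which is the situation for attachments recorded before the upgrade the release note describes (those rows still carry `serverPassword`/`serverToken`), and unlike the other failures on this path it will not surface as a `BrickException`. Consider `config_group = connection_properties.get('config_group')` followed by `if config_group is None: raise exception.BrickException(message=_("'config_group' missing from connection properties"))` before calling `_get_connector_password`. The assignment of `self.server_token` is removed without a replacement; if any method outside this hunk still reads that attribute it will now fail with `AttributeError`, so either initialise it to `None` here or confirm no readers remain. The enclosing method begins and ends outside the hunk.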
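Review bot: `get_connector_password` reads the file with the interpolating `ConfigParser`, so a `san_password` containing `%` raises an interpolation error (or is mangled) on lookup, and a missing section or option escapes as a bare `KeyError` rather than the `BrickException` used for the missing-file case; `conf.read()` also returns an empty list for an unreadable or malformed file without raising, which the code ignores. Switching to `RawConfigParser` with `get()` removes the interpolation and keeps the same call shape whether `six.moves.configparser` resolves to the Python 2 or Python 3 module (the mapping-style `conf[section][option]` is only available on Python 3, if this branch still runs under Python 2). Because this file holds a SAN password and is read as root through privsep, it would also be reasonable to log a warning when `os.stat(filename).st_mode & 0o077` is non-zero, i.e. the file is readable by group or others; that check is not included in the sketch below.
```python
    # … unchanged: docstring and os.path.isfile() check …
    conf = configparser.RawConfigParser()  # no '%' interpolation: passwords may contain '%'
    if not conf.read(filename):
        msg = "ScaleIO connector configuration file %s could not be read." % filename
        raise exception.BrickException(message=msg)
    try:
        return conf.get(config_group, "san_password")
    except (configparser.NoSectionError, configparser.NoOptionError) as e:
        msg = "ScaleIO connector configuration file %s: %s" % (filename, e)
        raise exception.BrickException(message=msg)
```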
+++ b/os_brick/tests/initiator/connectors/test_scaleio.py @@ -45,8 +45,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): 'scaleIO_volume_id': self.vol['provider_id'], 'serverPort': 443, 'serverUsername': 'test', - 'serverPassword': 'fake', - 'serverToken': 'fake_token', + 'config_group': 'test', 'iopsLimit': None, 'bandwidthLimit': None } @@ -83,6 +82,9 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): return_value=["emc-vol-{}".format(self.vol['id'])]) # Patch scaleio privileged calls + self.get_password_mock = self.mock_object(scaleio.priv_scaleio, + 'get_connector_password', + return_value='fake_password') self.get_guid_mock = self.mock_object(scaleio.priv_scaleio, 'get_guid', return_value=self.fake_guid) self.rescan_vols_mock = self.mock_object(scaleio.priv_scaleio, @@ -168,6 +170,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): self.connector.connect_volume(self.fake_connection_properties) self.get_guid_mock.assert_called_once_with( self.connector.GET_GUID_OP_CODE) + self.get_password_mock.assert_called_once() def test_connect_volume_without_volume_id(self): """Successful connect to volume without a Volume Id""" diff --git a/releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml b/releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml new file mode 100644 index 000000000..5204cbde0 --- /dev/null +++ b/releasenotes/notes/bug-1823200-stein-c797a41d5b03cebc.yaml 
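Review bot: `self.get_password_mock.assert_called_once()` only proves the privileged helper was invoked; it does not check that the `config_group` from the connection properties is what gets passed, which is the contract the new connector code depends on. `self.get_password_mock.assert_called_once_with(self.fake_connection_properties['config_group'])` pins that. None of the hunks in this file exercise `priv_scaleio.get_connector_password` itself (the mock added in the `@@ -83` hunk replaces it), so the missing-file path and the section/option lookup stay untested; a small test feeding a temporary INI file written with `tempfile` to the helper would cover them. The test method this assertion belongs to begins outside the hunk, and the following test's body lies outside it as well.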
@@ -0,0 +1,29 @@
+---
+security:
+ - |
+ Dell EMC VxFlex OS driver: This release contains a fix for
+ `Bug #1823200 `_.
+ See `OSSN-0086 `_
+ for details.
+upgrade:
+ - |
+ The fix for `Bug #1823200
+ `_ requires that a
+ configuration file be deployed on compute nodes, cinder nodes, and
+ anywhere you would perform a volume attachment in your deployment,
+ when using Cinder with a Dell EMC VxFlex OS backend. See the
+ `Dell EMC VxFlex OS (ScaleIO) Storage driver
+ `_
+ documentation for details about this configuration file.
+fixes:
+ - |
+ `Bug #1823200 `_:
+ This release contains an updated connector for use with the Dell EMC
+ VxFlex OS backend. It requires that a configuration file be deployed
+ on compute nodes, cinder nodes, and anywhere you would perform a
+ volume attachment in your deployment. See the
+ `Dell EMC VxFlex OS (ScaleIO) Storage driver
+ `_
+ documentation for details about the configuration file, and see
+ `OSSN-0086 `_ for
+ more information about the security vulnerability.