Keystone DB sync - add fernet key repo reset API

This update adds a fernet key repo reset API to sysinv. This API will be
consumed by dcorch to reset the fernet keys on a subcloud when the subcloud
becomes unmanaged.

Story: 2002842
Task: 22787

Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit f4bd054b9d)

Change-Id: I09f0bd5a8a7e3d5ade045a8c87bbb6dfccd6798f
Andy Ning 2019-02-22 15:11:10 -05:00
parent c880860c59
commit 9aa9723105
4 changed files with 39 additions and 8 deletions


@ -113,10 +113,12 @@ class FernetKeyController(rest.RestController):
@cutils.synchronized(LOCK_NAME)
@wsme_pecan.wsexpose(None, body=[FernetKey],
status_code=http_client.CREATED)
def post(self, keys):
key_list = [k.as_dict() for k in keys]
def post(self, keys=None):
key_list = None
if keys:
key_list = [k.as_dict() for k in keys]
try:
pecan.request.rpcapi.update_fernet_keys(pecan.request.context,
pecan.request.rpcapi.update_fernet_repo(pecan.request.context,
key_list)
except Exception as e:
LOG.exception(e)
@ -129,7 +131,7 @@ class FernetKeyController(rest.RestController):
def put(self, keys):
key_list = [k.as_dict() for k in keys]
try:
pecan.request.rpcapi.update_fernet_keys(pecan.request.context,
pecan.request.rpcapi.update_fernet_repo(pecan.request.context,
key_list)
except Exception as e:
LOG.exception(e)
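Review bot: In the post hunk, `if keys:` treats an empty request body `[]` the same as a missing body, so a client posting an empty list silently triggers the destructive reset path instead of a no-op or a 400; `key_list = None if keys is None else [k.as_dict() for k in keys]` keeps the two cases apart, and the matching `if keys:` in ConductorManager.update_fernet_repo has the same ambiguity. Overloading the absence of a POST body to mean "remove and regenerate the key repository" should also be stated in the controller's docstring, since nothing at the API surface marks the call as destructive. The body of post continues past the end of the hunk.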


@ -5,6 +5,8 @@
#
import os
import shutil
import subprocess
from grp import getgrnam
from pwd import getpwnam
@ -153,6 +155,29 @@ class FernetOperator(object):
LOG.exception(msg)
raise exception.SysinvException(msg)
def reset_fernet_keys(self):
try:
if os.path.isdir(self.key_repository):
LOG.info("Remove fernet repo")
shutil.rmtree(self.key_repository)
except OSError as e:
LOG.exception(e)
with open(os.devnull, "w") as fnull:
try:
LOG.info("Re-setup fernet repo")
subprocess.check_call(['/usr/bin/keystone-manage',
'fernet_setup',
'--keystone-user',
KEYSTONE_USER,
'--keystone-group',
KEYSTONE_GROUP],
stdout=fnull, stderr=fnull)
except subprocess.CalledProcessError as e:
msg = _("Failed to setup fernet keys: %s") % e.message
LOG.exception(msg)
raise exception.SysinvException(msg)
def get_fernet_keys(self, key_id=None):
keys = []
if not self._validate_key_repository():
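Review bot: In reset_fernet_keys a failure of `shutil.rmtree` is only logged, so the method goes on to run fernet_setup and returns normally even though the old key repository, or part of it, is still on disk; for a reset whose purpose is to invalidate a subcloud's keys that failure should be fatal rather than swallowed. Raising SysinvException from the OSError handler, as the fernet_setup handler below already does, keeps the two failure paths consistent. Whether fernet_setup regenerates keys when the directory still exists is not visible here, so I would not rely on it to cover an rmtree failure. `e.message` on the CalledProcessError is Python 2 only; `str(e)` works on both if this module is ever run under Python 3. The method also needs a docstring stating that it removes and re-creates the repository.
```python
def reset_fernet_keys(self):
    """Remove the fernet key repository and re-create it with fresh keys.

    :raises: SysinvException if the old repo cannot be removed or
             keystone-manage fernet_setup fails.
    """
    try:
        if os.path.isdir(self.key_repository):
            LOG.info("Remove fernet repo")
            shutil.rmtree(self.key_repository)
    except OSError as e:
        # Leaving the old keys in place would defeat the reset, so fail loudly.
        msg = _("Failed to remove fernet repo: %s") % e
        LOG.exception(msg)
        raise exception.SysinvException(msg)
    # … unchanged: keystone-manage fernet_setup call …
```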


@ -10669,14 +10669,18 @@ class ConductorManager(service.PeriodicService):
rpcapi = agent_rpcapi.AgentAPI()
rpcapi.update_host_memory(context, host.uuid)
def update_fernet_keys(self, context, keys):
def update_fernet_repo(self, context, keys=None):
"""Update the fernet repo with the new keys.
:param context: request context.
:param keys: a list of keys
:returns: nothing
"""
self._fernet.update_fernet_keys(keys)
if keys:
self._fernet.update_fernet_keys(keys)
else:
self._fernet.reset_fernet_keys()
def get_fernet_keys(self, context, key_id=None):
"""Get the keys from the fernet repo.
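Review bot: The docstring of update_fernet_repo still documents only the update path, while the new `else` branch calls `reset_fernet_keys` whenever `keys` is falsy; a caller reading the docstring would not learn that passing None (or an empty list) removes and regenerates the repository. Suggested text: `"""Update the fernet repo with the new keys, or reset it.` / `:param keys: a list of keys; when None the existing repo is removed and fresh keys are generated` / `:returns: nothing`. Using `if keys is None:` instead of `if keys:` would also stop an empty list from being treated as a reset request.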


@ -1723,13 +1723,13 @@ class ConductorAPI(sysinv.openstack.common.rpc.proxy.RpcProxy):
return self.cast(context, self.make_msg('update_host_memory',
host_uuid=host_uuid))
def update_fernet_keys(self, context, keys):
def update_fernet_repo(self, context, keys=None):
"""Synchronously, have the conductor update fernet keys.
:param context: request context.
:param keys: a list of fernet keys
"""
return self.call(context, self.make_msg('update_fernet_keys',
return self.call(context, self.make_msg('update_fernet_repo',
keys=keys))
def get_fernet_keys(self, context, key_id=None):
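Review bot: The docstring of ConductorAPI.update_fernet_repo describes only the key update and does not mention that omitting `keys` (the new default of None) asks the conductor to reset the repository; suggested `:param keys: a list of fernet keys, or None to reset the repo with freshly generated keys`. Renaming the RPC message from 'update_fernet_keys' to 'update_fernet_repo' means a conductor and a proxy from different versions no longer understand each other; if mixed-version operation is a concern, which is not visible here, keeping the old message name accepted on the conductor side would be safer.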