[virtual/odl] Apply missing neutron.compute state
1 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
2 : Copyright (c) 2018 Mirantis Inc., Enea AB and others.
3 :
4 : All rights reserved. This program and the accompanying materials
5 : are made available under the terms of the Apache License, Version 2.0
6 : which accompanies this distribution, and is available at
7 : http://www.apache.org/licenses/LICENSE-2.0
8 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
9 From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
10 Date: Wed, 3 Jan 2018 00:50:50 +0100
11 Subject: [PATCH] controller: Use keystoneclient to check project ID
12
13 Port fix from [1] for using the internal network when connecting
14 to keystone during project ID validation in nova, instead of
15 going through public endpoint (and using SSL).
16
17 [1] https://bugs.launchpad.net/nova/+bug/1716344
18
19 Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
20 ---
21  nova/controller.sls                                |  10 ++
22  ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++
23  2 files changed, 126 insertions(+)
24  create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
25
26 diff --git a/nova/controller.sls b/nova/controller.sls
27 index a55d037..59af945 100644
28 --- a/nova/controller.sls
29 +++ b/nova/controller.sls
30 @@ -71,6 +71,16 @@ contrail_nova_packages:
31
32  {%- endif %}
33
34 +nova-api-openstack-identity-patch:
35 +  file.patch:
36 +  - name: /usr/lib/python2.7/dist-packages
37 +  - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
38 +  - hash: False
39 +  - options: '-p1'
40 +  - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch'
41 +  - require:
42 +    - pkg: nova_controller_packages
43 +
44  /etc/nova/nova.conf:
45    file.managed:
46    - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
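Review bot: The `unless` guard in `nova-api-openstack-identity-patch` passes the cached patch to `patch` as a lone positional argument. As far as I know, GNU patch treats that argument as the file to be patched and reads the diff from stdin, so the reverse dry-run may never report "already applied"; naming the input explicitly is safer, e.g. `patch -p1 -R --dry-run -i /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch`. The guard also hard-codes the minion cache directory and the `base` saltenv, so a non-default `cachedir` or environment makes `test -f` fail and the state is retried on every run. Because `hash: False` turns off the state's own applied-check, this guard is the only thing deciding whether nova's project-ID validation code is patched. A short comment above the state should say that, and note that a package upgrade of `nova_controller_packages` reverts the files under `/usr/lib/python2.7/dist-packages`.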
47 diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
48 new file mode 100644
49 index 0000000..58d027e
50 --- /dev/null
51 +++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
52 @@ -0,0 +1,116 @@
53 +From: Christoph Fiehe <fiehe@gmx.de>
54 +Date: Wed, 3 Jan 2018 00:11:20 +0100
55 +Subject: [PATCH] Use keystoneclient to check project ID exists
56 +
57 +Based on Christoph's implementation proposed in [1].
58 +
59 +[1] https://bugs.launchpad.net/nova/+bug/1716344
60 +
61 +Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
62 +---
63 + nova/api/openstack/identity.py | 81 ++++++++++++++++--------------------------
64 + 1 file changed, 30 insertions(+), 51 deletions(-)
65 +
66 +diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py
67 +index 833d3b5..3269cec 100644
68 +--- a/nova/api/openstack/identity.py
69 ++++ b/nova/api/openstack/identity.py
70 +@@ -12,16 +12,15 @@
71 + # License for the specific language governing permissions and limitations
72 + # under the License.
73 +
74 +-from keystoneauth1 import exceptions as kse
75 +-from keystoneauth1 import loading as ks_loading
76 ++from keystoneauth1 import session
77 ++from keystoneclient import exceptions as kse
78 ++from keystoneclient.v3 import client
79 + from oslo_log import log as logging
80 + import webob
81 +
82 +-import nova.conf
83 + from nova.i18n import _
84 +
85 +
86 +-CONF = nova.conf.CONF
87 + LOG = logging.getLogger(__name__)
88 +
89 +
90 +@@ -32,51 +31,31 @@ def verify_project_id(context, project_id):
91 +     an HTTPBadRequest is emitted.
92 +
93 +     """
94 +-    sess = ks_loading.load_session_from_conf_options(
95 +-        CONF, 'keystone', auth=context.get_auth_plugin())
96 +-
97 +-    failure = webob.exc.HTTPBadRequest(
98 +-            explanation=_("Project ID %s is not a valid project.") %
99 +-            project_id)
100 ++    auth = context.get_auth_plugin()
101 ++    sess = session.Session(auth=auth)
102 ++    keystone = client.Client(session=sess)
103 +     try:
104 +-        resp = sess.get('/projects/%s' % project_id,
105 +-                        endpoint_filter={
106 +-                            'service_type': 'identity',
107 +-                            'version': (3, 0)
108 +-                        },
109 +-                        raise_exc=False)
110 +-    except kse.EndpointNotFound:
111 +-        LOG.error(
112 +-            "Keystone identity service version 3.0 was not found. This might "
113 +-            "be because your endpoint points to the v2.0 versioned endpoint "
114 +-            "which is not supported. Please fix this.")
115 +-        raise failure
116 +-    except kse.ClientException:
117 +-        # something is wrong, like there isn't a keystone v3 endpoint,
118 +-        # we'll take the pass and default to everything being ok.
119 +-        LOG.exception("Unable to contact keystone to verify project_id")
120 +-        return True
121 +-
122 +-    if resp:
123 +-        # All is good with this 20x status
124 +-        return True
125 +-    elif resp.status_code == 404:
126 +-        # we got access, and we know this project is not there
127 +-        raise failure
128 +-    elif resp.status_code == 403:
129 +-        # we don't have enough permission to verify this, so default
130 +-        # to "it's ok".
131 +-        LOG.info(
132 +-            "Insufficient permissions for user %(user)s to verify "
133 +-            "existence of project_id %(pid)s",
134 +-            {"user": context.user_id, "pid": project_id})
135 +-        return True
136 +-    else:
137 +-        LOG.warning(
138 +-            "Unexpected response from keystone trying to "
139 +-            "verify project_id %(pid)s - resp: %(code)s %(content)s",
140 +-            {"pid": project_id,
141 +-             "code": resp.status_code,
142 +-             "content": resp.content})
143 +-        # realize we did something wrong, but move on with a warning
144 +-        return True
145 ++        project = keystone.projects.get(project_id)
146 ++    except kse.ClientException as e:
147 ++        if e.http_status == 404:
148 ++            # we got access, and we know this project is not there
149 ++            raise webob.exc.HTTPBadRequest(
150 ++                explanation=_("Project ID %s is not a valid project.") %
151 ++                project_id)
152 ++        elif e.http_status == 403:
153 ++            # we don't have enough permission to verify this, so default
154 ++            # to "it's ok".
155 ++            LOG.info(
156 ++                "Insufficient permissions for user %(user)s to verify "
157 ++                "existence of project_id %(pid)s",
158 ++                {"user": context.user_id, "pid": project_id})
159 ++            return True
160 ++        else:
161 ++            LOG.warning(
162 ++                "Unexpected response from keystone trying to "
163 ++                "verify project_id %(pid)s - resp: %(code)s %(content)s",
164 ++                {"pid": project_id,
165 ++                 "code": resp.status_code,
166 ++                 "content": resp.content})
167 ++            # realize we did something wrong, but move on with a warning
168 ++            return True
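Review bot: The rewritten `else` branch still logs `resp.status_code` and `resp.content`, but `resp` no longer exists once the `sess.get()` call is removed, so any keystone error other than 404 or 403 would raise NameError instead of logging the warning and returning True. The handler also reads `e.http_status` on every `ClientException`; connection-level failures are, as far as I know, not HTTP errors and may lack that attribute, so the old log-and-continue path for an unreachable keystone would become an unhandled exception. Suggest `status = getattr(e, 'http_status', None)` at the top of the handler, branching on `status`, and logging `"code": status, "content": e`. On success the function (its signature and the start of its docstring lie outside the hunk) now appears to fall through and return None where the old code returned True, and `project` is unused; a `return True` after the try block would keep the contract. Separately, `session.Session(auth=auth)` no longer loads the `[keystone]` options from nova.conf, so any CA bundle or timeout configured there is presumably ignored, and nothing visible here pins the client to the internal interface the commit message describes.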