1 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
2 : Copyright (c) 2017 Mirantis Inc., Enea AB and others.
4 : All rights reserved. This program and the accompanying materials
5 : are made available under the terms of the Apache License, Version 2.0
6 : which accompanies this distribution, and is available at
7 : http://www.apache.org/licenses/LICENSE-2.0
8 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
9 From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
10 Date: Wed, 3 Jan 2018 00:50:50 +0100
11 Subject: [PATCH] controller: Use keystoneclient to check project ID
13 Port fix from [1] for using the internal network when connecting
14 to keystone during project ID validation in nova, instead of
15 going through public endpoint (and using SSL).
17 [1] https://bugs.launchpad.net/nova/+bug/1716344
19 Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
21 nova/controller.sls | 10 ++
22 ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++
23 2 files changed, 126 insertions(+)
24 create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
26 diff --git a/nova/controller.sls b/nova/controller.sls
27 index a55d037..59af945 100644
28 --- a/nova/controller.sls
29 +++ b/nova/controller.sls
30 @@ -71,6 +71,16 @@ contrail_nova_packages:
34 +nova-api-openstack-identity-patch:
36 + - name: /usr/lib/python2.7/dist-packages
37 + - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
40 + - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch'
42 + - pkg: nova_controller_packages
46 - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
47 diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
49 index 0000000..58d027e
51 +++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
53 +From: Christoph Fiehe <fiehe@gmx.de>
54 +Date: Wed, 3 Jan 2018 00:11:20 +0100
55 +Subject: [PATCH] Use keystoneclient to check project ID exists
57 +Based on Christoph's implementation proposed in [1].
59 +[1] https://bugs.launchpad.net/nova/+bug/1716344
61 +Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
63 + nova/api/openstack/identity.py | 81 ++++++++++++++++--------------------------
64 + 1 file changed, 30 insertions(+), 51 deletions(-)
66 +diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py
67 +index 833d3b5..3269cec 100644
68 +--- a/nova/api/openstack/identity.py
69 ++++ b/nova/api/openstack/identity.py
71 + # License for the specific language governing permissions and limitations
72 + # under the License.
74 +-from keystoneauth1 import exceptions as kse
75 +-from keystoneauth1 import loading as ks_loading
76 ++from keystoneauth1 import session
77 ++from keystoneclient import exceptions as kse
78 ++from keystoneclient.v3 import client
79 + from oslo_log import log as logging
83 + from nova.i18n import _
86 +-CONF = nova.conf.CONF
87 + LOG = logging.getLogger(__name__)
90 +@@ -32,51 +31,31 @@ def verify_project_id(context, project_id):
91 + an HTTPBadRequest is emitted.
94 +- sess = ks_loading.load_session_from_conf_options(
95 +- CONF, 'keystone', auth=context.get_auth_plugin())
97 +- failure = webob.exc.HTTPBadRequest(
98 +- explanation=_("Project ID %s is not a valid project.") %
100 ++ auth = context.get_auth_plugin()
101 ++ sess = session.Session(auth=auth)
102 ++ keystone = client.Client(session=sess)
104 +- resp = sess.get('/projects/%s' % project_id,
106 +- 'service_type': 'identity',
110 +- except kse.EndpointNotFound:
112 +- "Keystone identity service version 3.0 was not found. This might "
113 +- "be because your endpoint points to the v2.0 versioned endpoint "
114 +- "which is not supported. Please fix this.")
116 +- except kse.ClientException:
117 +- # something is wrong, like there isn't a keystone v3 endpoint,
118 +- # we'll take the pass and default to everything being ok.
119 +- LOG.exception("Unable to contact keystone to verify project_id")
123 +- # All is good with this 20x status
125 +- elif resp.status_code == 404:
126 +- # we got access, and we know this project is not there
128 +- elif resp.status_code == 403:
129 +- # we don't have enough permission to verify this, so default
132 +- "Insufficient permissions for user %(user)s to verify "
133 +- "existence of project_id %(pid)s",
134 +- {"user": context.user_id, "pid": project_id})
138 +- "Unexpected response from keystone trying to "
139 +- "verify project_id %(pid)s - resp: %(code)s %(content)s",
140 +- {"pid": project_id,
141 +- "code": resp.status_code,
142 +- "content": resp.content})
143 +- # realize we did something wrong, but move on with a warning
145 ++ project = keystone.projects.get(project_id)
146 ++ except kse.ClientException as e:
147 ++ if e.http_status == 404:
148 ++ # we got access, and we know this project is not there
149 ++ raise webob.exc.HTTPBadRequest(
150 ++ explanation=_("Project ID %s is not a valid project.") %
152 ++ elif e.http_status == 403:
153 ++ # we don't have enough permission to verify this, so default
156 ++ "Insufficient permissions for user %(user)s to verify "
157 ++ "existence of project_id %(pid)s",
158 ++ {"user": context.user_id, "pid": project_id})
162 ++ "Unexpected response from keystone trying to "
163 ++ "verify project_id %(pid)s - resp: %(code)s %(content)s",
164 ++ {"pid": project_id,
165 ++ "code": resp.status_code,
166 ++ "content": resp.content})
167 ++ # realize we did something wrong, but move on with a warning