From 68859c38817fcf5993054796e75d8231f98ed3bb Mon Sep 17 00:00:00 2001 From: Alexandru Avadanii Date: Wed, 3 Jan 2018 01:03:42 +0100 Subject: [PATCH] [patch] Use keystoneclient to check project ID Another prerequisite for decoupling public network from Openstack internal management network (upstream won't fix it for Pike): - port fix from [1] for using the internal network when connecting to keystone during project ID validation in nova, instead of going through public endpoint (and using SSL). [1] https://bugs.launchpad.net/nova/+bug/1716344 Change-Id: Ic9a307df9af78fcd58cbcc07b5e62a7e07cc8d7d Signed-off-by: Alexandru Avadanii --- ...er-Use-keystoneclient-to-check-project-ID.patch | 168 +++++++++++++++++++++ mcp/patches/patches.list | 1 + 2 files changed, 169 insertions(+) create mode 100644 mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch diff --git a/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch b/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch new file mode 100644 index 000000000..ed34e0646 --- /dev/null +++ b/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch @@ -0,0 +1,168 @@ +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +: Copyright (c) 2017 Mirantis Inc., Enea AB and others. +: +: All rights reserved. This program and the accompanying materials +: are made available under the terms of the Apache License, Version 2.0 +: which accompanies this distribution, and is available at +: http://www.apache.org/licenses/LICENSE-2.0 +:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: +From: Alexandru Avadanii +Date: Wed, 3 Jan 2018 00:50:50 +0100 +Subject: [PATCH] controller: Use keystoneclient to check project ID + +Port fix from [1] for using the internal network when connecting +to keystone during project ID validation in nova, instead of +going through public endpoint (and using SSL). + +[1] https://bugs.launchpad.net/nova/+bug/1716344 + +Signed-off-by: Alexandru Avadanii +--- + nova/controller.sls | 10 ++ + ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++ + 2 files changed, 126 insertions(+) + create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch + +diff --git a/nova/controller.sls b/nova/controller.sls +index a55d037..59af945 100644 +--- a/nova/controller.sls ++++ b/nova/controller.sls +@@ -71,6 +71,16 @@ contrail_nova_packages: + + {%- endif %} + ++nova-api-openstack-identity-patch: ++ file.patch: ++ - name: /usr/lib/python2.7/dist-packages ++ - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch ++ - hash: False ++ - options: '-p1' ++ - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch' ++ - require: ++ - pkg: nova_controller_packages ++ + /etc/nova/nova.conf: + file.managed: + - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }} +diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch +new file mode 100644 +index 0000000..58d027e +--- /dev/null ++++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch +@@ -0,0 +1,116 @@ ++From: Christoph Fiehe ++Date: Wed, 3 Jan 2018 00:11:20 +0100 ++Subject: [PATCH] Use keystoneclient to check project ID exists ++ ++Based on Christoph's implementation proposed in [1]. ++ ++[1] https://bugs.launchpad.net/nova/+bug/1716344 ++ ++Signed-off-by: Alexandru Avadanii ++--- ++ nova/api/openstack/identity.py | 81 ++++++++++++++++-------------------------- ++ 1 file changed, 30 insertions(+), 51 deletions(-) ++ ++diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py ++index 833d3b5..3269cec 100644 ++--- a/nova/api/openstack/identity.py +++++ b/nova/api/openstack/identity.py ++@@ -12,16 +12,15 @@ ++ # License for the specific language governing permissions and limitations ++ # under the License. ++ ++-from keystoneauth1 import exceptions as kse ++-from keystoneauth1 import loading as ks_loading +++from keystoneauth1 import session +++from keystoneclient import exceptions as kse +++from keystoneclient.v3 import client ++ from oslo_log import log as logging ++ import webob ++ ++-import nova.conf ++ from nova.i18n import _ ++ ++ ++-CONF = nova.conf.CONF ++ LOG = logging.getLogger(__name__) ++ ++ ++@@ -32,51 +31,31 @@ def verify_project_id(context, project_id): ++ an HTTPBadRequest is emitted. ++ ++ """ ++- sess = ks_loading.load_session_from_conf_options( ++- CONF, 'keystone', auth=context.get_auth_plugin()) ++- ++- failure = webob.exc.HTTPBadRequest( ++- explanation=_("Project ID %s is not a valid project.") % ++- project_id) +++ auth = context.get_auth_plugin() +++ sess = session.Session(auth=auth) +++ keystone = client.Client(session=sess) ++ try: ++- resp = sess.get('/projects/%s' % project_id, ++- endpoint_filter={ ++- 'service_type': 'identity', ++- 'version': (3, 0) ++- }, ++- raise_exc=False) ++- except kse.EndpointNotFound: ++- LOG.error( ++- "Keystone identity service version 3.0 was not found. This might " ++- "be because your endpoint points to the v2.0 versioned endpoint " ++- "which is not supported. Please fix this.") ++- raise failure ++- except kse.ClientException: ++- # something is wrong, like there isn't a keystone v3 endpoint, ++- # we'll take the pass and default to everything being ok. ++- LOG.exception("Unable to contact keystone to verify project_id") ++- return True ++- ++- if resp: ++- # All is good with this 20x status ++- return True ++- elif resp.status_code == 404: ++- # we got access, and we know this project is not there ++- raise failure ++- elif resp.status_code == 403: ++- # we don't have enough permission to verify this, so default ++- # to "it's ok". ++- LOG.info( ++- "Insufficient permissions for user %(user)s to verify " ++- "existence of project_id %(pid)s", ++- {"user": context.user_id, "pid": project_id}) ++- return True ++- else: ++- LOG.warning( ++- "Unexpected response from keystone trying to " ++- "verify project_id %(pid)s - resp: %(code)s %(content)s", ++- {"pid": project_id, ++- "code": resp.status_code, ++- "content": resp.content}) ++- # realize we did something wrong, but move on with a warning ++- return True +++ project = keystone.projects.get(project_id) +++ except kse.ClientException as e: +++ if e.http_status == 404: +++ # we got access, and we know this project is not there +++ raise webob.exc.HTTPBadRequest( +++ explanation=_("Project ID %s is not a valid project.") % +++ project_id) +++ elif e.http_status == 403: +++ # we don't have enough permission to verify this, so default +++ # to "it's ok". +++ LOG.info( +++ "Insufficient permissions for user %(user)s to verify " +++ "existence of project_id %(pid)s", +++ {"user": context.user_id, "pid": project_id}) +++ return True +++ else: +++ LOG.warning( +++ "Unexpected response from keystone trying to " +++ "verify project_id %(pid)s - resp: %(code)s %(content)s", +++ {"pid": project_id, +++ "code": resp.status_code, +++ "content": resp.content}) +++ # realize we did something wrong, but move on with a warning +++ return True diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list index cc176667e..284f1bcec 100644 --- a/mcp/patches/patches.list +++ b/mcp/patches/patches.list @@ -13,5 +13,6 @@ /usr/share/salt-formulas/env: 0006-maas-module-Add-VLAN-DHCP-enable-support.patch /usr/share/salt-formulas/env: 0007-network.interface-Fix-ifup-OVS-port-with-route.patch /usr/share/salt-formulas/env: 0008-Handle-file_recv-option.patch +/usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch /usr/share/salt-formulas/env: 0012-linux.storage.lvm-Disable-filter.patch -- 2.16.6