[patch] Use keystoneclient to check project ID

Another prerequisite for decoupling public network from Openstack internal management network (upstream won't fix it for Pike): - port fix from [1] for using the internal network when connecting to keystone during project ID validation in nova, instead of going through public endpoint (and using SSL). [1] https://bugs.launchpad.net/nova/+bug/1716344 Change-Id: Ic9a307df9af78fcd58cbcc07b5e62a7e07cc8d7d Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
author: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2018-01-03 01:03:42 +0100
committer: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2018-01-03 01:16:02 +0100
commit: 68859c38817fcf5993054796e75d8231f98ed3bb (patch)
tree: bfd11c9433055e660fa7549bf373200984b26565
parent: fddd093d04d2744f5f7a7e09f8ed6f2e3d4d7119 (diff)
2 files changed, 169 insertions, 0 deletions
diff --git a/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch b/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch
new file mode 100644
index 000000000..ed34e0646
--- /dev/null
+++ b/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch
@@ -0,0 +1,168 @@
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+: Copyright (c) 2017 Mirantis Inc., Enea AB and others.
+:
+: All rights reserved. This program and the accompanying materials
+: are made available under the terms of the Apache License, Version 2.0
+: which accompanies this distribution, and is available at
+: http://www.apache.org/licenses/LICENSE-2.0
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+Date: Wed, 3 Jan 2018 00:50:50 +0100
+Subject: [PATCH] controller: Use keystoneclient to check project ID
+
+Port fix from [1] for using the internal network when connecting
+to keystone during project ID validation in nova, instead of
+going through public endpoint (and using SSL).
+
+[1] https://bugs.launchpad.net/nova/+bug/1716344
+
+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+---
+ nova/controller.sls                                |  10 ++
+ ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++
+ 2 files changed, 126 insertions(+)
+ create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
+
+diff --git a/nova/controller.sls b/nova/controller.sls
+index a55d037..59af945 100644
+--- a/nova/controller.sls
++++ b/nova/controller.sls
+@@ -71,6 +71,16 @@ contrail_nova_packages:
+
+ {%- endif %}
+
++nova-api-openstack-identity-patch:
++  file.patch:
++  - name: /usr/lib/python2.7/dist-packages
++  - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
++  - hash: False
++  - options: '-p1'
++  - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch'
++  - require:
++    - pkg: nova_controller_packages
++
+ /etc/nova/nova.conf:
+   file.managed:
+   - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
+diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
+new file mode 100644
+index 0000000..58d027e
+--- /dev/null
++++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
+@@ -0,0 +1,116 @@
++From: Christoph Fiehe <fiehe@gmx.de>
++Date: Wed, 3 Jan 2018 00:11:20 +0100
++Subject: [PATCH] Use keystoneclient to check project ID exists
++
++Based on Christoph's implementation proposed in [1].
++
++[1] https://bugs.launchpad.net/nova/+bug/1716344
++
++Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
++---
++ nova/api/openstack/identity.py | 81 ++++++++++++++++--------------------------
++ 1 file changed, 30 insertions(+), 51 deletions(-)
++
++diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py
++index 833d3b5..3269cec 100644
++--- a/nova/api/openstack/identity.py
+++++ b/nova/api/openstack/identity.py
++@@ -12,16 +12,15 @@
++ # License for the specific language governing permissions and limitations
++ # under the License.
++
++-from keystoneauth1 import exceptions as kse
++-from keystoneauth1 import loading as ks_loading
+++from keystoneauth1 import session
+++from keystoneclient import exceptions as kse
+++from keystoneclient.v3 import client
++ from oslo_log import log as logging
++ import webob
++
++-import nova.conf
++ from nova.i18n import _
++
++
++-CONF = nova.conf.CONF
++ LOG = logging.getLogger(__name__)
++
++
++@@ -32,51 +31,31 @@ def verify_project_id(context, project_id):
++     an HTTPBadRequest is emitted.
++
++     """
++-    sess = ks_loading.load_session_from_conf_options(
++-        CONF, 'keystone', auth=context.get_auth_plugin())
++-
++-    failure = webob.exc.HTTPBadRequest(
++-            explanation=_("Project ID %s is not a valid project.") %
++-            project_id)
+++    auth = context.get_auth_plugin()
+++    sess = session.Session(auth=auth)
+++    keystone = client.Client(session=sess)
++     try:
++-        resp = sess.get('/projects/%s' % project_id,
++-                        endpoint_filter={
++-                            'service_type': 'identity',
++-                            'version': (3, 0)
++-                        },
++-                        raise_exc=False)
++-    except kse.EndpointNotFound:
++-        LOG.error(
++-            "Keystone identity service version 3.0 was not found. This might "
++-            "be because your endpoint points to the v2.0 versioned endpoint "
++-            "which is not supported. Please fix this.")
++-        raise failure
++-    except kse.ClientException:
++-        # something is wrong, like there isn't a keystone v3 endpoint,
++-        # we'll take the pass and default to everything being ok.
++-        LOG.exception("Unable to contact keystone to verify project_id")
++-        return True
++-
++-    if resp:
++-        # All is good with this 20x status
++-        return True
++-    elif resp.status_code == 404:
++-        # we got access, and we know this project is not there
++-        raise failure
++-    elif resp.status_code == 403:
++-        # we don't have enough permission to verify this, so default
++-        # to "it's ok".
++-        LOG.info(
++-            "Insufficient permissions for user %(user)s to verify "
++-            "existence of project_id %(pid)s",
++-            {"user": context.user_id, "pid": project_id})
++-        return True
++-    else:
++-        LOG.warning(
++-            "Unexpected response from keystone trying to "
++-            "verify project_id %(pid)s - resp: %(code)s %(content)s",
++-            {"pid": project_id,
++-             "code": resp.status_code,
++-             "content": resp.content})
++-        # realize we did something wrong, but move on with a warning
++-        return True
+++        project = keystone.projects.get(project_id)
+++    except kse.ClientException as e:
+++        if e.http_status == 404:
+++            # we got access, and we know this project is not there
+++            raise webob.exc.HTTPBadRequest(
+++                explanation=_("Project ID %s is not a valid project.") %
+++                project_id)
+++        elif e.http_status == 403:
+++            # we don't have enough permission to verify this, so default
+++            # to "it's ok".
+++            LOG.info(
+++                "Insufficient permissions for user %(user)s to verify "
+++                "existence of project_id %(pid)s",
+++                {"user": context.user_id, "pid": project_id})
+++            return True
+++        else:
+++            LOG.warning(
+++                "Unexpected response from keystone trying to "
+++                "verify project_id %(pid)s - resp: %(code)s %(content)s",
+++                {"pid": project_id,
+++                 "code": resp.status_code,
+++                 "content": resp.content})
+++            # realize we did something wrong, but move on with a warning
+++            return True
diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list
index cc176667e..284f1bcec 100644
--- a/mcp/patches/patches.list
+++ b/mcp/patches/patches.list
@@ -13,5 +13,6 @@
 /usr/share/salt-formulas/env: 0006-maas-module-Add-VLAN-DHCP-enable-support.patch
 /usr/share/salt-formulas/env: 0007-network.interface-Fix-ifup-OVS-port-with-route.patch
 /usr/share/salt-formulas/env: 0008-Handle-file_recv-option.patch
+/usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch
 /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch
 /usr/share/salt-formulas/env: 0012-linux.storage.lvm-Disable-filter.patch
author	Alexandru Avadanii <Alexandru.Avadanii@enea.com>	2018-01-03 01:03:42 +0100
committer	Alexandru Avadanii <Alexandru.Avadanii@enea.com>	2018-01-03 01:16:02 +0100
commit	68859c38817fcf5993054796e75d8231f98ed3bb (patch)
tree	bfd11c9433055e660fa7549bf373200984b26565
parent	fddd093d04d2744f5f7a7e09f8ed6f2e3d4d7119 (diff)