From f45309a760e04597bdb379f3c7a1c0a2b28e1f87 Mon Sep 17 00:00:00 2001 From: Alexandru Avadanii Date: Wed, 21 Mar 2018 06:15:49 +0100 Subject: [patch] Drop keystoneclient project ID checking Since we brought back NAT over MaaS PXE/admin, drop out-of-tree patch that was only needed for full network isolation (no cross-talk between public and admin). Change-Id: I577b1116bbdcc19647b3c01fe6f2acb7bb9ce627 Signed-off-by: Alexandru Avadanii --- ...er-Use-keystoneclient-to-check-project-ID.patch | 168 --------------------- mcp/patches/patches.list | 1 - 2 files changed, 169 deletions(-) delete mode 100644 mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch (limited to 'mcp') diff --git a/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch b/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch deleted file mode 100644 index b79eee860..000000000 --- a/mcp/patches/0009-controller-Use-keystoneclient-to-check-project-ID.patch +++ /dev/null @@ -1,168 +0,0 @@ -:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -: Copyright (c) 2018 Mirantis Inc., Enea AB and others. -: -: All rights reserved. This program and the accompanying materials -: are made available under the terms of the Apache License, Version 2.0 -: which accompanies this distribution, and is available at -: http://www.apache.org/licenses/LICENSE-2.0 -:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -From: Alexandru Avadanii -Date: Wed, 3 Jan 2018 00:50:50 +0100 -Subject: [PATCH] controller: Use keystoneclient to check project ID - -Port fix from [1] for using the internal network when connecting -to keystone during project ID validation in nova, instead of -going through public endpoint (and using SSL). - -[1] https://bugs.launchpad.net/nova/+bug/1716344 - -Signed-off-by: Alexandru Avadanii ---- - nova/controller.sls | 10 ++ - ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++ - 2 files changed, 126 insertions(+) - create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch - -diff --git a/nova/controller.sls b/nova/controller.sls -index a55d037..59af945 100644 ---- a/nova/controller.sls -+++ b/nova/controller.sls -@@ -71,6 +71,16 @@ contrail_nova_packages: - - {%- endif %} - -+nova-api-openstack-identity-patch: -+ file.patch: -+ - name: /usr/lib/python2.7/dist-packages -+ - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch -+ - hash: False -+ - options: '-p1' -+ - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch' -+ - require: -+ - pkg: nova_controller_packages -+ - /etc/nova/nova.conf: - file.managed: - - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }} -diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch -new file mode 100644 -index 0000000..58d027e ---- /dev/null -+++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch -@@ -0,0 +1,116 @@ -+From: Christoph Fiehe -+Date: Wed, 3 Jan 2018 00:11:20 +0100 -+Subject: [PATCH] Use keystoneclient to check project ID exists -+ -+Based on Christoph's implementation proposed in [1]. -+ -+[1] https://bugs.launchpad.net/nova/+bug/1716344 -+ -+Signed-off-by: Alexandru Avadanii -+--- -+ nova/api/openstack/identity.py | 81 ++++++++++++++++-------------------------- -+ 1 file changed, 30 insertions(+), 51 deletions(-) -+ -+diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py -+index 833d3b5..3269cec 100644 -+--- a/nova/api/openstack/identity.py -++++ b/nova/api/openstack/identity.py -+@@ -12,16 +12,15 @@ -+ # License for the specific language governing permissions and limitations -+ # under the License. -+ -+-from keystoneauth1 import exceptions as kse -+-from keystoneauth1 import loading as ks_loading -++from keystoneauth1 import session -++from keystoneclient import exceptions as kse -++from keystoneclient.v3 import client -+ from oslo_log import log as logging -+ import webob -+ -+-import nova.conf -+ from nova.i18n import _ -+ -+ -+-CONF = nova.conf.CONF -+ LOG = logging.getLogger(__name__) -+ -+ -+@@ -32,51 +31,31 @@ def verify_project_id(context, project_id): -+ an HTTPBadRequest is emitted. -+ -+ """ -+- sess = ks_loading.load_session_from_conf_options( -+- CONF, 'keystone', auth=context.get_auth_plugin()) -+- -+- failure = webob.exc.HTTPBadRequest( -+- explanation=_("Project ID %s is not a valid project.") % -+- project_id) -++ auth = context.get_auth_plugin() -++ sess = session.Session(auth=auth) -++ keystone = client.Client(session=sess) -+ try: -+- resp = sess.get('/projects/%s' % project_id, -+- endpoint_filter={ -+- 'service_type': 'identity', -+- 'version': (3, 0) -+- }, -+- raise_exc=False) -+- except kse.EndpointNotFound: -+- LOG.error( -+- "Keystone identity service version 3.0 was not found. This might " -+- "be because your endpoint points to the v2.0 versioned endpoint " -+- "which is not supported. Please fix this.") -+- raise failure -+- except kse.ClientException: -+- # something is wrong, like there isn't a keystone v3 endpoint, -+- # we'll take the pass and default to everything being ok. -+- LOG.exception("Unable to contact keystone to verify project_id") -+- return True -+- -+- if resp: -+- # All is good with this 20x status -+- return True -+- elif resp.status_code == 404: -+- # we got access, and we know this project is not there -+- raise failure -+- elif resp.status_code == 403: -+- # we don't have enough permission to verify this, so default -+- # to "it's ok". -+- LOG.info( -+- "Insufficient permissions for user %(user)s to verify " -+- "existence of project_id %(pid)s", -+- {"user": context.user_id, "pid": project_id}) -+- return True -+- else: -+- LOG.warning( -+- "Unexpected response from keystone trying to " -+- "verify project_id %(pid)s - resp: %(code)s %(content)s", -+- {"pid": project_id, -+- "code": resp.status_code, -+- "content": resp.content}) -+- # realize we did something wrong, but move on with a warning -+- return True -++ project = keystone.projects.get(project_id) -++ except kse.ClientException as e: -++ if e.http_status == 404: -++ # we got access, and we know this project is not there -++ raise webob.exc.HTTPBadRequest( -++ explanation=_("Project ID %s is not a valid project.") % -++ project_id) -++ elif e.http_status == 403: -++ # we don't have enough permission to verify this, so default -++ # to "it's ok". -++ LOG.info( -++ "Insufficient permissions for user %(user)s to verify " -++ "existence of project_id %(pid)s", -++ {"user": context.user_id, "pid": project_id}) -++ return True -++ else: -++ LOG.warning( -++ "Unexpected response from keystone trying to " -++ "verify project_id %(pid)s - resp: %(code)s %(content)s", -++ {"pid": project_id, -++ "code": resp.status_code, -++ "content": resp.content}) -++ # realize we did something wrong, but move on with a warning -++ return True diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list index 9c460f8e8..711b0f3a5 100644 --- a/mcp/patches/patches.list +++ b/mcp/patches/patches.list @@ -13,7 +13,6 @@ /usr/share/salt-formulas/env: 0006-maas-module-Add-VLAN-DHCP-enable-support.patch /usr/share/salt-formulas/env: 0007-network.interface-Fix-ifup-OVS-port-with-route.patch /usr/share/salt-formulas/env: 0008-Handle-extra-environment-variables.patch -/usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch /usr/share/salt-formulas/env: 0011-system.repo-Debian-Add-keyserver-proxy-support.patch /usr/share/salt-formulas/env: 0012-routes-Skip-network-restart-on-noifupdown.patch -- cgit 1.2.3-korg