:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Copyright (c) 2017 Mirantis Inc., Enea AB and others. : : All rights reserved. This program and the accompanying materials : are made available under the terms of the Apache License, Version 2.0 : which accompanies this distribution, and is available at : http://www.apache.org/licenses/LICENSE-2.0 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: From: Alexandru Avadanii Date: Wed, 3 Jan 2018 00:50:50 +0100 Subject: [PATCH] controller: Use keystoneclient to check project ID Port fix from [1] for using the internal network when connecting to keystone during project ID validation in nova, instead of going through public endpoint (and using SSL). [1] https://bugs.launchpad.net/nova/+bug/1716344 Signed-off-by: Alexandru Avadanii --- nova/controller.sls | 10 ++ ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch diff --git a/nova/controller.sls b/nova/controller.sls index a55d037..59af945 100644 --- a/nova/controller.sls +++ b/nova/controller.sls @@ -71,6 +71,16 @@ contrail_nova_packages: {%- endif %} +nova-api-openstack-identity-patch: + file.patch: + - name: /usr/lib/python2.7/dist-packages + - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch + - hash: False + - options: '-p1' + - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch' + - require: + - pkg: nova_controller_packages + /etc/nova/nova.conf: file.managed: - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }} diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch new file mode 100644 index 0000000..58d027e --- /dev/null +++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch @@ -0,0 +1,116 @@ +From: Christoph Fiehe +Date: Wed, 3 Jan 2018 00:11:20 +0100 +Subject: [PATCH] Use keystoneclient to check project ID exists + +Based on Christoph's implementation proposed in [1]. + +[1] https://bugs.launchpad.net/nova/+bug/1716344 + +Signed-off-by: Alexandru Avadanii +--- + nova/api/openstack/identity.py | 81 ++++++++++++++++-------------------------- + 1 file changed, 30 insertions(+), 51 deletions(-) + +diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py +index 833d3b5..3269cec 100644 +--- a/nova/api/openstack/identity.py ++++ b/nova/api/openstack/identity.py +@@ -12,16 +12,15 @@ + # License for the specific language governing permissions and limitations + # under the License. + +-from keystoneauth1 import exceptions as kse +-from keystoneauth1 import loading as ks_loading ++from keystoneauth1 import session ++from keystoneclient import exceptions as kse ++from keystoneclient.v3 import client + from oslo_log import log as logging + import webob + +-import nova.conf + from nova.i18n import _ + + +-CONF = nova.conf.CONF + LOG = logging.getLogger(__name__) + + +@@ -32,51 +31,31 @@ def verify_project_id(context, project_id): + an HTTPBadRequest is emitted. + + """ +- sess = ks_loading.load_session_from_conf_options( +- CONF, 'keystone', auth=context.get_auth_plugin()) +- +- failure = webob.exc.HTTPBadRequest( +- explanation=_("Project ID %s is not a valid project.") % +- project_id) ++ auth = context.get_auth_plugin() ++ sess = session.Session(auth=auth) ++ keystone = client.Client(session=sess) + try: +- resp = sess.get('/projects/%s' % project_id, +- endpoint_filter={ +- 'service_type': 'identity', +- 'version': (3, 0) +- }, +- raise_exc=False) +- except kse.EndpointNotFound: +- LOG.error( +- "Keystone identity service version 3.0 was not found. This might " +- "be because your endpoint points to the v2.0 versioned endpoint " +- "which is not supported. Please fix this.") +- raise failure +- except kse.ClientException: +- # something is wrong, like there isn't a keystone v3 endpoint, +- # we'll take the pass and default to everything being ok. +- LOG.exception("Unable to contact keystone to verify project_id") +- return True +- +- if resp: +- # All is good with this 20x status +- return True +- elif resp.status_code == 404: +- # we got access, and we know this project is not there +- raise failure +- elif resp.status_code == 403: +- # we don't have enough permission to verify this, so default +- # to "it's ok". +- LOG.info( +- "Insufficient permissions for user %(user)s to verify " +- "existence of project_id %(pid)s", +- {"user": context.user_id, "pid": project_id}) +- return True +- else: +- LOG.warning( +- "Unexpected response from keystone trying to " +- "verify project_id %(pid)s - resp: %(code)s %(content)s", +- {"pid": project_id, +- "code": resp.status_code, +- "content": resp.content}) +- # realize we did something wrong, but move on with a warning +- return True ++ project = keystone.projects.get(project_id) ++ except kse.ClientException as e: ++ if e.http_status == 404: ++ # we got access, and we know this project is not there ++ raise webob.exc.HTTPBadRequest( ++ explanation=_("Project ID %s is not a valid project.") % ++ project_id) ++ elif e.http_status == 403: ++ # we don't have enough permission to verify this, so default ++ # to "it's ok". ++ LOG.info( ++ "Insufficient permissions for user %(user)s to verify " ++ "existence of project_id %(pid)s", ++ {"user": context.user_id, "pid": project_id}) ++ return True ++ else: ++ LOG.warning( ++ "Unexpected response from keystone trying to " ++ "verify project_id %(pid)s - resp: %(code)s %(content)s", ++ {"pid": project_id, ++ "code": resp.status_code, ++ "content": resp.content}) ++ # realize we did something wrong, but move on with a warning ++ return True