From 5bc5fd8855f39638522304102e1f839484b9bf81 Mon Sep 17 00:00:00 2001
From: Cian O'Driscoll
Date: Wed, 15 May 2013 15:14:01 +0000
Subject: [PATCH] Add ca cert file support to cinder client requests

Allow for ca certificates file to be specified when doing cinder client requests. Needed when using custom ca authorities.

Change-Id: Ib9aa15df2fc7d96cb8587c13769399e353c032c6
Fixes: bug #1179476
---
 etc/nova/nova.conf.sample | 4 ++++
 nova/tests/test_cinder.py | 16 +++++++++++++---
 nova/volume/cinder.py | 13 +++++++++----
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/etc/nova/nova.conf.sample b/etc/nova/nova.conf.sample
index 1897d9a6523..2ba888a8624 100644
--- a/etc/nova/nova.conf.sample
+++ b/etc/nova/nova.conf.sample
@@ -2513,6 +2513,10 @@
 # region name of this node (string value)
 #os_region_name=
+# Allow for a ca certificates file to be specified for cinder
+# client requests (string value)
+#cinder_ca_certificates_file=
+
 # Number of cinderclient retries on failed http calls (integer
 # value)
 #cinder_http_retries=3
diff --git a/nova/tests/test_cinder.py b/nova/tests/test_cinder.py
index 06eb467abe4..e8dff9a4a30 100644
--- a/nova/tests/test_cinder.py
+++ b/nova/tests/test_cinder.py
@@ -98,14 +98,16 @@ def get_volumes_5678(self, **kw):
 class FakeCinderClient(cinder.cinder_client.Client):
 def __init__(self, username, password, project_id=None, auth_url=None,
- insecure=False, retries=None):
+ insecure=False, retries=None, cacert=None):
 super(FakeCinderClient, self).__init__(username, password,
 project_id=project_id,
 auth_url=auth_url,
 insecure=insecure,
- retries=retries)
+ retries=retries,
+ cacert=cacert)
 self.client = FakeHTTPClient(username, password, project_id, auth_url,
- insecure=insecure, retries=retries)
+ insecure=insecure, retries=retries,
+ cacert=cacert)
 # keep a ref to the clients callstack for factory's assert_called
 self.callstack = self.client.callstack = []
@@ -187,6 +189,14 @@ def test_cinder_api_insecure(self):
 self.assertEquals(
 self.fake_client_factory.client.client.verify_cert, False)
+ def test_cinder_api_cacert_file(self):
+ cacert = "/etc/ssl/certs/ca-certificates.crt"
+ self.flags(cinder_ca_certificates_file=cacert)
+ volume = self.api.get(self.context, '1234')
+ self.assert_called('GET', '/volumes/1234')
+ self.assertEquals(
+ self.fake_client_factory.client.client.verify_cert, cacert)
+
 def test_cinder_http_retries(self):
 retries = 42
 self.flags(cinder_http_retries=retries)
diff --git a/nova/volume/cinder.py b/nova/volume/cinder.py
index f112f0597cc..5243cdb1f63 100644
--- a/nova/volume/cinder.py
+++ b/nova/volume/cinder.py
@@ -45,6 +45,10 @@
 cfg.StrOpt('os_region_name',
 default=None,
 help='region name of this node'),
+ cfg.StrOpt('cinder_ca_certificates_file',
+ default=None,
+ help='Location of ca certicates file to use for cinder client '
+ 'requests.'),
 cfg.IntOpt('cinder_http_retries',
 default=3,
 help='Number of cinderclient retries on failed http calls'),
@@ -52,9 +56,9 @@
 default=False,
 help='Allow to perform insecure SSL requests to cinder'),
 cfg.BoolOpt('cinder_cross_az_attach',
- default=True,
- help='Allow attach between instance and volume in different '
- 'availability zones.'),
+ default=True,
+ help='Allow attach between instance and volume in different '
+ 'availability zones.'),
 ]
 CONF = cfg.CONF
@@ -98,7 +102,8 @@ def cinderclient(context):
 project_id=context.project_id,
 auth_url=url,
 insecure=CONF.cinder_api_insecure,
- retries=CONF.cinder_http_retries)
+ retries=CONF.cinder_http_retries,
+ cacert=CONF.cinder_ca_certificates_file)
 # noauth extracts user_id:project_id from auth_token
 c.client.auth_token = context.auth_token or '%s:%s' % (context.user_id,
 context.project_id)
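Review bot: `test_cinder_api_cacert_file` pins only the case where `cinder_ca_certificates_file` is set on its own; no test sets it together with `cinder_api_insecure=True`, so the suite leaves the precedence between the two options undefined. Judging from `test_cinder_api_insecure` just above, `verify_cert` is `False` under insecure, which would presumably leave a configured CA file silently unused. A companion test that sets both flags and asserts the intended `verify_cert` value would document that contract; the same question applies where the client is constructed in `cinderclient()` in nova/volume/cinder.py. The local `volume` is assigned but never read, so that line can be `self.api.get(self.context, '1234')`.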
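Review bot: The help text for `cinder_ca_certificates_file` misspells "certificates" as "certicates" and does not match the wording added to etc/nova/nova.conf.sample in this same commit, so the sample and the option definition disagree. The help also does not say what the `None` default means for verification or how the option relates to `cinder_api_insecure`. Suggested wording: `help='Location of CA certificates file used to verify the cinder endpoint for cinder client requests.'`, with a sentence on the interaction with `cinder_api_insecure` added once that behaviour is confirmed.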
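Review bot: The new `cacert=` keyword is passed unconditionally, yet the diffstat lists only three files and none of them raises the required python-cinderclient version; if the installed client predates the `cacert` parameter, this call would presumably fail with a `TypeError` on every volume operation. The configured path is also handed over with no check visible in the hunk, so a wrong or unreadable file would only surface as a TLS failure on the first request. A comment such as `# NOTE: the CA file path is passed through unvalidated; a bad path fails on first use` would make that explicit. cinderclient()'s body starts and ends outside the hunk.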