python-cephclient disables urllib3 certificate checks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | Daniel Badea |
Bug Description
Brief Description
-----------------
In StarlingX, the ceph-mgr restful plugin uses a self-signed certificate when providing HTTPS access to the Ceph REST API. Instead of retrieving and using this certificate, python-cephclient takes a shortcut and disables verifying HTTPS requests for the entire requests/urllib3 library. This puts any application using python-cephclient at risk.
Cephclient warns about 'skip checking server certificate', and this message can be seen in the output of config_controller and in the sysinv log. It was meant to be a temporary shortcut and needs to be replaced with proper handling of ceph-mgr restful plugin HTTPS certificates.
Severity
--------
Minor
Steps to Reproduce
------------------
On active controller run:
python -c 'from cephclient.wrapper import CephWrapper; CephWrapper(
Expected Behavior
------------------
No warning displayed and urllib3.
Actual Behavior
----------------
2019-05-09 20:38:26,953 WARNING ceph_client skip checking server certificate
Reproducibility
---------------
100% reproducible
System Configuration
-------
All systems.
Branch/Pull Time/Commit
-------
master 2019-05-08
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Developer Testing.
Changed in starlingx:
assignee: nobody → Daniel Badea (daniel.badea)
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
status: Triaged → New
tags: added: stx.storage
tags: added: stx.distro.other
tags: removed: stx.storage
tags: added: stx.storage
tags: removed: stx.distro.other
Changed in starlingx:
status: New → Triaged
Changed in starlingx:
status: Triaged → In Progress
To confirm urllib3.disable_warnings is not called without relying on log messages:
python <<EOF
import requests.packages.urllib3
from cephclient.wrapper import CephWrapper
# Wrapper that records every call made to disable_warnings()
def override(calls=[], query=False,
             func=requests.packages.urllib3.disable_warnings):
    if query:
        return len(calls)
    return calls.append(func())
# Replace the library function so any call is counted
requests.packages.urllib3.disable_warnings = override
CephWrapper().osd_df()
assert(requests.packages.urllib3.disable_warnings(query=True) == 0)
EOF
should not print AssertionError.
(python mock is not available on controller; this snippet patches disable_warnings(), calls CephWrapper() where HTTPS certificate checks are disabled then asserts disable_warnings() was not called)
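
A static complement to the runtime check above, added here as an example and not taken from python-cephclient or StarlingX: it walks a module's AST and reports calls to `disable_warnings()` and any `verify=False` setting, so the shortcut can be caught in review or CI without a running controller. The function name `find_tls_bypasses` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample input: mimics the pattern the bug describes.
# It is NOT python-cephclient's actual source.
SAMPLE_SOURCE = '''
import requests

class Client(object):
    def __init__(self, url, ca_file=None):
        self.url = url
        self.session = requests.Session()
        if ca_file is None:
            requests.packages.urllib3.disable_warnings()
            self.session.verify = False
        else:
            self.session.verify = ca_file  # pinned self-signed cert

    def get(self, path):
        return requests.get(self.url + path, verify=False)
'''


def _is_false(node):
    """True only for the literal False (not 0, None or a variable)."""
    return isinstance(node, ast.Constant) and node.value is False


def find_tls_bypasses(source):
    """Return sorted (line, reason) tuples for code that turns off TLS checks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            # Last component of the callee: attribute name or bare name.
            name = getattr(func, "attr", getattr(func, "id", None))
            if name == "disable_warnings":  # process-wide side effect
                findings.append((node.lineno, "disable_warnings() call"))
            if any(kw.arg == "verify" and _is_false(kw.value)
                   for kw in node.keywords):
                findings.append((node.lineno, "verify=False argument"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            if any(isinstance(t, ast.Attribute) and t.attr == "verify"
                   for t in node.targets):
                findings.append((node.lineno, "verify attribute set to False"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_tls_bypasses(SAMPLE_SOURCE):
        print("line %d: %s" % (line, reason))
```

The branch that assigns `ca_file` to `session.verify` is not flagged: scoping trust for the self-signed certificate to one session is the handling the bug description asks for.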