Comment 8 for bug 1828470

OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/680920
Committed: https://git.openstack.org/cgit/starlingx/utilities/commit/?id=9f73cd4f9bf4a8f284642b7940ac41d22b637d3e
Submitter: Zuul
Branch: master

commit 9f73cd4f9bf4a8f284642b7940ac41d22b637d3e
Author: Daniel Badea <email address hidden>
Date: Fri Sep 6 15:12:46 2019 +0000

    python-cephclient: use configured restful api plugin

    ceph-mgr restful plugin is using self-signed certificate when providing
    HTTPS access to Ceph REST API.

    Instead of retrieving and using this certificate python-cephclient is
    currently taking a shortcut and disables verifying HTTPS requests for the
    entire requests/urllib3 library. This was meant to be a temporary shortcut
    until proper handling of ceph-mgr restful plugin HTTPS certificates is
    implemented.

    This commit implements automatic python-cephclient restful plugin
    certificate retrieval such that it is no longer necessary to disable
    requests/urllib3 certificates verification.

    Two options were available:

    1. provide path to certificate file when creating an instance of
       CephClient() or CephWrapper() then use that value when creating
       a request session ('verify' attribute).

       This delegates the responsibility of providing a valid certificate to
       the caller/user of python-cephclient library. Because it implies an
       API update all StarlingX components using python-cephclient need to
       be updated.

       The certificate file itself is created when mgr-restful-plugin
       is started before ceph-mgr restful plugin service is configured
       to use it.

    2. add support for retrieving the certificate by using 'ceph' commands
       similar to how user credentials and restful plugin endpoint are
       discovered.

       If there is an error in getting the certificate then the session
       certificate verification is temporarily disabled until the next
       request is made. This means that if the corresponding Ceph config-key
       'mgr/restful/{hostname}/crt' is removed then python-cephclient will
       incur the overhead of running 'ceph config-key get' before each
       request but this is an unlikely scenario in our case.

    Option #2 was selected because it doesn't change existing API.

    Change-Id: I68acb3e1d2fb8e2bb07c8d67e65b02d55a6716ca
    Depends-on: I6e8ca93c7b51546d134a6eb221c282961ba50afa
    Closes-bug: 1828470
    Signed-off-by: Daniel Badea <email address hidden>
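
An added example, not the code from the python-cephclient commit: it shows the option 2 flow of reading the certificate with `ceph config-key get` and using it as the session's `verify` value, with the verification-off fallback made an explicit choice. Only the `mgr/restful/{hostname}/crt` key and the `ceph config-key get` command come from the commit message; the function names, `cert_dir`, the file name and the `fail_open` switch are assumptions, and `session` is any object with a requests-style `verify` attribute.

```python
import os
import subprocess
import tempfile

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def fetch_restful_cert(hostname, run=subprocess.check_output):
    """Read the restful plugin certificate from the Ceph config-key store."""
    key = "mgr/restful/{}/crt".format(hostname)
    pem = run(["ceph", "config-key", "get", key]).decode("ascii", "replace")
    if PEM_HEADER not in pem:
        raise ValueError("{} does not contain a PEM certificate".format(key))
    return pem


def pin_session(session, hostname, cert_dir, run=subprocess.check_output,
                fail_open=False):
    """Point session.verify at the retrieved certificate.

    Returns True when the session is pinned. With fail_open=True a retrieval
    error sets session.verify = False (the fallback the commit message
    describes) and returns False so the caller retries before the next
    request; with fail_open=False the error propagates.
    """
    try:
        pem = fetch_restful_cert(hostname, run)
    except (OSError, ValueError, subprocess.CalledProcessError):
        if not fail_open:
            raise
        session.verify = False
        return False
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=cert_dir, suffix=".tmp")
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)
    path = os.path.join(cert_dir, "restful-{}.crt".format(hostname))
    os.replace(tmp, path)
    session.verify = path
    return True
```

The `run` parameter exists so the retrieval can be exercised without a Ceph cluster; in normal use it stays at its `subprocess.check_output` default.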