womax/nova
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9519601401ee116a9197fe3b5d571495a96912e9
nova/nova/conf/glance.py
T
Eric Fried 9519601401 Get auth from context for glance endpoint 
Change the Adapter loading for glance to use the auth from the user
context instead of exposing and requiring it in the conf.  With this
change, it is possible to leave the [glance] conf section empty and
still be able to discover the image API endpoint from the service
catalog.

Note that, when we do this, we often end up with the user auth being a
_ContextAuthPlugin, which doesn't conform to the characteristics of
keystoneauth1.identity.base.BaseIdentityPlugin as augmented in
keystoneauth1 3.1.0.  This requires a series of workarounds until bug
1709118 is fixed.  These, along with workarounds for bugs 1707993 and
1707995, are subsumed with this change set in a (hopefully temporary)
helper method nova.utils.get_endpoint.

This lays the foundation for other services that should use user
context for authentication - those via which Nova is acting on behalf
of the user, i.e. cinder, keystone, and (sometimes) neutron[1].
(Services such as placement and ironic (and sometimes neutron) should
continue to use admin auth context loaded from the conf.)

[1] https://github.com/openstack/nova/blob/bb4faf40dfb02237af119646a5ebd960b072b31e/nova/network/neutronv2/api.py#L149-L160

Co-Authored-By: Eric Fried <efried@us.ibm.com>
Partial-Implements: bp use-ksa-adapter-for-endpoints
Change-Id: I4e755b9c66ec8bc3af0393e81cffd91c56064717
2017-11-21 10:26:42 -06:00

164 lines
6.0 KiB
Python
Raw Blame History

# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import loading as ks_loading
from oslo_config import cfg
from nova.conf import utils as confutils
DEFAULT_SERVICE_TYPE = 'image'
glance_group = cfg.OptGroup(
'glance',
title='Glance Options',
help='Configuration options for the Image service')
glance_opts = [
# NOTE(sdague/efried): there is intentionally no default here. This
# requires configuration if ksa adapter config is not used.
cfg.ListOpt('api_servers',
help="""
List of glance api servers endpoints available to nova.
https is used for ssl-based glance api servers.
NOTE: The preferred mechanism for endpoint discovery is via keystoneauth1
loading options. Only use api_servers if you need multiple endpoints and are
unable to use a load balancer for some reason.
Possible values:
* A list of any fully qualified url of the form "scheme://hostname:port[/path]"
(i.e. "http://10.0.1.0:9292" or "https://my.glance.server/image").
"""),
cfg.IntOpt('num_retries',
default=0,
min=0,
help="""
Enable glance operation retries.
Specifies the number of retries when uploading / downloading
an image to / from glance. 0 means no retries.
"""),
cfg.ListOpt('allowed_direct_url_schemes',
default=[],
help="""
List of url schemes that can be directly accessed.
This option specifies a list of url schemes that can be downloaded
directly via the direct_url. This direct_URL can be fetched from
Image metadata which can be used by nova to get the
image more efficiently. nova-compute could benefit from this by
invoking a copy when it has access to the same file system as glance.
Possible values:
* [file], Empty list (default)
"""),
cfg.BoolOpt('verify_glance_signatures',
default=False,
help="""
Enable image signature verification.
nova uses the image signature metadata from glance and verifies the signature
of a signed image while downloading that image. If the image signature cannot
be verified or if the image signature metadata is either incomplete or
unavailable, then nova will not boot the image and instead will place the
instance into an error state. This provides end users with stronger assurances
of the integrity of the image data they are using to create servers.
Related options:
* The options in the `key_manager` group, as the key_manager is used
for the signature validation.
* Both enable_certificate_validation and default_trusted_certificate_ids
below depend on this option being enabled.
"""),
cfg.BoolOpt('enable_certificate_validation',
default=False,
deprecated_for_removal=True,
deprecated_since='16.0.0',
deprecated_reason="""
This option is intended to ease the transition for deployments leveraging
image signature verification. The intended state long-term is for signature
verification and certificate validation to always happen together.
""",
help="""
Enable certificate validation for image signature verification.
During image signature verification nova will first verify the validity of the
image's signing certificate using the set of trusted certificates associated
with the instance. If certificate validation fails, signature verification
will not be performed and the image will be placed into an error state. This
provides end users with stronger assurances that the image data is unmodified
and trustworthy. If left disabled, image signature verification can still
occur but the end user will not have any assurance that the signing
certificate used to generate the image signature is still trustworthy.
Related options:
* This option only takes effect if verify_glance_signatures is enabled.
* The value of default_trusted_certificate_ids may be used when this option
is enabled.
"""),
cfg.ListOpt('default_trusted_certificate_ids',
default=[],
help="""
List of certificate IDs for certificates that should be trusted.
May be used as a default list of trusted certificate IDs for certificate
validation. The value of this option will be ignored if the user provides a
list of trusted certificate IDs with an instance API request. The value of
this option will be persisted with the instance data if signature verification
and certificate validation are enabled and if the user did not provide an
alternative list. If left empty when certificate validation is enabled the
user must provide a list of trusted certificate IDs otherwise certificate
validation will fail.
Related options:
* The value of this option may be used if both verify_glance_signatures and
enable_certificate_validation are enabled.
"""),
cfg.BoolOpt('debug',
default=False,
help='Enable or disable debug logging with glanceclient.')
]
deprecated_ksa_opts = {
'insecure': [cfg.DeprecatedOpt('api_insecure', group=glance_group.name)],
'cafile': [cfg.DeprecatedOpt('ca_file', group="ssl")],
'certfile': [cfg.DeprecatedOpt('cert_file', group="ssl")],
'keyfile': [cfg.DeprecatedOpt('key_file', group="ssl")],
}
def register_opts(conf):
conf.register_group(glance_group)
conf.register_opts(glance_opts, group=glance_group)
confutils.register_ksa_opts(
conf, glance_group, DEFAULT_SERVICE_TYPE, include_auth=False,
deprecated_opts=deprecated_ksa_opts)
def list_opts():
return {glance_group: (
glance_opts +
ks_loading.get_session_conf_options() +
confutils.get_ksa_adapter_opts(DEFAULT_SERVICE_TYPE,
deprecated_opts=deprecated_ksa_opts))
}
Reference in New Issue View Git Blame Copy Permalink