Package list python-castellan / 89f311d
add "verify_ssl_path" config for barbican key manager Now we cann't use the verify_ssl if we set True, so we add the "verify_ssl_path" config to solve it. Closes-Bug: #1876102 Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5 ramboman 1 year, 4 months ago
4 changed file(s) with 30 addition(s) and 5 deletion(s). Raw diff Collapse all Expand all
6363 cfg.BoolOpt('verify_ssl',
6464 default=True,
6565 help='Specifies if insecure TLS (https) requests. If False, '
66 'the server\'s certificate will not be validated'),
66 'the server\'s certificate will not be validated, if '
67 'True, we can set the verify_ssl_path config meanwhile.'),
68 cfg.StrOpt('verify_ssl_path',
69 default=None,
70 help='A path to a bundle or CA certs to check against, or '
71 'None for requests to attempt to locate and use '
72 'certificates which verify_ssh is True. If verify_ssl '
73 'is False, this is ignored.'),
6774 cfg.StrOpt('barbican_endpoint_type',
6875 default='public',
6976 choices=['public', 'internal', 'admin'],
108115
109116 try:
110117 auth = self._get_keystone_auth(context)
111 sess = session.Session(auth=auth,
112 verify=self.conf.barbican.verify_ssl)
118 verify_ssl = self.conf.barbican.verify_ssl
119 verify_ssl_path = self.conf.barbican.verify_ssl_path
120 verify = verify_ssl and verify_ssl_path or verify_ssl
121 sess = session.Session(auth=auth, verify=verify)
113122
114123 self._barbican_endpoint = self._get_barbican_endpoint(auth, sess)
115124 self._barbican_client = barbican_client_import.Client(
4040 def set_defaults(conf, backend=None, barbican_endpoint=None,
4141 barbican_api_version=None, auth_endpoint=None,
4242 retry_delay=None, number_of_retries=None, verify_ssl=None,
43 verify_ssl_path=None,
4344 api_class=None, vault_root_token_id=None,
4445 vault_approle_role_id=None, vault_approle_secret_id=None,
4546 vault_kv_mountpoint=None, vault_url=None,
5657 :param retry_delay: Use this attribute to set retry delay.
5758 :param number_of_retries: Use this attribute to set number of retries.
5859 :param verify_ssl: Use this to specify if ssl should be verified.
60 :param verify_ssl_path: Use this to specify the CA path.
5961 :param vault_root_token_id: Use this for the root token id for vault.
6062 :param vault_approle_role_id: Use this for the approle role_id for vault.
6163 :param vault_approle_secret_id: Use this for the approle secret_id
101103 group=bkm._BARBICAN_OPT_GROUP)
102104 if verify_ssl is not None:
103105 conf.set_default('verify_ssl', verify_ssl,
106 group=bkm._BARBICAN_OPT_GROUP)
107 if verify_ssl_path is not None:
108 conf.set_default('verify_ssl_path', verify_ssl_path,
104109 group=bkm._BARBICAN_OPT_GROUP)
105110 if barbican_endpoint_type is not None:
106111 conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
6161 self.assertEqual(number_of_retries,
6262 conf.barbican.number_of_retries)
6363
64 verify_ssl = True
65 options.set_defaults(conf, verify_ssl=True)
64 verify_ssl = False
65 options.set_defaults(conf, verify_ssl=False)
6666 self.assertEqual(verify_ssl,
6767 conf.barbican.verify_ssl)
68
69 verify_ssl_path = '/mnt'
70 options.set_defaults(conf, verify_ssl_path='/mnt')
71 self.assertEqual(verify_ssl_path,
72 conf.barbican.verify_ssl_path)
6873
6974 barbican_endpoint_type = 'internal'
7075 options.set_defaults(conf, barbican_endpoint_type='internal')
0 ---
1 fixes:
2 - |
3 Add a new parameter, ``verify_ssl_path``, that can be used to
4 configure the path to CA certs when verifying requests to
5 Barbican.