diff --git a/src/api-lib/vnc_api.py b/src/api-lib/vnc_api.py
index 1e06051e150..5e660efb6a5 100644
--- a/src/api-lib/vnc_api.py
+++ b/src/api-lib/vnc_api.py
@@ -109,8 +109,8 @@ class VncApi(object):
 # ssl termination on port 8082(default contrail-api port)
 _DEFAULT_API_SERVER_CONNECT="http"
 _DEFAULT_API_SERVER_SSL_CONNECT="https"
- _DEFAULT_KS_CERT_BUNDLE="/tmp/keystonecertbundle.pem"
- _DEFAULT_API_CERT_BUNDLE="/tmp/apiservercertbundle.pem"
+ _DEFAULT_KS_CERT_BUNDLE="keystonecertbundle.pem"
+ _DEFAULT_API_CERT_BUNDLE="apiservercertbundle.pem"
 # Connection to api-server through Quantum
 _DEFAULT_WEB_PORT = 8082
@@ -130,7 +130,9 @@ def __init__(self, username=None, password=None, tenant_name=None,
 auth_token=None, auth_host=None, auth_port=None, auth_protocol = None, auth_url=None, auth_type=None, wait_for_connect=False, api_server_use_ssl=False,
- domain_name=None):
+ domain_name=None, apicertfile=None, apikeyfile=None,
+ apicafile=None, kscertfile=None, kskeyfile=None,
+ kscafile=None,):
 # TODO allow for username/password to be present in creds file
 self._obj_serializer = self._obj_serializer_diff
@@ -164,6 +166,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
 if use_ssl:
 self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
+ if not api_server_host:
+ self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
+ self._DEFAULT_WEB_SERVER)
+ else:
+ self._web_host = api_server_host
+
 # keystone
 self._authn_type = auth_type or \
 _read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE',
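Review bot: `_DEFAULT_KS_CERT_BUNDLE` and `_DEFAULT_API_CERT_BUNDLE` now hold a bare file name rather than a path, but nothing at the definition says so, and the same-named module-level constants in vnc_auth_keystone.py and vnc_openstack/__init__.py later in this diff are still passed to getCertKeyCaBundle as the complete bundle path. A reader comparing the two will assume they are interchangeable. A comment above the pair, `# file name only; __init__ joins it under a per-api-server directory in /tmp`, or renaming them to `_DEFAULT_KS_CERT_BUNDLE_NAME` / `_DEFAULT_API_CERT_BUNDLE_NAME`, would make the split explicit.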
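Review bot: The six new keyword parameters (apicertfile, apikeyfile, apicafile, kscertfile, kskeyfile, kscafile) are undocumented, and the signature now ends with a stray trailing comma in `kscafile=None,):`. Their precedence over the config file is only visible in later hunks, so add a short docstring to __init__ stating that each one, when given, overrides the corresponding `[global]` / `[auth]` certfile/keyfile/cafile setting and that the CA file is what enables bundle creation; also drop the comma, `kscafile=None):`. __init__'s body continues outside this hunk.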
@@ -202,22 +210,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
 ConfigParser.NoOptionError, ConfigParser.NoSectionError):
 self._apiinsecure = False
- apicertfile=_read_cfg(cfg_parser,'global','certfile','')
- apikeyfile=_read_cfg(cfg_parser,'global','keyfile','')
- apicafile=_read_cfg(cfg_parser,'global','cafile','')
+ apicertfile = (apicertfile or
+ _read_cfg(cfg_parser,'global','certfile',''))
+ apikeyfile = (apikeyfile or
+ _read_cfg(cfg_parser,'global','keyfile',''))
+ apicafile = (apicafile or
+ _read_cfg(cfg_parser,'global','cafile',''))
 self._use_api_certs=False
- if api_server_use_ssl:
- certs = []
- if apicafile:
- certs.append(apicafile)
- if apicertfile:
- certs.append(apicertfile)
- if apikeyfile:
- certs.append(apikeyfile)
- if certs:
- self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
- self._use_api_certs=True
+ if apicafile and api_server_use_ssl:
+ certs=[apicafile]
+ if apikeyfile and apicertfile:
+ certs=[apicertfile, apikeyfile, apicafile]
+ apicertbundle = os.path.join(
+ '/tmp', self._web_host.replace('.', '_'),
+ VncApi._DEFAULT_API_CERT_BUNDLE)
+ self._apicertbundle=utils.getCertKeyCaBundle(apicertbundle,
+ certs)
+ self._use_api_certs=True
 # keystone SSL support
 try:
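Review bot: The bundle path built from `os.path.join('/tmp', self._web_host.replace('.', '_'), VncApi._DEFAULT_API_CERT_BUNDLE)` is a predictable location under the shared, world-writable /tmp, and when apikeyfile is set the bundle written there contains the client private key, so any other local account can pre-create that directory or file and the write in getCertKeyCaBundle follows whatever is already there. Prefer a directory the service owns (a configurable cache directory, or one created with `tempfile.mkdtemp()` for the process lifetime) with the bundle created at mode 0600, and validate `_web_host` before using it as a path component, since a value containing `/` or `..` is not rejected by the replace() call (it comes from the config file or the caller, so presumably trusted, but it is unchecked). A second point is that the new condition drops a configured certfile or keyfile when only one of the pair is set, where the removed code appended whichever was present; that misconfiguration should at least produce a warning instead of a silent fall-back to CA-only verification. Both points apply equally to the keystone block in the next hunk, and the silent-drop point to the vnc_auth_keystone.py hunk further down. __init__ continues outside this hunk.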
@@ -226,22 +236,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
 ConfigParser.NoOptionError, ConfigParser.NoSectionError):
 self._ksinsecure = False
- kscertfile=_read_cfg(cfg_parser,'auth','certfile','')
- kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','')
- kscafile=_read_cfg(cfg_parser,'auth','cafile','')
+ kscertfile = (kscertfile or
+ _read_cfg(cfg_parser,'auth','certfile',''))
+ kskeyfile = (kskeyfile or
+ _read_cfg(cfg_parser,'auth','keyfile',''))
+ kscafile = (kscafile or
+ _read_cfg(cfg_parser,'auth','cafile',''))
 self._use_ks_certs=False
- if self._authn_protocol == 'https':
- certs = []
- if kscafile:
- certs.append(kscafile)
- if kscertfile:
- certs.append(kscertfile)
- if kskeytfile:
- certs.append(kskeyfile)
- if certs:
- self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
- self._use_ks_certs=True
+ if kscafile and self._authn_protocol == 'https':
+ certs=[kscafile]
+ if kskeyfile and kscertfile:
+ certs=[kscertfile, kskeyfile, kscafile]
+ kscertbundle = os.path.join(
+ '/tmp', self._web_host.replace('.', '_'),
+ VncApi._DEFAULT_KS_CERT_BUNDLE)
+ self._kscertbundle=utils.getCertKeyCaBundle(kscertbundle,
+ certs)
+ self._use_ks_certs=True
 if 'v2' in self._authn_url:
 self._authn_body = \
@@ -271,12 +283,6 @@ def __init__(self, username=None, password=None, tenant_name=None,
 '}'
 self._user_info = user_info
- if not api_server_host:
- self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
- self._DEFAULT_WEB_SERVER)
- else:
- self._web_host = api_server_host
-
 if not api_server_port:
 self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT',
 self._DEFAULT_WEB_PORT)
diff --git a/src/config/api-server/vnc_auth_keystone.py b/src/config/api-server/vnc_auth_keystone.py
index 4278e499731..b1c7766d31d 100644
--- a/src/config/api-server/vnc_auth_keystone.py
+++ b/src/config/api-server/vnc_auth_keystone.py
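Review bot: The keystone bundle path uses `self._web_host` (the api-server host) as its directory component, so two VncApi instances in one process that point at the same api-server but at different keystone endpoints compete for the same `kscertbundle` file; whether the staleness check in getCertKeyCaBundle then hands one instance's CA to the other depends on logic outside this diff. Keying the directory on the keystone host instead (the `auth_host` argument, or whatever __init__ resolves it to from the `[auth]` section) keeps the two bundles apart, and a comment on the `os.path.join` call should say which host the directory is derived from. The `@@ -271` hunk below only removes the block moved earlier. __init__ continues outside this hunk.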
@@ -139,10 +139,11 @@ class AuthServiceKeystone(object):
 def __init__(self, server_mgr, args):
 _kscertbundle=''
- if args.certfile and args.keyfile and args.cafile \
- and args.auth_protocol == 'https':
- certs=[args.certfile, args.keyfile, args.cafile]
- _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+ if args.auth_protocol == 'https' and args.cafile:
+ certs=[args.cafile]
+ if args.keyfile and args.certfile:
+ certs=[args.certfile, args.keyfile, args.cafile]
+ _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
 identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
 self._conf_info = {
 'auth_host': args.auth_host,
diff --git a/src/config/common/utils.py b/src/config/common/utils.py
index e1382ccb582..78ee5daaa49 100644
--- a/src/config/common/utils.py
+++ b/src/config/common/utils.py
@@ -22,6 +22,7 @@
 import os
+import errno
 import urllib
 from collections import OrderedDict
 import sys
@@ -148,6 +149,11 @@ def getCertKeyCaBundle(bundle, certs):
 if not bundle_is_stale:
 return bundle
+ try:
+ os.makedirs(os.path.dirname(bundle))
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise
 with open(bundle, 'w') as ofile:
 for cert in certs:
 with open(cert) as ifile:
diff --git a/src/config/vnc_openstack/vnc_openstack/__init__.py b/src/config/vnc_openstack/vnc_openstack/__init__.py
index 1f6b28e9089..d29e6cf47ae 100644
--- a/src/config/vnc_openstack/vnc_openstack/__init__.py
+++ b/src/config/vnc_openstack/vnc_openstack/__init__.py
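Review bot: `os.makedirs(os.path.dirname(bundle))` raises OSError with ENOENT, which the new except clause re-raises, whenever `bundle` is a bare file name (dirname is ''), and the directory is created with the default mode and the bundle with the caller's umask even though the certs list can include a private key (vnc_api.py's apikeyfile/kskeyfile earlier in this diff). Guard the empty-dirname case, pass a restrictive mode to makedirs, and create the bundle through `os.open` at 0600 before handing the descriptor to the writer; if different service accounts are meant to share one bundle, that needs a deliberately chosen mode rather than the umask default. A line above the try, `# bundle may hold a private key: keep directory and file owner-only`, records the reason. getCertKeyCaBundle starts and ends outside this hunk.
```python
    bundle_dir = os.path.dirname(bundle)
    if bundle_dir:
        try:
            os.makedirs(bundle_dir, 0o700)
        except OSError as e:
            if e.errno != errno.EEXIST:
                raise
    # bundle may hold a private key: keep directory and file owner-only
    fd = os.open(bundle, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as ofile:
        # ... unchanged: copy each file in certs into ofile ...
```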
@@ -78,10 +78,12 @@ def fill_keystone_opts(obj, conf_sections):
 obj._kscertbundle=''
 obj._use_certs=False
- if obj._certfile and obj._keyfile and obj._cafile:
- certs=[obj._certfile,obj._keyfile,obj._cafile]
- obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
- obj._use_certs=True
+ if obj._certfile:
+ certs = [obj._certfile]
+ if obj._keyfile and obj._cafile:
+ certs=[obj._certfile,obj._keyfile,obj._cafile]
+ obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+ obj._use_certs=True
 try:
 obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')
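Review bot: The new outer condition `if obj._certfile:` keys bundle creation on the client certificate, whereas the equivalent blocks in vnc_api.py and vnc_auth_keystone.py in this same diff key on the CA file; here a CA-only configuration (cafile set, no certfile) builds no bundle at all, and a certfile-only configuration writes a bundle holding just the client certificate, which would then presumably be handed to the TLS client as its trust bundle and fail verification against the keystone server. Unless vnc_openstack is meant to differ, this should read `if obj._cafile:` / `certs = [obj._cafile]` / `if obj._keyfile and obj._certfile:`, mirroring the vnc_auth_keystone.py hunk. Whichever way it is resolved, a one-line comment on the outer `if` stating which file is the minimum for a usable bundle would stop the three copies drifting again. fill_keystone_opts continues outside this hunk.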