Adds ability to black/whitelist v3 API extensions

Adds a config option which will blacklist specific v3 API extensions from being loaded even if they are detected. Adds a config option which if the list is not empty will stop any v3 API extension from being loaded unless it is in the whitelist. No filtering occurs if the whitelist is empty Creates a config option group osapi_v3 to hold the two new options and osapi_v3_enabled renamed to just enabled within the new group Partially implements blueprint v3-api-extension-framework Change-Id: Iec7fdb073b933791b0110dae485538c9080f2670
author: Chris Yeoh <cyeoh@au1.ibm.com> 2013-05-17 16:53:37 +0930
committer: Chris Yeoh <cyeoh@au1.ibm.com> 2013-06-03 14:27:41 +0930
commit: bb36650f87dd4b30e9ebbbb4409444b4482338b5 (patch)
tree: 3775ebb20bac3b3c50d61eb8a952a56a01de2640
parent: 5ec5dbbf3034c7e092f7513272ed7faf835de550 (diff)
download: nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.tar.gz
nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.tar.xz
nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.zip
4 files changed, 139 insertions, 14 deletions
diff --git a/etc/nova/nova.conf.sample b/etc/nova/nova.conf.sample
index 569c2d391..29778a556 100644
--- a/etc/nova/nova.conf.sample
+++ b/etc/nova/nova.conf.sample
@@ -413,14 +413,6 @@
 
 
 #
-# Options defined in nova.api.openstack
-#
-
-# Whether the V3 API is enabled or not
-#osapi_v3_enabled=False
-
-
-#
 # Options defined in nova.api.openstack.common
 #
 
@@ -2880,4 +2872,25 @@
 #keymap=en-us
 
 
+[osapi_v3]
+
+#
+# Options defined in nova.api.openstack
+#
+
+# Whether the V3 API is enabled or not
+#enabled=False
+
+# If the list is not empty then a v3 API extension
+# will only be loaded if it exists in this list.
+# Specify the extension aliases here
+#extensions_whitelist=
+
+# A list of v3 API extensions to never load.
+# Specify the extension aliases here.
+# Note that if an extension is in both the blacklist and
+# and whitelist then it will not be loaded
+#extensions_blacklist=
+
+
 # Total option count: 584
diff --git a/nova/api/openstack/__init__.py b/nova/api/openstack/__init__.py
index c5181dd0b..96b9f5781 100644
--- a/nova/api/openstack/__init__.py
+++ b/nova/api/openstack/__init__.py
@@ -35,14 +35,25 @@ from nova import wsgi as base_wsgi
 
 
 api_opts = [
-        cfg.BoolOpt('osapi_v3_enabled',
+        cfg.BoolOpt('enabled',
                     default=False,
-                    help='Whether the V3 API is enabled or not')
+                    help='Whether the V3 API is enabled or not'),
+        cfg.ListOpt('extensions_blacklist',
+                    default=[],
+                    help='A list of v3 API extensions to never load. '
+                    'Specify the extension aliases here.'),
+        cfg.ListOpt('extensions_whitelist',
+                    default=[],
+                    help='If the list is not empty then a v3 API extension '
+                    'will only be loaded if it exists in this list. Specify '
+                    'the extension aliases here.')
 ]
+api_opts_group = cfg.OptGroup(name='osapi_v3', title='API v3 Options')
 
 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
-CONF.register_opts(api_opts)
+CONF.register_group(api_opts_group)
+CONF.register_opts(api_opts, api_opts_group)
 
 
 class FaultWrapper(base_wsgi.Middleware):
@@ -239,15 +250,44 @@ class APIRouterV3(base_wsgi.Router):
             if (self.init_only is None or ext.obj.alias in
                 self.init_only) and isinstance(ext.obj,
                                                extensions.V3APIExtensionBase):
-                return self._register_extension(ext)
+
+                # Check whitelist is either empty or if not then the extension
+                # is in the whitelist
+                if (not CONF.osapi_v3.extensions_whitelist or
+                    ext.obj.alias in CONF.osapi_v3.extensions_whitelist):
+
+                    # Check the extension is not in the blacklist
+                    if ext.obj.alias not in CONF.osapi_v3.extensions_blacklist:
+                        return self._register_extension(ext)
+                    else:
+                        LOG.warning(_("Not loading %s because it is "
+                                      "in the blacklist"), ext.obj.alias)
+                        return False
+                else:
+                    LOG.warning(
+                        _("Not loading %s because it is not in the whitelist"),
+                        ext.obj.alias)
+                    return False
             else:
                 return False
 
-        if not CONF.osapi_v3_enabled:
+        if not CONF.osapi_v3.enabled:
             LOG.warning("V3 API has been disabled by configuration")
             return
 
         self.init_only = init_only
+        LOG.debug(_("v3 API Extension Blacklist: %s"),
+                  CONF.osapi_v3.extensions_blacklist)
+        LOG.debug(_("v3 API Extension Whitelist: %s"),
+                  CONF.osapi_v3.extensions_whitelist)
+
+        in_blacklist_and_whitelist = set(
+            CONF.osapi_v3.extensions_whitelist).intersection(
+                CONF.osapi_v3.extensions_blacklist)
+        if len(in_blacklist_and_whitelist) != 0:
+            LOG.warning(_("Extensions in both blacklist and whitelist: %s"),
+                        list(in_blacklist_and_whitelist))
+
         self.api_extension_manager = stevedore.enabled.EnabledExtensionManager(
             namespace=self.API_EXTENSION_NAMESPACE,
             check_func=_check_load_extension,
diff --git a/nova/test.py b/nova/test.py
index ac056ad1c..0d49f6d92 100644
--- a/nova/test.py
+++ b/nova/test.py
@@ -227,7 +227,7 @@ class TestCase(testtools.TestCase):
         self.useFixture(fixtures.EnvironmentVariable('http_proxy'))
         self.policy = self.useFixture(policy_fixture.PolicyFixture())
         CONF.set_override('fatal_exception_format_errors', True)
-        CONF.set_override('osapi_v3_enabled', True)
+        CONF.set_override('enabled', True, 'osapi_v3')
 
     def _clear_attrs(self):
         # Delete attributes that don't start with _ so they don't pin
diff --git a/nova/tests/api/openstack/compute/test_v3_extensions.py b/nova/tests/api/openstack/compute/test_v3_extensions.py
new file mode 100644
index 000000000..f7c1bf39c
--- /dev/null
+++ b/nova/tests/api/openstack/compute/test_v3_extensions.py
@@ -0,0 +1,72 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 IBM Corp.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo.config import cfg
+
+from nova.api.openstack import compute
+from nova.api.openstack.compute import plugins
+from nova import test
+
+CONF = cfg.CONF
+
+
+class fake_bad_extension(object):
+    name = "fake_bad_extension"
+    alias = "fake-bad"
+
+
+class ExtensionLoadingTestCase(test.TestCase):
+
+    def test_extensions_loaded(self):
+        app = compute.APIRouterV3()
+        self.assertIn('servers', app._loaded_extension_info.extensions)
+
+    def test_check_bad_extension(self):
+        extension_info = plugins.LoadedExtensionInfo()
+        self.assertFalse(extension_info._check_extension(fake_bad_extension))
+
+    def test_extensions_blacklist(self):
+        app = compute.APIRouterV3()
+        self.assertIn('os-fixed-ips', app._loaded_extension_info.extensions)
+        CONF.set_override('extensions_blacklist', 'os-fixed-ips', 'osapi_v3')
+        app = compute.APIRouterV3()
+        self.assertNotIn('os-fixed-ips', app._loaded_extension_info.extensions)
+
+    def test_extensions_whitelist_accept(self):
+        app = compute.APIRouterV3()
+        self.assertIn('os-fixed-ips', app._loaded_extension_info.extensions)
+        CONF.set_override('extensions_whitelist', 'servers,os-fixed-ips',
+                          'osapi_v3')
+        app = compute.APIRouterV3()
+        self.assertIn('os-fixed-ips', app._loaded_extension_info.extensions)
+
+    def test_extensions_whitelist_block(self):
+        app = compute.APIRouterV3()
+        self.assertIn('os-fixed-ips', app._loaded_extension_info.extensions)
+        CONF.set_override('extensions_whitelist', 'servers', 'osapi_v3')
+        app = compute.APIRouterV3()
+        self.assertNotIn('os-fixed-ips', app._loaded_extension_info.extensions)
+
+    def test_blacklist_overrides_whitelist(self):
+        app = compute.APIRouterV3()
+        self.assertIn('os-fixed-ips', app._loaded_extension_info.extensions)
+        CONF.set_override('extensions_whitelist', 'servers,os-fixed-ips',
+                          'osapi_v3')
+        CONF.set_override('extensions_blacklist', 'os-fixed-ips', 'osapi_v3')
+        app = compute.APIRouterV3()
+        self.assertNotIn('os-fixed-ips', app._loaded_extension_info.extensions)
+        self.assertIn('servers', app._loaded_extension_info.extensions)
+        self.assertEqual(len(app._loaded_extension_info.extensions), 1)
author	Chris Yeoh <cyeoh@au1.ibm.com>	2013-05-17 16:53:37 +0930
committer	Chris Yeoh <cyeoh@au1.ibm.com>	2013-06-03 14:27:41 +0930
commit	bb36650f87dd4b30e9ebbbb4409444b4482338b5 (patch)
tree	3775ebb20bac3b3c50d61eb8a952a56a01de2640
parent	5ec5dbbf3034c7e092f7513272ed7faf835de550 (diff)
download	nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.tar.gz nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.tar.xz nova-bb36650f87dd4b30e9ebbbb4409444b4482338b5.zip