| author | Chris Behrens <cbehrens@codestud.com> | 2013-03-13 19:52:43 +0000 |
|---|---|---|
| committer | Chris Behrens <cbehrens@codestud.com> | 2013-03-19 21:54:00 +0000 |
| commit | c02d3aec3b005640c28b321b22ec0f0f992981ec (patch) | |
| tree | d207a4331af1196e6102bb14cd5d86acb851b98d /nova/consoleauth | |
| parent | 98f9f735d7e6ac32a8736971f4aab0d81c56131e (diff) | |
Fix console support with cells
The (relatively recent) security fixes for consoleauth do not work
with cells because consoleauth and the compute manager for the instance
talk to different rabbit servers. consoleauth is in the API cell and
the compute manager is in a child cell.
This patch adds code to proxy the following via cells:
1) compute -> consoleauth's delete_tokens_for_instance()
2) consoleauth -> compute's validate_console_port()
Also: On instance deletion when the compute manager tells consoleauth to
delete tokens for the instance, it's not necessary to do an rpc.call and
block. The only purpose it could serve would be to log a traceback on failure
on the compute manager side, but that seems unnecessary. There's no
return value. This patch changes it to an rpc.cast instead.
Fixes bug 1154755
Change-Id: Ic763f2a5c0dcff7b7ccfac5927680e7881605f61
Diffstat (limited to 'nova/consoleauth')
| -rw-r--r-- | nova/consoleauth/manager.py | 15 | ||||
| -rw-r--r-- | nova/consoleauth/rpcapi.py | 2 |
2 files changed, 14 insertions, 3 deletions
diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py index fe5bfd861..80a6d447f 100644 --- a/nova/consoleauth/manager.py +++ b/nova/consoleauth/manager.py @@ -22,6 +22,7 @@ import time from oslo.config import cfg +from nova.cells import rpcapi as cells_rpcapi from nova.compute import rpcapi as compute_rpcapi from nova.conductor import api as conductor_api from nova import manager @@ -43,6 +44,7 @@ consoleauth_opts = [ CONF = cfg.CONF CONF.register_opts(consoleauth_opts) +CONF.import_opt('enable', 'nova.cells.opts', group='cells') class ConsoleAuthManager(manager.Manager): @@ -53,8 +55,9 @@ class ConsoleAuthManager(manager.Manager): def __init__(self, scheduler_driver=None, *args, **kwargs): super(ConsoleAuthManager, self).__init__(*args, **kwargs) self.mc = memorycache.get_client() - self.compute_rpcapi = compute_rpcapi.ComputeAPI() self.conductor_api = conductor_api.API() + self.compute_rpcapi = compute_rpcapi.ComputeAPI() + self.cells_rpcapi = cells_rpcapi.CellsAPI() def _get_tokens_for_instance(self, instance_uuid): tokens_str = self.mc.get(instance_uuid.encode('UTF-8')) @@ -88,8 +91,16 @@ class ConsoleAuthManager(manager.Manager): instance_uuid = token['instance_uuid'] if instance_uuid is None: return False + + # NOTE(comstud): consoleauth was meant to run in API cells. So, + # if cells is enabled, we must call down to the child cell for + # the instance. + if CONF.cells.enable: + return self.cells_rpcapi.validate_console_port(context, + instance_uuid, token['port'], token['console_type']) + instance = self.conductor_api.instance_get_by_uuid(context, - instance_uuid) + instance_uuid) return self.compute_rpcapi.validate_console_port(context, instance, token['port'], diff --git a/nova/consoleauth/rpcapi.py b/nova/consoleauth/rpcapi.py index 474f3ad19..9ab477340 100644 --- a/nova/consoleauth/rpcapi.py +++ b/nova/consoleauth/rpcapi.py 
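Review bot: In the last hunk of nova/consoleauth/manager.py, the new `if CONF.cells.enable:` branch makes the return value of `self.cells_rpcapi.validate_console_port(...)` the entire authorization decision for a console token, and nothing in the hunk says what happens when that call raises or times out. The NOTE(comstud) comment explains why the call is routed through cells but not the failure behaviour. I would extend it with something like `# A failed or timed-out cells call must never validate the token; the exception propagates to the caller.`, after confirming that is what the caller does, since the enclosing method starts and ends outside the hunk. The branch keys only on `CONF.cells.enable`, so it presumably relies on this service never running in a child cell; the comment could state that as a deployment requirement instead of as intent ("was meant to").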
@@ -67,7 +67,7 @@ class ConsoleAuthAPI(nova.openstack.common.rpc.proxy.RpcProxy): return self.call(ctxt, self.make_msg('check_token', token=token)) def delete_tokens_for_instance(self, ctxt, instance_uuid): - return self.call(ctxt, + return self.cast(ctxt, self.make_msg('delete_tokens_for_instance', instance_uuid=instance_uuid), version="1.2") |
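Review bot: `delete_tokens_for_instance` keeps `return self.cast(...)`, but a cast has no result to hand back, so the `return` now suggests a value that callers could check; I would write it as a bare `self.cast(ctxt, ...)` statement. The method also has no docstring, and this change makes one worth adding: a short one stating that the request is sent asynchronously, that the caller gets no confirmation the tokens were removed, and that returning from this method is therefore not proof of revocation. The enclosing class ConsoleAuthAPI starts outside the hunk.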
