x/vmware-nsx
Code Issues Proposed changes

NSXv3 Admin: Multiple client certificate support

Browse Source 
Allow deletion of specific certificate
List all openstack certificates with nsx-list command

Change-Id: I79b37a10e2ecf82d0e8f6ed518f491eb2fa612b5
This commit is contained in:
Anna Khmelnitsky 2017-03-06 13:37:06 -08:00
parent a85f0c7341
commit f8ea21aff0
2 changed files with 43 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/source/admin_util.rst
View File

@ -333,7 +333,7 @@ Client Certificate
- Import external certificate to NSX:: - Import external certificate to NSX::
nsxadmin -r certificate -o import --property username=<username> --property password=<password> nsxadmin -r certificate -o import [--property username=<username> --property password=<password> --property filename=<cert filename>]
- List certificates associated with openstack principal identity in NSX:: - List certificates associated with openstack principal identity in NSX::

69
vmware_nsx/shell/admin/plugins/nsxv3/resources/certificates.py
View File

@ -22,7 +22,6 @@ from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
from vmware_nsx.shell.admin.plugins.nsxv3.resources import utils from vmware_nsx.shell.admin.plugins.nsxv3.resources import utils
from vmware_nsx.shell import resources as shell from vmware_nsx.shell import resources as shell
from vmware_nsxlib.v3 import client_cert from vmware_nsxlib.v3 import client_cert
from vmware_nsxlib.v3 import exceptions as nsxlib_exc
from vmware_nsxlib.v3 import trust_management from vmware_nsxlib.v3 import trust_management
from neutron.callbacks import registry from neutron.callbacks import registry
@ -123,18 +122,21 @@ def generate_cert(resource, event, trigger, **kwargs):
def delete_cert(resource, event, trigger, **kwargs): def delete_cert(resource, event, trigger, **kwargs):
"""Delete client certificate and private key """ """Delete client certificate and private key """
with get_certificate_manager(**kwargs) as cert:
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none": if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none":
LOG.info(_LI("Clean operation is not supported " filename = get_cert_filename(**kwargs)
"with storage type 'none'")) if not filename:
LOG.info(_LI("Please specify file containing the certificate "
"using filename property"))
return
cert.delete_pem(filename)
else:
if not cert.exists():
LOG.info(_LI("Nothing to clean"))
return return
with get_certificate_manager(**kwargs) as cert:
if cert.exists():
cert.delete() cert.delete()
LOG.info(_LI("Client certificate deleted succesfully")) LOG.info(_LI("Client certificate deleted succesfully"))
return
LOG.info(_LI("Nothing to clean"))
@admin_utils.output_header @admin_utils.output_header
@ -170,6 +172,18 @@ def show_cert(resource, event, trigger, **kwargs):
"in storage")) "in storage"))
def get_cert_filename(**kwargs):
filename = cfg.CONF.nsx_v3.nsx_client_cert_file
if kwargs.get('property'):
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
filename = properties.get('filename', filename)
if not filename:
LOG.info(_LI("Please specify file containing the certificate "
"using filename property"))
return filename
@admin_utils.output_header @admin_utils.output_header
def import_cert(resource, event, trigger, **kwargs): def import_cert(resource, event, trigger, **kwargs):
"""Import client certificate that was generated externally""" """Import client certificate that was generated externally"""
@ -179,21 +193,14 @@ def import_cert(resource, event, trigger, **kwargs):
"with storage type 'none' only")) "with storage type 'none' only"))
return return
filename = None
if kwargs.get('property'):
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
filename = properties.get('filename')
if not filename:
LOG.info(_LI("Please specify file containing the certificate "
"using filename property"))
return
with get_certificate_manager(**kwargs) as cert: with get_certificate_manager(**kwargs) as cert:
if cert.exists(): if cert.exists():
LOG.info(_LI("Deleting existing certificate")) LOG.info(_LI("Deleting existing certificate"))
cert.delete() cert.delete()
filename = get_cert_filename(**kwargs)
if not filename:
return
cert.import_pem(filename) cert.import_pem(filename)
LOG.info(_LI("Client certificate imported succesfully")) LOG.info(_LI("Client certificate imported succesfully"))
@ -202,26 +209,26 @@ def import_cert(resource, event, trigger, **kwargs):
@admin_utils.output_header @admin_utils.output_header
def show_nsx_certs(resource, event, trigger, **kwargs): def show_nsx_certs(resource, event, trigger, **kwargs):
"""Show client certificates associated with openstack identity in NSX""" """Show client certificates associated with openstack identity in NSX"""
# TODO(annak): show multiple certs when backend supports it
try:
nsx_trust = get_nsx_trust_management(**kwargs) nsx_trust = get_nsx_trust_management(**kwargs)
details = nsx_trust.get_identity_details( ids = nsx_trust.get_identities(cert_utils.NSX_OPENSTACK_IDENTITY)
if not ids:
LOG.info(_LI("Principal identity %s not found"),
cert_utils.NSX_OPENSTACK_IDENTITY)
return
LOG.info(_LI("Certificate(s) associated with principal identity %s\n"),
cert_utils.NSX_OPENSTACK_IDENTITY) cert_utils.NSX_OPENSTACK_IDENTITY)
if 'certificate_id' in details: cert = None
cert = nsx_trust.get_cert(details['certificate_id']) for identity in ids:
if 'certificate_id' in identity:
LOG.info(_LI("The following certificate is associated with " cert = nsx_trust.get_cert(identity['certificate_id'])
"principal identity %s\n"),
cert_utils.NSX_OPENSTACK_IDENTITY)
LOG.info(cert['pem_encoded']) LOG.info(cert['pem_encoded'])
except nsxlib_exc.ResourceNotFound: if not cert:
LOG.info(_LI("No certificates associated with principal identity %s"), LOG.info(_LI("No certificates found"))
cert_utils.NSX_OPENSTACK_IDENTITY)
registry.subscribe(generate_cert, registry.subscribe(generate_cert,