diff --git a/etc/marconi.conf.sample b/etc/marconi.conf.sample
index ce2a80dbe..40a86e076 100644
--- a/etc/marconi.conf.sample
+++ b/etc/marconi.conf.sample
@@ -146,9 +146,36 @@
 # Options defined in marconi.storage.mongodb
 #
 
-# Mongodb Connection URI. (string value)
+# Mongodb Connection URI. If ssl connection enabled,
+# then the following 'ssl_keyfile', 'ssl_certfile',
+# 'ssl_cert_reqs', 'ssl_ca_certs' need to be set accordingly.
+# (string value)
 #uri=
 
+# The private keyfile used to identify the local connection
+# against mongod. If included with the 'certifle' then only
+# the ssl_certfile is needed. (string value)
+#ssl_keyfile=
+
+# The certificate file used to identify the local connection
+# against mongod. (string value)
+#ssl_certfile=
+
+# Specifies whether a certificate is required from the other
+# side of the connection, and whether it will be validated
+# if provided. It must be one of the three values 'CERT_NONE'
+# (certificates ignored), 'CERT_OPTIONAL'(not required, but
+# validated if provided), or 'CERT_REQUIRED'(required and validated).
+# If the value of this parameter is not 'CERT_NONE', then the
+# 'ssl_ca_certs' parameter must point to a file of CA certificates.
+# (string value)
+#ssl_cert_reqs=CERT_REQUIRED
+
+# The ca_certs file contains a set of concatenated certification
+# authority certificates, which are used to validate certificates
+# passed from the other end of the connection. (string value)
+#ssl_ca_certs=
+
 # Database name. (string value)
 #database=marconi
diff --git a/marconi/queues/storage/mongodb/driver.py b/marconi/queues/storage/mongodb/driver.py
index 5e43a9db2..1b99ea8cb 100644
--- a/marconi/queues/storage/mongodb/driver.py
+++ b/marconi/queues/storage/mongodb/driver.py
@@ -15,6 +15,8 @@
 """Mongodb storage driver implementation."""
 
+import ssl
+
 import pymongo
 import pymongo.errors
@@ -34,6 +36,29 @@ def _connection(conf):
     else:
         MongoClient = pymongo.MongoClient
 
+    if 'ssl=true' in conf.uri.lower():
+        kwargs = {}
+
+        # Default to CERT_REQUIRED
+        ssl_cert_reqs = ssl.CERT_REQUIRED
+
+        if conf.ssl_cert_reqs == 'CERT_OPTIONAL':
+            ssl_cert_reqs = ssl.CERT_OPTIONAL
+
+        if conf.ssl_cert_reqs == 'CERT_NONE':
+            ssl_cert_reqs = ssl.CERT_NONE
+
+        kwargs['ssl_cert_reqs'] = ssl_cert_reqs
+
+        if conf.ssl_keyfile:
+            kwargs['ssl_keyfile'] = conf.ssl_keyfile
+        if conf.ssl_certfile:
+            kwargs['ssl_certfile'] = conf.ssl_certfile
+        if conf.ssl_ca_certs:
+            kwargs['ssl_ca_certs'] = conf.ssl_ca_certs
+
+        return MongoClient(conf.uri, **kwargs)
+
     return MongoClient(conf.uri)
diff --git a/marconi/queues/storage/mongodb/options.py b/marconi/queues/storage/mongodb/options.py
index b27e26196..390a2a0d6 100644
--- a/marconi/queues/storage/mongodb/options.py
+++ b/marconi/queues/storage/mongodb/options.py
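Review bot: In the added `ssl=true` branch of `_connection`, any `ssl_cert_reqs` value other than the two strings explicitly compared — a typo such as `CERT_REQUIRE`, or lowercase `cert_none` — is silently treated as `CERT_REQUIRED`, so a misconfiguration is never reported to the operator. The branch also does not enforce what the new option help promises, that `ssl_ca_certs` must be set whenever `ssl_cert_reqs` is not `CERT_NONE`; it leaves that to pymongo, which, depending on the pinned version, may only fail at first connection with a less specific error. Looking the value up in an explicit table and checking the CA-file requirement up front, raising `ValueError` (or the project's own configuration error, if it has one), gives a clear failure at startup; a sketch follows. Separately, the substring test `'ssl=true' in conf.uri.lower()` silently drops every `ssl_*` option when the URI does not contain that exact text, so it may be worth reading the parsed URI options (e.g. via `pymongo.uri_parser.parse_uri`, if present in the pinned pymongo) instead. `_connection` begins before this hunk.
```python
    if 'ssl=true' in conf.uri.lower():
        cert_reqs = {
            'CERT_NONE': ssl.CERT_NONE,
            'CERT_OPTIONAL': ssl.CERT_OPTIONAL,
            'CERT_REQUIRED': ssl.CERT_REQUIRED,
        }
        try:
            ssl_cert_reqs = cert_reqs[conf.ssl_cert_reqs]
        except KeyError:
            raise ValueError('Unsupported ssl_cert_reqs value: %r'
                             % (conf.ssl_cert_reqs,))
        if ssl_cert_reqs != ssl.CERT_NONE and not conf.ssl_ca_certs:
            raise ValueError('ssl_ca_certs must be set when ssl_cert_reqs '
                             'is not CERT_NONE')

        kwargs = {'ssl_cert_reqs': ssl_cert_reqs}
        # ... unchanged: ssl_keyfile / ssl_certfile / ssl_ca_certs kwargs
        # and the MongoClient(conf.uri, **kwargs) call ...
```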
@@ -18,7 +18,39 @@ from oslo.config import cfg
 
 MONGODB_OPTIONS = (
-    cfg.StrOpt('uri', help='Mongodb Connection URI.'),
+
+    cfg.StrOpt('ssl_keyfile',
+               help=('The private keyfile used to identify the local '
+                     'connection against mongod. If included with the '
+                     '``certifle`` then only the ``ssl_certfile`` '
+                     'is needed.')),
+
+    cfg.StrOpt('ssl_certfile',
+               help=('The certificate file used to identify the local '
+                     'connection against mongod.')),
+
+    cfg.StrOpt('ssl_cert_reqs', default='CERT_REQUIRED',
+               help=('Specifies whether a certificate is required from '
+                     'the other side of the connection, and whether it '
+                     'will be validated if provided. It must be one of '
+                     'the three values ``CERT_NONE``(certificates ignored), '
+                     '``CERT_OPTIONAL``(not required, but validated if '
+                     'provided), or ``CERT_REQUIRED``(required and '
+                     'validated). If the value of this parameter is not '
+                     '``CERT_NONE``, then the ``ssl_ca_cert`` parameter '
+                     'must point to a file of CA certificates.')),
+
+    cfg.StrOpt('ssl_ca_certs',
+               help=('The ca_certs file contains a set of concatenated '
+                     '"certification authority" certificates, which are '
+                     'used to validate certificates passed from the other '
+                     'end of the connection.')),
+
+    cfg.StrOpt('uri',
+               help=('Mongodb Connection URI. If ssl connection enabled, '
+                     'then ``ssl_keyfile``, ``ssl_certfile``, '
+                     '``ssl_cert_reqs``, ``ssl_ca_certs`` need to be set '
+                     'accordingly.')),
     cfg.StrOpt('database', default='marconi',
                help='Database name.'),