Expose pymongo's SSL cert options

Expose 'ssl_keyfile', 'ssl_certfile', 'ssl_cert_reqs' and
'ssl_ca_certs' options for maximum security. By default, ssl
is not enabled unless the ssl parameter is included directly in
the mongodb uri, and ssl_cert_reqs = CERT_REQUIRED, which
means the user must provide 'ssl_ca_certs' if ssl is enabled
by adding the ssl parameter to the mongodb uri.

Change-Id: I67cb5a9b2d76625de2932c854d0a696e9118ca6b
Closes-Bug: #1328720
pengfei wang 2014-06-17 16:22:29 +08:00
parent 22584f484c
commit f1c3437320
3 changed files with 86 additions and 2 deletions


@ -146,9 +146,36 @@
# Options defined in marconi.storage.mongodb
#
# Mongodb Connection URI. (string value)
# Mongodb Connection URI. If ssl connection enabled,
# then the following 'ssl_keyfile', 'ssl_certfile',
# 'ssl_cert_reqs', 'ssl_ca_certs' need to be set accordingly.
# (string value)
#uri=<None>
# The private keyfile used to identify the local connection
# against mongod. If included with the 'certifle' then only
# the ssl_certfile is needed. (string value)
#ssl_keyfile=<None>
# The certificate file used to identify the local connection
# against mongod. (string value)
#ssl_certfile=<None>
# Specifies whether a certificate is required from the other
# side of the connection, and whether it will be validated
# if provided. It must be one of the three values 'CERT_NONE'
# (certificates ignored), 'CERT_OPTIONAL'(not required, but
# validated if provided), or 'CERT_REQUIRED'(required and validated).
# If the value of this parameter is not 'CERT_NONE', then the
# 'ssl_ca_certs' parameter must point to a file of CA certificates.
# (string value)
#ssl_cert_reqs=CERT_REQUIRED
# The ca_certs file contains a set of concatenated certification
# authority certificates, which are used to validate certificates
# passed from the other end of the connection. (string value)
#ssl_ca_certs=<None>
# Database name. (string value)
#database=marconi


@ -15,6 +15,8 @@
"""Mongodb storage driver implementation."""
import ssl
import pymongo
import pymongo.errors
@ -34,6 +36,29 @@ def _connection(conf):
else:
MongoClient = pymongo.MongoClient
if 'ssl=true' in conf.uri.lower():
kwargs = {}
# Default to CERT_REQUIRED
ssl_cert_reqs = ssl.CERT_REQUIRED
if conf.ssl_cert_reqs == 'CERT_OPTIONAL':
ssl_cert_reqs = ssl.CERT_OPTIONAL
if conf.ssl_cert_reqs == 'CERT_NONE':
ssl_cert_reqs = ssl.CERT_NONE
kwargs['ssl_cert_reqs'] = ssl_cert_reqs
if conf.ssl_keyfile:
kwargs['ssl_keyfile'] = conf.ssl_keyfile
if conf.ssl_certfile:
kwargs['ssl_certfile'] = conf.ssl_certfile
if conf.ssl_ca_certs:
kwargs['ssl_ca_certs'] = conf.ssl_ca_certs
return MongoClient(conf.uri, **kwargs)
return MongoClient(conf.uri)
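Review bot: An unrecognised `ssl_cert_reqs` value (a typo such as `cert_required`, or any string other than the two compared against) is silently mapped to `ssl.CERT_REQUIRED` by the two `if` checks after `# Default to CERT_REQUIRED`, so a misconfiguration is never surfaced to the operator even though the option's help text promises exactly three accepted values. Failing closed is the right default, but the mapping should be explicit and reject unknown input at connection time rather than guess; a lookup table also removes the repeated comparisons. The `'ssl=true' in conf.uri.lower()` substring test is a further fragility worth a comment, since it matches that text anywhere in the URI rather than as a parsed query option; I would at least annotate it with `# NOTE: substring match, not a parsed URI option — confirm this is intended`. `_connection` starts before this hunk, so the enclosing function's signature is outside the visible lines.
```python
    if 'ssl=true' in conf.uri.lower():
        kwargs = {}
        # Explicit table: unknown values must not silently become a default.
        cert_reqs_by_name = {
            'CERT_NONE': ssl.CERT_NONE,
            'CERT_OPTIONAL': ssl.CERT_OPTIONAL,
            'CERT_REQUIRED': ssl.CERT_REQUIRED,
        }
        try:
            kwargs['ssl_cert_reqs'] = cert_reqs_by_name[conf.ssl_cert_reqs]
        except KeyError:
            # Substitute the project's configuration-error type if one exists.
            raise ValueError('Unsupported ssl_cert_reqs value: %r'
                             % (conf.ssl_cert_reqs,))
        # … unchanged: ssl_keyfile / ssl_certfile / ssl_ca_certs handling …
        return MongoClient(conf.uri, **kwargs)
```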


@ -18,7 +18,39 @@ from oslo.config import cfg
MONGODB_OPTIONS = (
cfg.StrOpt('uri', help='Mongodb Connection URI.'),
cfg.StrOpt('ssl_keyfile',
help=('The private keyfile used to identify the local '
'connection against mongod. If included with the '
'``certifle`` then only the ``ssl_certfile`` '
'is needed.')),
cfg.StrOpt('ssl_certfile',
help=('The certificate file used to identify the local '
'connection against mongod.')),
cfg.StrOpt('ssl_cert_reqs', default='CERT_REQUIRED',
help=('Specifies whether a certificate is required from '
'the other side of the connection, and whether it '
'will be validated if provided. It must be one of '
'the three values ``CERT_NONE``(certificates ignored), '
'``CERT_OPTIONAL``(not required, but validated if '
'provided), or ``CERT_REQUIRED``(required and '
'validated). If the value of this parameter is not '
'``CERT_NONE``, then the ``ssl_ca_cert`` parameter '
'must point to a file of CA certificates.')),
cfg.StrOpt('ssl_ca_certs',
help=('The ca_certs file contains a set of concatenated '
'"certification authority" certificates, which are '
'used to validate certificates passed from the other '
'end of the connection.')),
cfg.StrOpt('uri',
help=('Mongodb Connection URI. If ssl connection enabled, '
'then ``ssl_keyfile``, ``ssl_certfile``, '
'``ssl_cert_reqs``, ``ssl_ca_certs`` need to be set '
'accordingly.')),
cfg.StrOpt('database', default='marconi', help='Database name.'),