Expose pymongo's SSL cert options
Expose the 'ssl_keyfile', 'ssl_certfile', 'ssl_cert_reqs' and 'ssl_ca_certs' options for maximum security. By default, ssl is not enabled unless the ssl parameter is included in the mongodb uri directly, and ssl_cert_reqs defaults to CERT_REQUIRED, which means the user must provide 'ssl_ca_certs' if ssl is enabled by adding the ssl parameter to the mongodb uri. Change-Id: I67cb5a9b2d76625de2932c854d0a696e9118ca6b Closes-Bug: #1328720
This commit is contained in:
parent
22584f484c
commit
f1c3437320
@ -146,9 +146,36 @@
|
||||
# Options defined in marconi.storage.mongodb
|
||||
#
|
||||
|
||||
# Mongodb Connection URI. (string value)
|
||||
# Mongodb Connection URI. If ssl connection enabled,
|
||||
# then the following 'ssl_keyfile', 'ssl_certfile',
|
||||
# 'ssl_cert_reqs', 'ssl_ca_certs' need to be set accordingly.
|
||||
# (string value)
|
||||
#uri=<None>
|
||||
|
||||
# The private keyfile used to identify the local connection
|
||||
# against mongod. If included with the 'certifle' then only
|
||||
# the ssl_certfile is needed. (string value)
|
||||
#ssl_keyfile=<None>
|
||||
|
||||
# The certificate file used to identify the local connection
|
||||
# against mongod. (string value)
|
||||
#ssl_certfile=<None>
|
||||
|
||||
# Specifies whether a certificate is required from the other
|
||||
# side of the connection, and whether it will be validated
|
||||
# if provided. It must be one of the three values 'CERT_NONE'
|
||||
# (certificates ignored), 'CERT_OPTIONAL'(not required, but
|
||||
# validated if provided), or 'CERT_REQUIRED'(required and validated).
|
||||
# If the value of this parameter is not 'CERT_NONE', then the
|
||||
# 'ssl_ca_certs' parameter must point to a file of CA certificates.
|
||||
# (string value)
|
||||
#ssl_cert_reqs=CERT_REQUIRED
|
||||
|
||||
# The ca_certs file contains a set of concatenated certification
|
||||
# authority certificates, which are used to validate certificates
|
||||
# passed from the other end of the connection. (string value)
|
||||
#ssl_ca_certs=<None>
|
||||
|
||||
# Database name. (string value)
|
||||
#database=marconi
|
||||
|
||||
|
@ -15,6 +15,8 @@
|
||||
|
||||
"""Mongodb storage driver implementation."""
|
||||
|
||||
import ssl
|
||||
|
||||
import pymongo
|
||||
import pymongo.errors
|
||||
|
||||
@ -34,6 +36,29 @@ def _connection(conf):
|
||||
else:
|
||||
MongoClient = pymongo.MongoClient
|
||||
|
||||
if 'ssl=true' in conf.uri.lower():
|
||||
kwargs = {}
|
||||
|
||||
# Default to CERT_REQUIRED
|
||||
ssl_cert_reqs = ssl.CERT_REQUIRED
|
||||
|
||||
if conf.ssl_cert_reqs == 'CERT_OPTIONAL':
|
||||
ssl_cert_reqs = ssl.CERT_OPTIONAL
|
||||
|
||||
if conf.ssl_cert_reqs == 'CERT_NONE':
|
||||
ssl_cert_reqs = ssl.CERT_NONE
|
||||
|
||||
kwargs['ssl_cert_reqs'] = ssl_cert_reqs
|
||||
|
||||
if conf.ssl_keyfile:
|
||||
kwargs['ssl_keyfile'] = conf.ssl_keyfile
|
||||
if conf.ssl_certfile:
|
||||
kwargs['ssl_certfile'] = conf.ssl_certfile
|
||||
if conf.ssl_ca_certs:
|
||||
kwargs['ssl_ca_certs'] = conf.ssl_ca_certs
|
||||
|
||||
return MongoClient(conf.uri, **kwargs)
|
||||
|
||||
return MongoClient(conf.uri)
|
||||
|
||||
|
||||
|
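Review bot: An unrecognized `conf.ssl_cert_reqs` value (a typo, or a lower-case `cert_none`) is silently mapped to `ssl.CERT_REQUIRED` by the two `if` comparisons instead of being rejected, so a misconfiguration only shows up later as a connection failure that does not name the option at fault; a dict lookup that raises on an unknown value makes the problem explicit at startup. The `'ssl=true' in conf.uri.lower()` substring test also means all four ssl_* options are silently ignored whenever the URI lacks that flag, which deserves at least a comment such as `# ssl_* options only take effect when the URI itself requests ssl` and ideally a warning log when they are set without it. The enclosing `_connection` definition starts outside the hunk.
```python
    if 'ssl=true' in conf.uri.lower():
        cert_reqs = {
            'CERT_NONE': ssl.CERT_NONE,
            'CERT_OPTIONAL': ssl.CERT_OPTIONAL,
            'CERT_REQUIRED': ssl.CERT_REQUIRED,
        }
        try:
            kwargs = {'ssl_cert_reqs': cert_reqs[conf.ssl_cert_reqs]}
        except KeyError:
            raise ValueError('ssl_cert_reqs must be one of: %s'
                             % ', '.join(sorted(cert_reqs)))
        # … unchanged: ssl_keyfile / ssl_certfile / ssl_ca_certs handling …
```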
@ -18,7 +18,39 @@ from oslo.config import cfg
|
||||
|
||||
|
||||
MONGODB_OPTIONS = (
|
||||
cfg.StrOpt('uri', help='Mongodb Connection URI.'),
|
||||
|
||||
cfg.StrOpt('ssl_keyfile',
|
||||
help=('The private keyfile used to identify the local '
|
||||
'connection against mongod. If included with the '
|
||||
'``certifle`` then only the ``ssl_certfile`` '
|
||||
'is needed.')),
|
||||
|
||||
cfg.StrOpt('ssl_certfile',
|
||||
help=('The certificate file used to identify the local '
|
||||
'connection against mongod.')),
|
||||
|
||||
cfg.StrOpt('ssl_cert_reqs', default='CERT_REQUIRED',
|
||||
help=('Specifies whether a certificate is required from '
|
||||
'the other side of the connection, and whether it '
|
||||
'will be validated if provided. It must be one of '
|
||||
'the three values ``CERT_NONE``(certificates ignored), '
|
||||
'``CERT_OPTIONAL``(not required, but validated if '
|
||||
'provided), or ``CERT_REQUIRED``(required and '
|
||||
'validated). If the value of this parameter is not '
|
||||
'``CERT_NONE``, then the ``ssl_ca_cert`` parameter '
|
||||
'must point to a file of CA certificates.')),
|
||||
|
||||
cfg.StrOpt('ssl_ca_certs',
|
||||
help=('The ca_certs file contains a set of concatenated '
|
||||
'"certification authority" certificates, which are '
|
||||
'used to validate certificates passed from the other '
|
||||
'end of the connection.')),
|
||||
|
||||
cfg.StrOpt('uri',
|
||||
help=('Mongodb Connection URI. If ssl connection enabled, '
|
||||
'then ``ssl_keyfile``, ``ssl_certfile``, '
|
||||
'``ssl_cert_reqs``, ``ssl_ca_certs`` need to be set '
|
||||
'accordingly.')),
|
||||
|
||||
cfg.StrOpt('database', default='marconi', help='Database name.'),
|
||||
|
||||
|
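Review bot: The new help strings carry two typos that will be copied into the generated sample config and mislead operators: `certifle` in the ssl_keyfile help should read `ssl_certfile`, and `ssl_ca_cert` in the ssl_cert_reqs help should read `ssl_ca_certs`, the option defined a few lines below. Since ssl_cert_reqs is a closed set of three values, adding `choices=['CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED']` to that StrOpt would reject a bad value at config-load time rather than leaving it to the driver, provided the oslo.config version in use supports `choices`. The MONGODB_OPTIONS tuple ends outside the hunk.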