NSXAdmin: Update metadata shared secret

Change-Id: Ia8b236f3ddc751a8c317308fbac40818f35b3db7
2016-06-21 06:17:42 -07:00 · 2016-06-21 06:17:42 -07:00 · 051649eed5
commit 051649eed5
parent f7761ffea6
2 changed files with 45 additions and 1 deletions
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/metadata.py
@ -13,6 +13,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import hashlib
+import hmac
 import logging

 from neutron.callbacks import registry
@ -106,6 +108,46 @@ def nsx_redo_metadata_cfg(resource, event, trigger, **kwargs):
                lb.submit_to_backend(nsxv, edge_id, False)


+def update_shared_secret():
+    edgeapi = utils.NeutronDbClient()
+    edge_list = nsxv_db.get_nsxv_internal_edges_by_purpose(
+        edgeapi.context.session,
+        vcns_constants.InternalEdgePurposes.INTER_EDGE_PURPOSE)
+    md_rtr_ids = [edge['router_id'] for edge in edge_list]
+    router_bindings = nsxv_db.get_nsxv_router_bindings(
+        edgeapi.context.session,
+        filters={'edge_type': [nsxv_constants.SERVICE_EDGE]})
+    edge_ids = list(set([binding['edge_id'] for binding in router_bindings
+                         if (binding['router_id'] not in set(md_rtr_ids)
+                             and not binding['router_id'].startswith(
+                                 vcns_constants.BACKUP_ROUTER_PREFIX)
+                             and not binding['router_id'].startswith(
+                                 vcns_constants.PLR_EDGE_PREFIX))]))
+
+    for edge_id in edge_ids:
+        with locking.LockManager.get_lock(edge_id):
+            lb = nsxv_lb.NsxvLoadbalancer.get_loadbalancer(nsxv, edge_id)
+            virt = lb.virtual_servers.get(md_proxy.METADATA_VSE_NAME)
+            if not virt:
+                return
+
+            virt.del_app_rule('insert-auth')
+            if cfg.CONF.nsxv.metadata_shared_secret:
+                signature = hmac.new(cfg.CONF.nsxv.metadata_shared_secret,
+                                     edge_id,
+                                     hashlib.sha256).hexdigest()
+                sign = 'reqadd X-Metadata-Provider-Signature:' + signature
+                sign_app_rule = nsxv_lb.NsxvLBAppRule('insert-auth', sign)
+                virt.add_app_rule('insert-auth', sign_app_rule)
+
+            lb.submit_to_backend(nsxv, edge_id, False)
+
+
 registry.subscribe(nsx_redo_metadata_cfg,
                   constants.METADATA,
                   shell.Operations.NSX_UPDATE.value)
+
+
+registry.subscribe(update_shared_secret,
+                   constants.METADATA,
+                   shell.Operations.NSX_UPDATE_SECRET.value)
--- a/vmware_nsx/shell/nsxadmin.py
+++ b/vmware_nsx/shell/nsxadmin.py
@ -63,6 +63,7 @@ class Operations(enum.Enum):
    NSX_LIST = 'nsx-list'
    NSX_CLEAN = 'nsx-clean'
    NSX_UPDATE = 'nsx-update'
+    NSX_UPDATE_SECRET = 'nsx-update-secret'


 ops = [op.value for op in Operations]
@ -126,7 +127,8 @@ nsxv_resources = {
        constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
                                        Operations.LIST_MISMATCHES.value]),
    constants.METADATA: Resource(
-        constants.METADATA, [Operations.NSX_UPDATE.value]),
+        constants.METADATA, [Operations.NSX_UPDATE.value,
+                             Operations.NSX_UPDATE_SECRET]),
 }

 nsxv3_resources_names = map(lambda res: res.name, nsxv3_resources.itervalues())