authorNikola Dipanov <ndipanov@redhat.com>2015-04-01 14:35:13 +0100
committerNikola Dipanov <ndipanov@redhat.com>2015-04-07 16:54:32 +0100
commit2ffcf18d00eff6fb0777769469c4aa5ac7bbb6c9 (patch)
treeff0825301c5884d7bca6c2fe3215e37d72d73135 /nova/consoleauth
parentbf70df295b0529da9f4381f52fc94d328fa2fdb3 (diff)
consoleauth: Store access_url on token authorization
Related-bug: 1409142 As part of the fix for the related bug we added protocol checking to mitigate MITM attacks; however, that check is based on a config option that is normally only intended for compute hosts. This is quite user-hostile, because every node running compute and proxy services must now keep that option in sync. We can do better: we can persist the URL the client is expected to use and, when the token comes back for validation, verify that the request is using the intended protocol, mitigating the MITM script-injection attacks. This patch makes sure that the access_url is persisted with the token; the follow-up patch makes the consoles use that information. Change-Id: I02a377f54de46536ca35413b615d3298967afc33
Diffstat (limited to 'nova/consoleauth')
-rw-r--r--nova/consoleauth/manager.py6
-rw-r--r--nova/consoleauth/rpcapi.py26
2 files changed, 21 insertions, 11 deletions
diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
index 9555404f59..3ad341bb12 100644
--- a/nova/consoleauth/manager.py
+++ b/nova/consoleauth/manager.py
@@ -47,7 +47,7 @@ CONF.import_opt('enable', 'nova.cells.opts', group='cells')
class ConsoleAuthManager(manager.Manager):
"""Manages token based authentication."""
- target = messaging.Target(version='2.0')
+ target = messaging.Target(version='2.1')
def __init__(self, scheduler_driver=None, *args, **kwargs):
super(ConsoleAuthManager, self).__init__(service_name='consoleauth',
@@ -65,7 +65,8 @@ class ConsoleAuthManager(manager.Manager):
return tokens
def authorize_console(self, context, token, console_type, host, port,
- internal_access_path, instance_uuid):
+ internal_access_path, instance_uuid,
+ access_url=None):
token_dict = {'token': token,
'instance_uuid': instance_uuid,
@@ -73,6 +74,7 @@ class ConsoleAuthManager(manager.Manager):
'host': host,
'port': port,
'internal_access_path': internal_access_path,
+ 'access_url': access_url,
'last_activity_at': time.time()}
data = jsonutils.dumps(token_dict)
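Review bot: The value persisted on the `'access_url': access_url` line is whatever the RPC caller sent, including `None` whenever the caller omitted it (the signature in the previous hunk defaults it to `None`, and the 2.0 client path drops it entirely), so a token can legitimately exist with no URL, and the follow-up consumer must decide explicitly whether a missing `access_url` fails closed or falls back to the old config-based check; that decision should be written down here rather than left implicit. I would add to the `authorize_console` docstring something like `access_url: URL the client is expected to connect through; None when the caller is capped at RPC 2.0, in which case no per-token protocol check is possible.` The URL is also stored verbatim, so whichever comparison the consumer does later depends on the exact string the compute side produced; if only scheme and host matter, it is presumably safer to compare those components than the whole string, but that belongs to the follow-up. `authorize_console` begins in the previous hunk and its body continues past the end of this one.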
diff --git a/nova/consoleauth/rpcapi.py b/nova/consoleauth/rpcapi.py
index 7273c5d3ee..c005c8b633 100644
--- a/nova/consoleauth/rpcapi.py
+++ b/nova/consoleauth/rpcapi.py
@@ -47,6 +47,8 @@ class ConsoleAuthAPI(object):
... Icehouse and Juno support message version 2.0. So, any changes to
existing methods in 2.x after that point should be done such that they
can handle the version_cap being set to 2.0.
+
+ * 2.1 - Added access_url to authorize_console
'''
VERSION_ALIASES = {
@@ -58,22 +60,28 @@ class ConsoleAuthAPI(object):
def __init__(self):
super(ConsoleAuthAPI, self).__init__()
- target = messaging.Target(topic=CONF.consoleauth_topic, version='2.0')
+ target = messaging.Target(topic=CONF.consoleauth_topic, version='2.1')
version_cap = self.VERSION_ALIASES.get(CONF.upgrade_levels.consoleauth,
CONF.upgrade_levels.consoleauth)
self.client = rpc.get_client(target, version_cap=version_cap)
def authorize_console(self, ctxt, token, console_type, host, port,
- internal_access_path, instance_uuid):
+ internal_access_path, instance_uuid,
+ access_url):
# The remote side doesn't return anything, but we want to block
# until it completes.'
- cctxt = self.client.prepare()
- return cctxt.call(ctxt,
- 'authorize_console',
- token=token, console_type=console_type,
- host=host, port=port,
- internal_access_path=internal_access_path,
- instance_uuid=instance_uuid)
+ msg_args = dict(token=token, console_type=console_type,
+ host=host, port=port,
+ internal_access_path=internal_access_path,
+ instance_uuid=instance_uuid,
+ access_url=access_url)
+ version = '2.1'
+ if not self.client.can_send_version('2.1'):
+ version = '2.0'
+ del msg_args['access_url']
+
+ cctxt = self.client.prepare(version=version)
+ return cctxt.call(ctxt, 'authorize_console', **msg_args)
def check_token(self, ctxt, token):
cctxt = self.client.prepare()
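Review bot: When `self.client.can_send_version('2.1')` is false the new code silently discards the URL (`del msg_args['access_url']`) and sends a 2.0 message, so a consoleauth service pinned by `upgrade_levels.consoleauth` will store no `access_url` and the protocol check this commit is building toward quietly does not apply to that token; the caller gets no indication that the weaker path was taken. A short log line at the downgrade, e.g. `LOG.debug("consoleauth capped at 2.0; access_url not sent for token")`, would make that visible during a mixed-version upgrade, assuming the module has a `LOG` (not visible in this hunk). Note also that `access_url` is a required positional parameter on this client method while the manager side defaults it to `None`; that asymmetry is fine but is worth a docstring sentence such as `access_url is sent only when the consoleauth service accepts RPC 2.1; under a 2.0 version cap it is dropped.` As a point of style, the `version = '2.1'` assignment followed by an override reads more clearly as a single `if/else` that sets `version` and pops the key in one branch.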