TLS verification & custom CA UI for oVirt and Container providers #450
Conversation
|
@cben Cannot apply the following label because they are not recognized: security |
cben
force-pushed
the
ovirt-container-ca
branch
from
d2ea016 to
d79c934
Compare
|
Remaining lint warnings hard to address without breaking consistency. |
| def retrieve_container_security_protocols | ||
| [[_('SSL'), 'ssl-with-validation'], | ||
| [_('SSL trusting custom CA'), 'ssl-with-validation-custom-ca'], | ||
| [_('SSL without validation'), 'ssl-without-validation']] |
There was a problem hiding this comment.
@cben @jhernand these seems a little verbose to me. They could be: 'ssl', 'ssl-custom-ca' and 'ssl-insecure'.
I think it's not required to specify with-validation in general because SSL in fact has validation by default. Is the 'ssl' value clashing with a pre-existing one that implied no validation? Are these values the ones ending up in the db?
Anyway this is just a suggestion, the rest LGTM.
There was a problem hiding this comment.
Yes, but. Alas, Openstack uses the values
[[_('SSL without validation'), 'ssl'],
[_('SSL'), 'ssl-with-validation'],
[_('Non-SSL'), 'non-ssl']]
where just ssl means insecure :-(
And AFAICT some other providers use ssl to mean secure.
It'd be good to fix, but would require migration(s), I don't want to block on that, and I don't want to add to the confusion now.
That only left the option of using 2 verbose but explicit values.
(If we do migrate openstack later, it'll be safer to never redefine ssl but switch to ssl-{with,without}-validation too.)
|
LGTM 👍 @miq-bot assign dclarizio |
|
This is how the user interface looks when adding an oVirt provider, checking TLS certificates, and not providing the required trusted CA certificates:
This is adding the same provider, but disabling checking TLS certificates:
And this is adding the same provider, enabling checking TLS certificates, and providing the required trusted CA certificates:
|
|
@dclarizio @AparnaKarve Please review. |
|
@cben I added @AparnaKarve to review . . . can you look at the spec failures? Thx, Dan |
|
Specs are failing because the core PR wasn't merged. They pass locally with given both PRs. |
There was a problem hiding this comment.
@cben Overall, the changes look good.
Had one question though.
Before this PR, we did not have the concept of security protocol for Containers.
So when we open an existing Container Provider in the Edit mode, the dropdown for Security Protocol says "Nothing Selected" (and rightly so).
Should we default the Security Protocol for these containers to ssl-without-validation if the @ems.default_endpoint.security_protocol is nil ?
|
The default should be |
|
@cben Try this -- - :default_security_protocol => default_security_protocol,
+ :default_security_protocol => default_endpoint.security_protocol ? default_endpoint.security_protocol : 'ssl-with-validation',- hawkular_security_protocol = @ems.connection_configurations.hawkular.endpoint.security_protocol
+ hawkular_security_protocol = @ems.connection_configurations.hawkular.endpoint.security_protocol ?
+ @ems.connection_configurations.hawkular.endpoint.security_protocol : 'ssl-with-validation'This should populate the dropdowns with the |
Currently the oVirt provider doesn't check the validity of the TLS
certificates presented by the oVirt server. This patch adds to the form
used to add and modify the oVirt provider connection details two new
controls. The first is a checkbox to enable or disable checking the TLS
certificates of the oVirt server:
Verify TLS Certificates [Yes | No]
The second will only be enabled when the value of the first is 'Yes', and it is
is a text box where the user can optionally paste a set of trusted CA
certificates, in PEM format:
Trusted CA Certificates ┌────────────────────────────────────────┐
│-----BEGIN CERTIFICATE----- │
│MIIDxjCCAq6gAwIBAgICEAAwDQYJKoZIhvc │
│NAQELBQAwSTELMAkGA1UEBhMCVVMxMCVVMx │
│... │
│-----END CERTIFICATE----- │
└────────────────────────────────────────┘
Paste here the trusted CA certificates, in
PEM format.
The value of the first control will be stored in the 'verify_ssl' column
of the 'endpoints' table.
The value of the second control will be stored in the
'certificate_authority' column of the 'endpoints' table.
Signed-off-by: Juan Hernandez <[email protected]>
…elds Both on default & hawkular endpoints, added dropdown: - SSL - SSL trusting custom CA, which additionally shows CA field. - SSL without validation Always sets (security_protocol, certificate_authority, verify_ssl) consisently.
|
Checked commits cben/manageiq-ui-classic@d8156d9~...856a9a3 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 app/controllers/mixins/ems_common_angular.rb
app/views/layouts/angular-bootstrap/_endpoints_angular.html.haml |
|
@dclarizio @cben given that the backend part was merged ManageIQ/manageiq#14019 it is extremely problematic not having the UI (this PR) because currently the addition of a new provider fails 100%. Any chance we can merge this soon? |
|
@cben going to merge, but should follow up on @AparnaKarve's comments above about the the default in another PR. Thx, Dan |
|
Thanks. Will definitely follow up ASAP. |
Combined PR with @jhernand — UI side for oVirt's ManageIQ/manageiq#14004 and containers' ManageIQ/manageiq#14019.
Depends on the core PR (at least the containers one), should be merged soon after.
[Travis can't pass until https://github.com/ManageIQ/manageiq/pull/14019 lands, passes locally with it.]
These build on ManageIQ/manageiq#13567 [merged] for storing & parsing the certificate_authority #field.
oVirt
(core part: ManageIQ/manageiq#14004)
Currently the oVirt provider doesn't check the validity of the TLS certificates presented by the oVirt server. This patch adds to the form used to add and modify the oVirt provider connection details two new controls. The first is a checkbox to enable or disable checking the TLS certificates of the oVirt server:
The second will only be enabled when the value of the first is 'Yes', and it is is a text box where the user can optionally paste a set of trusted CA certificates, in PEM format:
The value of the first control will be stored in the 'verify_ssl' column of the 'endpoints' table.
The value of the second control will be stored in the certificate_authority column of the endpoints table.
See screenshots below
Containers
(core part: ManageIQ/manageiq#14019)
Container provider: add Security Protocol, Trusted CA Certificates fields
Both on default & hawkular endpoints, added dropdown:
This UI always sets (security_protocol, certificate_authority, verify_ssl) consisently.
Container backend will use security_protocol if set, ignoring verify_ssl.
See core PR for backward-compat details.
Hawkular endpoint has same dropdown and hiding/appearing CA field:
(independent control is useful because default openshift installs have bad SSL config, trying to address in openshift/openshift-ansible#3226 but no immediate relief)
@miq-bot add-label compute/containers, security, enhancement, pending core
@h-kataria @AparnaKarve @yaacov please review. cc @jhernand @simon3z