Added support for verifying HMC certificates (#405)
Details:

* Added module sub-parameters 'ca_certs' and 'verify' to the 'hmc_auth'
  module parameter of all modules. (issue #401)

* Changed module input parameter 'hmc_auth.userid' to no longer be
  hidden in logs, for better debugging. The password is still
  hidden in any logs.

* Increased minimum version of zhmcclient to 0.31.0 in order to have
  the support for certificate verification.

Signed-off-by: Andreas Maier <[email protected]>
andy-maier authored Jun 9, 2021
1 parent 917dfb6 commit df66c6f
Showing 30 changed files with 684 additions and 123 deletions.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_adapter.rst
Expand Up @@ -36,7 +36,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
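
Review bot: the shortened hmc_auth description now undersells the parameter. With this commit hmc_auth also carries ca_certs and verify, which are TLS trust settings rather than credentials. Suggest wording such as "The authentication credentials for the HMC and the settings for verifying the HMC certificate." so that readers scanning the top-level description know where certificate verification is configured.
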
Expand All @@ -56,6 +56,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


name
The name of the target adapter. In case of renaming an adapter, this is the new name of the adapter.
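
Review bot: the ca_certs description does not say what format the file must have or how a directory must be prepared. If the path ends up as the verify argument of the requests library, as the REQUESTS_CA_BUNDLE and certifi fallbacks suggest, a file needs to be a PEM bundle and a directory needs to have been processed with OpenSSL's c_rehash; an unprepared directory fails verification in a way that is hard to diagnose. Suggest stating both, and spelling out that REQUESTS_CA_BUNDLE is consulted before CURL_CA_BUNDLE if that is the intended order.
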
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_cpc.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


name
The name of the target CPC.
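
Review bot: the verify description states the mechanics of False but not the consequence. With verification off, the userid and password in hmc_auth are sent to whatever host answers at hmc_host, so a party on the network path can impersonate the HMC and collect them. Suggest adding that consequence to the description so the trade-off is visible at the place where the parameter is set.
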
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_crypto_attachment.rst
Expand Up @@ -36,7 +36,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -56,6 +56,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC that has the partition and the crypto adapters.
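
Review bot: this ca_certs/verify text is identical in every module page touched by the commit (eleven copies under docs/source/modules/). If these pages are generated from the modules' DOCUMENTATION strings, consider moving the hmc_auth sub-parameter text into one shared Ansible documentation fragment, so that a later wording fix, such as a security caveat on verify, cannot land in some modules and not in others.
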
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_hba.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC with the partition containing the HBA.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_nic.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC with the partition containing the NIC.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_partition.rst
Expand Up @@ -36,7 +36,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of userid, password.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -56,6 +56,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC with the target partition.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_storage_group.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC associated with the target storage group.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_storage_group_attachment.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC that has the partition and is associated with the storage group.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_storage_volume.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC associated with the storage group containing the target storage volume.
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_user.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


name
The userid of the target user (i.e. the 'name' property of the User object).
17 changes: 16 additions & 1 deletion docs/source/modules/zhmc_virtual_function.rst
Expand Up @@ -35,7 +35,7 @@ hmc_host

hmc_auth
The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
The authentication credentials for the HMC.

| **required**: True
| **type**: dict
Expand All @@ -55,6 +55,21 @@ hmc_auth
| **type**: str

ca_certs
Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.

| **required**: False
| **type**: str

verify
If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.

| **required**: False
| **type**: bool
| **default**: True


cpc_name
The name of the CPC with the partition containing the virtual function.
17 changes: 16 additions & 1 deletion docs/source/release_notes.rst
Expand Up @@ -29,6 +29,13 @@ Released: not yet

**Incompatible changes:**

* The new support for verifying HMC certificates will by default verify the
HMC certificate using the "Mozilla CA Certificate List" provided by the
'certifi' Python package, causing self-signed HMC certificates to be
rejected. The verification behavior can be controlled with the new
'ca_certs' and 'verify' sub-parameters of the 'hmc_auth' module parameter
of each module.

**Deprecations:**

**Bug fixes:**
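
Review bot: this incompatible-change entry says self-signed HMC certificates will be rejected but leaves the upgrade step to the reader. Suggest naming the two options in the order users should try them: set 'ca_certs' to a file containing the HMC's certificate or its issuing CA, and only as a last resort set 'verify' to false. As written, a playbook author who hits the rejection is likely to reach for 'verify' first.
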
Expand Down Expand Up @@ -65,7 +72,15 @@ Released: not yet
* Docs: The idempotency of each module and possible limitations are now
described for each module. (issue #375)

* Increased minimum version of zhmcclient to 0.29.0 to pick up fixes.
* Increased minimum version of zhmcclient to 0.31.0 in order to have
the support for certificate verification and to pick up fixes.

* Added support for verifying HMC certificates by adding module sub-parameters
'ca_certs' and 'verify' to the 'hmc_auth' module parameter of all modules.
(issue #401)

* Changed module input parameter 'hmc_auth.userid' to no longer be hidden in
logs, for better debugging. The password is still hidden in any logs.

**Cleanup:**
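
Review bot: the 'hmc_auth.userid' entry changes what ends up in logs, and it is listed after the dependency bump and the feature entry, where it is easy to miss. Sites that forward Ansible output to shared log systems will start recording HMC userids after upgrading. Suggest also listing it under **Incompatible changes:** and stating how the password stays hidden (for example, no_log applied to the password sub-parameter only) so that readers can confirm the scope.
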

4 changes: 2 additions & 2 deletions minimum-constraints.txt
Expand Up @@ -87,8 +87,8 @@ wheel==0.33.5; python_version >= '3.8'

ansible==2.9.0.0
requests==2.20.1
# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient
zhmcclient==0.29.0
# TODO: Enable zhmcclient 0.31.0 once released on Pypi
# zhmcclient==0.31.0

# Indirect dependencies for installation (must be consistent with requirements.txt)
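
Review bot: as rendered, this hunk leaves minimum-constraints.txt with no active zhmcclient line; the only version line is the commented-out "# zhmcclient==0.31.0" under the TODO. A minimum-version test run then no longer pins zhmcclient, while the release notes in this commit state 0.31.0 as the minimum. Suggest keeping an installable reference to a zhmcclient revision that has the certificate verification support until the PyPI release, and tracking the TODO in an issue so the pin is restored.
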
