Merge pull request #2071 from zhaoqin-github/9.10.4-stable

[OPENSTACK-2847] Disable icontrol token authentication by default (9.10.4.2)
F5Networks · Jul 25, 2023 · 00571bd · 00571bd
2 parents a096ada + 4886370
commit 00571bd
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 7 deletions.
diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst
@@ -5,6 +5,21 @@
 Release Notes for F5 Openstack Agent
 ====================================
 
+v9.10.4.2 (Pike, Queens)
+--------------------------------------------
+NOTE: This version of F5 Openstack Agent supports Pike and Queens Openstack releases.
+
+Added Functionality
+```````````````````
+[OPENSTACK-2847] Disable icontrol token authentication by default
+[OPENSTACK-2835] modify ManagementRoot
+
+Bug Fixes
+`````````
+
+Limitations
+```````````
+
 v9.10.4.1 (Pike, Queens)
 --------------------------------------------
 NOTE: This version of F5 Openstack Agent supports Pike and Queens Openstack releases.

diff --git a/f5_openstack_agent/__init__.py b/f5_openstack_agent/__init__.py
@@ -1 +1 @@
-__version__ = "9.10.4.1"
+__version__ = "9.10.4.2"
diff --git a/f5_openstack_agent/client/clientmanager.py b/f5_openstack_agent/client/clientmanager.py
@@ -39,7 +39,7 @@ def _open_bigip(self):
                                    self.icontrol_username,
                                    self.icontrol_password,
                                    port=self.icontrol_port,
-                                   token=True,
+                                   token=False,
                                    timeout=f5const.DEVICE_CONNECTION_TIMEOUT)
             return bigip
         except Exception as e:

diff --git a/f5_openstack_agent/lbaasv2/drivers/bigip/bigip_device.py b/f5_openstack_agent/lbaasv2/drivers/bigip/bigip_device.py
@@ -17,7 +17,7 @@ def set_bigips(service, conf):
     service['bigips'] = bigip_dev.get_all_bigips()
 
 
-def build_connection(host, info):
+def build_connection(host, info, token=False):
     LOG.info("Build connection for %s: %s" % (host, info))
     try:
         bigip = ManagementRoot(
@@ -26,7 +26,7 @@ def build_connection(host, info):
             decrypt_data(info['serial_number'], info['password']),
             port=info['port'],
             timeout=constants_v2.DEVICE_CONNECTION_TIMEOUT,
-            token=True,
+            token=token,
             debug=True
         )
         bigip.device_name = info["device_name"]
@@ -84,7 +84,7 @@ def connect(self, host, info):
             "Build connection of device %s for resource config" %
             host
         )
-        bigip = build_connection(host, info)
+        bigip = build_connection(host, info, self.conf.icontrol_token)
         self._bigips[host] = bigip
 
         LOG.info("Add and refresh host %s in cache." % host)

diff --git a/f5_openstack_agent/lbaasv2/drivers/bigip/icontrol_driver.py b/f5_openstack_agent/lbaasv2/drivers/bigip/icontrol_driver.py
@@ -161,6 +161,10 @@
         help='The hostname (name or IP address) to use for vCMP Host '
              'iControl access'
     ),
+    cfg.BoolOpt(
+        'icontrol_token', default=False,
+        help='Enable token authentication for iControl access'
+    ),
     cfg.IntOpt(
         'icontrol_connection_timeout', default=30,
         help='How many seconds to timeout a connection to BIG-IP'

diff --git a/f5_openstack_agent/lbaasv2/drivers/bigip/monitor_manager.py b/f5_openstack_agent/lbaasv2/drivers/bigip/monitor_manager.py
@@ -471,7 +471,9 @@ def update_member_status_task(self):
                                        info['username'],
                                        info['password'],
                                        port=info['port'],
-                                       token=True)
+                                       token=self.conf.icontrol_token,
+                                       debug=True,
+                                       timeout=constants_v2.DEVICE_CONNECTION_TIMEOUT) # noqa
 
                 if self.conf.member_update_mode == 1:
                     # logic of update member by pools
@@ -552,7 +554,9 @@ def report_device_status_task(self):
                                                username,
                                                password,
                                                port=m['device_info']['port'],
-                                               token=True)
+                                               token=self.conf.icontrol_token,
+                                               debug=True,
+                                               timeout=constants_v2.DEVICE_CONNECTION_TIMEOUT) # noqa
 
                         failover_state = bigip.tm.sys.dbs.db.load(
                             name='failover.state'