Dave Chen has uploaded a new change for review. Change subject: Trusted Compute Pools - Open Attestation integration with oVirt engine proposal ......................................................................
Trusted Compute Pools - Open Attestation integration with oVirt engine proposal Change-Id: I8ce3448a821c74521d277f92f2c8d63ba0accfed Signed-off-by: Dave Chen <wei.d.c...@intel.com> Signed-off-by: Jimmy <gang....@intel.com> Signed-off-by: Zhang Lijuan <lijuan.zh...@intel.com> Signed-off-by: Quan Xu <quan...@intel.com> --- A backend/manager/dbscripts/upgrade/03_02_0340_add_trusted_service_to_vds_groups.sql M backend/manager/dbscripts/vds_groups_sp.sql M backend/manager/modules/bll/pom.xml M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitVdsOnUpCommand.java A backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/attestationbroker A backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/AttestationResultEnum.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/VDSGroup.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/VdsGroupDAODbFacadeImpl.java 10 files changed, 108 insertions(+), 7 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/05/14605/1 diff --git a/backend/manager/dbscripts/upgrade/03_02_0340_add_trusted_service_to_vds_groups.sql b/backend/manager/dbscripts/upgrade/03_02_0340_add_trusted_service_to_vds_groups.sql new file mode 100644 index 0000000..8ede5ee --- /dev/null +++ b/backend/manager/dbscripts/upgrade/03_02_0340_add_trusted_service_to_vds_groups.sql @@ -0,0 +1 @@ +select fn_db_add_column('vds_groups', 'trusted_service', 'boolean not null default false'); diff --git a/backend/manager/dbscripts/vds_groups_sp.sql b/backend/manager/dbscripts/vds_groups_sp.sql index efc08d4..f9aa255 100644 --- a/backend/manager/dbscripts/vds_groups_sp.sql +++ b/backend/manager/dbscripts/vds_groups_sp.sql 
@@ -24,16 +24,17 @@ v_migrate_on_error INTEGER, v_virt_service BOOLEAN, v_gluster_service BOOLEAN, - v_tunnel_migration BOOLEAN) + v_tunnel_migration BOOLEAN, + v _trusted_service BOOLEAN) RETURNS VOID AS $procedure$ BEGIN INSERT INTO vds_groups(vds_group_id,description, name, cpu_name, selection_algorithm, high_utilization, low_utilization, cpu_over_commit_duration_minutes, storage_pool_id, max_vds_memory_over_commit, count_threads_as_cores, compatibility_version, - transparent_hugepages, migrate_on_error, virt_service, gluster_service, tunnel_migration) + transparent_hugepages, migrate_on_error, virt_service, gluster_service, tunnel_migration, trusted_service) VALUES(v_vds_group_id,v_description, v_name, v_cpu_name, v_selection_algorithm, v_high_utilization, v_low_utilization, v_cpu_over_commit_duration_minutes, v_storage_pool_id, v_max_vds_memory_over_commit, v_count_threads_as_cores, v_compatibility_version, - v_transparent_hugepages, v_migrate_on_error, v_virt_service, v_gluster_service, v_tunnel_migration); + v_transparent_hugepages, v_migrate_on_error, v_virt_service, v_gluster_service, v_tunnel_migration, v_trusted_service); END; $procedure$ LANGUAGE plpgsql; @@ -57,7 +58,8 @@ v_migrate_on_error INTEGER, v_virt_service BOOLEAN, v_gluster_service BOOLEAN, - v_tunnel_migration BOOLEAN) + v_tunnel_migration BOOLEAN, + v_trusted_service BOOLEAN) RETURNS VOID --The [vds_groups] table doesn't have a timestamp column. Optimistic concurrency logic cannot be generated 
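Review bot: The added parameter line in the insert procedure reads `v _trusted_service BOOLEAN)`; with that space PostgreSQL parses `v` as the parameter name and `_trusted_service` as its type (a leading underscore denotes an array type), so the function definition fails to load. Unless this is a paste artifact, it should be `v_trusted_service BOOLEAN)` to match the `v_trusted_service` used in the VALUES list of the same hunk and in the update procedure hunk that follows. The CREATE FUNCTION header of this procedure begins above the hunk.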
@@ -72,7 +74,7 @@ count_threads_as_cores = v_count_threads_as_cores, compatibility_version = v_compatibility_version,transparent_hugepages = v_transparent_hugepages, migrate_on_error = v_migrate_on_error, - virt_service = v_virt_service, gluster_service = v_gluster_service, tunnel_migration = v_tunnel_migration + virt_service = v_virt_service, gluster_service = v_gluster_service, tunnel_migration = v_tunnel_migration, trusted_service = v_trusted_service WHERE vds_group_id = v_vds_group_id; END; $procedure$ LANGUAGE plpgsql; diff --git a/backend/manager/modules/bll/pom.xml b/backend/manager/modules/bll/pom.xml index 1dc3fc5..233c52e 100644 --- a/backend/manager/modules/bll/pom.xml +++ b/backend/manager/modules/bll/pom.xml @@ -111,6 +111,19 @@ <version>1.6</version> <scope>test</scope> </dependency> + + <dependency> + <groupId>commons-httpclient</groupId> + <artifactId>commons-httpclient</artifactId> + <version>${httpclient.version}</version> + </dependency> + + <dependency> + <groupId>org.codehaus.jackson</groupId> + <artifactId>jackson-core-asl</artifactId> + <version>${jackson-core-asl.version}</version> + </dependency> + </dependencies> <build> diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitVdsOnUpCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitVdsOnUpCommand.java index 1712821..4eb07d8 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitVdsOnUpCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitVdsOnUpCommand.java @@ -50,6 +50,7 @@ import org.ovirt.engine.core.utils.ejb.BeanType; import org.ovirt.engine.core.utils.ejb.EjbUtils; import org.ovirt.engine.core.vdsbroker.irsbroker.IrsBrokerCommand; +import org.ovirt.engine.core.bll.attestationbroker.AttestationService; /** * Initialize Vds on its loading. For storages: First connect all storage 
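Review bot: commons-httpclient is the end-of-life 3.x line, and its stock SSL socket factory does not check that the server certificate matches the host it connected to, so a configured truststore alone does not bind the HTTPS channel carrying attestation verdicts to the attestation server. The AttestationService class that would use it is not part of this change, so I cannot see which socket factory it installs; if HttpClient 3.x is kept, record the obligation next to the dependency, e.g. `<!-- commons-httpclient 3.x: hostname verification must be enforced explicitly by the attestation client -->`, otherwise org.apache.httpcomponents:httpclient is the maintained replacement. The properties `${httpclient.version}` and `${jackson-core-asl.version}` are not defined in this hunk, so they presumably come from the parent pom; please confirm.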
@@ -70,6 +71,15 @@ setVds(parameters.getVds()); } + private boolean validateHost() { + if (AttestationService.getInstance().validateHostIsTrusted(getVds())) { + return true; + } else { + setNonOperational(NonOperationalReason.GENERAL, null); + return false; + } + } + @Override protected void executeCommand() { VDSGroup vdsGroup = getVdsGroup(); @@ -81,6 +91,10 @@ if (vdsGroup.supportsGlusterService()) { setSucceeded(initGlusterPeerProcess()); } + + if (vdsGroup.supportsTrustedService()) { + setSucceeded(validateHost()); + } } private boolean initVirtResources() { diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/attestationbroker b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/attestationbroker new file mode 100644 index 0000000..df48685 --- /dev/null +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/attestationbroker @@ -0,0 +1,11 @@ +package org.ovirt.engine.core.common.businessentities; + +public enum AttestationResultEnum { + UNTRUSTED(0), + TRUSTED(1), + UNKNOWN(2), + TIMEOUT(3); + + private AttestationResultEnum(int value) { + } +} diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/AttestationResultEnum.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/AttestationResultEnum.java new file mode 100644 index 0000000..df48685 --- /dev/null +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/AttestationResultEnum.java @@ -0,0 +1,11 @@ +package org.ovirt.engine.core.common.businessentities; + +public enum AttestationResultEnum { + UNTRUSTED(0), + TRUSTED(1), + UNKNOWN(2), + TIMEOUT(3); + + private AttestationResultEnum(int value) { + } +} 
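Review bot: The attestation check is appended to the end of executeCommand, after the gluster step visible just before it (and, judging by the class comment about connecting storage, after the host has already been connected), and `setSucceeded(validateHost())` overwrites whatever the earlier steps returned, so a host whose initialization failed but which passed attestation reports success, while an untrusted host has already been initialized before it is moved to non-operational; the same point applies to the `@@ -81,6 +91,10 @@` hunk. For a trusted-compute gate the check should come first and fail closed: `if (vdsGroup.supportsTrustedService() && !validateHost()) { setSucceeded(false); return; }` at the top of executeCommand, with later results combined rather than overwritten. The lines between the two hunks are not shown, so the ordering relative to initVirtResources is inferred. `validateHostIsTrusted` returns a boolean although AttestationResultEnum also has UNKNOWN and TIMEOUT; that method is not in this change, so please confirm both map to false, and consider a more specific reason than `NonOperationalReason.GENERAL` with a null second argument so the audit log records why the host was rejected.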
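Review bot: The new path `backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/attestationbroker` has no `.java` extension, its blob is the same as `AttestationResultEnum.java` (index df48685), and its `package org.ovirt.engine.core.common.businessentities;` declaration does not match its location, so it looks like a stray file committed where the `attestationbroker` package directory was meant to be. The `AttestationService` class that InitVdsOnUpCommand now imports from that package is absent from the change, so the bll module will not compile as submitted; it should be included here so the attestation client, including its TLS setup against the AttestationTruststore, can be reviewed together with the code that relies on it.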
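Review bot: The constructor `private AttestationResultEnum(int value) { }` discards its argument, so the codes on UNTRUSTED(0) through TIMEOUT(3) are never stored and cannot be read or persisted; either keep them in a `private final int value;` field assigned in the constructor and exposed through a `getValue()` accessor, or drop the arguments and the constructor. A short Javadoc on the type stating what each state means for host activation, in particular that UNKNOWN and TIMEOUT are not treated as trusted, would make the consumer's mapping of this enum to a boolean auditable.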
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/VDSGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/VDSGroup.java index b429f1b..85fb1b5 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/VDSGroup.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/VDSGroup.java @@ -70,6 +70,8 @@ private boolean tunnelMigration = false; + private boolean trustedService = false; + public VDSGroup() { selection_algorithm = VdsSelectionAlgorithm.None; high_utilization = -1; @@ -243,6 +245,14 @@ tunnelMigration = value; } + public void setTrustedService(boolean trustedService) { + this.trustedService = trustedService; + } + + public boolean supportsTrustedService() { + return trustedService; + } + @Override public int hashCode() { final int prime = 31; @@ -266,6 +276,7 @@ result = prime * result + (virtService ? 1231 : 1237); result = prime * result + (glusterService ? 1231 : 1237); result = prime * result + (tunnelMigration ? 1231 : 1237); + result = prime * result + (trustedService ? 1231 : 1237); return result; } @@ -299,7 +310,8 @@ && transparentHugepages == other.transparentHugepages && virtService == other.virtService && glusterService == other.glusterService - && tunnelMigration == other.tunnelMigration); + && tunnelMigration == other.tunnelMigration + && trustedService == other.trustedService); } } diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java index aec31b7..dde88c5 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java 
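Review bot: The new accessors `setTrustedService`/`supportsTrustedService` carry no documentation, and nothing on the entity says what the flag entails; since InitVdsOnUpCommand now refuses to activate a host in such a cluster when attestation fails, a Javadoc on `supportsTrustedService()` such as `/** Whether hosts in this cluster must pass remote attestation before they are activated; see InitVdsOnUpCommand. */` keeps that contract next to the field. The hashCode and equals updates in the following hunks are consistent with how the existing boolean fields are handled.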
@@ -33,4 +33,14 @@ Config.<String> GetValue(ConfigValues.oVirtISOsRepositoryPath)); } + /** + * Fetch the AttestationTruststoreUrl configuration value and, if it is not an absolute path, resolve it relative to the + * CABaseDirectory configuration value. + * + * @return an absolute path for AttestaionTruststore + */ + public static String resolveAttestationTrustStorePath() { + return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> GetValue(ConfigValues.AttestationTruststore)); + } + } diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java index cd57c1c..8a02d27 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java @@ -1333,6 +1333,31 @@ @DefaultValueAttribute("0.5") DelayResetPerVmInSeconds(504), + @TypeConverterAttribute(Boolean.class) + @DefaultValueAttribute("true") + SecureConnectionWithOATServers(426), + + @TypeConverterAttribute(String.class) + @DefaultValueAttribute("AttestationService/resources/PollHosts") + PollUri(427), + + @TypeConverterAttribute(String.class) + @DefaultValueAttribute("TrustStore.jks") + AttestationTruststore(428), + + @TypeConverterAttribute(Integer.class) + @DefaultValueAttribute("8443") + AttestationPort(429), + + @TypeConverterAttribute(String.class) + @DefaultValueAttribute("password") + @OptionBehaviourAttribute(behaviour = OptionBehaviour.Password) + AttestationTruststorePass(430), + + @TypeConverterAttribute(String.class) + @DefaultValueAttribute("oat-server") + AttestationServer(431), + Invalid(65535); private int intValue; 
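Review bot: The Javadoc on resolveAttestationTrustStorePath names a configuration value `AttestationTruststoreUrl` that does not exist in this change, while the code reads `ConfigValues.AttestationTruststore`, and `@return an absolute path for AttestaionTruststore` has a typo. Suggested text: `Fetch the AttestationTruststore configuration value and, if it is not an absolute path, resolve it relative to the CABaseDirectory configuration value.` with `@return an absolute path to the attestation truststore`. Whether a relative value may resolve outside the CA base directory depends on ConfigUtil.resolvePath, which is not shown here.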
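Review bot: The new entries SecureConnectionWithOATServers through AttestationServer use intValues 426–431 but are inserted after DelayResetPerVmInSeconds(504), so whether those numbers are still free cannot be checked from this hunk; please verify against the rest of the enum and keep them in sequence. `AttestationTruststorePass` defaults to `"password"` and `SecureConnectionWithOATServers` can be set to false; because these values govern the channel over which a host's TRUSTED/UNTRUSTED verdict arrives, each deserves a comment stating the consequence, e.g. `// Disabling TLS lets the attestation verdict be tampered with in transit; test setups only` above SecureConnectionWithOATServers and `// Placeholder truststore password; set a real one at deployment` above AttestationTruststorePass.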
diff --git a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/VdsGroupDAODbFacadeImpl.java b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/VdsGroupDAODbFacadeImpl.java index e20fb72..2243c14 100644 --- a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/VdsGroupDAODbFacadeImpl.java +++ b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/VdsGroupDAODbFacadeImpl.java @@ -151,7 +151,8 @@ .addValue("migrate_on_error", group.getMigrateOnError()) .addValue("virt_service", group.supportsVirtService()) .addValue("gluster_service", group.supportsGlusterService()) - .addValue("tunnel_migration", group.isTunnelMigration()); + .addValue("tunnel_migration", group.isTunnelMigration()) + .addValue("trusted_service", group.supportsTrustedService()); return parameterSource; } @@ -189,6 +190,7 @@ entity.setVirtService(rs.getBoolean("virt_service")); entity.setGlusterService(rs.getBoolean("gluster_service")); entity.setTunnelMigration(rs.getBoolean("tunnel_migration")); + entity.setTrustedService(rs.getBoolean("trusted_service")); return entity; } } -- To view, visit http://gerrit.ovirt.org/14605 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8ce3448a821c74521d277f92f2c8d63ba0accfed Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Dave Chen <wei.d.c...@intel.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches