Fix retrieving barbican endpoint from service catalog

The context wrapper classes under castellan.common.credentials were
missing an auth_url property resulting in calls to get_endpoint()
failing with 'Could not determine a suitable URL for the plugin' unless
users set barbican/auth_endpoint.

Change-Id: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Closes-Bug: #1497993
Paul Bourke 2017-07-13 16:49:16 +01:00 committed by Paul Bourke (pbourke)
parent 54b1b52533
commit 17e8b29067
7 changed files with 40 additions and 10 deletions


@ -23,13 +23,14 @@ from castellan.common.credentials import password
class KeystonePassword(password.Password):
"""This class represents a keystone password credential."""
def __init__(self, password, username=None, user_id=None,
def __init__(self, password, auth_url=None, username=None, user_id=None,
user_domain_id=None, user_domain_name=None, trust_id=None,
domain_id=None, domain_name=None, project_id=None,
project_name=None, project_domain_id=None,
project_domain_name=None, reauthenticate=True):
"""Create a new Keystone Password Credential.
:param string auth_url: Use this endpoint to connect to Keystone.
:param string password: Password for authentication.
:param string username: Username for authentication.
:param string user_id: User ID for authentication.
@ -46,6 +47,7 @@ class KeystonePassword(password.Password):
one is going to expire. (optional) default True
"""
self._auth_url = auth_url
self._user_id = user_id
self._user_domain_id = user_domain_id
self._user_domain_name = user_domain_name
@ -61,6 +63,11 @@ class KeystonePassword(password.Password):
super(KeystonePassword, self).__init__(username,
password)
@property
def auth_url(self):
"""This method returns an auth_url."""
return self._auth_url
@property
def user_id(self):
"""This method returns a user_id."""
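Review bot: `auth_url=None` is inserted as the second positional parameter of `KeystonePassword.__init__`, ahead of `username`, so an existing caller that passes `KeystonePassword(password, username)` positionally will now bind the username to `auth_url` and authenticate with `username=None`. Appending the parameter instead keeps every existing call working: `project_domain_name=None, reauthenticate=True, auth_url=None):`. The same applies to `KeystoneToken.__init__`, where `auth_url` lands before `trust_id`. If the class defines `__eq__` outside these hunks, `_auth_url` probably belongs in that comparison too.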


@ -23,13 +23,15 @@ from castellan.common.credentials import token
class KeystoneToken(token.Token):
"""This class represents a keystone token credential."""
def __init__(self, token, trust_id=None, domain_id=None, domain_name=None,
project_id=None, project_name=None, project_domain_id=None,
project_domain_name=None, reauthenticate=True):
def __init__(self, token, auth_url=None, trust_id=None, domain_id=None,
domain_name=None, project_id=None, project_name=None,
project_domain_id=None, project_domain_name=None,
reauthenticate=True):
"""Create a new Keystone Token Credential.
:param string token: Token for authentication. The type of token
formats accepted are UUID, PKI, and Fernet.
:param string auth_url: Use this endpoint to connect to Keystone.
:param string trust_id: Trust ID for trust scoping.
:param string domain_id: Domain ID for domain scoping.
:param string domain_name: Domain name for domain scoping.
@ -41,6 +43,7 @@ class KeystoneToken(token.Token):
one is going to expire. (optional) default True
"""
self._auth_url = auth_url
self._trust_id = trust_id
self._domain_id = domain_id
self._domain_name = domain_name
@ -52,6 +55,11 @@ class KeystoneToken(token.Token):
super(KeystoneToken, self).__init__(token)
@property
def auth_url(self):
"""This method returns an auth_url."""
return self._auth_url
@property
def trust_id(self):
"""This method returns a trust_id."""


@ -51,6 +51,8 @@ credential_opts = [
"'keystone_password' auth_type."),
# keystone credential opts
cfg.StrOpt('auth_url',
help="Use this endpoint to connect to Keystone."),
cfg.StrOpt('user_id',
help="User ID for authentication. Optional for "
"'keystone_token' and 'keystone_password' auth_type."),
@ -130,6 +132,7 @@ def credential_factory(conf=None, context=None):
elif conf.key_manager.auth_type == 'keystone_password':
return keystone_password.KeystonePassword(
conf.key_manager.password,
auth_url=conf.key_manager.auth_url,
username=conf.key_manager.username,
user_id=conf.key_manager.user_id,
user_domain_id=conf.key_manager.user_domain_id,
@ -153,6 +156,7 @@ def credential_factory(conf=None, context=None):
return keystone_token.KeystoneToken(
auth_token,
auth_url=conf.key_manager.auth_url,
trust_id=conf.key_manager.trust_id,
domain_id=conf.key_manager.domain_id,
domain_name=conf.key_manager.domain_name,
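Review bot: The new `auth_url` option is a plain `cfg.StrOpt` with no default, and `credential_factory` forwards it unchecked, yet this is the URL the configured password or token is submitted to. If the oslo.config version in use supports it, declaring the option as `cfg.URIOpt('auth_url', schemes=['http', 'https'], help=...)` makes a malformed value fail at config load. The help text could also say that an https endpoint should be used outside test setups. When the option is unset, both constructors receive `auth_url=None`; whether that is rejected later depends on code outside these hunks.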


@ -55,6 +55,8 @@ barbican_opts = [
help='Version of the Barbican API, for example: "v1"'),
cfg.StrOpt('auth_endpoint',
default='http://localhost/identity/v3',
deprecated_name='auth_url',
deprecated_group='key_manager',
help='Use this endpoint to connect to Keystone'),
cfg.IntOpt('retry_delay',
default=1,
@ -123,6 +125,8 @@ class BarbicanKeyManager(key_manager.KeyManager):
endpoint=self._barbican_endpoint)
self._current_context = context
# TODO(pbourke): more fine grained exception handling - we are eating
# tracebacks here
except Exception as e:
LOG.error("Error creating Barbican client: %s", e)
raise exception.KeyManagerError(reason=e)
@ -134,11 +138,9 @@ class BarbicanKeyManager(key_manager.KeyManager):
return self._barbican_client
def _get_keystone_auth(self, context):
auth_url = self.conf.barbican.auth_endpoint
if context.__class__.__name__ is 'KeystonePassword':
return identity.Password(
auth_url=auth_url,
auth_url=context.auth_url,
username=context.username,
password=context.password,
user_id=context.user_id,
@ -154,7 +156,7 @@ class BarbicanKeyManager(key_manager.KeyManager):
reauthenticate=context.reauthenticate)
elif context.__class__.__name__ is 'KeystoneToken':
return identity.Token(
auth_url=auth_url,
auth_url=context.auth_url,
token=context.token,
trust_id=context.trust_id,
domain_id=context.domain_id,
@ -168,7 +170,7 @@ class BarbicanKeyManager(key_manager.KeyManager):
# projects begin to use utils.credential_factory
elif context.__class__.__name__ is 'RequestContext':
return identity.Token(
auth_url=auth_url,
auth_url=self.conf.barbican.auth_endpoint,
token=context.auth_token,
project_id=context.tenant)
else:
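Review bot: The `KeystonePassword` and `KeystoneToken` branches of `_get_keystone_auth` now pass `context.auth_url` with no fallback, so a context built without `auth_url` (its default is `None`) hands `auth_url=None` to the identity plugin where `barbican/auth_endpoint` was used before. Deployments that only set `barbican/auth_endpoint` would regress; `auth_url=context.auth_url or self.conf.barbican.auth_endpoint,` keeps them working during the deprecation period. Separately, `deprecated_name='auth_url'` with `deprecated_group='key_manager'` on `auth_endpoint` marks `key_manager/auth_url` as the old name, which is the reverse of what the release note says; `deprecated_for_removal=True` with a `deprecated_reason` looks like the intended form. The method body continues outside the hunks.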


@ -129,6 +129,7 @@ class BarbicanKeyManagerKSPasswordTestCase(BarbicanKeyManagerTestCase,
base.BaseTestCase):
def get_context(self):
auth_url = CONF.identity.auth_url
username = CONF.identity.username
password = CONF.identity.password
project_name = CONF.identity.project_name
@ -136,7 +137,7 @@ class BarbicanKeyManagerKSPasswordTestCase(BarbicanKeyManagerTestCase,
project_domain_name = CONF.identity.project_domain_name
ctxt = keystone_password.KeystonePassword(
username=username, password=password,
auth_url=auth_url, username=username, password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
@ -165,4 +166,5 @@ class BarbicanKeyManagerKSTokenTestCase(BarbicanKeyManagerTestCase,
return keystone_token.KeystoneToken(
token=auth.get_token(sess),
auth_url=auth_url,
project_id=auth.get_project_id(sess))
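Review bot: Only the functional test cases are updated, and none of the seven files in this commit adds a unit test for the new behaviour. A unit test that builds `KeystonePassword` and `KeystoneToken` with and without `auth_url` and checks what `_get_keystone_auth` passes to the identity plugin would pin the `None` case. In the `KeystoneToken` hunk, `auth_url` is used but its assignment is not visible, so it presumably comes from the part of `get_context` outside the hunk.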


@ -37,12 +37,14 @@ provided.
# keystone token credential
[key_manager]
auth_url = 'http://192.169.5.254:5000'
auth_type = 'keystone_token'
token = '5b4de0bb77064f289f7cc58e33bea8c7'
project_id = 'a1e19934af81420d980a5d02b4afe9fb'
# keystone password credential
[key_manager]
auth_url = 'http://192.169.5.254:5000'
auth_type = 'keystone_password'
username = 'admin'
password = 'passw0rd1'


@ -0,0 +1,5 @@
---
deprecations:
- |
Config option barbican/auth_endpoint is unnecessary and deprecated in
favor of the more standard key_manager/auth_url.