Verify keystone connection using token
This patch simplifies the keystone connectivity check to just
get a token instead of making another call that internally gets
a token too. This ensures that only the public keystone endpoint
needs to be accessible, by contrast with the previous project or
region list that needed access to the admin keystone endpoint,
which is usually not accessible from within OpenStack VMs.
Closes-Bug: 1789632
Change-Id: Id19a7e7e1662c33dfb5df417ac24d22926227737
(cherry picked from commit 810865cad4
)
parent
8fdb5b4c1d
commit
531ed16e5d
|
@ -19,8 +19,6 @@ from flask import Flask
|
|||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
|
||||
from keystoneauth1 import exceptions as k_exc
|
||||
from keystoneclient import client as keystone_client
|
||||
from kuryr.lib._i18n import _
|
||||
from kuryr.lib import config as kuryr_config
|
||||
from kuryr.lib import utils
|
||||
|
@ -75,12 +73,9 @@ class HealthServer(object):
|
|||
return error_message, httplib.INTERNAL_SERVER_ERROR, self.headers
|
||||
try:
|
||||
self.verify_keystone_connection()
|
||||
except k_exc.http.HttpError as h_ex:
|
||||
error_message = 'Error when processing Keystone request %s.' % h_ex
|
||||
LOG.exception(error_message)
|
||||
return error_message, h_ex.http_status, self.headers
|
||||
except Exception as ex:
|
||||
error_message = 'Error when creating a Keystone client: %s.' % ex
|
||||
error_message = ('Error when creating a Keystone session and '
|
||||
'getting a token: %s.' % ex)
|
||||
LOG.exception(error_message)
|
||||
return error_message, httplib.INTERNAL_SERVER_ERROR, self.headers
|
||||
try:
|
||||
|
@ -121,13 +116,11 @@ class HealthServer(object):
|
|||
return True
|
||||
|
||||
def verify_keystone_connection(self):
|
||||
# Obtain a new token to ensure connectivity with keystone
|
||||
conf_group = kuryr_config.neutron_group.name
|
||||
auth_plugin = utils.get_auth_plugin(conf_group)
|
||||
sess = utils.get_keystone_session(conf_group, auth_plugin)
|
||||
endpoint_type = getattr(getattr(cfg.CONF, conf_group), 'endpoint_type')
|
||||
ks = keystone_client.Client(session=sess, auth=auth_plugin,
|
||||
endpoint_type=endpoint_type)
|
||||
ks.regions.list()
|
||||
sess.get_token()
|
||||
|
||||
def verify_neutron_connection(self):
|
||||
neutron = utils.get_neutron_client()
|
||||
|
|
|
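Review bot: The token returned by `sess.get_token()` on the last line of `verify_keystone_connection` is discarded, and keystoneauth1's `Session.get_token` appears to return None rather than raise when the configured auth plugin yields no token, in which case the readiness probe would report healthy without having exercised Keystone at all. Consider checking the result, e.g. `if not sess.get_token(): raise RuntimeError('Keystone returned no token')`, which the caller's `except Exception` branch already maps to a 500 with a logged message. With the `k_exc.http.HttpError` handler and its import dropped, an HTTP failure from Keystone is now reported as a generic 500 rather than its own status; a short comment at the remaining `except Exception` noting that collapse would help readers, and the enclosing `/ready` handler begins outside the hunk.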
@ -12,7 +12,6 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
from keystoneauth1 import exceptions
|
||||
from kuryr_kubernetes.controller.managers import health
|
||||
from kuryr_kubernetes.handlers import health as h_health
|
||||
from kuryr_kubernetes.tests import base
|
||||
|
@ -80,11 +79,11 @@ class TestHealthServer(base.TestCase):
|
|||
m_verify_keystone_conn):
|
||||
m_exist.return_value = True
|
||||
m_verify_k8s_conn.return_value = True, 200
|
||||
m_verify_keystone_conn.side_effect = exceptions.http.Unauthorized
|
||||
m_verify_keystone_conn.side_effect = Exception
|
||||
resp = self.test_client.get('/ready')
|
||||
|
||||
m_verify_keystone_conn.assert_called_once()
|
||||
self.assertEqual(401, resp.status_code)
|
||||
self.assertEqual(500, resp.status_code)
|
||||
|
||||
@mock.patch('kuryr_kubernetes.controller.managers.health.HealthServer.'
|
||||
'verify_neutron_connection')
|
||||
|
|
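Review bot: Asserting only `self.assertEqual(500, resp.status_code)` after `m_verify_keystone_conn.side_effect = Exception` does not show that the Keystone branch produced the failure, since any unhandled exception in the `/ready` handler would also yield a 500. A body check such as `self.assertIn('Keystone session', resp.get_data(as_text=True))` would pin the test to the new error message. The test method's decorators and name begin outside the hunk, so it is not visible whether the name still refers to the former Unauthorized case rather than a generic failure.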