Verify keystone connection using token

This patch simplifies the keystone connectivity check to just
get a token instead of making another call that internally gets
a token too. This ensures that only the public keystone endpoint
needs to be accessible, by contrast with the previous project or
region list that needed access to the admin keystone endpoint,
which is usually not accessible from within OpenStack VMs.

Closes-Bug: 1789632
Change-Id: Id19a7e7e1662c33dfb5df417ac24d22926227737
(cherry picked from commit 810865cad4)
Luis Tomas Bolivar 2018-08-29 13:34:02 +02:00
parent 8fdb5b4c1d
commit 531ed16e5d
2 changed files with 6 additions and 14 deletions


@ -19,8 +19,6 @@ from flask import Flask
from oslo_config import cfg
from oslo_log import log as logging
from keystoneauth1 import exceptions as k_exc
from keystoneclient import client as keystone_client
from kuryr.lib._i18n import _
from kuryr.lib import config as kuryr_config
from kuryr.lib import utils
@ -75,12 +73,9 @@ class HealthServer(object):
return error_message, httplib.INTERNAL_SERVER_ERROR, self.headers
try:
self.verify_keystone_connection()
except k_exc.http.HttpError as h_ex:
error_message = 'Error when processing Keystone request %s.' % h_ex
LOG.exception(error_message)
return error_message, h_ex.http_status, self.headers
except Exception as ex:
error_message = 'Error when creating a Keystone client: %s.' % ex
error_message = ('Error when creating a Keystone session and '
'getting a token: %s.' % ex)
LOG.exception(error_message)
return error_message, httplib.INTERNAL_SERVER_ERROR, self.headers
try:
@ -121,13 +116,11 @@ class HealthServer(object):
return True
def verify_keystone_connection(self):
# Obtain a new token to ensure connectivity with keystone
conf_group = kuryr_config.neutron_group.name
auth_plugin = utils.get_auth_plugin(conf_group)
sess = utils.get_keystone_session(conf_group, auth_plugin)
endpoint_type = getattr(getattr(cfg.CONF, conf_group), 'endpoint_type')
ks = keystone_client.Client(session=sess, auth=auth_plugin,
endpoint_type=endpoint_type)
ks.regions.list()
sess.get_token()
def verify_neutron_connection(self):
neutron = utils.get_neutron_client()
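Review bot: In the second hunk the new message `error_message = ('Error when creating a Keystone session and ' 'getting a token: %s.' % ex)` is both logged and returned as the body of the readiness response, so whatever text the keystoneauth exception carries (it may include the auth URL and the failure reason) is presumably exposed to any client that can reach the health endpoint. Since `LOG.exception(error_message)` already records the exception with its traceback, the response can carry a fixed string instead, e.g. `return ('Error when creating a Keystone session and getting a token.', httplib.INTERNAL_SERVER_ERROR, self.headers)`. The same pattern applies to the unchanged `%s` messages elsewhere in this handler, which starts and ends outside the hunk. In the third hunk, `verify_keystone_connection` now discards the token it obtains, which is the right thing to do; a docstring such as `"""Obtain a token from the public keystone endpoint; raises on failure."""` would make that contract explicit for the caller.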


@ -12,7 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
from keystoneauth1 import exceptions
from kuryr_kubernetes.controller.managers import health
from kuryr_kubernetes.handlers import health as h_health
from kuryr_kubernetes.tests import base
@ -80,11 +79,11 @@ class TestHealthServer(base.TestCase):
m_verify_keystone_conn):
m_exist.return_value = True
m_verify_k8s_conn.return_value = True, 200
m_verify_keystone_conn.side_effect = exceptions.http.Unauthorized
m_verify_keystone_conn.side_effect = Exception
resp = self.test_client.get('/ready')
m_verify_keystone_conn.assert_called_once()
self.assertEqual(401, resp.status_code)
self.assertEqual(500, resp.status_code)
@mock.patch('kuryr_kubernetes.controller.managers.health.HealthServer.'
'verify_neutron_connection')