authorJohannes Grassler <johannes.grassler@suse.com>2016-09-16 10:01:07 +0200
committerJohannes Grassler <johannes.grassler@suse.com>2017-02-22 19:22:10 +0100
commit0c7625ff4b7eb27f2ece751fa0475d4babd6d824 (patch)
treed0eedd619e69c5adf0623f63fd41fef077d667f1
parent6c9ef6768248984f2c232020e0d71e8d4b88f7de (diff)
Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in Magnum. It makes the following changes: * Permissions for /etc/sysconfig/heat-params inside Magnum created instances are tightened to 0600 (used to be 0755). * Certificate retrieval is modified to work without the need for a Keystone trust. * The cluster's Keystone trust id is only passed into instances for clusters where that is actually needed. This prevents the trustee user from consuming the trust in cases where it is not needed. * The configuration setting trust/cluster_user_trust (False by default) is introduced. It needs to be explicitly enabled by the cloud operator to allow clusters that need the trust_id to be passed into instances to work. Without this setting, attempts to create such clusters will fail. Please note that none of these changes apply to existing clusters. They will have to be deleted and rebuilt to benefit from these changes. (cherry picked from commit e93d82e8b3bc19211efd54edc17aebdca50670c1) Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
Notes
Notes (review): Code-Review+2: Spyros Trigazis <strigazi@gmail.com> Code-Review+2: Adrian Otto <adrian.otto@rackspace.com> Workflow+1: Adrian Otto <adrian.otto@rackspace.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Wed, 22 Feb 2017 20:58:24 +0000 Reviewed-on: https://review.openstack.org/437051 Project: openstack/magnum Branch: refs/heads/stable/ocata
-rw-r--r--devstack/lib/magnum1
-rw-r--r--etc/magnum/policy.json54
-rw-r--r--magnum/common/keystone.py1
-rw-r--r--magnum/common/policy.py12
-rw-r--r--magnum/conductor/handlers/common/trust_manager.py13
-rw-r--r--magnum/conf/trust.py11
-rw-r--r--magnum/db/sqlalchemy/api.py17
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh5
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh5
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml2
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml2
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/make-cert.py6
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml2
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml2
-rw-r--r--magnum/drivers/heat/template_def.py16
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml5
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml5
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml2
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml2
-rw-r--r--magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml2
-rw-r--r--magnum/tests/base.py27
-rw-r--r--magnum/tests/unit/common/test_keystone.py15
-rw-r--r--magnum/tests/unit/conductor/handlers/common/test_trust_manager.py3
-rw-r--r--magnum/tests/unit/conductor/handlers/test_cluster_conductor.py5
-rw-r--r--magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py14
-rw-r--r--magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py9
-rw-r--r--magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py8
27 files changed, 171 insertions, 75 deletions
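--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -204,6 +204,7 @@ function create_magnum_conf {
  --os-identity-api-version 3 role add \
  --user $trustee_domain_admin_id --domain $trustee_domain_id \
  admin
+ iniset $MAGNUM_CONF trust cluster_user_trust True
  iniset $MAGNUM_CONF trust trustee_domain_name magnum
  iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
  iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD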
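Review bot: The added `iniset $MAGNUM_CONF trust cluster_user_trust True` switches the new opt-in setting on for every devstack deployment, so environments built from this script never exercise the shipped default of False. A comment above the line would keep the value from being copied into production configs unexamined, for example `# Test-only: lets registry/volume-driver clusters work; the default is False because it hands instances a trust.` create_magnum_conf starts and ends outside this hunk.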
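--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -4,35 +4,37 @@
  "default": "rule:admin_or_owner",
  "admin_api": "rule:context_is_admin",
  "admin_or_user": "is_admin:True or user_id:%(user_id)s",
+ "cluster_user": "user_id:%(trustee_user_id)s",
+ "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
 
- "bay:create": "rule:default",
- "bay:delete": "rule:default",
- "bay:detail": "rule:default",
- "bay:get": "rule:default",
- "bay:get_all": "rule:default",
- "bay:update": "rule:default",
+ "bay:create": "rule:deny_cluster_user",
+ "bay:delete": "rule:deny_cluster_user",
+ "bay:detail": "rule:deny_cluster_user",
+ "bay:get": "rule:deny_cluster_user",
+ "bay:get_all": "rule:deny_cluster_user",
+ "bay:update": "rule:deny_cluster_user",
 
- "baymodel:create": "rule:default",
- "baymodel:delete": "rule:default",
- "baymodel:detail": "rule:default",
- "baymodel:get": "rule:default",
- "baymodel:get_all": "rule:default",
- "baymodel:update": "rule:default",
+ "baymodel:create": "rule:deny_cluster_user",
+ "baymodel:delete": "rule:deny_cluster_user",
+ "baymodel:detail": "rule:deny_cluster_user",
+ "baymodel:get": "rule:deny_cluster_user",
+ "baymodel:get_all": "rule:deny_cluster_user",
+ "baymodel:update": "rule:deny_cluster_user",
  "baymodel:publish": "rule:admin_or_owner",
 
- "cluster:create": "rule:default",
- "cluster:delete": "rule:default",
- "cluster:detail": "rule:default",
- "cluster:get": "rule:default",
- "cluster:get_all": "rule:default",
- "cluster:update": "rule:default",
+ "cluster:create": "rule:deny_cluster_user",
+ "cluster:delete": "rule:deny_cluster_user",
+ "cluster:detail": "rule:deny_cluster_user",
+ "cluster:get": "rule:deny_cluster_user",
+ "cluster:get_all": "rule:deny_cluster_user",
+ "cluster:update": "rule:deny_cluster_user",
 
- "clustertemplate:create": "rule:default",
- "clustertemplate:delete": "rule:default",
- "clustertemplate:detail": "rule:default",
- "clustertemplate:get": "rule:default",
- "clustertemplate:get_all": "rule:default",
- "clustertemplate:update": "rule:default",
+ "clustertemplate:create": "rule:deny_cluster_user",
+ "clustertemplate:delete": "rule:deny_cluster_user",
+ "clustertemplate:detail": "rule:deny_cluster_user",
+ "clustertemplate:get": "rule:deny_cluster_user",
+ "clustertemplate:get_all": "rule:deny_cluster_user",
+ "clustertemplate:update": "rule:deny_cluster_user",
  "clustertemplate:publish": "rule:admin_or_owner",
 
  "quotas:get": "rule:default",
@@ -41,9 +43,9 @@
  "quotas:update": "rule:admin_api",
  "quotas:delete": "rule:admin_api",
 
- "certificate:create": "rule:admin_or_user",
- "certificate:get": "rule:admin_or_user",
  "certificate:rotate_ca": "rule:admin_or_owner",
+ "certificate:create": "rule:admin_or_user or rule:cluster_user",
+ "certificate:get": "rule:admin_or_user or rule:cluster_user",
 
  "magnum-service:get_all": "rule:admin_api",
  "stats:get_all": "rule:admin_or_owner"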
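Review bot: The bay, baymodel, cluster and clustertemplate rules in the first hunk no longer include the admin-or-owner check, because `rule:default` is replaced outright by `rule:deny_cluster_user`, which only tests `not domain_id:%(trustee_domain_id)s`. After this change any caller outside the trustee domain satisfies these rules, so project isolation for those actions presumably rests entirely on filtering done elsewhere, such as the database layer. If dropping the ownership check is not intended, the new rule could keep it, e.g. `"deny_cluster_user": "rule:default and not domain_id:%(trustee_domain_id)s"`. The definition of `admin_or_owner` lies above the hunk, so its exact effect should be confirmed there.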
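--- a/magnum/common/keystone.py
+++ b/magnum/common/keystone.py
@@ -204,6 +204,7 @@ class KeystoneClientV3(object):
  project=trustor_project_id,
  trustee_user=trustee_user,
  impersonation=True,
+ delegation_depth=0,
  role_names=roles)
  except Exception:
  LOG.exception(_LE('Failed to create trust'))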
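Review bot: Nothing in this hunk shows that `delegation_depth=0` is a field the identity service honours, and if it is silently ignored the trust is no more restricted than before. As far as I know the Keystone trust API expresses redelegation through `allow_redelegation` and `redelegation_count`, so this should be checked against the deployed API. A one-line comment above the argument, e.g. `# forbid the trustee from re-delegating this trust`, would record the intent. The call and its enclosing method begin outside the hunk.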
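--- a/magnum/common/policy.py
+++ b/magnum/common/policy.py
@@ -20,6 +20,8 @@ from oslo_config import cfg
 from oslo_policy import policy
 import pecan
 
+from magnum.common import clients
+from magnum.common import context
 from magnum.common import exception
 
 
@@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None,
  if target is None:
  target = {'project_id': context.project_id,
  'user_id': context.user_id}
+ add_policy_attributes(target)
  return enforcer.enforce(rule, target, credentials,
  do_raise=do_raise, exc=exc, *args, **kwargs)
 
 
+def add_policy_attributes(target):
+ """Adds extra information for policy enforcement to raw target object"""
+ admin_context = context.make_admin_context()
+ admin_osc = clients.OpenStackClients(admin_context)
+ trustee_domain_id = admin_osc.keystone().trustee_domain_id
+ target['trustee_domain_id'] = trustee_domain_id
+ return target
+
+
 def enforce_wsgi(api_name, act=None):
  """This is a decorator to simplify wsgi action policy rule check.
 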
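Review bot: `add_policy_attributes` runs on every `enforce()` call and each time builds an admin context, an `OpenStackClients` object and a Keystone client just to read `trustee_domain_id`. Any failure in that lookup now propagates out of policy enforcement, and the per-request cost is paid even for rules that never reference the attribute. The value looks like deployment configuration, so resolving it once and reusing it would be safer, if `trustee_domain_id` is indeed stable at runtime. The function also mutates the caller's `target` in place, which the docstring should say, e.g. `"""Add trustee_domain_id to target in place (and return it) so policy rules can reference it."""`. The body of `enforce` starts above the hunk.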
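--- a/magnum/conductor/handlers/common/trust_manager.py
+++ b/magnum/conductor/handlers/common/trust_manager.py
@@ -22,15 +22,20 @@ LOG = logging.getLogger(__name__)
 def create_trustee_and_trust(osc, cluster):
  try:
  password = utils.generate_password(length=18)
+
  trustee = osc.keystone().create_trustee(
- cluster.uuid,
+ "%s_%s" % (cluster.uuid, cluster.project_id),
  password,
  )
+
  cluster.trustee_username = trustee.name
  cluster.trustee_user_id = trustee.id
  cluster.trustee_password = password
- trust = osc.keystone().create_trust(trustee.id)
+
+ trust = osc.keystone().create_trust(
+ cluster.trustee_user_id)
  cluster.trust_id = trust.id
+
  except Exception:
  LOG.exception(
  _LE('Failed to create trustee and trust for Cluster: %s'),
@@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster):
 
 def delete_trustee_and_trust(osc, context, cluster):
  try:
+ kst = osc.keystone()
+
  # The cluster which is upgraded from Liberty doesn't have trust_id
  if cluster.trust_id:
- osc.keystone().delete_trust(context, cluster)
+ kst.delete_trust(context, cluster)
  except Exception:
  # Exceptions are already logged by keystone().delete_trust
  pass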
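Review bot: The new trustee name `"%s_%s" % (cluster.uuid, cluster.project_id)` in the first hunk is undocumented even though it has become security-relevant. The db/sqlalchemy/api.py change in this same commit parses the project id back out of the user name to decide which rows a trustee may see. A comment at the `create_trustee` call would keep the two in sync, e.g. `# NOTE: name format "<cluster uuid>_<project id>" is parsed by the DB layer's tenant filter; do not change one without the other.` In the second hunk, `kst = osc.keystone()` now also runs for clusters without a `trust_id`, though any error is still swallowed by the existing `except`.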
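--- a/magnum/conf/trust.py
+++ b/magnum/conf/trust.py
@@ -18,6 +18,17 @@ trust_group = cfg.OptGroup(name='trust',
  title='Trustee options for the magnum services')
 
 trust_opts = [
+ cfg.BoolOpt('cluster_user_trust',
+ default=False,
+ help=_('This setting controls whether to assign a trust to'
+ ' the cluster user or not. You will need to set it to'
+ ' True for clusters with volume_driver=cinder or'
+ ' registry_enabled=true in the underlying cluster'
+ ' template to work. This is a potential security risk'
+ ' since the trust gives instances OpenStack API access'
+ " to the cluster's project. Note that this setting"
+ ' does not affect per-cluster trusts assigned to the'
+ 'Magnum service user.')),
  cfg.StrOpt('trustee_domain_id',
  help=_('Id of the domain to create trustee for clusters')),
  cfg.StrOpt('trustee_domain_name',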
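Review bot: The last two fragments of the new help string join without a space, so operators will read "assigned to theMagnum service user." The final fragment should start with a space: `' Magnum service user.')),`. Since this text is the only operator-facing explanation of a security-sensitive switch, it is worth getting exactly right.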
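--- a/magnum/db/sqlalchemy/api.py
+++ b/magnum/db/sqlalchemy/api.py
@@ -26,6 +26,8 @@ from sqlalchemy.orm.exc import MultipleResultsFound
 from sqlalchemy.orm.exc import NoResultFound
 from sqlalchemy.sql import func
 
+from magnum.common import clients
+from magnum.common import context as request_context
 from magnum.common import exception
 import magnum.conf
 from magnum.db import api
@@ -122,8 +124,21 @@ class Connection(api.Connection):
  if context.is_admin and context.all_tenants:
  return query
 
- if context.project_id:
+ admin_context = request_context.make_admin_context(all_tenants=True)
+ osc = clients.OpenStackClients(admin_context)
+ kst = osc.keystone()
+
+ # User in a regular project (not in the trustee domain)
+ if context.project_id and context.domain_id != kst.trustee_domain_id:
  query = query.filter_by(project_id=context.project_id)
+ # Match project ID component in trustee user's user name against
+ # cluster's project_id to associate per-cluster trustee users who have
+ # no project information with the project their clusters/cluster models
+ # reside in. This is equivalent to the project filtering above.
+ elif context.domain_id == kst.trustee_domain_id:
+ user_name = kst.client.users.get(context.user_id).name
+ user_project = user_name.split('_', 2)[1]
+ query = query.filter_by(project_id=user_project)
  else:
  query = query.filter_by(user_id=context.user_id)
 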
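Review bot: `user_name.split('_', 2)[1]` in the second hunk raises IndexError for any trustee-domain user whose name has no underscore. That includes trustees created before this commit, which were named with the bare cluster uuid according to the trust_manager.py change, so those callers get an unhandled error instead of a clean denial. More broadly, the tenant filter now takes a project id from a Keystone user name, so anyone able to create or rename users in the trustee domain controls which project's rows are returned. Check the split result's length and reject the request when the format does not match, and consider keying on a stored attribute such as the cluster's `trustee_user_id` rather than the name. The Keystone client is also built on every non-admin query. The enclosing method starts above the hunk.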
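--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -49,11 +49,6 @@ auth_json=$(cat << EOF
  "password": "$TRUSTEE_PASSWORD"
  }
  }
- },
- "scope": {
- "OS-TRUST:trust": {
- "id": "$TRUST_ID"
- }
  }
  }
 }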
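--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -71,11 +71,6 @@ auth_json=$(cat << EOF
  "password": "$TRUSTEE_PASSWORD"
  }
  }
- },
- "scope": {
- "OS-TRUST:trust": {
- "id": "$TRUST_ID"
- }
  }
  }
 }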
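--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
  KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"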
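Review bot: `permissions: "0600"` protects the file on disk, but the same values presumably reach the instance as cloud-init user data, which is commonly still readable by local processes through the metadata service. It is worth confirming that path is restricted as well, or the tighter mode only partly closes the exposure. The mode removed here is "0644", whereas the commit description says the file used to be 0755. A short comment above the key, e.g. `# 0600: heat-params can hold secrets passed in from Heat`, would stop the mode from being relaxed later. The same one-line change is made in the other write-heat-params fragments of this commit (kubernetes, swarm, k8s_coreos_v1, mesos_ubuntu_v1).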
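--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
  KUBE_MASTER_IP="$KUBE_MASTER_IP"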
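--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -150,11 +150,6 @@ def get_user_token(config):
  "password": "%(trustee_password)s"
  }
  }
- },
- "scope": {
- "OS-TRUST:trust": {
- "id": "%(trust_id)s"
- }
  }
  }
 }
@@ -162,7 +157,6 @@ def get_user_token(config):
  params = {
  'trustee_user_id': config['TRUSTEE_USER_ID'],
  'trustee_password': config['TRUSTEE_PASSWORD'],
- 'trust_id': config['TRUST_ID']
  }
  creds = creds_str % params
  headers = {'Content-Type': 'application/json'}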
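--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
  WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"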
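--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
  WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"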
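--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -21,6 +21,7 @@ import six
 from magnum.common import clients
 from magnum.common import exception
 import magnum.conf
+from magnum.i18n import _LE
 from magnum.i18n import _LW
 
 from requests import exceptions as req_exceptions
@@ -245,7 +246,20 @@ class BaseTemplateDefinition(TemplateDefinition):
  extra_params['trustee_user_id'] = cluster.trustee_user_id
  extra_params['trustee_username'] = cluster.trustee_username
  extra_params['trustee_password'] = cluster.trustee_password
- extra_params['trust_id'] = cluster.trust_id
+
+ # Only pass trust ID into the template when it is needed.
+ if (cluster_template.volume_driver == 'rexray' or
+ cluster_template.registry_enabled):
+ if CONF.trust.cluster_user_trust:
+ extra_params['trust_id'] = cluster.trust_id
+ else:
+ missing_setting = ('trust/cluster_user_trust = True')
+ msg = _LE('This cluster can only be created with %s in '
+ 'magnum.conf')
+ raise exception.ConfigInvalid(msg % missing_setting)
+ else:
+ extra_params['trust_id'] = ""
+
  extra_params['auth_url'] = context.auth_url
 
  return super(BaseTemplateDefinition,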
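Review bot: The gate in the second hunk tests `cluster_template.volume_driver == 'rexray'`, while the help text added to magnum/conf/trust.py in this commit tells operators the setting is needed for `volume_driver=cinder`. One of the two is presumably wrong. If cinder-backed clusters do need the trust, they now receive an empty `trust_id` and fail later inside the instance rather than being rejected here with the clear ConfigInvalid message. The condition and the help text should name the same drivers, for example `cluster_template.volume_driver in ('cinder', 'rexray')`, if both really require it. Separately, `_LE` is a log-message marker by its name and by its use with `LOG.exception` elsewhere in this commit; the text raised in `ConfigInvalid` is user-facing and would normally use the plain `_` translator. The enclosing method begins and ends outside the hunk.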
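--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -63,11 +63,6 @@ write_files:
  "password": "$TRUSTEE_PASSWORD"
  }
  }
- },
- "scope": {
- "OS-TRUST:trust": {
- "id": "$TRUST_ID"
- }
  }
  }
  }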
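--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -86,11 +86,6 @@ write_files:
  "password": "$TRUSTEE_PASSWORD"
  }
  }
- },
- "scope": {
- "OS-TRUST:trust": {
- "id": "$TRUST_ID"
- }
  }
  }
  }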
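--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
  KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"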
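--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
  KUBE_MASTER_IP="$KUBE_MASTER_IP"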
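--- a/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
  - path: /etc/sysconfig/heat-params
  owner: "root:root"
- permissions: "0644"
+ permissions: "0600"
  content: |
  MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
  EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"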
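--- a/magnum/tests/base.py
+++ b/magnum/tests/base.py
@@ -26,6 +26,7 @@ import pecan
 import testscenarios
 
 from magnum.common import context as magnum_context
+from magnum.common import keystone as magnum_keystone
 from magnum.objects import base as objects_base
 from magnum.tests import conf_fixture
 from magnum.tests import fake_notifier
@@ -63,11 +64,18 @@ class TestCase(base.BaseTestCase):
  }
  }
  }
+
+ trustee_domain_id = '12345678-9012-3456-7890-123456789abc'
+
  self.context = magnum_context.RequestContext(
  auth_token_info=token_info,
  project_id='fake_project',
  user_id='fake_user')
 
+ self.global_mocks = {}
+
+ self.keystone_client = magnum_keystone.KeystoneClientV3(self.context)
+
  self.policy = self.useFixture(policy_fixture.PolicyFixture())
 
  self.useFixture(fixtures.MockPatchObject(
@@ -89,9 +97,22 @@ class TestCase(base.BaseTestCase):
 
  p = mock.patch.object(magnum_context, 'make_context',
  side_effect=make_context)
+
+ self.global_mocks['magnum.common.context.make_context'] = p
+
+ q = mock.patch.object(magnum_keystone.KeystoneClientV3,
+ 'trustee_domain_id',
+ return_value=trustee_domain_id)
+
+ self.global_mocks[
+ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q
+
  self.mock_make_context = p.start()
  self.addCleanup(p.stop)
 
+ self.mock_make_trustee_domain_id = q.start()
+ self.addCleanup(q.stop)
+
  self.useFixture(conf_fixture.ConfFixture())
  self.useFixture(fixtures.NestedTempfile())
 
@@ -104,6 +125,12 @@ class TestCase(base.BaseTestCase):
 
  self.addCleanup(reset_pecan)
 
+ def start_global(self, name):
+ self.global_mocks[name].start()
+
+ def stop_global(self, name):
+ self.global_mocks[name].stop()
+
  def _restore_obj_registry(self):
  objects_base.MagnumObjectRegistry._registry._obj_classes \
  = self._base_test_obj_backup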
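Review bot: The patch `q` in the third hunk replaces `trustee_domain_id` with a plain mock configured via `return_value=`, but the production code in this commit reads it as an attribute (`kst.trustee_domain_id`, no call). In tests the attribute therefore evaluates to the mock object rather than the UUID string, so `context.domain_id == kst.trustee_domain_id` can never be true and the new trustee-domain branch of the DB filter and the `deny_cluster_user` rule are presumably never exercised with a matching domain. If `trustee_domain_id` is a property, as the attribute-style access suggests, the patch should be `mock.patch.object(magnum_keystone.KeystoneClientV3, 'trustee_domain_id', new_callable=mock.PropertyMock, return_value=trustee_domain_id)`. setUp begins above the first hunk.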
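--- a/magnum/tests/unit/common/test_keystone.py
+++ b/magnum/tests/unit/common/test_keystone.py
@@ -55,6 +55,19 @@ class KeystoneClientTest(base.TestCase):
  admin_tenant_name='service',
  group=ksconf.CFG_LEGACY_GROUP)
 
+ # Disable global mocking for trustee_domain_id
+ self.stop_global(
+ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
+
+ def tearDown(self):
+ # Re-enable global mocking for trustee_domain_id. We need this because
+ # mock blows up when trying to stop an already stopped patch (which it
+ # will do due to the addCleanup() in base.TestCase).
+ self.start_global(
+ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
+
+ super(KeystoneClientTest, self).tearDown()
+
  def test_client_with_password(self, mock_ks):
  self.ctx.is_admin = True
  ks_client = keystone.KeystoneClientV3(self.ctx)
@@ -136,6 +149,7 @@ class KeystoneClientTest(base.TestCase):
  ks_client.create_trust(trustee_user='888888')
 
  mock_ks.return_value.trusts.create.assert_called_once_with(
+ delegation_depth=0,
  trustor_user='123456', project='654321',
  trustee_user='888888', role_names=['role1', 'role2'],
  impersonation=True)
@@ -152,6 +166,7 @@ class KeystoneClientTest(base.TestCase):
  ks_client.create_trust(trustee_user='888888')
 
  mock_ks.return_value.trusts.create.assert_called_once_with(
+ delegation_depth=0,
  trustor_user='123456', project='654321',
  trustee_user='888888', role_names=['role3'],
  impersonation=True)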
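--- a/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py
+++ b/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py
@@ -37,6 +37,7 @@ class TrustManagerTestCase(base.BaseTestCase):
 mock_generate_password.return_value = mock_password
 mock_cluster = mock.MagicMock()
 mock_cluster.uuid = 'mock_cluster_uuid'
+mock_cluster.project_id = 'mock_cluster_project_id'
 mock_keystone = mock.MagicMock()
 mock_trustee = mock.MagicMock()
 mock_trustee.id = 'mock_trustee_id'
@@ -52,7 +53,7 @@ class TrustManagerTestCase(base.BaseTestCase):
 trust_manager.create_trustee_and_trust(self.osc, mock_cluster)
 
 mock_keystone.create_trustee.assert_called_once_with(
-mock_cluster.uuid,
+'%s_%s' % (mock_cluster.uuid, mock_cluster.project_id),
 mock_password,
 )
 mock_keystone.create_trust.assert_called_once_with(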
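Review bot: The expected trustee name at new line 56 is rebuilt with a `'%s_%s' % (...)` expression, so the assertion mirrors a formatting step instead of stating the name that is handed to Keystone. Both inputs are fixed strings set at new lines 39-40, so the expectation can be the literal `'mock_cluster_uuid_mock_cluster_project_id',`, which shows the resulting name at a glance and fails visibly if the separator or field order ever changes. The test method starts and ends outside these hunks.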
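--- a/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py
@@ -181,6 +181,11 @@ class TestHandler(db_base.DbTestCase):
 mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone()
 mock_heat_poller_class.return_value = mock_poller
 osc = mock.sentinel.osc
+
+def return_keystone():
+return self.keystone_client
+
+osc.keystone = return_keystone
 mock_openstack_client_class.return_value = osc
 mock_dr = mock.MagicMock()
 mock_driver.return_value = mock_dr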
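Review bot: The nested `return_keystone` helper added at new lines 185-188 has no comment saying why the sentinel `osc` now needs a callable `keystone`, and a plain function cannot be asserted on afterwards. `osc.keystone = mock.Mock(return_value=self.keystone_client)` does the same in one line and lets the test check that the handler actually asked for the client. A short comment such as `# the create path now calls osc.keystone()` would explain the stub, but confirm it against the handler, which is outside this hunk. `self.keystone_client` and the start and end of the test method are also outside the hunk.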
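--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -194,7 +194,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
@@ -236,6 +236,10 @@ class TestClusterConductorWithK8s(base.TestCase):
 'RegionOne',
 group='docker_registry')
 
+CONF.set_override('cluster_user_trust',
+True,
+group='trust')
+
 (template_path,
 definition,
 env_files) = mock_driver()._extract_template_definition(self.context,
@@ -350,7 +354,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'ssh_key_name': 'keypair_id',
 'tenant_name': 'fake_tenant',
 'tls_disabled': False,
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'trustee_domain_id': 'trustee_domain_id',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
@@ -421,7 +425,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'cluster_uuid': self.cluster_dict['uuid'],
 'magnum_url': self.mock_osc.magnum_url.return_value,
@@ -488,7 +492,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'cluster_uuid': self.cluster_dict['uuid'],
 'magnum_url': self.mock_osc.magnum_url.return_value,
@@ -686,7 +690,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',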
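Review bot: The `CONF.set_override('cluster_user_trust', True, group='trust')` added at new lines 239-241 carries no comment, so a reader cannot tell which option of this test's cluster makes the trust necessary. The swarm test in this commit explains its override with `# We need this due to volume_driver=rexray`, and the same kind of line belongs here. It presumably concerns the registry settings overridden just above, e.g. `# We need this due to registry_enabled=True` if that is what the template sets. The template and the expected parameters of this test are outside the hunk, so that reason is inferred.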
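--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -37,6 +37,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'http_proxy': 'http_proxy',
 'https_proxy': 'https_proxy',
 'no_proxy': 'no_proxy',
+'registry_enabled': False,
 'server_type': 'vm',
 'volume_driver': 'volume_driver',
 'labels': {'rexray_preempt': 'False',
@@ -117,7 +118,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'volume_driver': 'volume_driver',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'region_name': self.mock_osc.cinder_region_name.return_value,
@@ -171,7 +172,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'region_name': self.mock_osc.cinder_region_name.return_value,
 'username': 'mesos_user',
@@ -227,7 +228,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'volume_driver': 'volume_driver',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'region_name': self.mock_osc.cinder_region_name.return_value,
@@ -285,7 +286,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'trustee_username': 'fake_trustee',
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
-'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
+'trust_id': '',
 'volume_driver': 'volume_driver',
 'auth_url': 'http://192.168.10.10:5000/v3',
 'region_name': self.mock_osc.cinder_region_name.return_value,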
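Review bot: All four expectations changed in this file (new lines 121, 175, 231 and 289) now pin `'trust_id': ''`, which covers only clusters that do not need the trust. Nothing visible in these hunks exercises the new gate itself: per the commit description, creating a cluster that needs the trust should fail while `trust/cluster_user_trust` is at its default of False, and should receive the stored trust id once the option is enabled. If such cases do not already exist elsewhere in the file, add a pair of tests for a trust-requiring Mesos cluster, the first using `CONF.set_override('cluster_user_trust', False, group='trust')` and asserting the failure. The test methods and cluster dictionaries start outside these hunks, so this is stated from the visible expectations only.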
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index 6e531ad..e3b3036 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -74,6 +74,12 @@ class TestClusterConductorWithSwarm(base.TestCase):
74 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', 74 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
75 'coe_version': 'fake-version' 75 'coe_version': 'fake-version'
76 } 76 }
77
78 # We need this due to volume_driver=rexray
79 CONF.set_override('cluster_user_trust',
80 True,
81 group='trust')
82
77 osc_patcher = mock.patch('magnum.common.clients.OpenStackClients') 83 osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
78 self.mock_osc_class = osc_patcher.start() 84 self.mock_osc_class = osc_patcher.start()
79 self.addCleanup(osc_patcher.stop) 85 self.addCleanup(osc_patcher.stop)
@@ -280,7 +286,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
280 'trustee_username': 'fake_trustee', 286 'trustee_username': 'fake_trustee',
281 'trustee_password': 'fake_trustee_password', 287 'trustee_password': 'fake_trustee_password',
282 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', 288 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
283 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', 289 'trust_id': '',
284 'auth_url': 'http://192.168.10.10:5000/v3', 290 'auth_url': 'http://192.168.10.10:5000/v3',
285 'swarm_version': 'fake-version', 291 'swarm_version': 'fake-version',
286 'swarm_strategy': u'spread', 292 'swarm_strategy': u'spread',