From 38758fbb145751847e975873ce60c28e46bf6db0 Mon Sep 17 00:00:00 2001 From: wenchma Date: Tue, 28 Apr 2015 10:05:48 +0800 Subject: [PATCH] Refactor nova section to enable auth strategy Authenticating to nova using nova_admin_* options is deprecated. CONF.nova_admin_auth_url CONF.nova_admin_username CONF.nova_admin_password CONF.nova_admin_tenant_id CONF.nova_admin_tenant_name This should be done using an auth plugin, like password: [nova] region_name = RegionOne project_domain_id = default project_name = service user_domain_id = default password = passw0rd username = nova auth_url = http://127.0.0.1:35357 auth_plugin = password Reference: https://github.com/openstack/neutron/blob/master/neutron/notifiers/nova.py#L85-90 Change-Id: I8896af89f1b5fef39776a8aa1289cb9ee7645a08 Closes-bug: #1449058
---
 attributes/default.rb | 12 ++++++++++-
 spec/default_spec.rb | 32 ++++++++++++++++++----------
 templates/default/neutron.conf.erb | 34 ++++++++++++++++--------------
 3 files changed, 50 insertions(+), 28 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 5aa8ad3e..10c79774 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -244,6 +244,9 @@ default['openstack']['network']['nova']['region_name'] = node['openstack']['regi
 # Username for connection to nova in admin context
 default['openstack']['network']['nova']['admin_username'] = 'nova'
+# User's domain ID for authentication.
+default['openstack']['network']['nova']['user_domain_id'] = 'default'
+
 # Version for connection to nova
 # TODO: (MRV) Need to allow for this in Common.
 default['openstack']['network']['nova']['url_version'] = '/v2'
@@ -256,9 +259,16 @@ default['openstack']['network']['nova']['admin_tenant_id'] = nil
 # defined here based upon Compute cookbook attribute:
 # default['openstack']['compute']['service_tenant_name'] = 'service'
 # Since this cookbook does not depend upon Compute, can't directly
-# reference that here.
+# reference that here. Deprecated for Liberty.
 default['openstack']['network']['nova']['admin_tenant_name'] = 'service'
+# Project name for project scoping. Use this instead of deprecated 'admin_tenant_name',
+# which is still used until Liberty.
+default['openstack']['network']['nova']['project_name'] = node['openstack']['network']['nova']['admin_tenant_name']
+
+# Project's domain ID for project.
+default['openstack']['network']['nova']['project_domain_id'] = 'default'
+
 # Number of seconds between sending events to nova if there are any events to send
 default['openstack']['network']['nova']['send_events_interval'] = 2
diff --git a/spec/default_spec.rb b/spec/default_spec.rb
index 141a622f..d799a5e2 100644
--- a/spec/default_spec.rb
+++ b/spec/default_spec.rb
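Review bot: In attributes/default.rb the new `project_name` default is read from `node['openstack']['network']['nova']['admin_tenant_name']` at the moment this attribute file is loaded, so an override of `admin_tenant_name` applied later (a wrapper cookbook's attribute file, or `node.set` in a recipe or spec) would presumably not reach `project_name`, and the rendered value would silently stay at `service`. If the two are meant to track each other until Liberty, resolve the fallback where the value is used: default `project_name` to `nil` and render `node['openstack']['network']['nova']['project_name'] || node['openstack']['network']['nova']['admin_tenant_name']` in the template. The comment `# Project's domain ID for project.` would read better as `# Domain ID of the project used for scoping.`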
@@ -672,24 +672,34 @@ describe 'openstack-network' do
 expect(chef_run).not_to render_config_file(file.name).with_section_content('nova', /^admin_tenant_id =/)
 end
- %w(region_name admin_username admin_tenant_id admin_tenant_name).each do |attr|
- it "sets the #{attr} nova attribute" do
- node.set['openstack']['network']['nova'][attr] = "nova_#{attr}_value"
- expect(chef_run).to render_config_file(file.name).with_section_content('nova', /^#{attr} = nova_#{attr}_value$/)
+ it 'sets the nova admin_tenant_id' do
+ node.set['openstack']['network']['nova']['admin_tenant_id'] = 'admin_tenant_id_value'
+
+ expect(chef_run).to render_config_file(file.name).with_section_content('nova', /^admin_tenant_id = admin_tenant_id_value/)
+ end
+
+ it 'has default nova user and project attributes' do
+ [
+ /^username = nova$/,
+ /^user_domain_id = default$/,
+ /^project_name = service$/,
+ /^project_domain_id = default$/
+ ].each do |line|
+ expect(chef_run).to render_config_file(file.name).with_section_content('nova', line)
 end
 end
- it 'sets the nova url attribute with the right version' do
- node.set['openstack']['network']['nova']['url_version'] = '/nova_version_value'
- expect(chef_run).to render_config_file(file.name).with_section_content('nova', %r(^url = http://127.0.0.1:8774/nova_version_value$))
+ it 'sets the nova region_name attribute' do
+ node.set['openstack']['network']['nova']['region_name'] = 'nova_region_name_value'
+ expect(chef_run).to render_config_file(file.name).with_section_content('nova', /^region_name = nova_region_name_value$/)
 end
- it 'sets the nova admin_password attribute' do
- expect(chef_run).to render_config_file(file.name).with_section_content('nova', /^admin_password = nova-pass$/)
+ it 'sets the nova password attribute' do
+ expect(chef_run).to render_config_file(file.name).with_section_content('nova', /^password = nova-pass$/)
 end
- it 'sets the nova admin_auth_url attribute' do
- expect(chef_run).to render_config_file(file.name).with_section_content('nova', %r(^admin_auth_url = http://127.0.0.1:35357/v2.0$))
+ it 'sets the nova auth_url attribute' do
+ expect(chef_run).to render_config_file(file.name).with_section_content('nova', %r(^auth_url = http://127.0.0.1:35357/v2.0$))
 end
 it 'has default nova api insecure' do
diff --git a/templates/default/neutron.conf.erb b/templates/default/neutron.conf.erb
index eb53dadb..02c012e5 100644
--- a/templates/default/neutron.conf.erb
+++ b/templates/default/neutron.conf.erb
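Review bot: The `auth_url` expectation in spec/default_spec.rb pins the rendered value to `http://127.0.0.1:35357/v2.0`, while the same `[nova]` section is now asserted to carry `user_domain_id` and `project_domain_id`, which look like Keystone v3 scoping options. Whether the `password` plugin accepts domain options against a v2.0 URL is not shown in this diff and should be confirmed; the example in the commit message uses an unversioned `auth_url`. The expected endpoint is also plain http, so outside a single-host setup the nova service password would travel unencrypted, and a spec case with an https identity endpoint would document the supported secure configuration. Minor: `/^admin_tenant_id = admin_tenant_id_value/` dropped the trailing `$` that the removed loop and the other new patterns use.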
@@ -577,31 +577,33 @@ pool_timeout = <%= node['openstack']['db']['network']['pool_timeout'] %>
 # Name of the plugin to load
 auth_plugin = <%= node['openstack']['network']['nova']['auth_plugin'] %>
+# Authorization URL for connection to nova in admin context.
+auth_url = <%= @identity_admin_endpoint.to_s %>
+
+# Username for connection to nova in admin context
+username = <%= node["openstack"]["network"]["nova"]["admin_username"] %>
+
+user_domain_id = <%= node["openstack"]["network"]["nova"]["user_domain_id"] %>
+
+# Password for connection to nova in admin context.
+password = <%= @nova_admin_pass %>
+
+# Project's domain name for project.
+project_name = <%= node["openstack"]["network"]["nova"]["project_name"] %>
+
+# Project's domain ID for project.
+project_domain_id = <%= node["openstack"]["network"]["nova"]["project_domain_id"] %>
+
+
 # Boolean to control ignoring SSL errors on the nova url
 # insecure = False
 insecure = <%= node['openstack']['network']['nova']['insecure'] %>
-# URL for connection to nova (Only supports one nova region currently).
-url = <%= @nova_endpoint %>
-
-# Username for connection to nova in admin context
-admin_username = <%= node["openstack"]["network"]["nova"]["admin_username"] %>
-
 <% if node['openstack']['network']['nova']['admin_tenant_id'] -%>
 # The uuid of the admin nova tenant
 admin_tenant_id = <%= node["openstack"]["network"]["nova"]["admin_tenant_id"] %>
 <% end -%>
-# The name of the admin nova tenant. If the uuid of the admin nova tenant
-# is set, this is optional.
-admin_tenant_name = <%= node["openstack"]["network"]["nova"]["admin_tenant_name"] %>
-
-# Password for connection to nova in admin context.
-admin_password = <%= @nova_admin_pass %>
-
-# Authorization URL for connection to nova in admin context.
-admin_auth_url = <%= @identity_admin_endpoint.to_s %>
-
 # Name of nova region to use. Useful if keystone manages more than one region
 region_name = <%= node["openstack"]["network"]["nova"]["region_name"] %>
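Review bot: The comment added above `project_name` in templates/default/neutron.conf.erb reads "Project's domain name for project.", which describes a different option, and `user_domain_id` is rendered with no comment at all. Suggest `# Project name to scope to.` and `# User's domain ID for authentication.` (the latter is the wording already used in attributes/default.rb). Because this section writes `password = <%= @nova_admin_pass %>` in clear text, the resource that renders neutron.conf (not visible in this diff) should keep the file readable only by the neutron service account and be marked `sensitive true` so Chef does not log the rendered content.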