From af24f14be5581bbaa4cd737330bb2cbcc49a9908 Mon Sep 17 00:00:00 2001
From: Hongbin Lu
Date: Sun, 25 Dec 2016 12:19:37 -0600
Subject: [PATCH] Use keystoneauth1 for cinder access
The goal is to add support for keystone v3, while still maintain backward-compatibility. In particular, it did the following:
* Use keystoneauth1 for keystone authentication
* Deprecate the usage of keystoneclient.auth, which is the legacy way of doing authentication. It seems to support keystone v2 only, which cause the problem.
* Introduce new auth session in config file.
* Deprecate old auth session in config file.
Closes-Bug: #1563011
Change-Id: Ia80b4377eda6314ad8e6287cb65eb2842f972b8b
---
 devstack/local.conf.sample | 4 ++++
 devstack/plugin.sh | 9 +++++----
 devstack/settings | 4 ++++
 fuxi/common/config.py | 38 ++++++++++++++++++++++++++++----------
 fuxi/opts.py | 5 +++--
 fuxi/utils.py | 23 ++++++++++++++++++-----
 requirements.txt | 1 +
 7 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/devstack/local.conf.sample b/devstack/local.conf.sample
index 20d7287..146e6dc 100644
--- a/devstack/local.conf.sample
+++ b/devstack/local.conf.sample
@@ -9,4 +9,8 @@ SERVICE_PASSWORD=pass
 SERVICE_TOKEN=pass
 ADMIN_PASSWORD=pass
+# Install kuryr git master source code by default.
+# If you want to use stable kuryr lib, please comment out this line.
+LIBS_FROM_GIT=kuryr
+
 enable_plugin fuxi https://git.openstack.org/openstack/fuxi
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index b9a1707..bab02a3 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -54,10 +54,7 @@ function configure_fuxi {
 if is_service_enabled fuxi; then
 configure_auth_token_middleware $FUXI_CONFIG fuxi \
- $FUXI_AUTH_CACHE_DIR keystone
- iniset $FUXI_CONFIG keystone admin_user fuxi
- iniset $FUXI_CONFIG keystone admin_password $SERVICE_PASSWORD
- iniset $FUXI_CONFIG keystone admin_tenant_name $SERVICE_PROJECT_NAME
+ $FUXI_AUTH_CACHE_DIR cinder
 iniset $FUXI_CONFIG DEFAULT fuxi_port 7879
 iniset $FUXI_CONFIG DEFAULT my_ip $HOST_IP
@@ -79,6 +76,10 @@ function configure_fuxi {
 if is_service_enabled fuxi; then
 if [[ "$1" == "stack" && "$2" == "install" ]]; then
+ if use_library_from_git "kuryr"; then
+ git_clone_by_name "kuryr"
+ setup_dev_lib "kuryr"
+ fi
 install_etcd_data_store
 setup_develop $FUXI_HOME
diff --git a/devstack/settings b/devstack/settings
index 0ba1323..39bd30c 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -17,4 +17,8 @@ FUXI_DOCKER_ENGINE_PORT=${FUXI_DOCKER_ENGINE_PORT:-2375}
 FUXI_DOCKER_ENGINE_SOCKET_FILE=${FUXI_DOCKER_ENGINE_SOCKET_FILE:-/var/run/docker.sock}
 FUXI_ETCD_PORT=${FUXI_ETCD_PORT:-4001}
+GITREPO["kuryr"]=${KURYR_REPO:-${GIT_BASE}/openstack/kuryr.git}
+GITBRANCH["kuryr"]=${KURYR_BRANCH:-master}
+GITDIR["kuryr"]=$DEST/kuryr
+
 enable_service fuxi etcd-server docker-engine
diff --git a/fuxi/common/config.py b/fuxi/common/config.py
index 592964a..c2fe8f4 100644
--- a/fuxi/common/config.py
+++ b/fuxi/common/config.py
@@ -12,6 +12,8 @@
 import os
+from kuryr.lib import config as kuryr_config
+from kuryr.lib import opts as kuryr_opts
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -45,31 +47,39 @@ default_opts = [
 default='/etc/fuxi/rootwrap.conf'),
 ]
-keystone_opts = [
+legacy_keystone_opts = [
 cfg.StrOpt('region',
 default=os.environ.get('REGION'),
- help=_('The region that this machine belongs to.')),
+ help=_('The region that this machine belongs to.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('auth_url',
 default=os.environ.get('IDENTITY_URL'),
- help=_('The URL for accessing the identity service.')),
+ help=_('The URL for accessing the identity service.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('admin_user',
 default=os.environ.get('SERVICE_USER'),
- help=_('The username to auth with the identity service.')),
+ help=_('The username to auth with the identity service.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('admin_tenant_name',
 default=os.environ.get('SERVICE_TENANT_NAME'),
- help=_('The tenant name to auth with the identity service.')),
+ help=_('The tenant name to auth with the identity service.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('admin_password',
 default=os.environ.get('SERVICE_PASSWORD'),
- help=_('The password to auth with the identity service.')),
+ help=_('The password to auth with the identity service.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('admin_token',
 default=os.environ.get('SERVICE_TOKEN'),
- help=_('The admin token.')),
+ help=_('The admin token.'),
+ deprecated_for_removal=True),
 cfg.StrOpt('auth_ca_cert',
 default=os.environ.get('SERVICE_CA_CERT'),
- help=_('The CA certification file.')),
+ help=_('The CA certification file.'),
+ deprecated_for_removal=True),
 cfg.BoolOpt('auth_insecure',
 default=True,
- help=_("Turn off verification of the certificate for ssl.")),
+ help=_("Turn off verification of the certificate for ssl."),
+ deprecated_for_removal=True),
 ]
 cinder_opts = [
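Review bot: `auth_insecure` in `legacy_keystone_opts` keeps `default=True`, so TLS certificate verification is off unless an operator changes it, and this hunk only marks the option deprecated. The legacy group stays registered and is still the fallback path in fuxi/utils.py, so the insecure default remains reachable (how it feeds the session's `verify` argument is outside this hunk). Consider `default=False`, or at least say in the help text that leaving it enabled exposes the service credentials to interception. None of the `deprecated_for_removal=True` entries carries a `deprecated_reason`; adding `deprecated_reason=_('Use the keystoneauth options in the [cinder] group instead.')` would show operators the migration path in generated sample configs.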
@@ -96,9 +106,17 @@ cinder_opts = [
 CONF = cfg.CONF
 CONF.register_opts(default_opts)
-CONF.register_opts(keystone_opts, group='keystone')
+CONF.register_opts(legacy_keystone_opts, group='keystone')
 CONF.register_opts(cinder_opts, group='cinder')
+CFG_GROUP = 'cinder'
+
+# Settting options for Keystone.
+kuryr_config.register_keystoneauth_opts(CONF, CFG_GROUP)
+CONF.set_default('auth_type', default='password', group=CFG_GROUP)
+
+keystone_auth_opts = kuryr_opts.get_keystoneauth_conf_options()
+
 # Setting oslo.log options for logging.
 logging.register_options(CONF)
diff --git a/fuxi/opts.py b/fuxi/opts.py
index 4adfd1f..f46db4d 100644
--- a/fuxi/opts.py
+++ b/fuxi/opts.py
@@ -21,5 +21,6 @@ from fuxi.common import config
 def list_fuxi_opts():
 return [('DEFAULT', itertools.chain(config.default_opts,)),
- ('keystone', itertools.chain(config.keystone_opts,)),
- ('cinder', itertools.chain(config.cinder_opts,)), ]
+ ('keystone', itertools.chain(config.legacy_keystone_opts,)),
+ ('cinder', itertools.chain(config.cinder_opts,)),
+ (config.CFG_GROUP, itertools.chain(config.keystone_auth_opts,)), ]
diff --git a/fuxi/utils.py b/fuxi/utils.py
index f53b0f8..16cb379 100644
--- a/fuxi/utils.py
+++ b/fuxi/utils.py
@@ -18,14 +18,12 @@ import socket
 import string
 import traceback
-from fuxi.common import constants
-from fuxi import exceptions
-from fuxi.i18n import _LW, _LE
-
 from cinderclient import client as cinder_client
 from cinderclient import exceptions as cinder_exception
+from keystoneauth1 import exceptions as ka_exception
 from keystoneauth1.session import Session
 from keystoneclient.auth import get_plugin_class
+from kuryr.lib import utils as kuryr_utils
 from novaclient import client as nova_client
 from novaclient import exceptions as nova_exception
 from os_brick import exception as brick_exception
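Review bot: In fuxi/common/config.py the added comment `# Settting options for Keystone.` has a typo and leaves out the part a reader needs: the keystoneauth options, credentials included, are registered into the existing `cinder` group alongside `cinder_opts`. I would write `# Register keystoneauth (auth plugin and session) options in the [cinder] group.` and add one comment line on `CONF.set_default('auth_type', ...)` saying why `password` is made the default. In fuxi/opts.py the same group is then listed twice, once as `'cinder'` and once as `config.CFG_GROUP`; a single entry `('cinder', itertools.chain(config.cinder_opts, config.keystone_auth_opts))` would make it obvious that both option sets share one section.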
@@ -36,6 +34,11 @@ from oslo_utils import importutils
 from oslo_utils import uuidutils
 from werkzeug import exceptions as w_exceptions
+from fuxi.common import config
+from fuxi.common import constants
+from fuxi import exceptions
+from fuxi.i18n import _LW, _LE
+
 cloud_init_conf = '/var/lib/cloud/instances'
 CONF = cfg.CONF
@@ -140,7 +143,7 @@ def _openstack_auth_from_config(**config):
 return plugin_class(**plugin_kwargs)
-def get_keystone_session(**kwargs):
+def get_legacy_keystone_session(**kwargs):
 keystone_conf = CONF.keystone
 config = {}
 config['auth_url'] = keystone_conf.auth_url
@@ -158,6 +161,16 @@ def get_keystone_session(**kwargs):
 return Session(auth=_openstack_auth_from_config(**config), verify=verify)
+def get_keystone_session(**kwargs):
+ try:
+ conf_group = config.CFG_GROUP
+ auth_plugin = kuryr_utils.get_auth_plugin(conf_group)
+ session = kuryr_utils.get_keystone_session(conf_group, auth_plugin)
+ return session
+ except ka_exception.MissingRequiredOptions:
+ return get_legacy_keystone_session(**kwargs)
+
+
 def get_cinderclient(session=None, region=None, **kwargs):
 if not session:
 session = get_keystone_session(**kwargs)
diff --git a/requirements.txt b/requirements.txt
index 94fe8a1..a3fadaa 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,6 +7,7 @@ pytz>=2013.6 # MIT
 Babel>=2.3.4 # BSD
 Flask!=0.11,<1.0,>=0.10 # BSD
 keystoneauth1>=2.16.0 # Apache-2.0
+kuryr-lib>=0.1.0 # Apache-2.0
 oslo.rootwrap>=5.0.0 # Apache-2.0
 oslo.concurrency>=3.8.0 # Apache-2.0
 oslo.config!=3.18.0,>=3.14.0 # Apache-2.0
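Review bot: In fuxi/utils.py the new `get_keystone_session` falls back to `get_legacy_keystone_session` without any log record when `MissingRequiredOptions` is raised. An incomplete or mistyped `[cinder]` auth section therefore silently moves the service onto the deprecated `[keystone]` credentials, whose `auth_insecure` option defaults to True in this same patch. Log the downgrade in the `except` branch, e.g. `LOG.warning(_LW('Incomplete keystoneauth options in [%s]; falling back to deprecated [keystone] settings'), conf_group)`, assuming the module already defines a logger, which this hunk does not show. The `try` body can also be narrowed to the two `kuryr_utils` calls by assigning `conf_group = config.CFG_GROUP` before it. A docstring should state that `**kwargs` is used only on the legacy path.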