Merge "Use keystoneauth1 instead of keystoneclient.auth"

heat/common/auth_password.py

@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from keystoneclient import exceptions as keystone_exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions as keystone_exceptions
+from keystoneauth1 import session
 from webob import exc
 
 from heat.common import config
@@ -34,7 +34,7 @@ class KeystonePasswordAuthProtocol(object):
     def __init__(self, app, conf):
         self.app = app
         self.conf = conf
-        self.session = session.Session.construct(self._ssl_options())
+        self.session = session.Session(**config.get_ssl_options('keystone'))
 
     def __call__(self, env, start_response):
         """Authenticate incoming request."""
@@ -105,13 +105,6 @@ class KeystonePasswordAuthProtocol(object):
 
         return headers
 
-    def _ssl_options(self):
-        opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
-                'insecure': config.get_client_option('keystone', 'insecure'),
-                'cert': config.get_client_option('keystone', 'cert_file'),
-                'key': config.get_client_option('keystone', 'key_file')}
-        return opts
-
 
 def filter_factory(global_conf, **local_conf):
     """Returns a WSGI filter app for use with paste.deploy."""

heat/common/config.py

@@ -482,6 +482,21 @@ def get_client_option(client, option):
     return getattr(cfg.CONF.clients, option)
 
 
+def get_ssl_options(client):
+    # Look for the ssl options in the [clients_${client}] section
+    cacert = get_client_option(client, 'ca_file')
+    insecure = get_client_option(client, 'insecure')
+    cert = get_client_option(client, 'cert_file')
+    key = get_client_option(client, 'key_file')
+    if insecure:
+        verify = False
+    else:
+        verify = cacert or True
+    if cert and key:
+        cert = (cert, key)
+    return {'verify': verify, 'cert': cert}
+
+
 def set_config_defaults():
     """This method updates all configuration default values."""
     # CORS Defaults

heat/common/context.py

@@ -11,11 +11,11 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from keystoneclient import access
-from keystoneclient import auth
-from keystoneclient.auth.identity import access as access_plugin
-from keystoneclient.auth.identity import v3
-from keystoneclient.auth import token_endpoint
+from keystoneauth1 import access
+from keystoneauth1.identity import access as access_plugin
+from keystoneauth1.identity import v3
+from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import token_endpoint
 from oslo_config import cfg
 from oslo_context import context
 from oslo_log import log as logging
@@ -37,22 +37,23 @@ LOG = logging.getLogger(__name__)
 
 # Note, we yield the options via list_opts to enable generation of the
 # sample heat.conf, but we don't register these options directly via
-# cfg.CONF.register*, it's done via auth.register_conf_options
-# Note, only auth_plugin = v3password is expected to work, example config:
+# cfg.CONF.register*, it's done via ks_loading.register_auth_conf_options
+# Note, only auth_type = v3password is expected to work, example config:
 # [trustee]
-# auth_plugin = password
+# auth_type = v3password
 # auth_url = http://192.168.1.2:35357
 # username = heat
 # password = password
 # user_domain_id = default
 V3_PASSWORD_PLUGIN = 'v3password'
 TRUSTEE_CONF_GROUP = 'trustee'
-auth.register_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP)
+ks_loading.register_auth_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP)
 
 
 def list_opts():
-    trustee_opts = auth.conf.get_common_conf_options()
-    trustee_opts.extend(auth.conf.get_plugin_options(V3_PASSWORD_PLUGIN))
+    trustee_opts = ks_loading.get_auth_common_conf_options()
+    trustee_opts.extend(ks_loading.get_auth_plugin_conf_options(
+        V3_PASSWORD_PLUGIN))
     yield TRUSTEE_CONF_GROUP, trustee_opts
 
 
@@ -182,7 +183,7 @@ class RequestContext(context.RequestContext):
         if self._trusts_auth_plugin:
             return self._trusts_auth_plugin
 
-        self._trusts_auth_plugin = auth.load_from_conf_options(
+        self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
             cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
 
         if self._trusts_auth_plugin:
@@ -210,8 +211,8 @@ class RequestContext(context.RequestContext):
 
     def _create_auth_plugin(self):
         if self.auth_token_info:
-            auth_ref = access.AccessInfo.factory(body=self.auth_token_info,
-                                                 auth_token=self.auth_token)
+            auth_ref = access.AccessInfoV3(self.auth_token_info,
+                                           auth_token=self.auth_token)
             return access_plugin.AccessInfoPlugin(
                 auth_url=self.keystone_v3_endpoint,
                 auth_ref=auth_ref)

heat/common/heat_keystoneclient.py

@@ -17,9 +17,9 @@ import collections
 import uuid
 import weakref
 
-from keystoneclient.auth.identity import v3 as kc_auth_v3
+from keystoneauth1.identity import v3 as kc_auth_v3
+from keystoneauth1 import session
 import keystoneclient.exceptions as kc_exception
-from keystoneclient import session
 from keystoneclient.v3 import client as kc_v3
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -76,7 +76,7 @@ class KeystoneClientV3(object):
         self._domain_admin_auth = None
         self._domain_admin_client = None
 
-        self.session = session.Session.construct(self._ssl_options())
+        self.session = session.Session(**config.get_ssl_options('keystone'))
         self.v3_endpoint = self.context.keystone_v3_endpoint
 
         if self.context.trust_id:
@@ -176,13 +176,6 @@ class KeystoneClientV3(object):
 
         return client
 
-    def _ssl_options(self):
-        opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
-                'insecure': config.get_client_option('keystone', 'insecure'),
-                'cert': config.get_client_option('keystone', 'cert_file'),
-                'key': config.get_client_option('keystone', 'key_file')}
-        return opts
-
     def create_trust_context(self):
         """Create a trust using the trustor identity in the current context.
 

heat/engine/clients/client_plugin.py

@@ -16,11 +16,11 @@ import functools
 import sys
 import weakref
 
-from keystoneclient import auth
-from keystoneclient.auth.identity import v2
-from keystoneclient.auth.identity import v3
-from keystoneclient import exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions
+from keystoneauth1.identity import v2
+from keystoneauth1.identity import v3
+from keystoneauth1 import plugin
+from keystoneauth1 import session
 from oslo_config import cfg
 import requests
 import six
@@ -130,12 +130,8 @@ class ClientPlugin(object):
         # authentication requests so there is no reason to construct it fresh
         # for every client plugin. It should be global and shared amongst them.
         if not self._keystone_session_obj:
-            o = {'cacert': self._get_client_option('keystone', 'ca_file'),
-                 'insecure': self._get_client_option('keystone', 'insecure'),
-                 'cert': self._get_client_option('keystone', 'cert_file'),
-                 'key': self._get_client_option('keystone', 'key_file')}
-
-            self._keystone_session_obj = session.Session.construct(o)
+            self._keystone_session_obj = session.Session(
+                **config.get_ssl_options('keystone'))
 
         return self._keystone_session_obj
 
@@ -205,8 +201,8 @@ class ClientPlugin(object):
             kc = self.clients.client('keystone').client
 
             auth_plugin = self.context.auth_plugin
-            endpoint = auth_plugin.get_endpoint(None,
-                                                interface=auth.AUTH_INTERFACE)
+            endpoint = auth_plugin.get_endpoint(
+                None, interface=plugin.AUTH_INTERFACE)
             token = auth_plugin.get_token(None)
             project_id = auth_plugin.get_project_id(None)
 

heat/tests/clients/test_clients.py

@@ -18,7 +18,7 @@ from glanceclient import exc as glance_exc
 from glanceclient.openstack.common.apiclient import exceptions as g_a_exc
 from heatclient import client as heatclient
 from heatclient import exc as heat_exc
-from keystoneclient.auth.identity import v3
+from keystoneauth1.identity import v3
 from keystoneclient import exceptions as keystone_exc
 from manilaclient import exceptions as manila_exc
 import mock

heat/tests/clients/test_heat_client.py

@@ -14,13 +14,13 @@
 import json
 import uuid
 
-from keystoneclient import access as ks_access
-from keystoneclient import auth as ks_auth
-from keystoneclient.auth.identity import access as ks_auth_access
-from keystoneclient.auth.identity import v3 as ks_auth_v3
-from keystoneclient.auth import token_endpoint as ks_token_endpoint
-import keystoneclient.exceptions as kc_exception
-from keystoneclient import session as ks_session
+from keystoneauth1 import access as ks_access
+from keystoneauth1 import exceptions as kc_exception
+from keystoneauth1.identity import access as ks_auth_access
+from keystoneauth1.identity import v3 as ks_auth_v3
+from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import session as ks_session
+from keystoneauth1 import token_endpoint as ks_token_endpoint
 from keystoneclient.v3 import client as kc_v3
 from keystoneclient.v3 import domains as kc_v3_domains
 import mox
@@ -52,7 +52,7 @@ class KeystoneClientTest(common.HeatTestCase):
         self.m.StubOutWithMock(ks_auth_v3, 'Password')
         self.m.StubOutWithMock(ks_token_endpoint, 'Token')
         self.m.StubOutWithMock(ks_auth_access, 'AccessInfoPlugin')
-        self.m.StubOutWithMock(ks_auth, 'load_from_conf_options')
+        self.m.StubOutWithMock(ks_loading, 'load_auth_from_conf_options')
 
         cfg.CONF.set_override('auth_uri', 'http://server.test:5000/v2.0',
                               group='keystone_authtoken', enforce_type=True)
@@ -77,7 +77,8 @@ class KeystoneClientTest(common.HeatTestCase):
         else:
             a.AndRaise(kc_exception.Unauthorized)
 
-        m = ks_auth.load_from_conf_options(cfg.CONF, 'trustee', trust_id=None)
+        m = ks_loading.load_auth_from_conf_options(
+            cfg.CONF, 'trustee', trust_id=None)
         m.AndReturn(mock_ks_auth)
 
     def _stub_domain_admin_client(self, domain_id=None):
@@ -121,9 +122,9 @@ class KeystoneClientTest(common.HeatTestCase):
                                     user_domain_id='adomain123')
 
         elif method == 'trust':
-            p = ks_auth.load_from_conf_options(cfg.CONF,
-                                               'trustee',
-                                               trust_id='atrust123')
+            p = ks_loading.load_auth_from_conf_options(cfg.CONF,
+                                                       'trustee',
+                                                       trust_id='atrust123')
 
             mock_auth_ref.user_id = user_id or 'trustor_user_id'
             mock_auth_ref.project_id = project_id or 'test_tenant_id'

heat/tests/fakes.py

@@ -18,8 +18,8 @@ wrong the tests might raise AssertionError. I've indicated in comments the
 places where actual behavior differs from the spec.
 """
 
-from keystoneclient import auth
-from keystoneclient import session
+from keystoneauth1 import plugin
+from keystoneauth1 import session
 
 from heat.common import context
 
@@ -73,7 +73,7 @@ class FakeClient(object):
         pass
 
 
-class FakeAuth(auth.BaseAuthPlugin):
+class FakeAuth(plugin.BaseAuthPlugin):
 
     def __init__(self, auth_token='abcd1234', only_services=None):
         self.auth_token = auth_token

heat/tests/test_auth_password.py

@@ -14,9 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from keystoneclient.auth.identity import v3 as ks_v3_auth
+from keystoneauth1.identity import v3 as ks_v3_auth
+from keystoneauth1 import session as ks_session
 from keystoneclient import exceptions as keystone_exc
-from keystoneclient import session as ks_session
 import mox
 from oslo_config import cfg
 import six

heat/tests/test_common_context.py

@@ -198,7 +198,7 @@ class TestRequestContext(common.HeatTestCase):
             ctx = context.RequestContext(auth_url=None,
                                          user_domain_id='non-default',
                                          username='test')
-            with mock.patch('keystoneclient.auth.identity.v3.Password') as ps:
+            with mock.patch('keystoneauth1.identity.v3.Password') as ps:
                 ctx.trusts_auth_plugin
                 ps.assert_called_once_with(username='heat',
                                            password='password',

heat_integrationtests/common/clients.py

@@ -16,9 +16,9 @@ from ceilometerclient import client as ceilometer_client
 from cinderclient import client as cinder_client
 from heat.common.i18n import _
 from heatclient import client as heat_client
-from keystoneclient.auth.identity.generic import password
-from keystoneclient import exceptions as kc_exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions as kc_exceptions
+from keystoneauth1.identity.generic import password
+from keystoneauth1 import session
 from neutronclient.v2_0 import client as neutron_client
 from novaclient import client as nova_client
 from swiftclient import client as swift_client
@@ -51,10 +51,7 @@ class KeystoneWrapperClient(object):
     def get_endpoint_url(self, service_type, region=None):
         kwargs = {
             'service_type': service_type,
-            'endpoint_type': 'publicURL'}
-        if region:
-            kwargs.update({'attr': 'region',
-                           'filter_value': region})
+            'region_name': region}
         return self.auth_ref.service_catalog.url_for(**kwargs)
 
 

requirements.txt

@@ -9,6 +9,7 @@ cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
 debtcollector>=1.2.0 # Apache-2.0
 eventlet!=0.18.3,>=0.18.2 # MIT
 greenlet>=0.3.2 # MIT
+keystoneauth1>=2.1.0  # Apache-2.0
 keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0
 lxml>=2.3 # BSD
 netaddr!=0.7.16,>=0.7.12 # BSD