openstack
/
mistral
Code Issues Proposed changes

Support transition to keystone auth plugin 

The puppet module puppet-mistral is moving to use a proper keystone
authtoken module. This supports that transition. A follow on patch
will remove the transition code.

Change-Id: Ief32ae01372c8c8d32fc5e2c89a2927510983a5b
This commit is contained in:
Brad P. Crochet 2017-05-04 08:51:25 -04:00
parent 97e2d359b6
commit 1c485867c4
4 changed files with 68 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
devstack/plugin.sh
View File

@ -75,14 +75,15 @@ function configure_mistral {
#------------------------- #-------------------------
# Setup keystone_authtoken section # Setup keystone_authtoken section
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST iniset $MISTRAL_CONF_FILE keystone_authtoken project_name $SERVICE_TENANT_NAME
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT iniset $MISTRAL_CONF_FILE keystone_authtoken username $MISTRAL_ADMIN_USER
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL iniset $MISTRAL_CONF_FILE keystone_authtoken password $SERVICE_PASSWORD
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3 iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI iniset $MISTRAL_CONF_FILE keystone_authtoken service_token_roles_required True
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_type password
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_url $KEYSTONE_SERVICE_URI
iniset $MISTRAL_CONF_FILE keystone_authtoken user_domain_name Default
iniset $MISTRAL_CONF_FILE keystone_authtoken project_domain_name Default
# Setup RabbitMQ credentials # Setup RabbitMQ credentials
iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID

29
mistral/context.py
View File

@ -88,6 +88,8 @@ class MistralContext(BaseContext):
"expires_at", "expires_at",
"trust_id", "trust_id",
"is_target", "is_target",
"user_domain_name",
"project_domain_name",
]) ])
def __repr__(self): def __repr__(self):
@ -206,10 +208,25 @@ def _extract_service_catalog_from_headers(headers):
def context_from_config(): def context_from_config():
username = (
CONF.keystone_authtoken.username or
CONF.keystone_authtoken.admin_user)
password = (
CONF.keystone_authtoken.password or
CONF.keystone_authtoken.admin_password)
project_name = (
CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
user_domain_name = (
CONF.keystone_authtoken.user_domain_name or 'Default')
project_domain_name = (
CONF.keystone_authtoken.project_domain_name or 'Default')
keystone = keystone_client.Client( keystone = keystone_client.Client(
username=CONF.keystone_authtoken.admin_user, username=username,
password=CONF.keystone_authtoken.admin_password, password=password,
tenant_name=CONF.keystone_authtoken.admin_tenant_name, project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
auth_url=CONF.keystone_authtoken.auth_uri, auth_url=CONF.keystone_authtoken.auth_uri,
is_trust_scoped=False, is_trust_scoped=False,
) )
@ -220,8 +237,10 @@ def context_from_config():
user_id=keystone.user_id, user_id=keystone.user_id,
project_id=keystone.project_id, project_id=keystone.project_id,
auth_token=keystone.auth_token, auth_token=keystone.auth_token,
project_name=CONF.keystone_authtoken.admin_tenant_name, project_name=project_name,
user_name=CONF.keystone_authtoken.admin_user, user_name=username,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
is_trust_scoped=False, is_trust_scoped=False,
) )

7
mistral/services/security.py
View File

@ -40,8 +40,11 @@ def create_trust():
ctx = auth_ctx.ctx() ctx = auth_ctx.ctx()
trustee_id = keystone.client_for_admin( project_name = (
CONF.keystone_authtoken.admin_tenant_name).user_id CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
trustee_id = keystone.client_for_admin(project_name).user_id
return client.trusts.create( return client.trusts.create(
trustor_user=client.user_id, trustor_user=client.user_id,

41
mistral/utils/openstack/keystone.py
View File

@ -47,9 +47,16 @@ def client():
def _admin_client(trust_id=None, project_name=None): def _admin_client(trust_id=None, project_name=None):
auth_url = CONF.keystone_authtoken.auth_uri auth_url = CONF.keystone_authtoken.auth_uri
username = (
CONF.keystone_authtoken.admin_user or
CONF.keystone_authtoken.username)
password = (
CONF.keystone_authtoken.admin_password or
CONF.keystone_authtoken.password)
cl = ks_client.Client( cl = ks_client.Client(
username=CONF.keystone_authtoken.admin_user, username=username,
password=CONF.keystone_authtoken.admin_password, password=password,
project_name=project_name, project_name=project_name,
auth_url=auth_url, auth_url=auth_url,
trust_id=trust_id trust_id=trust_id
@ -168,7 +175,9 @@ def format_url(url_template, values):
def is_token_trust_scoped(auth_token): def is_token_trust_scoped(auth_token):
admin_project_name = CONF.keystone_authtoken.admin_tenant_name admin_project_name = (
CONF.keystone_authtoken.admin_tenant_name or
CONF.keystone_authtoken.project_name)
keystone_client = _admin_client(project_name=admin_project_name) keystone_client = _admin_client(project_name=admin_project_name)
token_info = keystone_client.tokens.validate(auth_token) token_info = keystone_client.tokens.validate(auth_token)
@ -179,15 +188,27 @@ def is_token_trust_scoped(auth_token):
def get_admin_session(): def get_admin_session():
"""Returns a keystone session from Mistral's service credentials.""" """Returns a keystone session from Mistral's service credentials."""
username = (
CONF.keystone_authtoken.username or
CONF.keystone_authtoken.admin_user)
password = (
CONF.keystone_authtoken.password or
CONF.keystone_authtoken.admin_password)
project_name = (
CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
user_domain_name = (
CONF.keystone_authtoken.user_domain_name or 'Default')
project_domain_name = (
CONF.keystone_authtoken.project_domain_name or 'Default')
auth = auth_plugins.Password( auth = auth_plugins.Password(
CONF.keystone_authtoken.auth_uri, CONF.keystone_authtoken.auth_uri,
username=CONF.keystone_authtoken.admin_user, username=username,
password=CONF.keystone_authtoken.admin_password, password=password,
project_name=CONF.keystone_authtoken.admin_tenant_name, project_name=project_name,
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we can user_domain_name=user_domain_name,
# fetch the following values from the configuration. project_domain_name=project_domain_name)
user_domain_name='Default',
project_domain_name='Default')
return ks_session.Session(auth=auth) return ks_session.Session(auth=auth)