Use recommended function to setup auth middleware in devstack

Currently Mistral has its own configuration for the keystone
auth middleware, many parameters of which are deprecated [1].
This is not the desired behavior, and it is suggested to use the recommended
devstack configuration function to prevent possible errors if
something is changed in the keystone deployment in the future.

This patch fixes this situation and implements official
"configure_auth_token_middleware" function support.

[1] 712438ebf9/keystonemiddleware/auth_token/_auth.py (L29-L35)

Change-Id: I884777826d6ed40d58f75ec5dfba93a876752dfe
Closes-bug: #1697662
Mike Fedosin 2017-06-13 14:29:51 +03:00
parent b19d871415
commit fe922eacdb
4 changed files with 42 additions and 40 deletions


@ -59,6 +59,11 @@ function mkdir_chown_stack {
# configure_mistral - Set config files, create data dirs, etc # configure_mistral - Set config files, create data dirs, etc
function configure_mistral { function configure_mistral {
# create and clean up auth cache dir
mkdir_chown_stack "$MISTRAL_AUTH_CACHE_DIR"
rm -f "$MISTRAL_AUTH_CACHE_DIR"/*
mkdir_chown_stack "$MISTRAL_CONF_DIR" mkdir_chown_stack "$MISTRAL_CONF_DIR"
# Generate Mistral configuration file and configure common parameters. # Generate Mistral configuration file and configure common parameters.
@ -75,14 +80,8 @@ function configure_mistral {
#------------------------- #-------------------------
# Setup keystone_authtoken section # Setup keystone_authtoken section
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST configure_auth_token_middleware $MISTRAL_CONF_FILE mistral $MISTRAL_AUTH_CACHE_DIR
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3 iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
# Setup RabbitMQ credentials # Setup RabbitMQ credentials
iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
@ -250,8 +249,8 @@ if is_service_enabled mistral; then
install_mistral_pythonclient install_mistral_pythonclient
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
echo_summary "Configuring mistral" echo_summary "Configuring mistral"
configure_mistral
create_mistral_accounts create_mistral_accounts
configure_mistral
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing mistral" echo_summary "Initializing mistral"
init_mistral init_mistral
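Review bot: `rm -f "$MISTRAL_AUTH_CACHE_DIR"/*` in configure_mistral has no guard against the variable being empty, in which case the glob expands to `/*`; settings gives it a default, but an explicit empty override would still reach the `rm`, so `rm -f "${MISTRAL_AUTH_CACHE_DIR:?}"/*` is the safer spelling. In the same function the new `configure_auth_token_middleware $MISTRAL_CONF_FILE mistral $MISTRAL_AUTH_CACHE_DIR` call passes its arguments unquoted while the neighbouring mkdir/rm lines quote the same variable; quoting them consistently would be worth it. The `auth_uri` iniset kept right after the helper call presumably overrides whatever the helper writes for that key; a one-line comment such as `# keep the v3 auth_uri: overrides what configure_auth_token_middleware sets, on purpose` would make that intent explicit, if it is indeed intentional. configure_mistral continues outside the hunk.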


@ -29,6 +29,7 @@ MISTRAL_DASHBOARD_DIR=$DEST/mistral-dashboard
MISTRAL_CONF_DIR=${MISTRAL_CONF_DIR:-/etc/mistral} MISTRAL_CONF_DIR=${MISTRAL_CONF_DIR:-/etc/mistral}
MISTRAL_CONF_FILE=${MISTRAL_CONF_DIR}/mistral.conf MISTRAL_CONF_FILE=${MISTRAL_CONF_DIR}/mistral.conf
MISTRAL_DEBUG=${MISTRAL_DEBUG:-True} MISTRAL_DEBUG=${MISTRAL_DEBUG:-True}
MISTRAL_AUTH_CACHE_DIR=${MISTRAL_AUTH_CACHE_DIR:-/var/cache/mistral}
MISTRAL_SERVICE_HOST=${MISTRAL_SERVICE_HOST:-$SERVICE_HOST} MISTRAL_SERVICE_HOST=${MISTRAL_SERVICE_HOST:-$SERVICE_HOST}
MISTRAL_SERVICE_PORT=${MISTRAL_SERVICE_PORT:-8989} MISTRAL_SERVICE_PORT=${MISTRAL_SERVICE_PORT:-8989}


@ -42,8 +42,7 @@ def create_trust():
ctx = auth_ctx.ctx() ctx = auth_ctx.ctx()
trustee_id = keystone.client_for_admin( trustee_id = keystone.client_for_admin().session.get_user_id()
CONF.keystone_authtoken.admin_tenant_name).user_id
return client.trusts.create( return client.trusts.create(
trustor_user=client.user_id, trustor_user=client.user_id,
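Review bot: `trustee_id = keystone.client_for_admin().session.get_user_id()` depends on the admin session's auth plugin being able to resolve a user id; as far as I recall `Session.get_user_id()` returns None rather than raising when it cannot, so a misconfigured `[keystone_authtoken]` section would only surface as a keystone-side error from `trusts.create` with `trustee_user=None`. A short guard that raises a clear, local error when `trustee_id` is None would make that failure diagnosable at the point it occurs. create_trust starts before and ends after this hunk.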


@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import keystoneauth1.identity.generic as auth_plugins from keystoneauth1 import loading
from keystoneauth1 import session as ks_session from keystoneauth1 import session as ks_session
from keystoneauth1.token_endpoint import Token from keystoneauth1.token_endpoint import Token
from keystoneclient import service_catalog as ks_service_catalog from keystoneclient import service_catalog as ks_service_catalog
@ -27,6 +27,7 @@ from mistral import context
from mistral import exceptions from mistral import exceptions
CONF = cfg.CONF CONF = cfg.CONF
CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')
def client(): def client():
@ -92,23 +93,32 @@ def get_session_and_auth(context, **kwargs):
def _admin_client(trust_id=None, project_name=None): def _admin_client(trust_id=None, project_name=None):
auth_url = CONF.keystone_authtoken.auth_uri kwargs = {}
cl = ks_client.Client( if trust_id:
username=CONF.keystone_authtoken.admin_user, # Remove project_name and project_id, since we need a trust scoped
password=CONF.keystone_authtoken.admin_password, # auth object
project_name=project_name, kwargs['project_name'] = None
auth_url=auth_url, kwargs['project_domain_name'] = None
trust_id=trust_id kwargs['project_id'] = None
kwargs['trust_id'] = trust_id
auth = loading.load_auth_from_conf_options(
CONF,
'keystone_authtoken',
**kwargs
)
sess = loading.load_session_from_conf_options(
CONF,
'keystone_authtoken',
auth=auth
) )
cl.management_url = auth_url return ks_client.Client(session=sess)
return cl
def client_for_admin(project_name): def client_for_admin():
return _admin_client(project_name=project_name) return _admin_client()
def client_for_trusts(trust_id): def client_for_trusts(trust_id):
@ -230,28 +240,21 @@ def format_url(url_template, values):
def is_token_trust_scoped(auth_token): def is_token_trust_scoped(auth_token):
admin_project_name = CONF.keystone_authtoken.admin_tenant_name return 'OS-TRUST:trust' in client_for_admin().tokens.validate(auth_token)
keystone_client = _admin_client(project_name=admin_project_name)
token_info = keystone_client.tokens.validate(auth_token)
return 'OS-TRUST:trust' in token_info
def get_admin_session(): def get_admin_session():
"""Returns a keystone session from Mistral's service credentials.""" """Returns a keystone session from Mistral's service credentials."""
auth = loading.load_auth_from_conf_options(
CONF,
'keystone_authtoken'
)
auth = auth_plugins.Password( return loading.load_session_from_conf_options(
CONF.keystone_authtoken.auth_uri, CONF,
username=CONF.keystone_authtoken.admin_user, 'keystone_authtoken',
password=CONF.keystone_authtoken.admin_password, auth=auth
project_name=CONF.keystone_authtoken.admin_tenant_name, )
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
# fetch the following values from the configuration.
user_domain_name='Default',
project_domain_name='Default')
return ks_session.Session(auth=auth)
def will_expire_soon(expires_at): def will_expire_soon(expires_at):
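Review bot: `_admin_client` keeps `project_name=None` in its signature but the rewritten body never reads it (kwargs only carries the trust-related keys), so the parameter is now dead; either drop it, or if it is kept for callers outside this hunk, say so with `# project_name is ignored: scope now comes from [keystone_authtoken] conf options`. `CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')` in the earlier hunk has no `help` or `default` and no comment explaining why a session option is registered by hand here; presumably `load_session_from_conf_options` reads it from that group in processes where the auth_token middleware has not registered the session options, and if so a comment to that effect plus a `help=` string would save the next reader the investigation. Since both `load_auth_from_conf_options` and `load_session_from_conf_options` read the `keystone_authtoken` group at call time, a process that never registers those options would fail only when `_admin_client` or `get_admin_session` is first called; worth confirming against the non-API entry points.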