Merge "Fully switch to keystone authtoken parameters"

Jenkins 2017-08-10 20:33:02 +00:00 committed by Gerrit Code Review
commit a197ec5c48
6 changed files with 35 additions and 25 deletions


@ -98,10 +98,10 @@ function configure_sahara {
# Set admin user parameters needed for trusts creation
iniset $SAHARA_CONF_FILE \
keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
iniset $SAHARA_CONF_FILE keystone_authtoken admin_user sahara
keystone_authtoken project_name $SERVICE_TENANT_NAME
iniset $SAHARA_CONF_FILE keystone_authtoken username sahara
iniset $SAHARA_CONF_FILE \
keystone_authtoken admin_password $SERVICE_PASSWORD
keystone_authtoken password $SERVICE_PASSWORD
iniset_rpc_backend sahara $SAHARA_CONF_FILE DEFAULT


@ -43,7 +43,7 @@ should point to the admin Identity API endpoint. For example:
auth_uri=http://127.0.0.1:5000/v2.0/
identity_uri=http://127.0.0.1:35357/
Specify the ``admin_user``, ``admin_password`` and ``admin_tenant_name``.
Specify the ``username``, ``password`` and ``project_name``.
These parameters must specify an Identity user who has the ``admin`` role
in the given project. These credentials allow sahara to authenticate and
authorize its users.


@ -0,0 +1,6 @@
---
deprecations:
- The custom admin_user_domain_name and admin_project_domain_name
configuration options have been removed; they are provided
by keystone_authtoken as user_domain_name and
project_domain_name respectively.


@ -87,7 +87,7 @@ def create_trust_for_cluster(cluster, expires=True):
if CONF.use_identity_api_v3 and not cluster.trust_id:
trustor = keystone.auth()
trustee = keystone.auth_for_admin(
project_name=CONF.keystone_authtoken.admin_tenant_name)
project_name=keystone.get_keystoneauth_cfg(CONF, 'project_name'))
trust_id = create_trust(trustor=trustor,
trustee=trustee,
@ -153,7 +153,7 @@ def use_os_admin_auth_token(cluster):
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
ctx.username = CONF.keystone_authtoken.admin_user
ctx.username = keystone.get_keystoneauth_cfg(CONF, 'username')
ctx.tenant_id = cluster.tenant_id
ctx.auth_plugin = keystone.auth_for_admin(
trust_id=cluster.trust_id)


@ -70,15 +70,16 @@ class TestTrusts(base.SaharaTestCase):
allow_redelegation=False)
self.assertEqual("trust_id", trust_id)
@mock.patch('sahara.utils.openstack.keystone.get_keystoneauth_cfg')
@mock.patch('sahara.conductor.API.cluster_get')
@mock.patch('sahara.conductor.API.cluster_update')
@mock.patch('sahara.service.trusts.create_trust')
@mock.patch('sahara.utils.openstack.keystone.auth_for_admin')
@mock.patch('sahara.context.current')
def test_create_trust_for_cluster(self, context_current, auth_for_admin,
create_trust, cluster_update, cl_get):
self.override_config('admin_tenant_name', 'admin_project',
group='keystone_authtoken')
create_trust, cluster_update, cl_get,
config_get):
config_get.return_value = "admin_project"
trustor_auth = mock.Mock()
fake_cluster = mock.Mock(trust_id=None)
cl_get.return_value = fake_cluster
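Review bot: With `get_keystoneauth_cfg` patched out and `config_get.return_value` fixed to `"admin_project"`, nothing in the visible part of this test checks which option name is requested, and the helper's real config-file lookup is never exercised. I would add `config_get.assert_called_once_with(mock.ANY, 'project_name')` next to the existing assertions. A separate unit test should also cover `get_keystoneauth_cfg` itself, for a key that is present and for one that is missing from the file. The test body continues beyond this hunk, so an equivalent assertion may already exist there.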


@ -23,6 +23,19 @@ from sahara.service import sessions
from sahara.utils.openstack import base
def get_keystoneauth_cfg(conf, name):
"""get the keystone auth cfg
Fetch value of keystone_authtoken group from config file when not
available as part of GroupAttr.
:rtype: String
:param conf: oslo config cfg.CONF
:param name: property name to be retrieved
"""
value_list = conf._namespace._get_file_value([('keystone_authtoken',
name)])
return value_list[0]
opts = [
# TODO(alazarev) Move to [keystone] section
cfg.BoolOpt('use_identity_api_v3',
@ -30,17 +43,7 @@ opts = [
help='Enables Sahara to use Keystone API v3. '
'If that flag is disabled, '
'per-job clusters will not be terminated '
'automatically.'),
# TODO(mimccune) The following should be integrated into a custom
# auth section
cfg.StrOpt('admin_user_domain_name',
default='default',
help='The name of the domain to which the admin user '
'belongs.'),
cfg.StrOpt('admin_project_domain_name',
default='default',
help='The name of the domain for the service '
'project(ex. tenant).')
'automatically.')
]
ssl_opts = [
@ -84,11 +87,11 @@ def auth_for_admin(project_name=None, trust_id=None):
# into federated authentication. it will need to match the domain that
# the project_name exists in.
auth = _password_auth(
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
username=get_keystoneauth_cfg(CONF, 'username'),
password=get_keystoneauth_cfg(CONF, 'password'),
project_name=project_name,
user_domain_name=CONF.admin_user_domain_name,
project_domain_name=CONF.admin_project_domain_name,
user_domain_name=get_keystoneauth_cfg(CONF, 'user_domain_name'),
project_domain_name=get_keystoneauth_cfg(CONF, 'project_domain_name'),
trust_id=trust_id)
return auth
@ -120,7 +123,7 @@ def client():
def client_for_admin():
'''Return the Sahara admin user client.'''
auth = auth_for_admin(
project_name=CONF.keystone_authtoken.admin_tenant_name)
project_name=get_keystoneauth_cfg(CONF, 'project_name'))
return client_from_auth(auth)
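Review bot: `get_keystoneauth_cfg` reads the admin credentials through oslo.config private members (`conf._namespace._get_file_value`) and indexes `value_list[0]` without handling an option that is absent from the config file. The removed `admin_user_domain_name` and `admin_project_domain_name` options defaulted to `'default'`, but the new `user_domain_name` and `project_domain_name` lookups in `auth_for_admin` have no default. As far as I can tell a missing key surfaces as a bare `KeyError` from the private call, which is worth confirming against the supported oslo.config versions. I would give the helper an explicit `default` argument, pass `default='default'` at the two domain-name call sites, and raise an error that names the missing option (never its value) for `username` and `password`. The same helper backs `create_trust_for_cluster`, `use_os_admin_auth_token` and `client_for_admin`, so they inherit the behaviour.

```python
def get_keystoneauth_cfg(conf, name, default=None):
    # … unchanged: docstring, plus a ":param default:" line …
    try:
        value_list = conf._namespace._get_file_value(
            [('keystone_authtoken', name)])
    except KeyError:
        if default is not None:
            return default
        raise RuntimeError(
            "[keystone_authtoken] %s is not set in the configuration "
            "file" % name)
    return value_list[0]
```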