Use auth admin for get_router when building proxy commands

The default proxy command that is generated when use_namespaces
is true retrieves the router id from neutron. Because the neutron
client uses the service catalog to process the request, admin
authentication is needed.

Change-Id: Icdd25764017cdf86914650b2b62ac29405b93326
Closes-Bug: #1556173

sahara/service/trusts.py

@@ -163,3 +163,21 @@ def use_os_admin_auth_token(cluster):
         ctx.auth_token = context.get_auth_token()
         ctx.service_catalog = json.dumps(
             keystone.service_catalog_from_auth(ctx.auth_plugin))
+
+
+def get_os_admin_auth_plugin(cluster):
+    '''Return an admin auth plugin based on the cluster trust id or project
+
+    If a trust id is available for the cluster, then it is used
+    to create an auth plugin scoped to the trust. If not, the
+    project name from the current context is used to scope the
+    auth plugin.
+
+    :param cluster: The id of the cluster to use for trust identification.
+
+    '''
+    ctx = context.current()
+    cluster = conductor.cluster_get(ctx, cluster)
+    if CONF.use_identity_api_v3 and cluster.trust_id:
+        return keystone.auth_for_admin(trust_id=cluster.trust_id)
+    return keystone.auth_for_admin(project_name=ctx.tenant_name)

sahara/tests/unit/utils/test_ssh_remote.py

@@ -123,10 +123,12 @@ class TestInstanceInteropHelper(base.SaharaTestCase):
     # When use_floating_ips=False and use_namespaces=True, a netcat socket
     # created with 'ip netns exec qrouter-...' should be used to access
     # instances.
+    @mock.patch("sahara.service.trusts.get_os_admin_auth_plugin")
     @mock.patch("sahara.utils.openstack.keystone.token_auth")
     @mock.patch('sahara.utils.ssh_remote._simple_exec_func')
     @mock.patch('sahara.utils.ssh_remote.ProxiedHTTPAdapter')
-    def test_use_namespaces(self, p_adapter, p_simple_exec_func, token_auth):
+    def test_use_namespaces(self, p_adapter, p_simple_exec_func, token_auth,
+                            use_os_admin):
         self.override_config('use_floating_ips', False)
         self.override_config('use_namespaces', True)
 

sahara/utils/openstack/neutron.py

@@ -59,9 +59,10 @@ class NeutronClient(object):
     neutron = None
     routers = {}
 
-    def __init__(self, network, token, tenant_name):
+    def __init__(self, network, token, tenant_name, auth=None):
         session = sessions.cache().get_session(sessions.SESSION_TYPE_NEUTRON)
-        auth = keystone.token_auth(token=token, project_name=tenant_name)
+        if auth is None:
+            auth = keystone.token_auth(token=token, project_name=tenant_name)
         self.neutron = neutron_cli.Client('2.0', session=session, auth=auth,
                                           region_name=CONF.os_region_name)
         self.network = network

sahara/utils/ssh_remote.py

@@ -54,6 +54,7 @@ from sahara import context
 from sahara import exceptions as ex
 from sahara.i18n import _
 from sahara.i18n import _LE
+from sahara.service import trusts
 from sahara.utils import crypto
 from sahara.utils.openstack import neutron
 from sahara.utils import procutils
@@ -594,8 +595,9 @@ class InstanceInteropHelper(remote.Remote):
 
         # Query Neutron only if needed
         if '{router_id}' in command:
+            auth = trusts.get_os_admin_auth_plugin(instance.cluster)
             client = neutron.NeutronClient(info['network'], info['token'],
-                                           info['tenant'])
+                                           info['tenant'], auth=auth)
             keywords['router_id'] = client.get_router()
 
         keywords['host'] = instance.management_ip