Use auth_token from keystonemiddleware

auth_token middleware in python-keystoneclient is deprecated and has
been moved to the keystonemiddleware repo.

This patch updates Ironic to use the new keystonemiddleware package.

Change-Id: Ifb48996867f9f51c4dbedde0e0d9476c2d2818b4
Closes-Bug: #1342274

etc/ironic/ironic.conf.sample

@@ -854,7 +854,7 @@
 [keystone_authtoken]
 
 #
-# Options defined in keystoneclient.middleware.auth_token
+# Options defined in keystonemiddleware.auth_token
 #
 
 # Prefix to prepend at the beginning of the path. Deprecated,

ironic/api/acl.py

@@ -18,36 +18,19 @@
 
 """Access Control Lists (ACL's) control access the API server."""
 
-from keystoneclient.middleware import auth_token as keystone_auth_token
-from oslo.config import cfg
-
 from ironic.api.middleware import auth_token
 
 
-OPT_GROUP_NAME = 'keystone_authtoken'
-
-
-def register_opts(conf):
-    """Register keystoneclient middleware options
-
-    :param conf: Ironic settings.
-    """
-    conf.register_opts(keystone_auth_token.opts, group=OPT_GROUP_NAME)
-    keystone_auth_token.CONF = conf
-
-
 def install(app, conf, public_routes):
     """Install ACL check on application.
 
     :param app: A WSGI applicatin.
-    :param conf: Settings. Must include OPT_GROUP_NAME section.
+    :param conf: Settings. Dict'ified and passed to keystonemiddleware
     :param public_routes: The list of the routes which will be allowed to
                           access without authentication.
     :return: The same WSGI application with ACL installed.
 
     """
-    register_opts(cfg.CONF)
-    keystone_config = dict(conf.get(OPT_GROUP_NAME))
     return auth_token.AuthTokenMiddleware(app,
-                                          conf=keystone_config,
+                                          conf=dict(conf),
                                           public_api_routes=public_routes)

ironic/api/middleware/auth_token.py

@@ -14,7 +14,7 @@
 
 import re
 
-from keystoneclient.middleware import auth_token
+from keystonemiddleware import auth_token
 
 from ironic.common import exception
 from ironic.common import utils
@@ -54,6 +54,6 @@ class AuthTokenMiddleware(auth_token.AuthProtocol):
                                        self.public_api_routes))
 
         if env['is_public_api']:
-            return self.app(env, start_response)
+            return self._app(env, start_response)
 
         return super(AuthTokenMiddleware, self).__call__(env, start_response)

ironic/common/keystone.py

@@ -13,14 +13,14 @@
 # under the License.
 
 from keystoneclient import exceptions as ksexception
+# NOTE(deva): import auth_token so oslo.config pulls in keystone_authtoken
+from keystonemiddleware import auth_token  # noqa
 from oslo.config import cfg
 from six.moves.urllib import parse
 
-from ironic.api import acl
 from ironic.common import exception
 
 CONF = cfg.CONF
-acl.register_opts(CONF)
 
 
 def get_service_url(service_type='baremetal', endpoint_type='internal'):

ironic/common/neutron.py

@@ -20,7 +20,6 @@ from neutronclient.common import exceptions as neutron_client_exc
 from neutronclient.v2_0 import client as clientv20
 from oslo.config import cfg
 
-from ironic.api import acl
 from ironic.common import exception
 from ironic.common import keystone
 from ironic.drivers.modules import ssh
@@ -46,7 +45,6 @@ neutron_opts = [
 CONF = cfg.CONF
 CONF.import_opt('my_ip', 'ironic.netconf')
 CONF.register_opts(neutron_opts, group='neutron')
-acl.register_opts(CONF)
 LOG = logging.getLogger(__name__)
 
 

ironic/tests/api/base.py

@@ -20,12 +20,13 @@
 #       ceilometer/tests/api/__init__.py). This should be oslo'ified:
 #       https://bugs.launchpad.net/ironic/+bug/1255115.
 
+# NOTE(deva): import auth_token so we can override a config option
+from keystonemiddleware import auth_token  # noqa
 from oslo.config import cfg
 import pecan
 import pecan.testing
 from six.moves.urllib import parse as urlparse
 
-from ironic.api import acl
 from ironic.db import api as dbapi
 from ironic.tests.db import base
 
@@ -42,7 +43,8 @@ class FunctionalTest(base.DbTestCase):
 
     def setUp(self):
         super(FunctionalTest, self).setUp()
-        cfg.CONF.set_override("auth_version", "v2.0", group=acl.OPT_GROUP_NAME)
+        cfg.CONF.set_override("auth_version", "v2.0",
+                              group='keystone_authtoken')
         self.app = self._make_app()
         self.dbapi = dbapi.get_instance()
 

ironic/tests/api/test_acl.py

@@ -18,9 +18,11 @@ are blocked or allowed to be processed.
 
 import mock
 
+# NOTE(deva): import auth_token so we can override a config option
+from keystonemiddleware import auth_token  # noqa
+
 from oslo.config import cfg
 
-from ironic.api import acl
 from ironic.db import api as db_api
 from ironic.tests.api import base
 from ironic.tests.api import utils
@@ -46,7 +48,8 @@ class TestACL(base.FunctionalTest):
                                                 **param)
 
     def _make_app(self):
-        cfg.CONF.set_override('cache', 'fake.cache', group=acl.OPT_GROUP_NAME)
+        cfg.CONF.set_override('cache', 'fake.cache',
+                              group='keystone_authtoken')
         return super(TestACL, self)._make_app(enable_acl=True)
 
     def test_non_authenticated(self):

requirements.txt

@@ -31,6 +31,7 @@ six>=1.7.0
 jsonpatch>=1.1
 WSME>=0.6
 Jinja2
+keystonemiddleware>=1.0.0
 oslo.messaging>=1.4.0.0a3
 retrying>=1.2.2 # Apache-2.0
 posix_ipc

tools/config/oslo.config.generator.rc

@@ -1,2 +1,2 @@
 export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging'
-export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystoneclient.middleware.auth_token
+export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystonemiddleware.auth_token