Now using the admin client to delete the trust gives the error:
"You are not authorized to perform the requested action:
Only admin or trustor can delete a trust.: ForbiddenAction:
You are not authorized to perform the requested action:
Only admin or trustor can delete a trust."
This patch uses the trustor's session to delete the trust.
Change-Id: Ib673128be860f548195181a465a9dff784cdef1a

When executing the 'murano environment create test' command, the command
fails because keystone has deleted the V2 API. Therefore murano needs
to use the V3 auth_url.
Change-Id: Ia9874949c0e7bdef733815ae6d37a3f19784abe3
Co-Authored-By: zhurong <aaronzhu1121@gmail.com>

Option auth_uri from group keystone_authtoken is deprecated [1].
Use option www_authenticate_uri from group keystone_authtoken.
[1]: https://review.openstack.org/#/c/508522/
Change-Id: Ib8623a359a27b8a4aa90bf69a3fe3f3a5c2411a6

Since the [murano_auth] section was introduced in Pike, there is no need to
fall back to [keystone_authtoken] now.
Change-Id: I24e2475997feb9fdcf388af03d51fd5ced9e3885

Various components define different options for the client sessions.
Standardize them with the help of the keystoneauth1 lib.
Change-Id: I2f791caaf230a58b8426d1c1d6e1eb4316a85a28

Use the OpenStack standard keystoneauth1 library for loading
authentication plugins and register their options in the
murano_auth section.
Still provide a fallback if no murano_auth.auth_type is specified
to make old config files work.
Closes-bug: 1705838
Change-Id: Ie74364a4401f64fe42bf2206b6df760d2fc60edb

From 2016/10, there is no domain with name 'Default' in keystone.
And the user would create a domain with name 'default', like this:
https://docs.openstack.org/mitaka/install-guide-obs/keystone-users.html
If there is no domain_name in murano.conf, set the default domain with name
'default'.
Change-Id: I1aa9efe4119c586bd6fb6c9442560813530a5e9d

This patch adds murano_auth for murano auth with keystone.
This gives the ability to fine-tune role-based privileges for the
service user going to execute trust-delegated tasks, and the auth
configuration properties do not need to change when keystonemiddleware
deprecates its configuration properties.
Closes-Bug: #1643583
Closes-Bug: #1658648
Change-Id: If10fa8c938c264c7b5cadb3c3ed77f39488dcab7

Added an ability to retrieve information about the current user,
current project, environment owner (both user and project)
from keystone. Appropriate information (including
extra fields but excluding internal system data) is fetched from
Keystone using the same service credentials that are used to validate
tokens, create trusts etc.
- io.murano.User and io.murano.Project classes were added.
- Both classes have 2 static methods to get current and environment
owner object of appropriate class
- Object model now contains project_id/user_id of the user who
created the environment
- Deployment task contains project_id (renamed from tenant_id)
and user_id of the user who initiated the deployment
Change-Id: Ic7e24c1d2b669ed315851047bcdb27e075cfc56b

This reverts commit df8bf9c8f8.
That patch renamed keys of the configuration properties of the
keystone_authtoken settings group, thus breaking config file
compatibility.
Change-Id: I8fd3b3211e75207cf6061eef6f038ea045d9dbfe

Now murano cannot auth when only using keystone v3;
this commit updates the devstack config to fix it with keystone v3.
Closes-bug: #1633394
Change-Id: Ie6a2ccdf6121b3badd403a1c08f1e91052e8c4dc

If auth_type is set in the keystone_authtoken section,
then one can use the keystoneauth1 library to load the
authentication plugin. This makes muranoclient fully workable
with Keystone v3 in case the domain name is not 'Default'.
Related-Bug: 1580611
Change-Id: I0d71032fb5296752ee25482b75993072884731e7

Previously user_domain_id and project_domain_id were hardcoded to
"default", which causes an error in environments using PostgreSQL or
case-sensitive MySQL as DB backend.
Change-Id: Id8489ad712deebff2248fbf404df255f484a8071
Closes-Bug: #1580611

* Single universal ClientManager class was dropped in favor of
individual in-context methods to create OS clients without
ClientManager restrictions.
* Environment class was renamed to ExecutionSession to avoid
common confusion with io.murano.Environment
* execution_session_local module was introduced to simplify
keeping per-execution session (per-deployment) data. This
is similar to thread-locals with the difference that there can
be many threads in a single session.
* All OS-clients related code was migrated to keystone client
sessions and API v3 (except for GLARE and Mistral, which don't
support sessions). This increases performance and solves
authentication problems that could be caused by token expiration
even with trusts enabled.
* [DEFAULT]/home_region setting was introduced instead of
[murano]/region_for_services to configure what region
should be used by the clients by default (where Murano API
resides). All client factories respect this setting.
Change-Id: If02c7e5d7d39574d0621e0e8dc27d1f501a31984

Passing 'tenant_id' to keystoneclient.v3.client.Client is
deprecated, and may be removed in the 2.0.0 release [1]. Replace
it with 'project_id' as suggested.
[1]:
f8c47a1aa0/keystoneclient/v3/client.py (L73)
Change-Id: I2898bb10e4373916b06c90b6b18ceb65845ae3b7
Related-Bug: #1514756

It provides a configuration property region_name_for_services which contains
a default region name used to get service endpoints in the case that there are
several regions.
Closes Bug: #1479260
Change-Id: I8ca3ee5aebd54c177b958327fdaa5906aa6a4cb2

The Oslo libraries have moved all of their code out of the 'oslo'
namespace package into per-library packages. The namespace package was
retained during kilo for backwards compatibility, but will be removed by
the liberty-2 milestone. This change removes the use of the namespace
package, replacing it with the new package names.
The patches in the libraries will be put on hold until application
patches have landed, or L2, whichever comes first. At that point, new
versions of the libraries without namespace packages will be released as
a major version update.
Please merge this patch, or an equivalent, before L2 to avoid problems
with those library releases.
Blueprint: remove-namespace-packages
https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages
Change-Id: I975592f3694be42d52685ebf606f6d3012caf1a8

Adds support for Nova Network if Neutron is not present in the
current OpenStack deployment.
Supporting the Nova Network requires modifications in three different
parts of generated Heat Stack:
1) Generated Security Groups and their rules should be of type
'AWS::EC2::SecurityGroup', not 'OS::Neutron::SecurityGroup'
2) Security Group assignments should go to security_groups property
of Instance resource, not the network port (as port concept is
not present when using NovaNetwork)
3) FloatingIP should be of type OS::Nova::FloatingIP and should be
associated with an Instance by OS::Nova::FloatingIPAssociation
resource.
To achieve p1 a SecurityGroupManager class of Core Library is made
abstract and is inherited by two concrete implementations:
NeutronSecurityGroupManager (containing the old MuranoPL code which
generated templates based on OS::Neutron::SecurityGroup) and a new
AwsSecurityGroupManager, which generates AWS-compliant firewall rules
which are consumed by NovaNetwork.
The particular concrete instance of this class is generated by the
default network of the environment: the Network class has got a new method called
generateSecurityGroupManager which returns an appropriate implementation.
For pp 2-3 a new inheritor of Network class has been added to the Core
Library: an io.murano.resources.NovaNetwork. It generates FloatingIP
association resources if needed and returns a securityGroupName object
as one of the outputs of its joinInstance methods.
The Instance class has been modified to properly handle these types of
outputs.
The instance of the NovaNetwork class is generated at the API side
when a new Environment is created and is assigned to the
defaultNetworks.environment property of the environment if neutron
is not defined in keystone.
Also this change moves the auth_utils module from engine to common, as
the Keystone Client it contains is now used by the API process as well.
This change is based on some of the code from the outdated changeset
I6f4b7908bd4bbcd375f64705c7dd06e3954f1ec7
Co-Authored-By: Alexander Tivelkov <ativelkov@mirantis.com>
Co-Authored-By: Stan Lagun <slagun@mirantis.com>
DocImpact
Change-Id: I4c48f33de100a5730ba1d086540d0d99e8fbf9b1
Implements-Blueprint: nova-network-support
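The three differences in the generated Heat stack that the commit above lists, shown side by side as an added example (not output of Murano's own template generator): the Neutron variant and the Nova Network variant of one ingress rule that admits SSH only from an admin CIDR, with the floating IP attached the Nova Network way. The CIDR, network, pool, image and flavor values are constructed placeholders; property names follow Heat's resource reference.

```yaml
heat_template_version: 2013-05-23

resources:
  # 1) Neutron deployment: OS::Neutron::SecurityGroup, assigned to the port.
  neutron_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      description: ssh from the admin network only (constructed example)
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: 10.0.0.0/24   # placeholder admin CIDR
  neutron_port:
    type: OS::Neutron::Port
    properties:
      network: private                   # placeholder network name
      security_groups: [ { get_resource: neutron_sg } ]

  # 2) Nova Network deployment: AWS::EC2::SecurityGroup, assigned through the
  #    instance's security_groups property because there is no port concept.
  aws_sg:
    type: AWS::EC2::SecurityGroup
    properties:
      GroupDescription: ssh from the admin network only (constructed example)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/24             # placeholder admin CIDR
  nova_server:
    type: OS::Nova::Server
    properties:
      image: PLACEHOLDER_IMAGE
      flavor: m1.small
      security_groups: [ { get_resource: aws_sg } ]

  # 3) Nova Network floating IP: OS::Nova::FloatingIP associated with the
  #    instance by OS::Nova::FloatingIPAssociation.
  floating_ip:
    type: OS::Nova::FloatingIP
    properties:
      pool: public                       # placeholder floating IP pool
  floating_ip_assoc:
    type: OS::Nova::FloatingIPAssociation
    properties:
      floating_ip: { get_resource: floating_ip }
      server_id: { get_resource: nova_server }
```

Either half validates on its own with `heat template-validate`; in both variants the ingress rule is the only one defined, so anything outside the admin CIDR is dropped by default.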