Use auth_url as identity endpoint when not project scoped

There are a set of actions in keystone that can be performed without
a project scope, but the current discovery code will try to find the
identity endpoint in the catalog.

Use the auth_url for identity_endpoint_override when there is either
no project info or system-scope declaration.

Change-Id: Ibab4b2af2ca71fd9bd388829afcf9062431739ec
This commit is contained in:
Monty Taylor 2019-03-13 12:35:37 +00:00
parent c8b96cddd3
commit 72504d7f5b
3 changed files with 39 additions and 1 deletions

View File

@ -38,6 +38,12 @@ from openstack.config import defaults as config_defaults
from openstack import exceptions
from openstack import proxy
SCOPE_KEYS = {
'domain_id', 'domain_name',
'project_id', 'project_name',
'system_scope'
}
def _make_key(key, service_type):
if not service_type:
@ -313,6 +319,7 @@ class CloudRegion(object):
return self._get_config('service_name', service_type)
def get_endpoint(self, service_type):
auth = self.config.get('auth', {})
value = self._get_config('endpoint_override', service_type)
if not value:
value = self._get_config('endpoint', service_type)
@ -320,7 +327,13 @@ class CloudRegion(object):
# If endpoint is given and we're using the none auth type,
# then the endpoint value is the endpoint_override for every
# service.
value = self.config.get('auth', {}).get('endpoint')
value = auth.get('endpoint')
if (not value and service_type == 'identity'
and SCOPE_KEYS.isdisjoint(set(auth.keys()))):
# There are a small number of unscoped identity operations.
# Specifically, looking up a list of projects/domains/system to
# scope to.
value = auth.get('auth_url')
return value
def get_connect_retries(self, service_type):

View File

@ -168,6 +168,23 @@ class TestConfig(base.TestCase):
self.assertNotIn('domain-id', cc.auth)
self.assertNotIn('domain_id', cc)
def test_get_one_unscoped_identity(self):
single_conf = base._write_yaml({
'clouds': {
'unscoped': {
'auth': {
'auth_url': 'http://example.com/v2',
'username': 'testuser',
'password': 'testpass',
},
}
}
})
c = config.OpenStackConfig(config_files=[single_conf],
vendor_files=[self.vendor_yaml])
cc = c.get_one()
self.assertEqual('http://example.com/v2', cc.get_endpoint('identity'))
def test_get_one_domain_scoped(self):
c = config.OpenStackConfig(config_files=[self.cloud_yaml],
vendor_files=[self.vendor_yaml])
@ -175,6 +192,7 @@ class TestConfig(base.TestCase):
self.assertEqual('12345', cc.auth['domain_id'])
self.assertNotIn('user_domain_id', cc.auth)
self.assertNotIn('project_domain_id', cc.auth)
self.assertIsNone(cc.get_endpoint('identity'))
def test_get_one_infer_user_domain(self):
c = config.OpenStackConfig(config_files=[self.cloud_yaml],

View File

@ -0,0 +1,7 @@
---
features:
- |
The ``auth_url`` will be used for the default value of
``identity_endpoint_override`` in the absence of project or system-scope
information. This should simplify some actions such as listing available
projects.