Fully switch to keystone authtoken parameters
The old v2 parameters are not set anymore by puppet-sahara: https://review.openstack.org/#/c/441223/ and trust (which means cluster operations) is broken. Because puppet-sahara is used by TripleO and Packstack, we consider this a critical issue. We now switch to the "new" v3 parameters from keystone_authtoken, as incentivized by that puppet-sahara change. We no longer use the custom options admin_user_domain_name and admin_project_domain_name, as [keystone_authtoken] can provide them. Note 1: A workaround is needed to access some of the configs in [keystone_authtoken], as they are considered private for keystonemiddleware. In sahara-api, it would have been possible to grab these configs with only a slight bit of magic, as sahara-api is a keystonemiddleware-enabled WSGI application. However, with sahara-engine it is not as straightforward, since keystonemiddleware is not integrated there. Therefore, to access these private configs we use a very sneaky workaround inspired by [0]. This should be removed in Queens: we should add a separate, non-private [clients_keystone] section in sahara.conf. That is the standard way to grab service user credentials when excluded from access to [keystone_authtoken]. Unfortunately we could not have done that in Pike as it was too late to have a new puppet-sahara release. Note 2: tools/get_auth_token.py was not changed as it probably requires other changes to work with Identity v3. [0] Ibbc738ee4c90392af47f1b6d69aee3c8dbbf3c17 Closes-Bug: #1709091 Co-Authored-By: Jeremy Freudberg <jeremyfreudberg@gmail.com> Change-Id: I930e544b16f0871f5e8dc1a42aae34518ff25bcd
parent
fae4540354
commit
5abae32028
|
@ -98,10 +98,10 @@ function configure_sahara {
|
|||
|
||||
# Set admin user parameters needed for trusts creation
|
||||
iniset $SAHARA_CONF_FILE \
|
||||
keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $SAHARA_CONF_FILE keystone_authtoken admin_user sahara
|
||||
keystone_authtoken project_name $SERVICE_TENANT_NAME
|
||||
iniset $SAHARA_CONF_FILE keystone_authtoken username sahara
|
||||
iniset $SAHARA_CONF_FILE \
|
||||
keystone_authtoken admin_password $SERVICE_PASSWORD
|
||||
keystone_authtoken password $SERVICE_PASSWORD
|
||||
|
||||
iniset_rpc_backend sahara $SAHARA_CONF_FILE DEFAULT
|
||||
|
||||
|
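Review bot: Only `username`, `password` and `project_name` are written to `[keystone_authtoken]` here, while `auth_for_admin` in this same change now reads `user_domain_name` and `project_domain_name` from that section with no fallback to the old `'default'` value of the removed `admin_*_domain_name` options. Unless devstack's auth-token middleware helper already writes both keys into `$SAHARA_CONF_FILE` (not visible from this hunk), trust creation will fail at runtime with a missing-option error rather than at configure time. Making the dependency explicit with `iniset $SAHARA_CONF_FILE keystone_authtoken user_domain_name $SERVICE_DOMAIN_NAME` and `iniset $SAHARA_CONF_FILE keystone_authtoken project_domain_name $SERVICE_DOMAIN_NAME` next to the lines above would avoid relying on that ordering.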
|
|
@ -43,7 +43,7 @@ should point to the admin Identity API endpoint. For example:
|
|||
auth_uri=http://127.0.0.1:5000/v2.0/
|
||||
identity_uri=http://127.0.0.1:35357/
|
||||
|
||||
Specify the ``admin_user``, ``admin_password`` and ``admin_tenant_name``.
|
||||
Specify the ``username``, ``password`` and ``project_name``.
|
||||
These parameters must specify an Identity user who has the ``admin`` role
|
||||
in the given project. These credentials allow sahara to authenticate and
|
||||
authorize its users.
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
deprecations:
|
||||
- The custom admin_user_domain_name and admin_project_domain_name
|
||||
configuration options have been removed; they are provided
|
||||
by keystone_authtoken as user_domain_name and
|
||||
project_domain_name respectively.
|
|
@ -87,7 +87,7 @@ def create_trust_for_cluster(cluster, expires=True):
|
|||
if CONF.use_identity_api_v3 and not cluster.trust_id:
|
||||
trustor = keystone.auth()
|
||||
trustee = keystone.auth_for_admin(
|
||||
project_name=CONF.keystone_authtoken.admin_tenant_name)
|
||||
project_name=keystone.get_keystoneauth_cfg(CONF, 'project_name'))
|
||||
|
||||
trust_id = create_trust(trustor=trustor,
|
||||
trustee=trustee,
|
||||
|
@ -153,7 +153,7 @@ def use_os_admin_auth_token(cluster):
|
|||
ctx = context.current()
|
||||
cluster = conductor.cluster_get(ctx, cluster)
|
||||
if CONF.use_identity_api_v3 and cluster.trust_id:
|
||||
ctx.username = CONF.keystone_authtoken.admin_user
|
||||
ctx.username = keystone.get_keystoneauth_cfg(CONF, 'username')
|
||||
ctx.tenant_id = cluster.tenant_id
|
||||
ctx.auth_plugin = keystone.auth_for_admin(
|
||||
trust_id=cluster.trust_id)
|
||||
|
|
|
@ -70,15 +70,16 @@ class TestTrusts(base.SaharaTestCase):
|
|||
allow_redelegation=False)
|
||||
self.assertEqual("trust_id", trust_id)
|
||||
|
||||
@mock.patch('sahara.utils.openstack.keystone.get_keystoneauth_cfg')
|
||||
@mock.patch('sahara.conductor.API.cluster_get')
|
||||
@mock.patch('sahara.conductor.API.cluster_update')
|
||||
@mock.patch('sahara.service.trusts.create_trust')
|
||||
@mock.patch('sahara.utils.openstack.keystone.auth_for_admin')
|
||||
@mock.patch('sahara.context.current')
|
||||
def test_create_trust_for_cluster(self, context_current, auth_for_admin,
|
||||
create_trust, cluster_update, cl_get):
|
||||
self.override_config('admin_tenant_name', 'admin_project',
|
||||
group='keystone_authtoken')
|
||||
create_trust, cluster_update, cl_get,
|
||||
config_get):
|
||||
config_get.return_value = "admin_project"
|
||||
trustor_auth = mock.Mock()
|
||||
fake_cluster = mock.Mock(trust_id=None)
|
||||
cl_get.return_value = fake_cluster
|
||||
|
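Review bot: `config_get.return_value = "admin_project"` answers every lookup with the same string, so whatever assertion follows (the test body continues outside the hunk) cannot tell whether `create_trust_for_cluster` asked for `'project_name'` or some other key. Since `auth_for_admin` is mocked, the only call into `get_keystoneauth_cfg` in this path should be the project-name one, so adding `config_get.assert_called_once_with(mock.ANY, 'project_name')` pins the contract with one line. A short comment on the patch line, `# get_keystoneauth_cfg reads the on-disk config directly, so override_config cannot feed it; mock it instead`, would also explain to the next reader why this helper is mocked while the other options use `override_config`.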
|
|
@ -23,6 +23,19 @@ from sahara.service import sessions
|
|||
from sahara.utils.openstack import base
|
||||
|
||||
|
||||
def get_keystoneauth_cfg(conf, name):
|
||||
"""get the keystone auth cfg
|
||||
|
||||
Fetch value of keystone_authtoken group from config file when not
|
||||
available as part of GroupAttr.
|
||||
:rtype: String
|
||||
:param conf: oslo config cfg.CONF
|
||||
:param name: property name to be retrieved
|
||||
"""
|
||||
value_list = conf._namespace._get_file_value([('keystone_authtoken',
|
||||
name)])
|
||||
return value_list[0]
|
||||
|
||||
opts = [
|
||||
# TODO(alazarev) Move to [keystone] section
|
||||
cfg.BoolOpt('use_identity_api_v3',
|
||||
|
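Review bot: `get_keystoneauth_cfg` returns `value_list[0]` straight from `conf._namespace._get_file_value`, a lookup that only sees values parsed from config files: option defaults, `CONF.set_override`/`override_config` and any other non-file source are ignored, and in the oslo.config versions I know a name absent from every file raises a bare `KeyError` rather than a configuration error that names the option. This matters for `auth_for_admin` and `client_for_admin` later in this commit and for both call sites in `trusts.py`: `user_domain_name` and `project_domain_name` previously defaulted to `'default'` and must now be literally present in `[keystone_authtoken]` on disk, which the release note in this change does not say. Wrapping the lookup and raising `cfg.RequiredOptError(name, 'keystone_authtoken')` (with `cfg` already imported in this module) would turn the failure into a readable message, and the docstring should state that values come only from loaded config files and that the returned value is the raw secret for `password`, so callers must not log it.
```python
def get_keystoneauth_cfg(conf, name):
    # … unchanged: docstring …
    try:
        value_list = conf._namespace._get_file_value(
            [('keystone_authtoken', name)])
    except KeyError:
        # Not set in any loaded config file; this private lookup does not
        # consult option defaults or overrides, so fail with the option name.
        raise cfg.RequiredOptError(name, 'keystone_authtoken')
    return value_list[0]
```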
@ -30,17 +43,7 @@ opts = [
|
|||
help='Enables Sahara to use Keystone API v3. '
|
||||
'If that flag is disabled, '
|
||||
'per-job clusters will not be terminated '
|
||||
'automatically.'),
|
||||
# TODO(mimccune) The following should be integrated into a custom
|
||||
# auth section
|
||||
cfg.StrOpt('admin_user_domain_name',
|
||||
default='default',
|
||||
help='The name of the domain to which the admin user '
|
||||
'belongs.'),
|
||||
cfg.StrOpt('admin_project_domain_name',
|
||||
default='default',
|
||||
help='The name of the domain for the service '
|
||||
'project(ex. tenant).')
|
||||
'automatically.')
|
||||
]
|
||||
|
||||
ssl_opts = [
|
||||
|
@ -84,11 +87,11 @@ def auth_for_admin(project_name=None, trust_id=None):
|
|||
# into federated authentication. it will need to match the domain that
|
||||
# the project_name exists in.
|
||||
auth = _password_auth(
|
||||
username=CONF.keystone_authtoken.admin_user,
|
||||
password=CONF.keystone_authtoken.admin_password,
|
||||
username=get_keystoneauth_cfg(CONF, 'username'),
|
||||
password=get_keystoneauth_cfg(CONF, 'password'),
|
||||
project_name=project_name,
|
||||
user_domain_name=CONF.admin_user_domain_name,
|
||||
project_domain_name=CONF.admin_project_domain_name,
|
||||
user_domain_name=get_keystoneauth_cfg(CONF, 'user_domain_name'),
|
||||
project_domain_name=get_keystoneauth_cfg(CONF, 'project_domain_name'),
|
||||
trust_id=trust_id)
|
||||
return auth
|
||||
|
||||
|
@ -120,7 +123,7 @@ def client():
|
|||
def client_for_admin():
|
||||
'''Return the Sahara admin user client.'''
|
||||
auth = auth_for_admin(
|
||||
project_name=CONF.keystone_authtoken.admin_tenant_name)
|
||||
project_name=get_keystoneauth_cfg(CONF, 'project_name'))
|
||||
return client_from_auth(auth)
|
||||
|
||||
|
||||
|
|