Fully switch to keystone authtoken parameters

The old v2 parameters are not set anymore by puppet-sahara:
https://review.openstack.org/#/c/441223/
and trust (which means cluster operations) is broken.

Because puppet-sahara is used by TripleO and Packstack, we consider
this a critical issue.

We now switch to the "new" v3 parameters from keystone_authtoken, as
incentivized by that puppet-sahara change.

We no longer use the custom options admin_user_domain_name and
admin_project_domain_name, as [keystone_authtoken] can provide them.

Note 1: A workaround is needed to access some of the configs in
[keystone_authtoken], as they are considered private for
keystonemiddleware. In sahara-api, it would have been possible to
grab these configs with only a slight bit of magic, as sahara-api
is a keystonemiddleware-enabled WSGI application. However, with
sahara-engine it is not as straightforward, since keystonemiddleware
is not integrated there. Therefore, to access these private configs
we use a very sneaky workaround inspired by [0]. This should be
removed in Queens: we should add a separate, non-private
[clients_keystone] section in sahara.conf. That is the standard way to
grab service user credentials when excluded from access to
[keystone_authtoken]. Unfortunately we could not have done that in Pike
as it was too late to have a new puppet-sahara release.

Note 2: tools/get_auth_token.py was not changed as it probably
requires other changes to work with Identity v3.

[0] Ibbc738ee4c90392af47f1b6d69aee3c8dbbf3c17

Closes-Bug: #1709091
Co-Authored-By: Jeremy Freudberg <jeremyfreudberg@gmail.com>

Change-Id: I930e544b16f0871f5e8dc1a42aae34518ff25bcd

devstack/plugin.sh

@@ -98,10 +98,10 @@ function configure_sahara {
 
     # Set admin user parameters needed for trusts creation
     iniset $SAHARA_CONF_FILE \
-        keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $SAHARA_CONF_FILE keystone_authtoken admin_user sahara
+        keystone_authtoken project_name $SERVICE_TENANT_NAME
+    iniset $SAHARA_CONF_FILE keystone_authtoken username sahara
     iniset $SAHARA_CONF_FILE \
-        keystone_authtoken admin_password $SERVICE_PASSWORD
+        keystone_authtoken password $SERVICE_PASSWORD
 
     iniset_rpc_backend sahara $SAHARA_CONF_FILE DEFAULT
 

doc/source/admin/configuration-guide.rst

@@ -43,7 +43,7 @@ should point to the admin Identity API endpoint. For example:
     auth_uri=http://127.0.0.1:5000/v2.0/
     identity_uri=http://127.0.0.1:35357/
 
-Specify the ``admin_user``, ``admin_password`` and ``admin_tenant_name``.
+Specify the ``username``, ``password`` and ``project_name``.
 These parameters must specify an Identity user who has the ``admin`` role
 in the given project. These credentials allow sahara to authenticate and
 authorize its users.

releasenotes/notes/remove_custom_auth_domainname-984fd2d931e306cc.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - The custom admin_user_domain_name and admin_project_domain_name
+    configuration options have been removed; they are provided
+    by keystone_authtoken as user_domain_name and
+    project_domain_name respectively.

sahara/service/trusts.py

@@ -87,7 +87,7 @@ def create_trust_for_cluster(cluster, expires=True):
     if CONF.use_identity_api_v3 and not cluster.trust_id:
         trustor = keystone.auth()
         trustee = keystone.auth_for_admin(
-            project_name=CONF.keystone_authtoken.admin_tenant_name)
+            project_name=keystone.get_keystoneauth_cfg(CONF, 'project_name'))
 
         trust_id = create_trust(trustor=trustor,
                                 trustee=trustee,
@@ -153,7 +153,7 @@ def use_os_admin_auth_token(cluster):
     ctx = context.current()
     cluster = conductor.cluster_get(ctx, cluster)
     if CONF.use_identity_api_v3 and cluster.trust_id:
-        ctx.username = CONF.keystone_authtoken.admin_user
+        ctx.username = keystone.get_keystoneauth_cfg(CONF, 'username')
         ctx.tenant_id = cluster.tenant_id
         ctx.auth_plugin = keystone.auth_for_admin(
             trust_id=cluster.trust_id)

sahara/tests/unit/service/test_trusts.py

@@ -70,15 +70,16 @@ class TestTrusts(base.SaharaTestCase):
                                                 allow_redelegation=False)
         self.assertEqual("trust_id", trust_id)
 
+    @mock.patch('sahara.utils.openstack.keystone.get_keystoneauth_cfg')
     @mock.patch('sahara.conductor.API.cluster_get')
     @mock.patch('sahara.conductor.API.cluster_update')
     @mock.patch('sahara.service.trusts.create_trust')
     @mock.patch('sahara.utils.openstack.keystone.auth_for_admin')
     @mock.patch('sahara.context.current')
     def test_create_trust_for_cluster(self, context_current, auth_for_admin,
-                                      create_trust, cluster_update, cl_get):
-        self.override_config('admin_tenant_name', 'admin_project',
-                             group='keystone_authtoken')
+                                      create_trust, cluster_update, cl_get,
+                                      config_get):
+        config_get.return_value = "admin_project"
         trustor_auth = mock.Mock()
         fake_cluster = mock.Mock(trust_id=None)
         cl_get.return_value = fake_cluster

sahara/utils/openstack/keystone.py

@@ -23,6 +23,19 @@ from sahara.service import sessions
 from sahara.utils.openstack import base
 
 
+def get_keystoneauth_cfg(conf, name):
+    """get the keystone auth cfg
+
+    Fetch value of keystone_authtoken group from config file when not
+    available as part of GroupAttr.
+    :rtype: String
+    :param conf: oslo config cfg.CONF
+    :param name: property name to be retrieved
+    """
+    value_list = conf._namespace._get_file_value([('keystone_authtoken',
+                                                   name)])
+    return value_list[0]
+
 opts = [
     # TODO(alazarev) Move to [keystone] section
     cfg.BoolOpt('use_identity_api_v3',
@@ -30,17 +43,7 @@ opts = [
                 help='Enables Sahara to use Keystone API v3. '
                      'If that flag is disabled, '
                      'per-job clusters will not be terminated '
-                     'automatically.'),
-    # TODO(mimccune) The following should be integrated into a custom
-    # auth section
-    cfg.StrOpt('admin_user_domain_name',
-               default='default',
-               help='The name of the domain to which the admin user '
-                    'belongs.'),
-    cfg.StrOpt('admin_project_domain_name',
-               default='default',
-               help='The name of the domain for the service '
-                    'project(ex. tenant).')
+                     'automatically.')
 ]
 
 ssl_opts = [
@@ -84,11 +87,11 @@ def auth_for_admin(project_name=None, trust_id=None):
     # into federated authentication. it will need to match the domain that
     # the project_name exists in.
     auth = _password_auth(
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
+        username=get_keystoneauth_cfg(CONF, 'username'),
+        password=get_keystoneauth_cfg(CONF, 'password'),
         project_name=project_name,
-        user_domain_name=CONF.admin_user_domain_name,
-        project_domain_name=CONF.admin_project_domain_name,
+        user_domain_name=get_keystoneauth_cfg(CONF, 'user_domain_name'),
+        project_domain_name=get_keystoneauth_cfg(CONF, 'project_domain_name'),
         trust_id=trust_id)
     return auth
 
@@ -120,7 +123,7 @@ def client():
 def client_for_admin():
     '''Return the Sahara admin user client.'''
     auth = auth_for_admin(
-        project_name=CONF.keystone_authtoken.admin_tenant_name)
+        project_name=get_keystoneauth_cfg(CONF, 'project_name'))
     return client_from_auth(auth)