Merge "Clean up deprecated configuration options"
commit
0b634ed5b3
106
example.conf
106
example.conf
@ -5,13 +5,11 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# IP to listen on. (string value)
|
# IP to listen on. (string value)
|
||||||
# Deprecated group/name - [discoverd]/listen_address
|
|
||||||
#listen_address = 0.0.0.0
|
#listen_address = 0.0.0.0
|
||||||
|
|
||||||
# Port to listen on. (port value)
|
# Port to listen on. (port value)
|
||||||
# Minimum value: 0
|
# Minimum value: 0
|
||||||
# Maximum value: 65535
|
# Maximum value: 65535
|
||||||
# Deprecated group/name - [discoverd]/listen_port
|
|
||||||
#listen_port = 5050
|
#listen_port = 5050
|
||||||
|
|
||||||
# Authentication method used on the ironic-inspector API. Either
|
# Authentication method used on the ironic-inspector API. Either
|
||||||
@ -20,26 +18,17 @@
|
|||||||
# Allowed values: keystone, noauth
|
# Allowed values: keystone, noauth
|
||||||
#auth_strategy = keystone
|
#auth_strategy = keystone
|
||||||
|
|
||||||
# DEPRECATED: use auth_strategy. (boolean value)
|
|
||||||
# Deprecated group/name - [discoverd]/authenticate
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
#authenticate = <None>
|
|
||||||
|
|
||||||
# Timeout after which introspection is considered failed, set to 0 to
|
# Timeout after which introspection is considered failed, set to 0 to
|
||||||
# disable. (integer value)
|
# disable. (integer value)
|
||||||
# Deprecated group/name - [discoverd]/timeout
|
|
||||||
#timeout = 3600
|
#timeout = 3600
|
||||||
|
|
||||||
# For how much time (in seconds) to keep status information about
|
# For how much time (in seconds) to keep status information about
|
||||||
# nodes after introspection was finished for them. Default value is 1
|
# nodes after introspection was finished for them. Default value is 1
|
||||||
# week. (integer value)
|
# week. (integer value)
|
||||||
# Deprecated group/name - [discoverd]/node_status_keep_time
|
|
||||||
#node_status_keep_time = 604800
|
#node_status_keep_time = 604800
|
||||||
|
|
||||||
# Amount of time in seconds, after which repeat clean up of timed out
|
# Amount of time in seconds, after which repeat clean up of timed out
|
||||||
# nodes and old nodes status information. (integer value)
|
# nodes and old nodes status information. (integer value)
|
||||||
# Deprecated group/name - [discoverd]/clean_up_period
|
|
||||||
#clean_up_period = 60
|
#clean_up_period = 60
|
||||||
|
|
||||||
# SSL Enabled/Disabled (boolean value)
|
# SSL Enabled/Disabled (boolean value)
|
||||||
@ -380,20 +369,6 @@
|
|||||||
#db_max_retries = 20
|
#db_max_retries = 20
|
||||||
|
|
||||||
|
|
||||||
[discoverd]
|
|
||||||
|
|
||||||
#
|
|
||||||
# From ironic_inspector
|
|
||||||
#
|
|
||||||
|
|
||||||
# DEPRECATED: SQLite3 database to store nodes under introspection,
|
|
||||||
# required. Do not use :memory: here, it won't work. DEPRECATED: use
|
|
||||||
# [database]/connection. (string value)
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
#database =
|
|
||||||
|
|
||||||
|
|
||||||
[discovery]
|
[discovery]
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -412,17 +387,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Whether to manage firewall rules for PXE port. (boolean value)
|
# Whether to manage firewall rules for PXE port. (boolean value)
|
||||||
# Deprecated group/name - [discoverd]/manage_firewall
|
|
||||||
#manage_firewall = true
|
#manage_firewall = true
|
||||||
|
|
||||||
# Interface on which dnsmasq listens, the default is for VM's. (string
|
# Interface on which dnsmasq listens, the default is for VM's. (string
|
||||||
# value)
|
# value)
|
||||||
# Deprecated group/name - [discoverd]/dnsmasq_interface
|
|
||||||
#dnsmasq_interface = br-ctlplane
|
#dnsmasq_interface = br-ctlplane
|
||||||
|
|
||||||
# Amount of time in seconds, after which repeat periodic update of
|
# Amount of time in seconds, after which repeat periodic update of
|
||||||
# firewall. (integer value)
|
# firewall. (integer value)
|
||||||
# Deprecated group/name - [discoverd]/firewall_update_period
|
|
||||||
#firewall_update_period = 15
|
#firewall_update_period = 15
|
||||||
|
|
||||||
# iptables chain name to use. (string value)
|
# iptables chain name to use. (string value)
|
||||||
@ -469,14 +441,6 @@
|
|||||||
# Domain name to scope to (string value)
|
# Domain name to scope to (string value)
|
||||||
#domain_name = <None>
|
#domain_name = <None>
|
||||||
|
|
||||||
# DEPRECATED: Keystone admin endpoint. DEPRECATED: Use
|
|
||||||
# [keystone_authtoken] section for keystone token validation. (string
|
|
||||||
# value)
|
|
||||||
# Deprecated group/name - [discoverd]/identity_uri
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
#identity_uri =
|
|
||||||
|
|
||||||
# Verify HTTPS connections. (boolean value)
|
# Verify HTTPS connections. (boolean value)
|
||||||
#insecure = false
|
#insecure = false
|
||||||
|
|
||||||
@ -492,51 +456,15 @@
|
|||||||
# (integer value)
|
# (integer value)
|
||||||
#max_retries = 30
|
#max_retries = 30
|
||||||
|
|
||||||
# DEPRECATED: Keystone authentication endpoint for accessing Ironic
|
|
||||||
# API. Use [keystone_authtoken] section for keystone token validation.
|
|
||||||
# (string value)
|
|
||||||
# Deprecated group/name - [discoverd]/os_auth_url
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_auth_url =
|
|
||||||
|
|
||||||
# Ironic endpoint type. (string value)
|
# Ironic endpoint type. (string value)
|
||||||
#os_endpoint_type = internalURL
|
#os_endpoint_type = internalURL
|
||||||
|
|
||||||
# DEPRECATED: Password for accessing Ironic API. Use
|
|
||||||
# [keystone_authtoken] section for keystone token validation. (string
|
|
||||||
# value)
|
|
||||||
# Deprecated group/name - [discoverd]/os_password
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_password =
|
|
||||||
|
|
||||||
# Keystone region used to get Ironic endpoints. (string value)
|
# Keystone region used to get Ironic endpoints. (string value)
|
||||||
#os_region = <None>
|
#os_region = <None>
|
||||||
|
|
||||||
# Ironic service type. (string value)
|
# Ironic service type. (string value)
|
||||||
#os_service_type = baremetal
|
#os_service_type = baremetal
|
||||||
|
|
||||||
# DEPRECATED: Tenant name for accessing Ironic API. Use
|
|
||||||
# [keystone_authtoken] section for keystone token validation. (string
|
|
||||||
# value)
|
|
||||||
# Deprecated group/name - [discoverd]/os_tenant_name
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_tenant_name =
|
|
||||||
|
|
||||||
# DEPRECATED: User name for accessing Ironic API. Use
|
|
||||||
# [keystone_authtoken] section for keystone token validation. (string
|
|
||||||
# value)
|
|
||||||
# Deprecated group/name - [discoverd]/os_username
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_username =
|
|
||||||
|
|
||||||
# User's password (string value)
|
# User's password (string value)
|
||||||
#password = <None>
|
#password = <None>
|
||||||
|
|
||||||
@ -746,6 +674,21 @@
|
|||||||
# Reason: PKI token format is no longer supported.
|
# Reason: PKI token format is no longer supported.
|
||||||
#hash_algorithms = md5
|
#hash_algorithms = md5
|
||||||
|
|
||||||
|
# A choice of roles that must be present in a service token. Service
|
||||||
|
# tokens are allowed to request that an expired token can be used and
|
||||||
|
# so this check should tightly control that only actual services
|
||||||
|
# should be sending this token. Roles here are applied as an ANY check
|
||||||
|
# so any role in this list must be present. For backwards
|
||||||
|
# compatibility reasons this currently only affects the allow_expired
|
||||||
|
# check. (list value)
|
||||||
|
#service_token_roles = service
|
||||||
|
|
||||||
|
# For backwards compatibility reasons we must let valid service tokens
|
||||||
|
# pass that don't pass the service_token_roles check as valid. Setting
|
||||||
|
# this true will become the default in a future release and should be
|
||||||
|
# enabled if possible. (boolean value)
|
||||||
|
#service_token_roles_required = false
|
||||||
|
|
||||||
# Authentication type to load (string value)
|
# Authentication type to load (string value)
|
||||||
# Deprecated group/name - [keystone_authtoken]/auth_plugin
|
# Deprecated group/name - [keystone_authtoken]/auth_plugin
|
||||||
#auth_type = <None>
|
#auth_type = <None>
|
||||||
@ -779,7 +722,6 @@
|
|||||||
# falls back to "active" if PXE MAC is not supplied by the ramdisk).
|
# falls back to "active" if PXE MAC is not supplied by the ramdisk).
|
||||||
# (string value)
|
# (string value)
|
||||||
# Allowed values: all, active, pxe
|
# Allowed values: all, active, pxe
|
||||||
# Deprecated group/name - [discoverd]/add_ports
|
|
||||||
#add_ports = pxe
|
#add_ports = pxe
|
||||||
|
|
||||||
# Which ports (already present on a node) to keep after introspection.
|
# Which ports (already present on a node) to keep after introspection.
|
||||||
@ -787,19 +729,16 @@
|
|||||||
# which MACs were present in introspection data), added (keep only
|
# which MACs were present in introspection data), added (keep only
|
||||||
# MACs that we added during introspection). (string value)
|
# MACs that we added during introspection). (string value)
|
||||||
# Allowed values: all, present, added
|
# Allowed values: all, present, added
|
||||||
# Deprecated group/name - [discoverd]/keep_ports
|
|
||||||
#keep_ports = all
|
#keep_ports = all
|
||||||
|
|
||||||
# Whether to overwrite existing values in node database. Disable this
|
# Whether to overwrite existing values in node database. Disable this
|
||||||
# option to make introspection a non-destructive operation. (boolean
|
# option to make introspection a non-destructive operation. (boolean
|
||||||
# value)
|
# value)
|
||||||
# Deprecated group/name - [discoverd]/overwrite_existing
|
|
||||||
#overwrite_existing = true
|
#overwrite_existing = true
|
||||||
|
|
||||||
# DEPRECATED: Whether to enable setting IPMI credentials during
|
# DEPRECATED: Whether to enable setting IPMI credentials during
|
||||||
# introspection. This feature will be removed in the Pike release.
|
# introspection. This feature will be removed in the Pike release.
|
||||||
# (boolean value)
|
# (boolean value)
|
||||||
# Deprecated group/name - [discoverd]/enable_setting_ipmi_credentials
|
|
||||||
# This option is deprecated for removal.
|
# This option is deprecated for removal.
|
||||||
# Its value may be silently ignored in the future.
|
# Its value may be silently ignored in the future.
|
||||||
#enable_setting_ipmi_credentials = false
|
#enable_setting_ipmi_credentials = false
|
||||||
@ -815,18 +754,15 @@
|
|||||||
# default for this is $default_processing_hooks, hooks can be added
|
# default for this is $default_processing_hooks, hooks can be added
|
||||||
# before or after the defaults like this:
|
# before or after the defaults like this:
|
||||||
# "prehook,$default_processing_hooks,posthook". (string value)
|
# "prehook,$default_processing_hooks,posthook". (string value)
|
||||||
# Deprecated group/name - [discoverd]/processing_hooks
|
|
||||||
#processing_hooks = $default_processing_hooks
|
#processing_hooks = $default_processing_hooks
|
||||||
|
|
||||||
# If set, logs from ramdisk will be stored in this directory. (string
|
# If set, logs from ramdisk will be stored in this directory. (string
|
||||||
# value)
|
# value)
|
||||||
# Deprecated group/name - [discoverd]/ramdisk_logs_dir
|
|
||||||
#ramdisk_logs_dir = <None>
|
#ramdisk_logs_dir = <None>
|
||||||
|
|
||||||
# Whether to store ramdisk logs even if it did not return an error
|
# Whether to store ramdisk logs even if it did not return an error
|
||||||
# message (dependent upon "ramdisk_logs_dir" option being set).
|
# message (dependent upon "ramdisk_logs_dir" option being set).
|
||||||
# (boolean value)
|
# (boolean value)
|
||||||
# Deprecated group/name - [discoverd]/always_store_ramdisk_logs
|
|
||||||
#always_store_ramdisk_logs = false
|
#always_store_ramdisk_logs = false
|
||||||
|
|
||||||
# The name of the hook to run when inspector receives inspection
|
# The name of the hook to run when inspector receives inspection
|
||||||
@ -917,18 +853,6 @@
|
|||||||
# (integer value)
|
# (integer value)
|
||||||
#max_retries = 2
|
#max_retries = 2
|
||||||
|
|
||||||
# DEPRECATED: Keystone authentication URL (string value)
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_auth_url =
|
|
||||||
|
|
||||||
# DEPRECATED: Keystone authentication API version (string value)
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use options presented by configured keystone auth plugin.
|
|
||||||
#os_auth_version = 2
|
|
||||||
|
|
||||||
# Swift endpoint type. (string value)
|
# Swift endpoint type. (string value)
|
||||||
#os_endpoint_type = internalURL
|
#os_endpoint_type = internalURL
|
||||||
|
|
||||||
|
@ -37,50 +37,6 @@ IRONIC_GROUP = 'ironic'
|
|||||||
IRONIC_OPTS = [
|
IRONIC_OPTS = [
|
||||||
cfg.StrOpt('os_region',
|
cfg.StrOpt('os_region',
|
||||||
help=_('Keystone region used to get Ironic endpoints.')),
|
help=_('Keystone region used to get Ironic endpoints.')),
|
||||||
cfg.StrOpt('os_auth_url',
|
|
||||||
default='',
|
|
||||||
help=_('Keystone authentication endpoint for accessing Ironic '
|
|
||||||
'API. Use [keystone_authtoken] section for keystone '
|
|
||||||
'token validation.'),
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('os_username',
|
|
||||||
default='',
|
|
||||||
help=_('User name for accessing Ironic API. '
|
|
||||||
'Use [keystone_authtoken] section for keystone '
|
|
||||||
'token validation.'),
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('os_password',
|
|
||||||
default='',
|
|
||||||
help=_('Password for accessing Ironic API. '
|
|
||||||
'Use [keystone_authtoken] section for keystone '
|
|
||||||
'token validation.'),
|
|
||||||
secret=True,
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('os_tenant_name',
|
|
||||||
default='',
|
|
||||||
help=_('Tenant name for accessing Ironic API. '
|
|
||||||
'Use [keystone_authtoken] section for keystone '
|
|
||||||
'token validation.'),
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('identity_uri',
|
|
||||||
default='',
|
|
||||||
help=_('Keystone admin endpoint. '
|
|
||||||
'DEPRECATED: Use [keystone_authtoken] section for '
|
|
||||||
'keystone token validation.'),
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True),
|
|
||||||
cfg.StrOpt('auth_strategy',
|
cfg.StrOpt('auth_strategy',
|
||||||
default='keystone',
|
default='keystone',
|
||||||
choices=('keystone', 'noauth'),
|
choices=('keystone', 'noauth'),
|
||||||
@ -112,12 +68,6 @@ CONF.register_opts(IRONIC_OPTS, group=IRONIC_GROUP)
|
|||||||
keystone.register_auth_opts(IRONIC_GROUP)
|
keystone.register_auth_opts(IRONIC_GROUP)
|
||||||
|
|
||||||
IRONIC_SESSION = None
|
IRONIC_SESSION = None
|
||||||
LEGACY_MAP = {
|
|
||||||
'auth_url': 'os_auth_url',
|
|
||||||
'username': 'os_username',
|
|
||||||
'password': 'os_password',
|
|
||||||
'tenant_name': 'os_tenant_name'
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
class NotFound(utils.Error):
|
class NotFound(utils.Error):
|
||||||
@ -175,8 +125,7 @@ def get_client(token=None,
|
|||||||
else:
|
else:
|
||||||
global IRONIC_SESSION
|
global IRONIC_SESSION
|
||||||
if not IRONIC_SESSION:
|
if not IRONIC_SESSION:
|
||||||
IRONIC_SESSION = keystone.get_session(
|
IRONIC_SESSION = keystone.get_session(IRONIC_GROUP)
|
||||||
IRONIC_GROUP, legacy_mapping=LEGACY_MAP)
|
|
||||||
if token is None:
|
if token is None:
|
||||||
args = {'session': IRONIC_SESSION,
|
args = {'session': IRONIC_SESSION,
|
||||||
'region_name': CONF.ironic.os_region}
|
'region_name': CONF.ironic.os_region}
|
||||||
|
@ -13,16 +13,11 @@
|
|||||||
|
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
from keystoneauth1 import exceptions
|
|
||||||
from keystoneauth1 import loading
|
from keystoneauth1 import loading
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log
|
|
||||||
from six.moves.urllib import parse # for legacy options loading only
|
|
||||||
|
|
||||||
from ironic_inspector.common.i18n import _LW
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
LOG = log.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
def register_auth_opts(group):
|
def register_auth_opts(group):
|
||||||
@ -31,81 +26,13 @@ def register_auth_opts(group):
|
|||||||
CONF.set_default('auth_type', default='password', group=group)
|
CONF.set_default('auth_type', default='password', group=group)
|
||||||
|
|
||||||
|
|
||||||
def get_session(group, legacy_mapping=None, legacy_auth_opts=None):
|
def get_session(group):
|
||||||
auth = _get_auth(group, legacy_mapping, legacy_auth_opts)
|
auth = loading.load_auth_from_conf_options(CONF, group)
|
||||||
session = loading.load_session_from_conf_options(
|
session = loading.load_session_from_conf_options(
|
||||||
CONF, group, auth=auth)
|
CONF, group, auth=auth)
|
||||||
return session
|
return session
|
||||||
|
|
||||||
|
|
||||||
def _get_auth(group, legacy_mapping=None, legacy_opts=None):
|
|
||||||
try:
|
|
||||||
auth = loading.load_auth_from_conf_options(CONF, group)
|
|
||||||
except exceptions.MissingRequiredOptions:
|
|
||||||
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
|
|
||||||
else:
|
|
||||||
if auth is None:
|
|
||||||
auth = _get_legacy_auth(group, legacy_mapping, legacy_opts)
|
|
||||||
return auth
|
|
||||||
|
|
||||||
|
|
||||||
def _get_legacy_auth(group, legacy_mapping, legacy_opts):
|
|
||||||
"""Load auth plugin from legacy options.
|
|
||||||
|
|
||||||
If legacy_opts is not empty, these options will be registered first.
|
|
||||||
|
|
||||||
legacy_mapping is a dict that maps the following keys to legacy option
|
|
||||||
names:
|
|
||||||
auth_url
|
|
||||||
username
|
|
||||||
password
|
|
||||||
tenant_name
|
|
||||||
"""
|
|
||||||
LOG.warning(_LW("Group [%s]: Using legacy auth loader is deprecated. "
|
|
||||||
"Consider specifying appropriate keystone auth plugin as "
|
|
||||||
"'auth_type' and corresponding plugin options."), group)
|
|
||||||
if legacy_opts:
|
|
||||||
for opt in legacy_opts:
|
|
||||||
try:
|
|
||||||
CONF.register_opt(opt, group=group)
|
|
||||||
except cfg.DuplicateOptError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
conf = getattr(CONF, group)
|
|
||||||
auth_params = {a: getattr(conf, legacy_mapping[a])
|
|
||||||
for a in legacy_mapping}
|
|
||||||
legacy_loader = loading.get_plugin_loader('password')
|
|
||||||
# NOTE(pas-ha) only Swift had this option, take it into account
|
|
||||||
try:
|
|
||||||
auth_version = conf.get('os_auth_version')
|
|
||||||
except cfg.NoSuchOptError:
|
|
||||||
auth_version = None
|
|
||||||
# NOTE(pas-ha) mimic defaults of keystoneclient
|
|
||||||
if _is_apiv3(auth_params['auth_url'], auth_version):
|
|
||||||
auth_params.update({
|
|
||||||
'project_domain_id': 'default',
|
|
||||||
'user_domain_id': 'default'})
|
|
||||||
return legacy_loader.load_from_options(**auth_params)
|
|
||||||
|
|
||||||
|
|
||||||
# NOTE(pas-ha): for backward compat with legacy options loading only
|
|
||||||
def _is_apiv3(auth_url, auth_version):
|
|
||||||
"""Check if V3 version of API is being used or not.
|
|
||||||
|
|
||||||
This method inspects auth_url and auth_version, and checks whether V3
|
|
||||||
version of the API is being used or not.
|
|
||||||
When no auth_version is specified and auth_url is not a versioned
|
|
||||||
endpoint, v2.0 is assumed.
|
|
||||||
:param auth_url: a http or https url to be inspected (like
|
|
||||||
'http://127.0.0.1:9898/').
|
|
||||||
:param auth_version: a string containing the version (like 'v2', 'v3.0')
|
|
||||||
or None
|
|
||||||
:returns: True if V3 of the API is being used.
|
|
||||||
"""
|
|
||||||
return (auth_version in ('v3.0', '3') or
|
|
||||||
'/v3' in parse.urlparse(auth_url).path)
|
|
||||||
|
|
||||||
|
|
||||||
def add_auth_options(options, group):
|
def add_auth_options(options, group):
|
||||||
|
|
||||||
def add_options(opts, opts_to_add):
|
def add_options(opts, opts_to_add):
|
||||||
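Review bot: In the second hunk of this section, `get_session` now hands the result of `loading.load_auth_from_conf_options(CONF, group)` straight to the session loader, so the two cases the removed `_get_auth` handled (a `MissingRequiredOptions` exception and a `None` return) are no longer dealt with in this function. Both visible callers build the session lazily (`get_client` for `IRONIC_GROUP`, `SwiftAPI` for `SWIFT_GROUP`), so a deployment that still carries only the removed legacy credentials would presumably start cleanly and fail on first use with a raw keystoneauth error that does not name the config section. Consider failing fast: add an explicit `if auth is None:` check that raises an error naming `group` and pointing at `auth_type`, and add a docstring such as `"""Load the auth plugin and session for config *group*; legacy os_* options are no longer consulted."""`. Whether `None` can still be returned once `register_auth_opts` has set the `auth_type` default to `'password'` should be confirmed against keystoneauth.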
|
@ -42,18 +42,6 @@ SWIFT_OPTS = [
|
|||||||
default='ironic-inspector',
|
default='ironic-inspector',
|
||||||
help=_('Default Swift container to use when creating '
|
help=_('Default Swift container to use when creating '
|
||||||
'objects.')),
|
'objects.')),
|
||||||
cfg.StrOpt('os_auth_version',
|
|
||||||
default='2',
|
|
||||||
help=_('Keystone authentication API version'),
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('os_auth_url',
|
|
||||||
default='',
|
|
||||||
help=_('Keystone authentication URL'),
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use options presented by configured '
|
|
||||||
'keystone auth plugin.')),
|
|
||||||
cfg.StrOpt('os_service_type',
|
cfg.StrOpt('os_service_type',
|
||||||
default='object-store',
|
default='object-store',
|
||||||
help=_('Swift service type.')),
|
help=_('Swift service type.')),
|
||||||
@ -64,33 +52,11 @@ SWIFT_OPTS = [
|
|||||||
help=_('Keystone region to get endpoint for.')),
|
help=_('Keystone region to get endpoint for.')),
|
||||||
]
|
]
|
||||||
|
|
||||||
# NOTE(pas-ha) these old options conflict with options exported by
|
|
||||||
# most used keystone auth plugins. Need to register them manually
|
|
||||||
# for the backward-compat case.
|
|
||||||
LEGACY_OPTS = [
|
|
||||||
cfg.StrOpt('username',
|
|
||||||
default='',
|
|
||||||
help=_('User name for accessing Swift API.')),
|
|
||||||
cfg.StrOpt('password',
|
|
||||||
default='',
|
|
||||||
help=_('Password for accessing Swift API.'),
|
|
||||||
secret=True),
|
|
||||||
cfg.StrOpt('tenant_name',
|
|
||||||
default='',
|
|
||||||
help=_('Tenant name for accessing Swift API.')),
|
|
||||||
]
|
|
||||||
|
|
||||||
CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP)
|
CONF.register_opts(SWIFT_OPTS, group=SWIFT_GROUP)
|
||||||
keystone.register_auth_opts(SWIFT_GROUP)
|
keystone.register_auth_opts(SWIFT_GROUP)
|
||||||
|
|
||||||
OBJECT_NAME_PREFIX = 'inspector_data'
|
OBJECT_NAME_PREFIX = 'inspector_data'
|
||||||
SWIFT_SESSION = None
|
SWIFT_SESSION = None
|
||||||
LEGACY_MAP = {
|
|
||||||
'auth_url': 'os_auth_url',
|
|
||||||
'username': 'username',
|
|
||||||
'password': 'password',
|
|
||||||
'tenant_name': 'tenant_name',
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def reset_swift_session():
|
def reset_swift_session():
|
||||||
@ -112,9 +78,7 @@ class SwiftAPI(object):
|
|||||||
"""
|
"""
|
||||||
global SWIFT_SESSION
|
global SWIFT_SESSION
|
||||||
if not SWIFT_SESSION:
|
if not SWIFT_SESSION:
|
||||||
SWIFT_SESSION = keystone.get_session(
|
SWIFT_SESSION = keystone.get_session(SWIFT_GROUP)
|
||||||
SWIFT_GROUP, legacy_mapping=LEGACY_MAP,
|
|
||||||
legacy_auth_opts=LEGACY_OPTS)
|
|
||||||
# TODO(pas-ha): swiftclient does not support keystone sessions ATM.
|
# TODO(pas-ha): swiftclient does not support keystone sessions ATM.
|
||||||
# Must be reworked when LP bug #1518938 is fixed.
|
# Must be reworked when LP bug #1518938 is fixed.
|
||||||
swift_url = SWIFT_SESSION.get_endpoint(
|
swift_url = SWIFT_SESSION.get_endpoint(
|
||||||
|
@ -29,18 +29,15 @@ VALID_STORE_DATA_VALUES = ('none', 'swift')
|
|||||||
FIREWALL_OPTS = [
|
FIREWALL_OPTS = [
|
||||||
cfg.BoolOpt('manage_firewall',
|
cfg.BoolOpt('manage_firewall',
|
||||||
default=True,
|
default=True,
|
||||||
help=_('Whether to manage firewall rules for PXE port.'),
|
help=_('Whether to manage firewall rules for PXE port.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('dnsmasq_interface',
|
cfg.StrOpt('dnsmasq_interface',
|
||||||
default='br-ctlplane',
|
default='br-ctlplane',
|
||||||
help=_('Interface on which dnsmasq listens, the default is for '
|
help=_('Interface on which dnsmasq listens, the default is for '
|
||||||
'VM\'s.'),
|
'VM\'s.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.IntOpt('firewall_update_period',
|
cfg.IntOpt('firewall_update_period',
|
||||||
default=15,
|
default=15,
|
||||||
help=_('Amount of time in seconds, after which repeat periodic '
|
help=_('Amount of time in seconds, after which repeat periodic '
|
||||||
'update of firewall.'),
|
'update of firewall.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('firewall_chain',
|
cfg.StrOpt('firewall_chain',
|
||||||
default='ironic-inspector',
|
default='ironic-inspector',
|
||||||
help=_('iptables chain name to use.')),
|
help=_('iptables chain name to use.')),
|
||||||
@ -56,8 +53,7 @@ PROCESSING_OPTS = [
|
|||||||
'IP addresses), pxe (only MAC address of NIC node PXE '
|
'IP addresses), pxe (only MAC address of NIC node PXE '
|
||||||
'booted from, falls back to "active" if PXE MAC is not '
|
'booted from, falls back to "active" if PXE MAC is not '
|
||||||
'supplied by the ramdisk).'),
|
'supplied by the ramdisk).'),
|
||||||
choices=VALID_ADD_PORTS_VALUES,
|
choices=VALID_ADD_PORTS_VALUES),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('keep_ports',
|
cfg.StrOpt('keep_ports',
|
||||||
default='all',
|
default='all',
|
||||||
help=_('Which ports (already present on a node) to keep after '
|
help=_('Which ports (already present on a node) to keep after '
|
||||||
@ -65,20 +61,17 @@ PROCESSING_OPTS = [
|
|||||||
'anything), present (keep ports which MACs were present '
|
'anything), present (keep ports which MACs were present '
|
||||||
'in introspection data), added (keep only MACs that we '
|
'in introspection data), added (keep only MACs that we '
|
||||||
'added during introspection).'),
|
'added during introspection).'),
|
||||||
choices=VALID_KEEP_PORTS_VALUES,
|
choices=VALID_KEEP_PORTS_VALUES),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.BoolOpt('overwrite_existing',
|
cfg.BoolOpt('overwrite_existing',
|
||||||
default=True,
|
default=True,
|
||||||
help=_('Whether to overwrite existing values in node '
|
help=_('Whether to overwrite existing values in node '
|
||||||
'database. Disable this option to make '
|
'database. Disable this option to make '
|
||||||
'introspection a non-destructive operation.'),
|
'introspection a non-destructive operation.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.BoolOpt('enable_setting_ipmi_credentials',
|
cfg.BoolOpt('enable_setting_ipmi_credentials',
|
||||||
default=False,
|
default=False,
|
||||||
help=_('Whether to enable setting IPMI credentials during '
|
help=_('Whether to enable setting IPMI credentials during '
|
||||||
'introspection. This feature will be removed in the '
|
'introspection. This feature will be removed in the '
|
||||||
'Pike release.'),
|
'Pike release.'),
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True),
|
deprecated_for_removal=True),
|
||||||
cfg.StrOpt('default_processing_hooks',
|
cfg.StrOpt('default_processing_hooks',
|
||||||
default='ramdisk_error,root_disk_selection,scheduler,'
|
default='ramdisk_error,root_disk_selection,scheduler,'
|
||||||
@ -96,18 +89,15 @@ PROCESSING_OPTS = [
|
|||||||
'pipeline. The default for this is '
|
'pipeline. The default for this is '
|
||||||
'$default_processing_hooks, hooks can be added before '
|
'$default_processing_hooks, hooks can be added before '
|
||||||
'or after the defaults like this: '
|
'or after the defaults like this: '
|
||||||
'"prehook,$default_processing_hooks,posthook".'),
|
'"prehook,$default_processing_hooks,posthook".')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('ramdisk_logs_dir',
|
cfg.StrOpt('ramdisk_logs_dir',
|
||||||
help=_('If set, logs from ramdisk will be stored in this '
|
help=_('If set, logs from ramdisk will be stored in this '
|
||||||
'directory.'),
|
'directory.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.BoolOpt('always_store_ramdisk_logs',
|
cfg.BoolOpt('always_store_ramdisk_logs',
|
||||||
default=False,
|
default=False,
|
||||||
help=_('Whether to store ramdisk logs even if it did not '
|
help=_('Whether to store ramdisk logs even if it did not '
|
||||||
'return an error message (dependent upon '
|
'return an error message (dependent upon '
|
||||||
'"ramdisk_logs_dir" option being set).'),
|
'"ramdisk_logs_dir" option being set).')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('node_not_found_hook',
|
cfg.StrOpt('node_not_found_hook',
|
||||||
help=_('The name of the hook to run when inspector receives '
|
help=_('The name of the hook to run when inspector receives '
|
||||||
'inspection information from a node it isn\'t already '
|
'inspection information from a node it isn\'t already '
|
||||||
@ -144,51 +134,32 @@ PROCESSING_OPTS = [
|
|||||||
help=_('Whether to power off a node after introspection.')),
|
help=_('Whether to power off a node after introspection.')),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
DISCOVERD_OPTS = [
|
|
||||||
cfg.StrOpt('database',
|
|
||||||
default='',
|
|
||||||
help=_('SQLite3 database to store nodes under introspection, '
|
|
||||||
'required. Do not use :memory: here, it won\'t work. '
|
|
||||||
'DEPRECATED: use [database]/connection.'),
|
|
||||||
deprecated_for_removal=True),
|
|
||||||
]
|
|
||||||
|
|
||||||
SERVICE_OPTS = [
|
SERVICE_OPTS = [
|
||||||
cfg.StrOpt('listen_address',
|
cfg.StrOpt('listen_address',
|
||||||
default='0.0.0.0',
|
default='0.0.0.0',
|
||||||
help=_('IP to listen on.'),
|
help=_('IP to listen on.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.PortOpt('listen_port',
|
cfg.PortOpt('listen_port',
|
||||||
default=5050,
|
default=5050,
|
||||||
help=_('Port to listen on.'),
|
help=_('Port to listen on.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.StrOpt('auth_strategy',
|
cfg.StrOpt('auth_strategy',
|
||||||
default='keystone',
|
default='keystone',
|
||||||
choices=('keystone', 'noauth'),
|
choices=('keystone', 'noauth'),
|
||||||
help=_('Authentication method used on the ironic-inspector '
|
help=_('Authentication method used on the ironic-inspector '
|
||||||
'API. Either "noauth" or "keystone" are currently valid '
|
'API. Either "noauth" or "keystone" are currently valid '
|
||||||
'options. "noauth" will disable all authentication.')),
|
'options. "noauth" will disable all authentication.')),
|
||||||
cfg.BoolOpt('authenticate',
|
|
||||||
help=_('DEPRECATED: use auth_strategy.'),
|
|
||||||
deprecated_group='discoverd',
|
|
||||||
deprecated_for_removal=True),
|
|
||||||
cfg.IntOpt('timeout',
|
cfg.IntOpt('timeout',
|
||||||
default=3600,
|
default=3600,
|
||||||
help=_('Timeout after which introspection is considered '
|
help=_('Timeout after which introspection is considered '
|
||||||
'failed, set to 0 to disable.'),
|
'failed, set to 0 to disable.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.IntOpt('node_status_keep_time',
|
cfg.IntOpt('node_status_keep_time',
|
||||||
default=604800,
|
default=604800,
|
||||||
help=_('For how much time (in seconds) to keep status '
|
help=_('For how much time (in seconds) to keep status '
|
||||||
'information about nodes after introspection was '
|
'information about nodes after introspection was '
|
||||||
'finished for them. Default value is 1 week.'),
|
'finished for them. Default value is 1 week.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.IntOpt('clean_up_period',
|
cfg.IntOpt('clean_up_period',
|
||||||
default=60,
|
default=60,
|
||||||
help=_('Amount of time in seconds, after which repeat clean up '
|
help=_('Amount of time in seconds, after which repeat clean up '
|
||||||
'of timed out nodes and old nodes status information.'),
|
'of timed out nodes and old nodes status information.')),
|
||||||
deprecated_group='discoverd'),
|
|
||||||
cfg.BoolOpt('use_ssl',
|
cfg.BoolOpt('use_ssl',
|
||||||
default=False,
|
default=False,
|
||||||
help=_('SSL Enabled/Disabled')),
|
help=_('SSL Enabled/Disabled')),
|
||||||
@ -227,7 +198,6 @@ SERVICE_OPTS = [
|
|||||||
cfg.CONF.register_opts(SERVICE_OPTS)
|
cfg.CONF.register_opts(SERVICE_OPTS)
|
||||||
cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall')
|
cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall')
|
||||||
cfg.CONF.register_opts(PROCESSING_OPTS, group='processing')
|
cfg.CONF.register_opts(PROCESSING_OPTS, group='processing')
|
||||||
cfg.CONF.register_opts(DISCOVERD_OPTS, group='discoverd')
|
|
||||||
|
|
||||||
|
|
||||||
def list_opts():
|
def list_opts():
|
||||||
@ -235,7 +205,6 @@ def list_opts():
|
|||||||
('', SERVICE_OPTS),
|
('', SERVICE_OPTS),
|
||||||
('firewall', FIREWALL_OPTS),
|
('firewall', FIREWALL_OPTS),
|
||||||
('processing', PROCESSING_OPTS),
|
('processing', PROCESSING_OPTS),
|
||||||
('discoverd', DISCOVERD_OPTS),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -43,10 +43,6 @@ _FACADE = None
|
|||||||
|
|
||||||
db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION,
|
db_opts.set_defaults(cfg.CONF, _DEFAULT_SQL_CONNECTION,
|
||||||
'ironic_inspector.sqlite')
|
'ironic_inspector.sqlite')
|
||||||
if CONF.discoverd.database:
|
|
||||||
db_opts.set_defaults(CONF,
|
|
||||||
connection='sqlite:///%s' %
|
|
||||||
str(CONF.discoverd.database).strip())
|
|
||||||
|
|
||||||
|
|
||||||
class Node(Base):
|
class Node(Base):
|
||||||
|
@ -429,7 +429,7 @@ class Service(object):
|
|||||||
CONF.log_opt_values(LOG, log.DEBUG)
|
CONF.log_opt_values(LOG, log.DEBUG)
|
||||||
|
|
||||||
def init(self):
|
def init(self):
|
||||||
if utils.get_auth_strategy() != 'noauth':
|
if CONF.auth_strategy != 'noauth':
|
||||||
utils.add_auth_middleware(app)
|
utils.add_auth_middleware(app)
|
||||||
else:
|
else:
|
||||||
LOG.warning(_LW('Starting unauthenticated, please check'
|
LOG.warning(_LW('Starting unauthenticated, please check'
|
||||||
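Review bot: A config file that still carries the removed top-level `authenticate` boolean gets no signal that the line stopped taking effect at `if CONF.auth_strategy != 'noauth':` in `init` (the same applies to `check_auth` in the utils file); as far as I know oslo.config ignores unregistered options rather than rejecting them. Before this commit `get_auth_strategy()` let `authenticate` take precedence, so a file with `authenticate = true` next to `auth_strategy = noauth` moves from Keystone-protected to unauthenticated on upgrade, and a file with only `authenticate = false` starts enforcing Keystone. The release note added by this commit names the "ironic", "swift", "keystone_authtoken" and "discoverd" sections but not this option. I would add an upgrade bullet such as `Removed the deprecated "authenticate" option; only "auth_strategy" now selects the API authentication mode.` `init` starts and ends outside this hunk.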
|
@ -13,7 +13,6 @@
|
|||||||
|
|
||||||
import mock
|
import mock
|
||||||
|
|
||||||
from keystoneauth1 import exceptions as kaexc
|
|
||||||
from keystoneauth1 import loading as kaloading
|
from keystoneauth1 import loading as kaloading
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
|
||||||
@ -38,7 +37,7 @@ class KeystoneTest(base.BaseTest):
|
|||||||
self.assertIn(o, self.cfg.conf[TESTGROUP])
|
self.assertIn(o, self.cfg.conf[TESTGROUP])
|
||||||
self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type'])
|
self.assertEqual('password', self.cfg.conf[TESTGROUP]['auth_type'])
|
||||||
|
|
||||||
@mock.patch.object(keystone, '_get_auth')
|
@mock.patch.object(kaloading, 'load_auth_from_conf_options', autospec=True)
|
||||||
def test_get_session(self, auth_mock):
|
def test_get_session(self, auth_mock):
|
||||||
keystone.register_auth_opts(TESTGROUP)
|
keystone.register_auth_opts(TESTGROUP)
|
||||||
self.cfg.config(group=TESTGROUP,
|
self.cfg.config(group=TESTGROUP,
|
||||||
@ -49,57 +48,6 @@ class KeystoneTest(base.BaseTest):
|
|||||||
self.assertEqual('/path/to/ca/file', sess.verify)
|
self.assertEqual('/path/to/ca/file', sess.verify)
|
||||||
self.assertEqual(auth1, sess.auth)
|
self.assertEqual(auth1, sess.auth)
|
||||||
|
|
||||||
@mock.patch('keystoneauth1.loading.load_auth_from_conf_options')
|
|
||||||
@mock.patch.object(keystone, '_get_legacy_auth')
|
|
||||||
def test__get_auth(self, legacy_mock, load_mock):
|
|
||||||
auth1 = mock.Mock()
|
|
||||||
load_mock.side_effect = [
|
|
||||||
auth1,
|
|
||||||
None,
|
|
||||||
kaexc.MissingRequiredOptions([kaloading.Opt('spam')])]
|
|
||||||
auth2 = mock.Mock()
|
|
||||||
legacy_mock.return_value = auth2
|
|
||||||
self.assertEqual(auth1, keystone._get_auth(TESTGROUP))
|
|
||||||
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
|
|
||||||
self.assertEqual(auth2, keystone._get_auth(TESTGROUP))
|
|
||||||
|
|
||||||
@mock.patch('keystoneauth1.loading._plugins.identity.generic.Password.'
|
|
||||||
'load_from_options')
|
|
||||||
def test__get_legacy_auth(self, load_mock):
|
|
||||||
self.cfg.register_opts(
|
|
||||||
[cfg.StrOpt('identity_url'),
|
|
||||||
cfg.StrOpt('old_user'),
|
|
||||||
cfg.StrOpt('old_password')],
|
|
||||||
group=TESTGROUP)
|
|
||||||
self.cfg.config(group=TESTGROUP,
|
|
||||||
identity_url='http://fake:5000/v3',
|
|
||||||
old_password='ham',
|
|
||||||
old_user='spam')
|
|
||||||
options = [cfg.StrOpt('old_tenant_name', default='fake'),
|
|
||||||
cfg.StrOpt('old_user')]
|
|
||||||
mapping = {'username': 'old_user',
|
|
||||||
'password': 'old_password',
|
|
||||||
'auth_url': 'identity_url',
|
|
||||||
'tenant_name': 'old_tenant_name'}
|
|
||||||
|
|
||||||
keystone._get_legacy_auth(TESTGROUP, mapping, options)
|
|
||||||
load_mock.assert_called_once_with(username='spam',
|
|
||||||
password='ham',
|
|
||||||
tenant_name='fake',
|
|
||||||
user_domain_id='default',
|
|
||||||
project_domain_id='default',
|
|
||||||
auth_url='http://fake:5000/v3')
|
|
||||||
|
|
||||||
def test__is_api_v3(self):
|
|
||||||
cases = ((False, 'http://fake:5000', None),
|
|
||||||
(False, 'http://fake:5000/v2.0', None),
|
|
||||||
(True, 'http://fake:5000/v3', None),
|
|
||||||
(True, 'http://fake:5000', '3'),
|
|
||||||
(True, 'http://fake:5000', 'v3.0'))
|
|
||||||
for case in cases:
|
|
||||||
result, url, version = case
|
|
||||||
self.assertEqual(result, keystone._is_apiv3(url, version))
|
|
||||||
|
|
||||||
def test_add_auth_options(self):
|
def test_add_auth_options(self):
|
||||||
group, opts = keystone.add_auth_options([], TESTGROUP)[0]
|
group, opts = keystone.add_auth_options([], TESTGROUP)[0]
|
||||||
self.assertEqual(TESTGROUP, group)
|
self.assertEqual(TESTGROUP, group)
|
||||||
|
@ -57,35 +57,6 @@ class TestCheckAuth(base.BaseTest):
|
|||||||
self.assertEqual('http://127.0.0.1:5000', args1['auth_uri'])
|
self.assertEqual('http://127.0.0.1:5000', args1['auth_uri'])
|
||||||
self.assertEqual('http://127.0.0.1:35357', args1['identity_uri'])
|
self.assertEqual('http://127.0.0.1:35357', args1['identity_uri'])
|
||||||
|
|
||||||
@mock.patch.object(auth_token, 'AuthProtocol')
|
|
||||||
def test_add_auth_middleware_with_deprecated_items(self, mock_auth):
|
|
||||||
CONF.set_override('os_password', 'os_password', 'ironic')
|
|
||||||
CONF.set_override('admin_password', 'admin_password',
|
|
||||||
'keystone_authtoken')
|
|
||||||
CONF.set_override('os_username', 'os_username', 'ironic')
|
|
||||||
CONF.set_override('admin_user', 'admin_user', 'keystone_authtoken')
|
|
||||||
CONF.set_override('os_auth_url', 'os_auth_url', 'ironic')
|
|
||||||
CONF.set_override('auth_uri', 'auth_uri', 'keystone_authtoken')
|
|
||||||
CONF.set_override('os_tenant_name', 'os_tenant_name', 'ironic')
|
|
||||||
CONF.set_override('admin_tenant_name', 'admin_tenant_name',
|
|
||||||
'keystone_authtoken')
|
|
||||||
CONF.set_override('identity_uri', 'identity_uri_ironic', 'ironic')
|
|
||||||
CONF.set_override('identity_uri', 'identity_uri', 'keystone_authtoken')
|
|
||||||
|
|
||||||
app = mock.Mock(wsgi_app=mock.sentinel.app)
|
|
||||||
utils.add_auth_middleware(app)
|
|
||||||
|
|
||||||
call_args = mock_auth.call_args_list[0]
|
|
||||||
args = call_args[0]
|
|
||||||
self.assertEqual(mock.sentinel.app, args[0])
|
|
||||||
args1 = args[1]
|
|
||||||
self.assertEqual('os_password', args1['admin_password'])
|
|
||||||
self.assertEqual('os_username', args1['admin_user'])
|
|
||||||
self.assertEqual('os_auth_url', args1['auth_uri'])
|
|
||||||
self.assertEqual('os_tenant_name', args1['admin_tenant_name'])
|
|
||||||
self.assertTrue(args1['delay_auth_decision'])
|
|
||||||
self.assertEqual('identity_uri_ironic', args1['identity_uri'])
|
|
||||||
|
|
||||||
def test_ok(self):
|
def test_ok(self):
|
||||||
request = mock.Mock(headers={'X-Identity-Status': 'Confirmed',
|
request = mock.Mock(headers={'X-Identity-Status': 'Confirmed',
|
||||||
'X-Roles': 'admin,member'})
|
'X-Roles': 'admin,member'})
|
||||||
|
@ -150,29 +150,6 @@ def add_auth_middleware(app):
|
|||||||
:param app: application.
|
:param app: application.
|
||||||
"""
|
"""
|
||||||
auth_conf = dict(CONF.keystone_authtoken)
|
auth_conf = dict(CONF.keystone_authtoken)
|
||||||
# These items should only be used for accessing Ironic API.
|
|
||||||
# For keystonemiddleware's authentication,
|
|
||||||
# keystone_authtoken's items will be used and
|
|
||||||
# these items will be unsupported.
|
|
||||||
# [ironic]/os_password
|
|
||||||
# [ironic]/os_username
|
|
||||||
# [ironic]/os_auth_url
|
|
||||||
# [ironic]/os_tenant_name
|
|
||||||
auth_conf.update({'admin_password':
|
|
||||||
CONF.ironic.os_password or
|
|
||||||
CONF.keystone_authtoken.admin_password,
|
|
||||||
'admin_user':
|
|
||||||
CONF.ironic.os_username or
|
|
||||||
CONF.keystone_authtoken.admin_user,
|
|
||||||
'auth_uri':
|
|
||||||
CONF.ironic.os_auth_url or
|
|
||||||
CONF.keystone_authtoken.auth_uri,
|
|
||||||
'admin_tenant_name':
|
|
||||||
CONF.ironic.os_tenant_name or
|
|
||||||
CONF.keystone_authtoken.admin_tenant_name,
|
|
||||||
'identity_uri':
|
|
||||||
CONF.ironic.identity_uri or
|
|
||||||
CONF.keystone_authtoken.identity_uri})
|
|
||||||
auth_conf['delay_auth_decision'] = True
|
auth_conf['delay_auth_decision'] = True
|
||||||
app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf)
|
app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app, auth_conf)
|
||||||
|
|
||||||
@ -194,7 +171,7 @@ def check_auth(request):
|
|||||||
:param request: Flask request
|
:param request: Flask request
|
||||||
:raises: utils.Error if access is denied
|
:raises: utils.Error if access is denied
|
||||||
"""
|
"""
|
||||||
if get_auth_strategy() == 'noauth':
|
if CONF.auth_strategy == 'noauth':
|
||||||
return
|
return
|
||||||
if request.headers.get('X-Identity-Status').lower() == 'invalid':
|
if request.headers.get('X-Identity-Status').lower() == 'invalid':
|
||||||
raise Error(_('Authentication required'), code=401)
|
raise Error(_('Authentication required'), code=401)
|
||||||
@ -204,12 +181,6 @@ def check_auth(request):
|
|||||||
raise Error(_('Access denied'), code=403)
|
raise Error(_('Access denied'), code=403)
|
||||||
|
|
||||||
|
|
||||||
def get_auth_strategy():
|
|
||||||
if CONF.authenticate is not None:
|
|
||||||
return 'keystone' if CONF.authenticate else 'noauth'
|
|
||||||
return CONF.auth_strategy
|
|
||||||
|
|
||||||
|
|
||||||
def get_valid_macs(data):
|
def get_valid_macs(data):
|
||||||
"""Get a list of valid MAC's from the introspection data."""
|
"""Get a list of valid MAC's from the introspection data."""
|
||||||
return [m['mac']
|
return [m['mac']
|
||||||
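Review bot: `check_auth` rejects a request only when `X-Identity-Status` is exactly `invalid`, and `request.headers.get('X-Identity-Status').lower()` raises `AttributeError` when the header is absent instead of returning a 401. With `get_auth_strategy()` removed, `CONF.auth_strategy` is the only link between this check and the middleware installed by `add_auth_middleware`, so if that middleware is ever missing from the WSGI stack the identity headers would presumably be whatever the client sent. I would fail closed by requiring a positive confirmation, matching the `Confirmed` value the tests use: `if (request.headers.get('X-Identity-Status') or '').lower() != 'confirmed':`. The role check in `check_auth` lies between the hunks and is not visible here, so confirm it does not rely on the old behaviour.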
|
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Removed previously deprecated authentication options from "ironic",
|
||||||
|
"swift", and "keystone_authtoken" sections.
|
||||||
|
- |
|
||||||
|
Removed long deprecated support for "discoverd" section in configuration
|
||||||
|
file.
|