Merge "Deprecate http_basic_username and http_basic_password in [json_rpc]"

Zuul 2020-07-28 19:14:00 +00:00 committed by Gerrit Code Review
commit 3670be1283
8 changed files with 68 additions and 35 deletions


@ -1410,10 +1410,15 @@ function configure_ironic {
if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" != "" ]]; then if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" != "" ]]; then
iniset $IRONIC_CONF_FILE json_rpc auth_strategy $IRONIC_JSON_RPC_AUTH_STRATEGY iniset $IRONIC_CONF_FILE json_rpc auth_strategy $IRONIC_JSON_RPC_AUTH_STRATEGY
fi fi
iniset $IRONIC_CONF_FILE json_rpc http_basic_username myName if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "http_basic" ]]; then
iniset $IRONIC_CONF_FILE json_rpc http_basic_password myPassword iniset $IRONIC_CONF_FILE json_rpc username myName
# json-rpc auth file with bcrypt hash of myPassword iniset $IRONIC_CONF_FILE json_rpc password myPassword
echo 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.JETVCWBkc32C63UP2aYrGoYOEpbJm' > /etc/ironic/htpasswd-json-rpc # json-rpc auth file with bcrypt hash of myPassword
echo 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.JETVCWBkc32C63UP2aYrGoYOEpbJm' > /etc/ironic/htpasswd-json-rpc
fi
if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "" ]] || [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "keystone" ]]; then
configure_client_for json_rpc
fi
# Set fast track options # Set fast track options
iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK
@ -1547,7 +1552,7 @@ function configure_ironic_conductor {
# NOTE(pas-ha) service_catalog section is used to discover # NOTE(pas-ha) service_catalog section is used to discover
# ironic API endpoint from keystone catalog # ironic API endpoint from keystone catalog
local client_sections="neutron swift glance inspector cinder service_catalog json_rpc nova" local client_sections="neutron swift glance inspector cinder service_catalog nova"
for conf_section in $client_sections; do for conf_section in $client_sections; do
configure_client_for $conf_section configure_client_for $conf_section
done done
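Review bot: In the `http_basic` branch, the htpasswd file is written by a plain redirect to the hard-coded path `/etc/ironic/htpasswd-json-rpc`, so its mode depends on the umask the script runs under and the bcrypt hash for the fixed `myName`/`myPassword` pair may end up world-readable. I would derive the path from the directory of `$IRONIC_CONF_FILE` and restrict the file to the account the ironic services run as; which account that is cannot be seen from this hunk. The comment above the `echo` could also say that these are fixture credentials, for example `# devstack-only fixture credentials; json-rpc auth file with bcrypt hash of myPassword`. The body of `configure_ironic` starts and ends outside the hunk.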


@ -73,8 +73,8 @@ You should make the following changes to ``/etc/ironic/ironic.conf``:
[json_rpc] [json_rpc]
auth_strategy=http_basic auth_strategy=http_basic
http_basic_username=myName username=myName
http_basic_password=myPassword password=myPassword
Preparing images Preparing images
---------------- ----------------


@ -15,8 +15,6 @@
This client is compatible with any JSON RPC 2.0 implementation, including ours. This client is compatible with any JSON RPC 2.0 implementation, including ours.
""" """
import base64
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log from oslo_log import log
from oslo_utils import importutils from oslo_utils import importutils
@ -38,23 +36,25 @@ def _get_session():
global _SESSION global _SESSION
if _SESSION is None: if _SESSION is None:
kwargs = {}
auth_strategy = json_rpc.auth_strategy() auth_strategy = json_rpc.auth_strategy()
if auth_strategy == 'keystone': if auth_strategy != 'keystone':
auth = keystone.get_auth('json_rpc') auth_type = 'none' if auth_strategy == 'noauth' else auth_strategy
else: CONF.set_default('auth_type', auth_type, group='json_rpc')
auth = None
# Deprecated, remove in W
if auth_strategy == 'http_basic':
if CONF.json_rpc.http_basic_username:
kwargs['username'] = CONF.json_rpc.http_basic_username
if CONF.json_rpc.http_basic_password:
kwargs['password'] = CONF.json_rpc.http_basic_password
auth = keystone.get_auth('json_rpc', **kwargs)
session = keystone.get_session('json_rpc', auth=auth) session = keystone.get_session('json_rpc', auth=auth)
headers = { headers = {
'Content-Type': 'application/json' 'Content-Type': 'application/json'
} }
if auth_strategy == 'http_basic':
token = '{}:{}'.format(
CONF.json_rpc.http_basic_username,
CONF.json_rpc.http_basic_password
).encode('utf-8')
encoded = base64.b64encode(token).decode('utf-8')
headers['Authorization'] = 'Basic {}'.format(encoded)
# Adds options like connect_retries # Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc', session=session, _SESSION = keystone.get_adapter('json_rpc', session=session,
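Review bot: In the `# Deprecated, remove in W` block of `_get_session`, a non-empty `http_basic_username` or `http_basic_password` is passed as an explicit keyword to `keystone.get_auth`, which presumably makes the deprecated value win over a configured `[json_rpc]username`/`password`. An operator who rotates the credential through the new option while the old line is still in the file would then keep sending the stale one. `keystone.get_auth` is not visible here, so the precedence should be confirmed; if it holds, a comment such as `# NOTE: deprecated http_basic_* values, when set, override [json_rpc]username/password` belongs above the block. Separately, `CONF.set_default('auth_type', ...)` only changes the default, so an explicitly configured `[json_rpc]auth_type` would still select a different plugin than `auth_strategy` implies. The function continues past the end of this hunk.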


@ -38,16 +38,16 @@ opts = [
default=False, default=False,
help=_('Whether to use TLS for JSON RPC')), help=_('Whether to use TLS for JSON RPC')),
cfg.StrOpt('http_basic_username', cfg.StrOpt('http_basic_username',
default='', deprecated_for_removal=True,
deprecated_reason=_("Use username instead"),
help=_("Name of the user to use for HTTP Basic authentication " help=_("Name of the user to use for HTTP Basic authentication "
"client requests. Required when " "client requests.")),
"auth_strategy=http_basic.")),
cfg.StrOpt('http_basic_password', cfg.StrOpt('http_basic_password',
default='', deprecated_for_removal=True,
deprecated_reason=_("Use password instead"),
secret=True, secret=True,
help=_("Password to use for HTTP Basic authentication " help=_("Password to use for HTTP Basic authentication "
"client requests. Required when " "client requests.")),
"auth_strategy=http_basic.")),
] ]
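Review bot: The help strings for `http_basic_username` and `http_basic_password` do not mention that HTTP Basic credentials are only base64-encoded on the wire, while the TLS option shown at the top of this hunk defaults to `False`. I would extend the password help with a sentence such as `"Sent with every request; enable TLS for JSON RPC when auth_strategy=http_basic."`. The `deprecated_reason` values could also name the full replacement, e.g. `_("Use [json_rpc]username instead")`, so the deprecation warning is unambiguous. The `opts` list starts before this hunk.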


@ -584,9 +584,11 @@ class TestSession(test_base.TestCase):
self.config(auth_strategy='noauth', group='json_rpc') self.config(auth_strategy='noauth', group='json_rpc')
session = client._get_session() session = client._get_session()
mock_keystone.get_auth.assert_not_called() mock_keystone.get_auth.assert_called_once_with('json_rpc')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with( mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=None) 'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value internal_session = mock_keystone.get_session.return_value
@ -620,13 +622,34 @@ class TestSession(test_base.TestCase):
def test_http_basic(self, mock_keystone): def test_http_basic(self, mock_keystone):
self.config(auth_strategy='http_basic', group='json_rpc') self.config(auth_strategy='http_basic', group='json_rpc')
self.config(http_basic_username='myName', group='json_rpc')
self.config(http_basic_password='myPassword', group='json_rpc')
session = client._get_session() session = client._get_session()
mock_keystone.get_auth.assert_not_called() mock_keystone.get_auth.assert_called_once_with('json_rpc')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with( mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=None) 'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value
mock_keystone.get_adapter.assert_called_once_with(
'json_rpc',
session=internal_session,
additional_headers={
'Content-Type': 'application/json'
})
self.assertEqual(mock_keystone.get_adapter.return_value, session)
def test_http_basic_deprecated(self, mock_keystone):
self.config(auth_strategy='http_basic', group='json_rpc')
self.config(http_basic_username='myName', group='json_rpc')
self.config(http_basic_password='myPassword', group='json_rpc')
session = client._get_session()
mock_keystone.get_auth.assert_called_once_with(
'json_rpc', username='myName', password='myPassword')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value internal_session = mock_keystone.get_session.return_value
@ -634,7 +657,6 @@ class TestSession(test_base.TestCase):
'json_rpc', 'json_rpc',
session=internal_session, session=internal_session,
additional_headers={ additional_headers={
'Authorization': 'Basic bXlOYW1lOm15UGFzc3dvcmQ=',
'Content-Type': 'application/json' 'Content-Type': 'application/json'
}) })
self.assertEqual(mock_keystone.get_adapter.return_value, session) self.assertEqual(mock_keystone.get_adapter.return_value, session)
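Review bot: With `keystone` fully mocked and the `Authorization` header assertion removed, `test_http_basic` and the `noauth` test no longer verify that the chosen strategy reaches the auth plugin, because nothing asserts the `auth_type` default that `_get_session` now sets. Adding `self.assertEqual('http_basic', client.CONF.json_rpc.auth_type)` (and `'none'` in the noauth test) would pin that, assuming the option is registered in the test environment. `test_http_basic_deprecated` covers only the case where both deprecated options are set together. A case with just one of them, and one where both the deprecated and the new option are set, would document the precedence.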


@ -42,7 +42,7 @@ jmespath==0.9.5
jsonpatch==1.16 jsonpatch==1.16
jsonpointer==2.0 jsonpointer==2.0
jsonschema==3.2.0 jsonschema==3.2.0
keystoneauth1==3.18.0 keystoneauth1==4.2.0
keystonemiddleware==4.17.0 keystonemiddleware==4.17.0
kombu==4.6.8 kombu==4.6.8
linecache2==1.0.0 linecache2==1.0.0


@ -0,0 +1,6 @@
---
deprecations:
- |
The configuration options ``[json_rpc]http_basic_username`` and
``[json_rpc]http_basic_password`` have been deprecated in favour of the
more generic ``[json_rpc]username`` and ``[json_rpc]password``.


@ -10,7 +10,7 @@ WebOb>=1.7.1 # MIT
python-cinderclient!=4.0.0,>=3.3.0 # Apache-2.0 python-cinderclient!=4.0.0,>=3.3.0 # Apache-2.0
python-neutronclient>=6.7.0 # Apache-2.0 python-neutronclient>=6.7.0 # Apache-2.0
python-glanceclient>=2.8.0 # Apache-2.0 python-glanceclient>=2.8.0 # Apache-2.0
keystoneauth1>=3.18.0 # Apache-2.0 keystoneauth1>=4.2.0 # Apache-2.0
ironic-lib>=4.3.0 # Apache-2.0 ironic-lib>=4.3.0 # Apache-2.0
python-swiftclient>=3.2.0 # Apache-2.0 python-swiftclient>=3.2.0 # Apache-2.0
pytz>=2013.6 # MIT pytz>=2013.6 # MIT