From 1c485867c456df32cf0401a47d177b2478a51313 Mon Sep 17 00:00:00 2001
From: "Brad P. Crochet"
Date: Thu, 4 May 2017 08:51:25 -0400
Subject: [PATCH] Support transition to keystone auth plugin

The puppet module puppet-mistral is moving to use a proper keystone authtoken module. This supports that transition. A follow on patch will remove the transition code.

Change-Id: Ief32ae01372c8c8d32fc5e2c89a2927510983a5b
---
 devstack/plugin.sh | 15 ++++++-----
 mistral/context.py | 29 ++++++++++++++++----
 mistral/services/security.py | 7 +++--
 mistral/utils/openstack/keystone.py | 41 ++++++++++++++++++++++-------
 4 files changed, 68 insertions(+), 24 deletions(-)

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 09f654089..844dedf90 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -75,14 +75,15 @@ function configure_mistral {
     #-------------------------
     # Setup keystone_authtoken section
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
+    iniset $MISTRAL_CONF_FILE keystone_authtoken project_name $SERVICE_TENANT_NAME
+    iniset $MISTRAL_CONF_FILE keystone_authtoken username $MISTRAL_ADMIN_USER
+    iniset $MISTRAL_CONF_FILE keystone_authtoken password $SERVICE_PASSWORD
     iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
-    iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
+    iniset $MISTRAL_CONF_FILE keystone_authtoken service_token_roles_required True
+    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_type password
+    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_url $KEYSTONE_SERVICE_URI
+    iniset $MISTRAL_CONF_FILE keystone_authtoken user_domain_name Default
+    iniset $MISTRAL_CONF_FILE keystone_authtoken project_domain_name Default
 
     # Setup RabbitMQ credentials
     iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
diff --git a/mistral/context.py b/mistral/context.py
index cc93a32be..0cd2fed03 100644
--- a/mistral/context.py
+++ b/mistral/context.py
@@ -88,6 +88,8 @@ class MistralContext(BaseContext):
         "expires_at",
         "trust_id",
         "is_target",
+        "user_domain_name",
+        "project_domain_name",
     ])
 
     def __repr__(self):
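Review bot: `auth_url` is now written to `[keystone_authtoken]`, but the Python side of this same patch keeps authenticating the service against `CONF.keystone_authtoken.auth_uri` (context.py `context_from_config`, keystone.py `_admin_client` and `get_admin_session`), so the new option is set here and never consumed. As I read keystonemiddleware's option help, `auth_uri` is the public endpoint advertised to unauthenticated clients while `auth_url` is the endpoint the service's own auth plugin should use, and the two values differ in this hunk (`$KEYSTONE_AUTH_URI_V3` vs `$KEYSTONE_SERVICE_URI`), which likely leaves the service authenticating through the public URL rather than the internal one. Either have the service code fall back `CONF.keystone_authtoken.auth_url or CONF.keystone_authtoken.auth_uri`, or add a comment above the `auth_url` line stating that Mistral's own clients still read `auth_uri` until the follow-on patch lands. `configure_mistral` continues outside the hunk.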
@@ -206,10 +208,25 @@ def _extract_service_catalog_from_headers(headers):
 
 
 def context_from_config():
+    username = (
+        CONF.keystone_authtoken.username or
+        CONF.keystone_authtoken.admin_user)
+    password = (
+        CONF.keystone_authtoken.password or
+        CONF.keystone_authtoken.admin_password)
+    project_name = (
+        CONF.keystone_authtoken.project_name or
+        CONF.keystone_authtoken.admin_tenant_name)
+    user_domain_name = (
+        CONF.keystone_authtoken.user_domain_name or 'Default')
+    project_domain_name = (
+        CONF.keystone_authtoken.project_domain_name or 'Default')
     keystone = keystone_client.Client(
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
-        tenant_name=CONF.keystone_authtoken.admin_tenant_name,
+        username=username,
+        password=password,
+        project_name=project_name,
+        user_domain_name=user_domain_name,
+        project_domain_name=project_domain_name,
         auth_url=CONF.keystone_authtoken.auth_uri,
         is_trust_scoped=False,
     )
@@ -220,8 +237,10 @@ def context_from_config():
         user_id=keystone.user_id,
         project_id=keystone.project_id,
         auth_token=keystone.auth_token,
-        project_name=CONF.keystone_authtoken.admin_tenant_name,
-        user_name=CONF.keystone_authtoken.admin_user,
+        project_name=project_name,
+        user_name=username,
+        user_domain_name=user_domain_name,
+        project_domain_name=project_domain_name,
         is_trust_scoped=False,
     )
diff --git a/mistral/services/security.py b/mistral/services/security.py
index 4e4c53f97..bb67e6760 100644
--- a/mistral/services/security.py
+++ b/mistral/services/security.py
@@ -40,8 +40,11 @@ def create_trust():
     ctx = auth_ctx.ctx()
 
-    trustee_id = keystone.client_for_admin(
-        CONF.keystone_authtoken.admin_tenant_name).user_id
+    project_name = (
+        CONF.keystone_authtoken.project_name or
+        CONF.keystone_authtoken.admin_tenant_name)
+
+    trustee_id = keystone.client_for_admin(project_name).user_id
 
     return client.trusts.create(
         trustor_user=client.user_id,
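Review bot: The transition fallback does not run in the same direction at every call site: `context_from_config` here, `create_trust` (security.py hunk) and `get_admin_session` prefer the new `username`/`password`/`project_name`, while `_admin_client` and `is_token_trust_scoped` (keystone.py hunks) prefer the legacy `admin_user`/`admin_password`/`admin_tenant_name`. While puppet is mid-transition both families can be present with different values, and then the trustee id that `create_trust` computes and the identity `_admin_client` later authenticates as can diverge, so a trust is delegated to a user the service never acts as, or trust consumption fails outright. Because each option falls back independently, a partially migrated file can also pair the new `username` with the legacy `admin_password`. I would choose the whole credential family once in a shared helper, e.g. `use_new = bool(CONF.keystone_authtoken.username)` and then read all five values from that family, and call that helper from all five sites with identical precedence. `context_from_config` continues into the next hunk.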
diff --git a/mistral/utils/openstack/keystone.py b/mistral/utils/openstack/keystone.py
index 7baaf8665..120e4e897 100644
--- a/mistral/utils/openstack/keystone.py
+++ b/mistral/utils/openstack/keystone.py
@@ -47,9 +47,16 @@ def client():
 def _admin_client(trust_id=None, project_name=None):
     auth_url = CONF.keystone_authtoken.auth_uri
 
+    username = (
+        CONF.keystone_authtoken.admin_user or
+        CONF.keystone_authtoken.username)
+    password = (
+        CONF.keystone_authtoken.admin_password or
+        CONF.keystone_authtoken.password)
+
     cl = ks_client.Client(
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
+        username=username,
+        password=password,
         project_name=project_name,
         auth_url=auth_url,
         trust_id=trust_id
@@ -168,7 +175,9 @@ def format_url(url_template, values):
 
 
 def is_token_trust_scoped(auth_token):
-    admin_project_name = CONF.keystone_authtoken.admin_tenant_name
+    admin_project_name = (
+        CONF.keystone_authtoken.admin_tenant_name or
+        CONF.keystone_authtoken.project_name)
     keystone_client = _admin_client(project_name=admin_project_name)
     token_info = keystone_client.tokens.validate(auth_token)
 
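Review bot: `_admin_client` still builds `ks_client.Client` without `user_domain_name`/`project_domain_name`, even though the same patch threads those two values into `context_from_config` and `get_admin_session`. If a deployment sets non-Default domains in `[keystone_authtoken]` (the devstack hunk now writes them explicitly), the admin and trust-scoped clients made here, and the token validation in `is_token_trust_scoped` that goes through them, would authenticate in a different domain than the session; whether `ks_client` silently defaults the domains cannot be seen from here. I would pass `user_domain_name=CONF.keystone_authtoken.user_domain_name or 'Default', project_domain_name=CONF.keystone_authtoken.project_domain_name or 'Default',` next to the `username`/`password` kwargs so all three clients resolve the same identity. The body of `_admin_client` continues past the end of the hunk.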
@@ -179,15 +188,27 @@ def is_token_trust_scoped(auth_token):
 
 
 def get_admin_session():
     """Returns a keystone session from Mistral's service credentials."""
+    username = (
+        CONF.keystone_authtoken.username or
+        CONF.keystone_authtoken.admin_user)
+    password = (
+        CONF.keystone_authtoken.password or
+        CONF.keystone_authtoken.admin_password)
+    project_name = (
+        CONF.keystone_authtoken.project_name or
+        CONF.keystone_authtoken.admin_tenant_name)
+    user_domain_name = (
+        CONF.keystone_authtoken.user_domain_name or 'Default')
+    project_domain_name = (
+        CONF.keystone_authtoken.project_domain_name or 'Default')
+
     auth = auth_plugins.Password(
         CONF.keystone_authtoken.auth_uri,
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
-        project_name=CONF.keystone_authtoken.admin_tenant_name,
-        # NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
-        # fetch the following values from the configuration.
-        user_domain_name='Default',
-        project_domain_name='Default')
+        username=username,
+        password=password,
+        project_name=project_name,
+        user_domain_name=user_domain_name,
+        project_domain_name=project_domain_name)
 
     return ks_session.Session(auth=auth)
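Review bot: `get_admin_session` now reads `CONF.keystone_authtoken.username`, `.password`, `.user_domain_name` and `.project_domain_name`, which as far as I know keystonemiddleware registers on CONF only when it loads the configured auth plugin, unlike the legacy `admin_*` options that are declared statically; a process that calls this before the auth_token middleware is constructed, or one that never mounts it, would hit `NoSuchOptError` on the first attribute access before the `or` fallback is ever reached, unless mistral's own config module registers those options, which is outside this diff. Worth confirming against the config module and, if it does not, registering the password plugin's options there. The removed NOTE(jaosorior) comment explained why the domains were hard-coded; a one-line replacement above the `user_domain_name` assignment such as `# Domains fall back to 'Default' for deployments that have not set them in [keystone_authtoken].` would keep that context for the follow-on cleanup.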