Merge "Use recommended function to setup auth middleware in devstack"
This commit is contained in:
commit
eee459e2e0
@ -59,6 +59,11 @@ function mkdir_chown_stack {
|
|||||||
|
|
||||||
# configure_mistral - Set config files, create data dirs, etc
|
# configure_mistral - Set config files, create data dirs, etc
|
||||||
function configure_mistral {
|
function configure_mistral {
|
||||||
|
|
||||||
|
# create and clean up auth cache dir
|
||||||
|
mkdir_chown_stack "$MISTRAL_AUTH_CACHE_DIR"
|
||||||
|
rm -f "$MISTRAL_AUTH_CACHE_DIR"/*
|
||||||
|
|
||||||
mkdir_chown_stack "$MISTRAL_CONF_DIR"
|
mkdir_chown_stack "$MISTRAL_CONF_DIR"
|
||||||
|
|
||||||
# Generate Mistral configuration file and configure common parameters.
|
# Generate Mistral configuration file and configure common parameters.
|
||||||
@ -75,14 +80,8 @@ function configure_mistral {
|
|||||||
#-------------------------
|
#-------------------------
|
||||||
|
|
||||||
# Setup keystone_authtoken section
|
# Setup keystone_authtoken section
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
configure_auth_token_middleware $MISTRAL_CONF_FILE mistral $MISTRAL_AUTH_CACHE_DIR
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
|
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
|
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
|
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
|
||||||
iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
|
|
||||||
|
|
||||||
# Setup RabbitMQ credentials
|
# Setup RabbitMQ credentials
|
||||||
iniset_rpc_backend mistral $MISTRAL_CONF_FILE
|
iniset_rpc_backend mistral $MISTRAL_CONF_FILE
|
||||||
@ -249,8 +248,8 @@ if is_service_enabled mistral; then
|
|||||||
install_mistral_pythonclient
|
install_mistral_pythonclient
|
||||||
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
||||||
echo_summary "Configuring mistral"
|
echo_summary "Configuring mistral"
|
||||||
configure_mistral
|
|
||||||
create_mistral_accounts
|
create_mistral_accounts
|
||||||
|
configure_mistral
|
||||||
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
||||||
echo_summary "Initializing mistral"
|
echo_summary "Initializing mistral"
|
||||||
init_mistral
|
init_mistral
|
||||||
|
@ -29,6 +29,7 @@ MISTRAL_DASHBOARD_DIR=$DEST/mistral-dashboard
|
|||||||
MISTRAL_CONF_DIR=${MISTRAL_CONF_DIR:-/etc/mistral}
|
MISTRAL_CONF_DIR=${MISTRAL_CONF_DIR:-/etc/mistral}
|
||||||
MISTRAL_CONF_FILE=${MISTRAL_CONF_DIR}/mistral.conf
|
MISTRAL_CONF_FILE=${MISTRAL_CONF_DIR}/mistral.conf
|
||||||
MISTRAL_DEBUG=${MISTRAL_DEBUG:-True}
|
MISTRAL_DEBUG=${MISTRAL_DEBUG:-True}
|
||||||
|
MISTRAL_AUTH_CACHE_DIR=${MISTRAL_AUTH_CACHE_DIR:-/var/cache/mistral}
|
||||||
|
|
||||||
MISTRAL_SERVICE_HOST=${MISTRAL_SERVICE_HOST:-$SERVICE_HOST}
|
MISTRAL_SERVICE_HOST=${MISTRAL_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
MISTRAL_SERVICE_PORT=${MISTRAL_SERVICE_PORT:-8989}
|
MISTRAL_SERVICE_PORT=${MISTRAL_SERVICE_PORT:-8989}
|
||||||
|
@ -42,8 +42,7 @@ def create_trust():
|
|||||||
|
|
||||||
ctx = auth_ctx.ctx()
|
ctx = auth_ctx.ctx()
|
||||||
|
|
||||||
trustee_id = keystone.client_for_admin(
|
trustee_id = keystone.client_for_admin().session.get_user_id()
|
||||||
CONF.keystone_authtoken.admin_tenant_name).user_id
|
|
||||||
|
|
||||||
return client.trusts.create(
|
return client.trusts.create(
|
||||||
trustor_user=client.user_id,
|
trustor_user=client.user_id,
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import keystoneauth1.identity.generic as auth_plugins
|
import keystoneauth1.identity.generic as auth_plugins
|
||||||
|
from keystoneauth1 import loading
|
||||||
from keystoneauth1 import session as ks_session
|
from keystoneauth1 import session as ks_session
|
||||||
from keystoneauth1.token_endpoint import Token
|
from keystoneauth1.token_endpoint import Token
|
||||||
from keystoneclient import service_catalog as ks_service_catalog
|
from keystoneclient import service_catalog as ks_service_catalog
|
||||||
@ -27,6 +28,7 @@ from mistral import context
|
|||||||
from mistral import exceptions
|
from mistral import exceptions
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')
|
||||||
|
|
||||||
|
|
||||||
def client():
|
def client():
|
||||||
@ -91,13 +93,14 @@ def get_session_and_auth(context, **kwargs):
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def _admin_client(trust_id=None, project_name=None):
|
def _admin_client(trust_id=None):
|
||||||
|
if CONF.keystone_authtoken.auth_type is None:
|
||||||
auth_url = CONF.keystone_authtoken.auth_uri
|
auth_url = CONF.keystone_authtoken.auth_uri
|
||||||
|
|
||||||
cl = ks_client.Client(
|
cl = ks_client.Client(
|
||||||
username=CONF.keystone_authtoken.admin_user,
|
username=CONF.keystone_authtoken.admin_user,
|
||||||
password=CONF.keystone_authtoken.admin_password,
|
password=CONF.keystone_authtoken.admin_password,
|
||||||
project_name=project_name,
|
project_name=CONF.keystone_authtoken.admin_tenant_name,
|
||||||
auth_url=auth_url,
|
auth_url=auth_url,
|
||||||
trust_id=trust_id
|
trust_id=trust_id
|
||||||
)
|
)
|
||||||
@ -105,10 +108,33 @@ def _admin_client(trust_id=None, project_name=None):
|
|||||||
cl.management_url = auth_url
|
cl.management_url = auth_url
|
||||||
|
|
||||||
return cl
|
return cl
|
||||||
|
else:
|
||||||
|
kwargs = {}
|
||||||
|
|
||||||
|
if trust_id:
|
||||||
|
# Remove project_name and project_id, since we need a trust scoped
|
||||||
|
# auth object
|
||||||
|
kwargs['project_name'] = None
|
||||||
|
kwargs['project_domain_name'] = None
|
||||||
|
kwargs['project_id'] = None
|
||||||
|
kwargs['trust_id'] = trust_id
|
||||||
|
|
||||||
|
auth = loading.load_auth_from_conf_options(
|
||||||
|
CONF,
|
||||||
|
'keystone_authtoken',
|
||||||
|
**kwargs
|
||||||
|
)
|
||||||
|
sess = loading.load_session_from_conf_options(
|
||||||
|
CONF,
|
||||||
|
'keystone_authtoken',
|
||||||
|
auth=auth
|
||||||
|
)
|
||||||
|
|
||||||
|
return ks_client.Client(session=sess)
|
||||||
|
|
||||||
|
|
||||||
def client_for_admin(project_name):
|
def client_for_admin():
|
||||||
return _admin_client(project_name=project_name)
|
return _admin_client()
|
||||||
|
|
||||||
|
|
||||||
def client_for_trusts(trust_id):
|
def client_for_trusts(trust_id):
|
||||||
@ -231,28 +257,34 @@ def format_url(url_template, values):
|
|||||||
|
|
||||||
|
|
||||||
def is_token_trust_scoped(auth_token):
|
def is_token_trust_scoped(auth_token):
|
||||||
admin_project_name = CONF.keystone_authtoken.admin_tenant_name
|
return 'OS-TRUST:trust' in client_for_admin().tokens.validate(auth_token)
|
||||||
keystone_client = _admin_client(project_name=admin_project_name)
|
|
||||||
|
|
||||||
token_info = keystone_client.tokens.validate(auth_token)
|
|
||||||
|
|
||||||
return 'OS-TRUST:trust' in token_info
|
|
||||||
|
|
||||||
|
|
||||||
def get_admin_session():
|
def get_admin_session():
|
||||||
"""Returns a keystone session from Mistral's service credentials."""
|
"""Returns a keystone session from Mistral's service credentials."""
|
||||||
|
if CONF.keystone_authtoken.auth_type is None:
|
||||||
auth = auth_plugins.Password(
|
auth = auth_plugins.Password(
|
||||||
CONF.keystone_authtoken.auth_uri,
|
CONF.keystone_authtoken.auth_uri,
|
||||||
username=CONF.keystone_authtoken.admin_user,
|
username=CONF.keystone_authtoken.admin_user,
|
||||||
password=CONF.keystone_authtoken.admin_password,
|
password=CONF.keystone_authtoken.admin_password,
|
||||||
project_name=CONF.keystone_authtoken.admin_tenant_name,
|
project_name=CONF.keystone_authtoken.admin_tenant_name,
|
||||||
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
|
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we
|
||||||
# fetch the following values from the configuration.
|
# can fetch the following values from the configuration.
|
||||||
user_domain_name='Default',
|
user_domain_name='Default',
|
||||||
project_domain_name='Default')
|
project_domain_name='Default')
|
||||||
|
|
||||||
return ks_session.Session(auth=auth)
|
return ks_session.Session(auth=auth)
|
||||||
|
else:
|
||||||
|
auth = loading.load_auth_from_conf_options(
|
||||||
|
CONF,
|
||||||
|
'keystone_authtoken'
|
||||||
|
)
|
||||||
|
|
||||||
|
return loading.load_session_from_conf_options(
|
||||||
|
CONF,
|
||||||
|
'keystone_authtoken',
|
||||||
|
auth=auth
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def will_expire_soon(expires_at):
|
def will_expire_soon(expires_at):
|
||||||
|
Loading…
Reference in New Issue
Block a user