Use proper config option to connect to keystone

Earlier, quotas used to authenticate to endpoint from not required
option located in keymgr.encryption_auth_url. Now, the required
auth_uri option from config file is used to authenticate to
keystone.

Co-Authored-By: Michal Dulko <michal.dulko@intel.com>
Change-Id: I1076527704f8def2c6755c060df49232e5ebe805
Closes-Bug: 1516085

cinder/api/contrib/quotas.py

@@ -15,8 +15,10 @@
 
 import webob
 
+from keystoneclient.auth.identity.generic import token
+from keystoneclient import client
 from keystoneclient import exceptions
-from keystoneclient.v3 import client
+from keystoneclient import session
 
 from cinder.api import extensions
 from cinder.api.openstack import wsgi
@@ -180,9 +182,13 @@ class QuotaSetsController(wsgi.Controller):
         order to do quota operations properly.
         """
         try:
-            keystone = client.Client(auth_url=CONF.keymgr.encryption_auth_url,
+            auth_plugin = token.Token(
+                auth_url=CONF.keystone_authtoken.auth_uri,
                 token=context.auth_token,
                 project_id=context.project_id)
+            client_session = session.Session(auth=auth_plugin)
+            keystone = client.Client(auth_url=CONF.keystone_authtoken.auth_uri,
+                                     session=client_session)
             project = keystone.projects.get(id, subtree_as_ids=subtree_as_ids)
         except exceptions.NotFound:
             msg = (_("Tenant ID: %s does not exist.") % id)

cinder/tests/unit/api/contrib/test_quotas.py

@@ -32,7 +32,9 @@ from cinder import db
 from cinder import test
 from cinder.tests.unit import test_db_api
 
+from keystonemiddleware import auth_token
 from oslo_config import cfg
+from oslo_config import fixture as config_fixture
 
 
 CONF = cfg.CONF
@@ -92,7 +94,10 @@ class QuotaSetsControllerTest(test.TestCase):
         self.req.environ['cinder.context'].project_id = 'foo'
 
         self._create_project_hierarchy()
-        self.auth_url = CONF.keymgr.encryption_auth_url
+
+        self.auth_url = 'http://localhost:5000'
+        self.fixture = self.useFixture(config_fixture.Config(auth_token.CONF))
+        self.fixture.config(auth_uri=self.auth_url, group='keystone_authtoken')
 
     def _create_project_hierarchy(self):
         """Sets an environment used for nested quotas tests.
@@ -123,15 +128,16 @@ class QuotaSetsControllerTest(test.TestCase):
     def _get_project(self, context, id, subtree_as_ids=False):
         return self.project_by_id.get(id, self.FakeProject())
 
-    @mock.patch('keystoneclient.v3.client.Client')
+    @mock.patch('keystoneclient.client.Client')
-    def test_keystone_client_instantiation(self, ksclient_class):
+    @mock.patch('keystoneclient.session.Session')
+    def test_keystone_client_instantiation(self, ksclient_session,
+                                           ksclient_class):
         context = self.req.environ['cinder.context']
         self.controller._get_project(context, context.project_id)
         ksclient_class.assert_called_once_with(auth_url=self.auth_url,
-                                               token=context.auth_token,
+                                               session=ksclient_session())
-                                               project_id=context.project_id)
 
-    @mock.patch('keystoneclient.v3.client.Client')
+    @mock.patch('keystoneclient.client.Client')
     def test_get_project(self, ksclient_class):
         context = self.req.environ['cinder.context']
         keystoneclient = ksclient_class.return_value

releasenotes/notes/a7401ead26a7c83b-keystone-url.yaml

@@ -0,0 +1,3 @@
+---
+fixes:
+  - Cinder will now correctly read Keystone's endpoint for quota calls from keystone_authtoken.auth_uri instead of keymgr.encryption_auth_url config option.

requirements.txt

@@ -33,6 +33,7 @@ pycrypto>=2.6
 pyparsing>=2.0.1
 python-barbicanclient>=3.3.0
 python-glanceclient>=0.18.0
+python-keystoneclient>=1.6.0,!=1.8.0
 python-novaclient!=2.33.0,>=2.29.0
 python-swiftclient>=2.2.0
 requests>=2.8.1