diff --git a/heat/common/auth_password.py b/heat/common/auth_password.py
index ccb4e8822..1d60375d7 100644
--- a/heat/common/auth_password.py
+++ b/heat/common/auth_password.py
@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-from keystoneclient import exceptions as keystone_exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions as keystone_exceptions
+from keystoneauth1 import session
 from webob import exc
 from heat.common import config
@@ -34,7 +34,7 @@ class KeystonePasswordAuthProtocol(object):
 def __init__(self, app, conf):
 self.app = app
 self.conf = conf
- self.session = session.Session.construct(self._ssl_options())
+ self.session = session.Session(**config.get_ssl_options('keystone'))
 def __call__(self, env, start_response):
 """Authenticate incoming request."""
@@ -105,13 +105,6 @@ class KeystonePasswordAuthProtocol(object):
 return headers
- def _ssl_options(self):
- opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
- 'insecure': config.get_client_option('keystone', 'insecure'),
- 'cert': config.get_client_option('keystone', 'cert_file'),
- 'key': config.get_client_option('keystone', 'key_file')}
- return opts
-
 def filter_factory(global_conf, **local_conf):
 """Returns a WSGI filter app for use with paste.deploy."""
diff --git a/heat/common/config.py b/heat/common/config.py
index 2528864f8..1b10ee6d1 100644
--- a/heat/common/config.py
+++ b/heat/common/config.py
@@ -477,6 +477,21 @@ def get_client_option(client, option):
 return getattr(cfg.CONF.clients, option)
+def get_ssl_options(client):
+ # Look for the ssl options in the [clients_${client}] section
+ cacert = get_client_option(client, 'ca_file')
+ insecure = get_client_option(client, 'insecure')
+ cert = get_client_option(client, 'cert_file')
+ key = get_client_option(client, 'key_file')
+ if insecure:
+ verify = False
+ else:
+ verify = cacert or True
+ if cert and key:
+ cert = (cert, key)
+ return {'verify': verify, 'cert': cert}
+
+
 def set_config_defaults():
 """This method updates all configuration default values."""
 # CORS Defaults
diff --git a/heat/common/context.py b/heat/common/context.py
index 65e8da2a2..ed224cdfb 100644
--- a/heat/common/context.py
+++ b/heat/common/context.py
@@ -11,11 +11,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-from keystoneclient import access
-from keystoneclient import auth
-from keystoneclient.auth.identity import access as access_plugin
-from keystoneclient.auth.identity import v3
-from keystoneclient.auth import token_endpoint
+from keystoneauth1 import access
+from keystoneauth1.identity import access as access_plugin
+from keystoneauth1.identity import v3
+from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import token_endpoint
 from oslo_config import cfg
 from oslo_context import context
 from oslo_log import log as logging
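Review bot: `get_ssl_options` in heat/common/config.py returns `verify = False` whenever `insecure` is set, even when `ca_file` is also configured, and nothing in the hunk records that choice, so every Keystone session built from this dict (auth_password.py, heat_keystoneclient.py, client_plugin.py) stops verifying the server certificate without a trace. I would log a warning in the `if insecure:` branch (whether config.py already has a logger is not visible in this hunk) and replace the one-line comment with a docstring such as `"""Return the 'verify' and 'cert' keyword arguments for a keystoneauth1 Session."""` that states this precedence. The `if cert and key:` test also means a `key_file` configured without a `cert_file` is dropped with no error; rejecting that combination would surface the misconfiguration instead of silently connecting without the client key.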
@@ -37,22 +37,23 @@ LOG = logging.getLogger(__name__) # Note, we yield the options via list_opts to enable generation of the # sample heat.conf, but we don't register these options directly via -# cfg.CONF.register*, it's done via auth.register_conf_options -# Note, only auth_plugin = v3password is expected to work, example config: +# cfg.CONF.register*, it's done via ks_loading.register_auth_conf_options +# Note, only auth_type = v3password is expected to work, example config: # [trustee] -# auth_plugin = password +# auth_type = v3password # auth_url = http://192.168.1.2:35357 # username = heat # password = password # user_domain_id = default V3_PASSWORD_PLUGIN = 'v3password' TRUSTEE_CONF_GROUP = 'trustee' -auth.register_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP) +ks_loading.register_auth_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP) def list_opts(): - trustee_opts = auth.conf.get_common_conf_options() - trustee_opts.extend(auth.conf.get_plugin_options(V3_PASSWORD_PLUGIN)) + trustee_opts = ks_loading.get_auth_common_conf_options() + trustee_opts.extend(ks_loading.get_auth_plugin_conf_options( + V3_PASSWORD_PLUGIN)) yield TRUSTEE_CONF_GROUP, trustee_opts @@ -171,7 +172,7 @@ class RequestContext(context.RequestContext): if self._trusts_auth_plugin: return self._trusts_auth_plugin - self._trusts_auth_plugin = auth.load_from_conf_options( + self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id) if self._trusts_auth_plugin: @@ -199,8 +200,8 @@ class RequestContext(context.RequestContext): def _create_auth_plugin(self): if self.auth_token_info: - auth_ref = access.AccessInfo.factory(body=self.auth_token_info, - auth_token=self.auth_token) + auth_ref = access.AccessInfoV3(self.auth_token_info, + auth_token=self.auth_token) return access_plugin.AccessInfoPlugin( auth_url=self.keystone_v3_endpoint, auth_ref=auth_ref) 
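Review bot: In `_create_auth_plugin` the token body is now always parsed as a v3 token by `access.AccessInfoV3(self.auth_token_info, auth_token=self.auth_token)`, whereas the removed `access.AccessInfo.factory(body=...)` chose the class from the body it was given. If `auth_token_info` can still hold a v2 body (not visible in this hunk), the auth_ref handed to `AccessInfoPlugin` may not carry the right user, project and role data. keystoneauth1 keeps a detecting constructor, so `auth_ref = access.create(body=self.auth_token_info, auth_token=self.auth_token)` preserves the old behaviour; if only v3 bodies can reach this point, a comment saying so would make the assumption explicit.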
diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index bf4423302..92cdc2f2e 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -17,9 +17,9 @@ import collections
 import uuid
 import weakref
-from keystoneclient.auth.identity import v3 as kc_auth_v3
+from keystoneauth1.identity import v3 as kc_auth_v3
+from keystoneauth1 import session
 import keystoneclient.exceptions as kc_exception
-from keystoneclient import session
 from keystoneclient.v3 import client as kc_v3
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -76,7 +76,7 @@ class KeystoneClientV3(object):
 self._domain_admin_auth = None
 self._domain_admin_client = None
- self.session = session.Session.construct(self._ssl_options())
+ self.session = session.Session(**config.get_ssl_options('keystone'))
 self.v3_endpoint = self.context.keystone_v3_endpoint
 if self.context.trust_id:
@@ -176,13 +176,6 @@ class KeystoneClientV3(object):
 return client
- def _ssl_options(self):
- opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
- 'insecure': config.get_client_option('keystone', 'insecure'),
- 'cert': config.get_client_option('keystone', 'cert_file'),
- 'key': config.get_client_option('keystone', 'key_file')}
- return opts
-
 def create_trust_context(self):
 """Create a trust using the trustor identity in the current context.
diff --git a/heat/engine/clients/client_plugin.py b/heat/engine/clients/client_plugin.py
index fec60fc1c..83ef08126 100644
--- a/heat/engine/clients/client_plugin.py
+++ b/heat/engine/clients/client_plugin.py
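Review bot: The import hunk of heat/common/heat_keystoneclient.py moves `session` and the v3 identity plugins to keystoneauth1 but keeps `import keystoneclient.exceptions as kc_exception`, so errors raised by the new session are keystoneauth1 exceptions while any handlers elsewhere in the module still name keystoneclient classes. Those handlers match only if the installed python-keystoneclient aliases its exception classes to keystoneauth1's, and no keystoneclient version bound that guarantees this is visible in the change; a handler that no longer matches `Unauthorized` would turn an authentication failure into an unhandled error. Importing `from keystoneauth1 import exceptions as kc_exception`, as auth_password.py and test_heat_client.py now do, removes that dependency. The same leftover keystoneclient exception import remains in test_clients.py and test_auth_password.py.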
@@ -16,11 +16,11 @@ import functools
 import sys
 import weakref
-from keystoneclient import auth
-from keystoneclient.auth.identity import v2
-from keystoneclient.auth.identity import v3
-from keystoneclient import exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions
+from keystoneauth1.identity import v2
+from keystoneauth1.identity import v3
+from keystoneauth1 import plugin
+from keystoneauth1 import session
 from oslo_config import cfg
 import requests
 import six
@@ -130,12 +130,8 @@ class ClientPlugin(object):
 # authentication requests so there is no reason to construct it fresh
 # for every client plugin. It should be global and shared amongst them.
 if not self._keystone_session_obj:
- o = {'cacert': self._get_client_option('keystone', 'ca_file'),
- 'insecure': self._get_client_option('keystone', 'insecure'),
- 'cert': self._get_client_option('keystone', 'cert_file'),
- 'key': self._get_client_option('keystone', 'key_file')}
-
- self._keystone_session_obj = session.Session.construct(o)
+ self._keystone_session_obj = session.Session(
+ **config.get_ssl_options('keystone'))
 return self._keystone_session_obj
@@ -205,8 +201,8 @@ class ClientPlugin(object):
 kc = self.clients.client('keystone').client
 auth_plugin = self.context.auth_plugin
- endpoint = auth_plugin.get_endpoint(None,
- interface=auth.AUTH_INTERFACE)
+ endpoint = auth_plugin.get_endpoint(
+ None, interface=plugin.AUTH_INTERFACE)
 token = auth_plugin.get_token(None)
 project_id = auth_plugin.get_project_id(None)
diff --git a/heat/tests/clients/test_clients.py b/heat/tests/clients/test_clients.py
index e981c8687..95c026b0a 100644
--- a/heat/tests/clients/test_clients.py
+++ b/heat/tests/clients/test_clients.py
@@ -18,7 +18,7 @@ from glanceclient import exc as glance_exc
 from glanceclient.openstack.common.apiclient import exceptions as g_a_exc
 from heatclient import client as heatclient
 from heatclient import exc as heat_exc
-from keystoneclient.auth.identity import v3
+from keystoneauth1.identity import v3
 from keystoneclient import exceptions as keystone_exc
 from manilaclient import exceptions as manila_exc
 import mock
diff --git a/heat/tests/clients/test_heat_client.py b/heat/tests/clients/test_heat_client.py
index 8ea2db6f5..3e9cef344 100644
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@@ -14,13 +14,13 @@
 import json
 import uuid
-from keystoneclient import access as ks_access
-from keystoneclient import auth as ks_auth
-from keystoneclient.auth.identity import access as ks_auth_access
-from keystoneclient.auth.identity import v3 as ks_auth_v3
-from keystoneclient.auth import token_endpoint as ks_token_endpoint
-import keystoneclient.exceptions as kc_exception
-from keystoneclient import session as ks_session
+from keystoneauth1 import access as ks_access
+from keystoneauth1 import exceptions as kc_exception
+from keystoneauth1.identity import access as ks_auth_access
+from keystoneauth1.identity import v3 as ks_auth_v3
+from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import session as ks_session
+from keystoneauth1 import token_endpoint as ks_token_endpoint
 from keystoneclient.v3 import client as kc_v3
 from keystoneclient.v3 import domains as kc_v3_domains
 import mox
@@ -52,7 +52,7 @@ class KeystoneClientTest(common.HeatTestCase): self.m.StubOutWithMock(ks_auth_v3, 'Password') self.m.StubOutWithMock(ks_token_endpoint, 'Token') self.m.StubOutWithMock(ks_auth_access, 'AccessInfoPlugin') - self.m.StubOutWithMock(ks_auth, 'load_from_conf_options') + self.m.StubOutWithMock(ks_loading, 'load_auth_from_conf_options') cfg.CONF.set_override('auth_uri', 'http://server.test:5000/v2.0', group='keystone_authtoken', enforce_type=True) @@ -77,7 +77,8 @@ class KeystoneClientTest(common.HeatTestCase): else: a.AndRaise(kc_exception.Unauthorized) - m = ks_auth.load_from_conf_options(cfg.CONF, 'trustee', trust_id=None) + m = ks_loading.load_auth_from_conf_options( + cfg.CONF, 'trustee', trust_id=None) m.AndReturn(mock_ks_auth) def _stub_domain_admin_client(self, domain_id=None): @@ -121,9 +122,9 @@ class KeystoneClientTest(common.HeatTestCase): user_domain_id='adomain123') elif method == 'trust': - p = ks_auth.load_from_conf_options(cfg.CONF, - 'trustee', - trust_id='atrust123') + p = ks_loading.load_auth_from_conf_options(cfg.CONF, + 'trustee', + trust_id='atrust123') mock_auth_ref.user_id = user_id or 'trustor_user_id' mock_auth_ref.project_id = project_id or 'test_tenant_id' diff --git a/heat/tests/fakes.py b/heat/tests/fakes.py index ac8f877a6..48e763e7a 100644 --- a/heat/tests/fakes.py +++ b/heat/tests/fakes.py @@ -18,8 +18,8 @@ wrong the tests might raise AssertionError. I've indicated in comments the places where actual behavior differs from the spec. """ -from keystoneclient import auth -from keystoneclient import session +from keystoneauth1 import plugin +from keystoneauth1 import session from heat.common import context @@ -73,7 +73,7 @@ class FakeClient(object): pass -class FakeAuth(auth.BaseAuthPlugin): +class FakeAuth(plugin.BaseAuthPlugin): def __init__(self, auth_token='abcd1234', only_services=None): self.auth_token = auth_token 
diff --git a/heat/tests/test_auth_password.py b/heat/tests/test_auth_password.py index 044c23e0c..b931dfdb7 100644 --- a/heat/tests/test_auth_password.py +++ b/heat/tests/test_auth_password.py @@ -14,9 +14,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -from keystoneclient.auth.identity import v3 as ks_v3_auth +from keystoneauth1.identity import v3 as ks_v3_auth +from keystoneauth1 import session as ks_session from keystoneclient import exceptions as keystone_exc -from keystoneclient import session as ks_session import mox from oslo_config import cfg import six diff --git a/heat/tests/test_common_context.py b/heat/tests/test_common_context.py index c432d6dbd..cd6f863d9 100644 --- a/heat/tests/test_common_context.py +++ b/heat/tests/test_common_context.py @@ -198,7 +198,7 @@ class TestRequestContext(common.HeatTestCase): ctx = context.RequestContext(auth_url=None, user_domain_id='non-default', username='test') - with mock.patch('keystoneclient.auth.identity.v3.Password') as ps: + with mock.patch('keystoneauth1.identity.v3.Password') as ps: ctx.trusts_auth_plugin ps.assert_called_once_with(username='heat', password='password', diff --git a/heat_integrationtests/common/clients.py b/heat_integrationtests/common/clients.py index 89135955c..7a674bf58 100644 --- a/heat_integrationtests/common/clients.py +++ b/heat_integrationtests/common/clients.py 
@@ -16,9 +16,9 @@ from ceilometerclient import client as ceilometer_client
 from cinderclient import client as cinder_client
 from heat.common.i18n import _
 from heatclient import client as heat_client
-from keystoneclient.auth.identity.generic import password
-from keystoneclient import exceptions as kc_exceptions
-from keystoneclient import session
+from keystoneauth1 import exceptions as kc_exceptions
+from keystoneauth1.identity.generic import password
+from keystoneauth1 import session
 from neutronclient.v2_0 import client as neutron_client
 from novaclient import client as nova_client
 from swiftclient import client as swift_client
@@ -51,10 +51,7 @@ class KeystoneWrapperClient(object):
 def get_endpoint_url(self, service_type, region=None):
 kwargs = {
 'service_type': service_type,
- 'endpoint_type': 'publicURL'}
- if region:
- kwargs.update({'attr': 'region',
- 'filter_value': region})
+ 'region_name': region}
 return self.auth_ref.service_catalog.url_for(**kwargs)
diff --git a/requirements.txt b/requirements.txt
index ed85cc520..1b659698e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,6 +9,7 @@ cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
 debtcollector>=1.2.0 # Apache-2.0
 eventlet!=0.18.3,>=0.18.2 # MIT
 greenlet>=0.3.2 # MIT
+keystoneauth1>=2.1.0 # Apache-2.0
 keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0
 lxml>=2.3 # BSD
 netaddr!=0.7.16,>=0.7.12 # BSD
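Review bot: `get_endpoint_url` in heat_integrationtests/common/clients.py drops `'endpoint_type': 'publicURL'` without a replacement, so the endpoint returned now depends on the default interface of `url_for`, and `region_name` is passed even when `region` is None. Stating the interface, `kwargs = {'service_type': service_type, 'interface': 'public', 'region_name': region}`, keeps the lookup pinned to the public endpoint when a catalog also lists internal or admin endpoints for the same service. A short docstring saying that a None region means "any region" would document the second point.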