openstack/deb-heat
Code Issues Proposed changes

Use keystoneauth1 instead of keystoneclient.auth

Browse Source 
keystoneclient.auth is deprecated, use keystoneauth1 instead.

Change-Id: Idf6daaccef8547755989140a91e4543cc94f9b58
Closes-Bug: #1554533
This commit is contained in:
Ethan Lynn 2016-05-10 23:09:51 +08:00 committed by rabi
parent b7cbfef696
commit 44862d9ac4
12 changed files with 70 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
heat/common/auth_password.py
View File

@ -14,8 +14,8 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from keystoneclient import exceptions as keystone_exceptions from keystoneauth1 import exceptions as keystone_exceptions
from keystoneclient import session from keystoneauth1 import session
from webob import exc from webob import exc
from heat.common import config from heat.common import config
@ -34,7 +34,7 @@ class KeystonePasswordAuthProtocol(object):
def __init__(self, app, conf): def __init__(self, app, conf):
self.app = app self.app = app
self.conf = conf self.conf = conf
self.session = session.Session.construct(self._ssl_options()) self.session = session.Session(**config.get_ssl_options('keystone'))
def __call__(self, env, start_response): def __call__(self, env, start_response):
"""Authenticate incoming request.""" """Authenticate incoming request."""
@ -105,13 +105,6 @@ class KeystonePasswordAuthProtocol(object):
return headers return headers
def _ssl_options(self):
opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
'insecure': config.get_client_option('keystone', 'insecure'),
'cert': config.get_client_option('keystone', 'cert_file'),
'key': config.get_client_option('keystone', 'key_file')}
return opts
def filter_factory(global_conf, **local_conf): def filter_factory(global_conf, **local_conf):
"""Returns a WSGI filter app for use with paste.deploy.""" """Returns a WSGI filter app for use with paste.deploy."""

15
heat/common/config.py
View File

@ -477,6 +477,21 @@ def get_client_option(client, option):
return getattr(cfg.CONF.clients, option) return getattr(cfg.CONF.clients, option)
def get_ssl_options(client):
# Look for the ssl options in the [clients_${client}] section
cacert = get_client_option(client, 'ca_file')
insecure = get_client_option(client, 'insecure')
cert = get_client_option(client, 'cert_file')
key = get_client_option(client, 'key_file')
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
cert = (cert, key)
return {'verify': verify, 'cert': cert}
def set_config_defaults(): def set_config_defaults():
"""This method updates all configuration default values.""" """This method updates all configuration default values."""
# CORS Defaults # CORS Defaults

29
heat/common/context.py
View File

@ -11,11 +11,11 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from keystoneclient import access from keystoneauth1 import access
from keystoneclient import auth from keystoneauth1.identity import access as access_plugin
from keystoneclient.auth.identity import access as access_plugin from keystoneauth1.identity import v3
from keystoneclient.auth.identity import v3 from keystoneauth1 import loading as ks_loading
from keystoneclient.auth import token_endpoint from keystoneauth1 import token_endpoint
from oslo_config import cfg from oslo_config import cfg
from oslo_context import context from oslo_context import context
from oslo_log import log as logging from oslo_log import log as logging
@ -37,22 +37,23 @@ LOG = logging.getLogger(__name__)
# Note, we yield the options via list_opts to enable generation of the # Note, we yield the options via list_opts to enable generation of the
# sample heat.conf, but we don't register these options directly via # sample heat.conf, but we don't register these options directly via
# cfg.CONF.register*, it's done via auth.register_conf_options # cfg.CONF.register*, it's done via ks_loading.register_auth_conf_options
# Note, only auth_plugin = v3password is expected to work, example config: # Note, only auth_type = v3password is expected to work, example config:
# [trustee] # [trustee]
# auth_plugin = password # auth_type = v3password
# auth_url = http://192.168.1.2:35357 # auth_url = http://192.168.1.2:35357
# username = heat # username = heat
# password = password # password = password
# user_domain_id = default # user_domain_id = default
V3_PASSWORD_PLUGIN = 'v3password' V3_PASSWORD_PLUGIN = 'v3password'
TRUSTEE_CONF_GROUP = 'trustee' TRUSTEE_CONF_GROUP = 'trustee'
auth.register_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP) ks_loading.register_auth_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP)
def list_opts(): def list_opts():
trustee_opts = auth.conf.get_common_conf_options() trustee_opts = ks_loading.get_auth_common_conf_options()
trustee_opts.extend(auth.conf.get_plugin_options(V3_PASSWORD_PLUGIN)) trustee_opts.extend(ks_loading.get_auth_plugin_conf_options(
V3_PASSWORD_PLUGIN))
yield TRUSTEE_CONF_GROUP, trustee_opts yield TRUSTEE_CONF_GROUP, trustee_opts
@ -171,7 +172,7 @@ class RequestContext(context.RequestContext):
if self._trusts_auth_plugin: if self._trusts_auth_plugin:
return self._trusts_auth_plugin return self._trusts_auth_plugin
self._trusts_auth_plugin = auth.load_from_conf_options( self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id) cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
if self._trusts_auth_plugin: if self._trusts_auth_plugin:
@ -199,8 +200,8 @@ class RequestContext(context.RequestContext):
def _create_auth_plugin(self): def _create_auth_plugin(self):
if self.auth_token_info: if self.auth_token_info:
auth_ref = access.AccessInfo.factory(body=self.auth_token_info, auth_ref = access.AccessInfoV3(self.auth_token_info,
auth_token=self.auth_token) auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin( return access_plugin.AccessInfoPlugin(
auth_url=self.keystone_v3_endpoint, auth_url=self.keystone_v3_endpoint,
auth_ref=auth_ref) auth_ref=auth_ref)

13
heat/common/heat_keystoneclient.py
View File

@ -17,9 +17,9 @@ import collections
import uuid import uuid
import weakref import weakref
from keystoneclient.auth.identity import v3 as kc_auth_v3 from keystoneauth1.identity import v3 as kc_auth_v3
from keystoneauth1 import session
import keystoneclient.exceptions as kc_exception import keystoneclient.exceptions as kc_exception
from keystoneclient import session
from keystoneclient.v3 import client as kc_v3 from keystoneclient.v3 import client as kc_v3
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
@ -76,7 +76,7 @@ class KeystoneClientV3(object):
self._domain_admin_auth = None self._domain_admin_auth = None
self._domain_admin_client = None self._domain_admin_client = None
self.session = session.Session.construct(self._ssl_options()) self.session = session.Session(**config.get_ssl_options('keystone'))
self.v3_endpoint = self.context.keystone_v3_endpoint self.v3_endpoint = self.context.keystone_v3_endpoint
if self.context.trust_id: if self.context.trust_id:
@ -176,13 +176,6 @@ class KeystoneClientV3(object):
return client return client
def _ssl_options(self):
opts = {'cacert': config.get_client_option('keystone', 'ca_file'),
'insecure': config.get_client_option('keystone', 'insecure'),
'cert': config.get_client_option('keystone', 'cert_file'),
'key': config.get_client_option('keystone', 'key_file')}
return opts
def create_trust_context(self): def create_trust_context(self):
"""Create a trust using the trustor identity in the current context. """Create a trust using the trustor identity in the current context.

22
heat/engine/clients/client_plugin.py
View File

@ -16,11 +16,11 @@ import functools
import sys import sys
import weakref import weakref
from keystoneclient import auth from keystoneauth1 import exceptions
from keystoneclient.auth.identity import v2 from keystoneauth1.identity import v2
from keystoneclient.auth.identity import v3 from keystoneauth1.identity import v3
from keystoneclient import exceptions from keystoneauth1 import plugin
from keystoneclient import session from keystoneauth1 import session
from oslo_config import cfg from oslo_config import cfg
import requests import requests
import six import six
@ -130,12 +130,8 @@ class ClientPlugin(object):
# authentication requests so there is no reason to construct it fresh # authentication requests so there is no reason to construct it fresh
# for every client plugin. It should be global and shared amongst them. # for every client plugin. It should be global and shared amongst them.
if not self._keystone_session_obj: if not self._keystone_session_obj:
o = {'cacert': self._get_client_option('keystone', 'ca_file'), self._keystone_session_obj = session.Session(
'insecure': self._get_client_option('keystone', 'insecure'), **config.get_ssl_options('keystone'))
'cert': self._get_client_option('keystone', 'cert_file'),
'key': self._get_client_option('keystone', 'key_file')}
self._keystone_session_obj = session.Session.construct(o)
return self._keystone_session_obj return self._keystone_session_obj
@ -205,8 +201,8 @@ class ClientPlugin(object):
kc = self.clients.client('keystone').client kc = self.clients.client('keystone').client
auth_plugin = self.context.auth_plugin auth_plugin = self.context.auth_plugin
endpoint = auth_plugin.get_endpoint(None, endpoint = auth_plugin.get_endpoint(
interface=auth.AUTH_INTERFACE) None, interface=plugin.AUTH_INTERFACE)
token = auth_plugin.get_token(None) token = auth_plugin.get_token(None)
project_id = auth_plugin.get_project_id(None) project_id = auth_plugin.get_project_id(None)

2
heat/tests/clients/test_clients.py
View File

@ -18,7 +18,7 @@ from glanceclient import exc as glance_exc
from glanceclient.openstack.common.apiclient import exceptions as g_a_exc from glanceclient.openstack.common.apiclient import exceptions as g_a_exc
from heatclient import client as heatclient from heatclient import client as heatclient
from heatclient import exc as heat_exc from heatclient import exc as heat_exc
from keystoneclient.auth.identity import v3 from keystoneauth1.identity import v3
from keystoneclient import exceptions as keystone_exc from keystoneclient import exceptions as keystone_exc
from manilaclient import exceptions as manila_exc from manilaclient import exceptions as manila_exc
import mock import mock

25
heat/tests/clients/test_heat_client.py
View File

@ -14,13 +14,13 @@
import json import json
import uuid import uuid
from keystoneclient import access as ks_access from keystoneauth1 import access as ks_access
from keystoneclient import auth as ks_auth from keystoneauth1 import exceptions as kc_exception
from keystoneclient.auth.identity import access as ks_auth_access from keystoneauth1.identity import access as ks_auth_access
from keystoneclient.auth.identity import v3 as ks_auth_v3 from keystoneauth1.identity import v3 as ks_auth_v3
from keystoneclient.auth import token_endpoint as ks_token_endpoint from keystoneauth1 import loading as ks_loading
import keystoneclient.exceptions as kc_exception from keystoneauth1 import session as ks_session
from keystoneclient import session as ks_session from keystoneauth1 import token_endpoint as ks_token_endpoint
from keystoneclient.v3 import client as kc_v3 from keystoneclient.v3 import client as kc_v3
from keystoneclient.v3 import domains as kc_v3_domains from keystoneclient.v3 import domains as kc_v3_domains
import mox import mox
@ -52,7 +52,7 @@ class KeystoneClientTest(common.HeatTestCase):
self.m.StubOutWithMock(ks_auth_v3, 'Password') self.m.StubOutWithMock(ks_auth_v3, 'Password')
self.m.StubOutWithMock(ks_token_endpoint, 'Token') self.m.StubOutWithMock(ks_token_endpoint, 'Token')
self.m.StubOutWithMock(ks_auth_access, 'AccessInfoPlugin') self.m.StubOutWithMock(ks_auth_access, 'AccessInfoPlugin')
self.m.StubOutWithMock(ks_auth, 'load_from_conf_options') self.m.StubOutWithMock(ks_loading, 'load_auth_from_conf_options')
cfg.CONF.set_override('auth_uri', 'http://server.test:5000/v2.0', cfg.CONF.set_override('auth_uri', 'http://server.test:5000/v2.0',
group='keystone_authtoken', enforce_type=True) group='keystone_authtoken', enforce_type=True)
@ -77,7 +77,8 @@ class KeystoneClientTest(common.HeatTestCase):
else: else:
a.AndRaise(kc_exception.Unauthorized) a.AndRaise(kc_exception.Unauthorized)
m = ks_auth.load_from_conf_options(cfg.CONF, 'trustee', trust_id=None) m = ks_loading.load_auth_from_conf_options(
cfg.CONF, 'trustee', trust_id=None)
m.AndReturn(mock_ks_auth) m.AndReturn(mock_ks_auth)
def _stub_domain_admin_client(self, domain_id=None): def _stub_domain_admin_client(self, domain_id=None):
@ -121,9 +122,9 @@ class KeystoneClientTest(common.HeatTestCase):
user_domain_id='adomain123') user_domain_id='adomain123')
elif method == 'trust': elif method == 'trust':
p = ks_auth.load_from_conf_options(cfg.CONF, p = ks_loading.load_auth_from_conf_options(cfg.CONF,
'trustee', 'trustee',
trust_id='atrust123') trust_id='atrust123')
mock_auth_ref.user_id = user_id or 'trustor_user_id' mock_auth_ref.user_id = user_id or 'trustor_user_id'
mock_auth_ref.project_id = project_id or 'test_tenant_id' mock_auth_ref.project_id = project_id or 'test_tenant_id'

6
heat/tests/fakes.py
View File

@ -18,8 +18,8 @@ wrong the tests might raise AssertionError. I've indicated in comments the
places where actual behavior differs from the spec. places where actual behavior differs from the spec.
""" """
from keystoneclient import auth from keystoneauth1 import plugin
from keystoneclient import session from keystoneauth1 import session
from heat.common import context from heat.common import context
@ -73,7 +73,7 @@ class FakeClient(object):
pass pass
class FakeAuth(auth.BaseAuthPlugin): class FakeAuth(plugin.BaseAuthPlugin):
def __init__(self, auth_token='abcd1234', only_services=None): def __init__(self, auth_token='abcd1234', only_services=None):
self.auth_token = auth_token self.auth_token = auth_token

4
heat/tests/test_auth_password.py
View File

@ -14,9 +14,9 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from keystoneclient.auth.identity import v3 as ks_v3_auth from keystoneauth1.identity import v3 as ks_v3_auth
from keystoneauth1 import session as ks_session
from keystoneclient import exceptions as keystone_exc from keystoneclient import exceptions as keystone_exc
from keystoneclient import session as ks_session
import mox import mox
from oslo_config import cfg from oslo_config import cfg
import six import six

2
heat/tests/test_common_context.py
View File

@ -198,7 +198,7 @@ class TestRequestContext(common.HeatTestCase):
ctx = context.RequestContext(auth_url=None, ctx = context.RequestContext(auth_url=None,
user_domain_id='non-default', user_domain_id='non-default',
username='test') username='test')
with mock.patch('keystoneclient.auth.identity.v3.Password') as ps: with mock.patch('keystoneauth1.identity.v3.Password') as ps:
ctx.trusts_auth_plugin ctx.trusts_auth_plugin
ps.assert_called_once_with(username='heat', ps.assert_called_once_with(username='heat',
password='password', password='password',

11
heat_integrationtests/common/clients.py
View File

@ -16,9 +16,9 @@ from ceilometerclient import client as ceilometer_client
from cinderclient import client as cinder_client from cinderclient import client as cinder_client
from heat.common.i18n import _ from heat.common.i18n import _
from heatclient import client as heat_client from heatclient import client as heat_client
from keystoneclient.auth.identity.generic import password from keystoneauth1 import exceptions as kc_exceptions
from keystoneclient import exceptions as kc_exceptions from keystoneauth1.identity.generic import password
from keystoneclient import session from keystoneauth1 import session
from neutronclient.v2_0 import client as neutron_client from neutronclient.v2_0 import client as neutron_client
from novaclient import client as nova_client from novaclient import client as nova_client
from swiftclient import client as swift_client from swiftclient import client as swift_client
@ -51,10 +51,7 @@ class KeystoneWrapperClient(object):
def get_endpoint_url(self, service_type, region=None): def get_endpoint_url(self, service_type, region=None):
kwargs = { kwargs = {
'service_type': service_type, 'service_type': service_type,
'endpoint_type': 'publicURL'} 'region_name': region}
if region:
kwargs.update({'attr': 'region',
'filter_value': region})
return self.auth_ref.service_catalog.url_for(**kwargs) return self.auth_ref.service_catalog.url_for(**kwargs)

1
requirements.txt
View File

@ -9,6 +9,7 @@ cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
debtcollector>=1.2.0 # Apache-2.0 debtcollector>=1.2.0 # Apache-2.0
eventlet!=0.18.3,>=0.18.2 # MIT eventlet!=0.18.3,>=0.18.2 # MIT
greenlet>=0.3.2 # MIT greenlet>=0.3.2 # MIT
keystoneauth1>=2.1.0 # Apache-2.0
keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0 keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0
lxml>=2.3 # BSD lxml>=2.3 # BSD
netaddr!=0.7.16,>=0.7.12 # BSD netaddr!=0.7.16,>=0.7.12 # BSD