Use actual session for ironic-inspector action population

python-ironic-inspector needs an actual session when creating the client, since it will try to fetch and furtherly validate the given version regardless if a version is explicitly given. This fetching and validation do calls to keystone which require credentials. Thus, I'm using mistral's service credentials to fetch the required info. Change-Id: I908552d2fb8ab4a5a3593f03f92ee6a31b672034
2016-08-04 14:37:27 +03:00 · 2016-08-04 14:37:27 +03:00 · 81f16827e3
commit 81f16827e3
parent 277b08ad9e
3 changed files with 46 additions and 1 deletions
--- a/mistral/actions/openstack/actions.py
+++ b/mistral/actions/openstack/actions.py
@ -388,7 +388,25 @@ class BaremetalIntrospectionAction(base.OpenStackAction):

    @classmethod
    def _get_fake_client(cls):
-        return cls._get_client_class()(1)
+        try:
+            # ironic-inspector client tries to get and validate it's own
+            # version when created. This might require checking the keystone
+            # catalog if the ironic-inspector server is not listening on the
+            # localhost IP address. Thus, we get a session for this case.
+            sess = keystone_utils.get_admin_session()
+
+            return cls._get_client_class()(session=sess)
+        except Exception as e:
+            LOG.warning("There was an error trying to create the "
+                        "ironic-inspector client using a session: %s" % str(e))
+            # If it's not possible to establish a keystone session, attempt to
+            # create a client without it. This should fall back to where the
+            # ironic-inspector client tries to get it's own version on the
+            # default IP address.
+            LOG.debug("Attempting to create the ironic-inspector client "
+                      "without a session.")
+
+            return cls._get_client_class()()

    def _get_client(self):
        ctx = context.ctx()
--- a/mistral/utils/openstack/keystone.py
+++ b/mistral/utils/openstack/keystone.py
@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import keystoneauth1.identity.generic as auth_plugins
+from keystoneauth1 import session as ks_session
 from keystoneclient.v3 import client as ks_client
 from keystoneclient.v3.endpoints import Endpoint
 from oslo_config import cfg
@ -130,3 +132,19 @@ def is_token_trust_scoped(auth_token):
    token_info = keystone_client.tokens.validate(auth_token)

    return 'OS-TRUST:trust' in token_info
+
+
+def get_admin_session():
+    """Returns a keystone session from Mistral's service credentials."""
+
+    auth = auth_plugins.Password(
+        CONF.keystone_authtoken.auth_uri,
+        username=CONF.keystone_authtoken.admin_user,
+        password=CONF.keystone_authtoken.admin_password,
+        project_name=CONF.keystone_authtoken.admin_tenant_name,
+        # NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
+        # fetch the following values from the configuration.
+        user_domain_name='Default',
+        project_domain_name='Default')
+
+    return ks_session.Session(auth=auth)
--- a/tools/sync_db.py
+++ b/tools/sync_db.py
@ -12,6 +12,7 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.

+import keystonemiddleware.opts as keystonemw_opts
 from oslo_config import cfg
 from oslo_log import log as logging

@ -25,6 +26,14 @@ CONF = cfg.CONF


 def main():
+    # NOTE(jaosorior): This is needed in order for db-sync to also register the
+    # keystonemiddleware options. Those options are used by clients that need a
+    # keystone session in order to be able to register their actions.
+    # This can be removed when mistral moves out of using keystonemiddleware in
+    # favor of keystoneauth1.
+    for group, opts in keystonemw_opts.list_auth_token_opts():
+        CONF.register_opts(opts, group=group)
+
    config.parse_args()

    if len(CONF.config_file) == 0: