Add authentication options for KeyCloak OIDC

Change-Id: I3126cc5fcc42f6ad6f8eb2daa0d30e032b54bcae

mistral/config.py

@@ -28,6 +28,7 @@ from osprofiler import opts as profiler
 from mistral import version
 
 
+# Options under default group.
 launch_opt = cfg.ListOpt(
     'server',
     default=['all'],
@@ -36,6 +37,27 @@ launch_opt = cfg.ListOpt(
          'api, engine, and executor.'
 )
 
+wf_trace_log_name_opt = cfg.StrOpt(
+    'workflow_trace_log_name',
+    default='workflow_trace',
+    help='Logger name for pretty workflow trace output.'
+)
+
+use_debugger_opt = cfg.BoolOpt(
+    'use-debugger',
+    default=False,
+    help='Enables debugger. Note that using this option changes how the '
+         'eventlet library is used to support async IO. This could result '
+         'in failures that do not occur under normal operation. '
+         'Use at your own risk.'
+)
+
+auth_type_opt = cfg.StrOpt(
+    'auth_type',
+    default='keystone',
+    help='Authentication type (valid options: keystone, keycloak-oidc)'
+)
+
 api_opts = [
     cfg.StrOpt('host', default='0.0.0.0', help='Mistral API server host'),
     cfg.PortOpt('port', default=8989, help='Mistral API server port'),
@@ -87,15 +109,6 @@ pecan_opts = [
     )
 ]
 
-use_debugger = cfg.BoolOpt(
-    "use-debugger",
-    default=False,
-    help='Enables debugger. Note that using this option changes how the '
-         'eventlet library is used to support async IO. This could result '
-         'in failures that do not occur under normal operation. '
-         'Use at your own risk.'
-)
-
 engine_opts = [
     cfg.StrOpt('engine', default='default', help='Mistral engine plugin'),
     cfg.StrOpt(
@@ -157,13 +170,6 @@ execution_expiration_policy_opts = [
     )
 ]
 
-wf_trace_log_name_opt = cfg.StrOpt(
-    'workflow_trace_log_name',
-    default='workflow_trace',
-    help='Logger name for pretty '
-         'workflow trace output.'
-)
-
 coordination_opts = [
     cfg.StrOpt(
         'backend_url',
@@ -186,6 +192,14 @@ profiler_opts.append(
 )
 
 
+keycloak_oidc_opts = [
+    cfg.StrOpt(
+        'auth_url',
+        help='Keycloak base url (e.g. https://my.keycloak:8443/auth)'
+    )
+]
+
+
 CONF = cfg.CONF
 
 API_GROUP = 'api'
@@ -195,25 +209,36 @@ PECAN_GROUP = 'pecan'
 COORDINATION_GROUP = 'coordination'
 EXECUTION_EXPIRATION_POLICY_GROUP = 'execution_expiration_policy'
 PROFILER_GROUP = profiler.list_opts()[0][0]
+KEYCLOAK_OIDC_GROUP = "keycloak_oidc"
+
+CONF.register_opt(wf_trace_log_name_opt)
+CONF.register_opt(auth_type_opt)
 
 CONF.register_opts(api_opts, group=API_GROUP)
 CONF.register_opts(engine_opts, group=ENGINE_GROUP)
 CONF.register_opts(pecan_opts, group=PECAN_GROUP)
 CONF.register_opts(executor_opts, group=EXECUTOR_GROUP)
-CONF.register_opts(execution_expiration_policy_opts,
+CONF.register_opts(
-                   group=EXECUTION_EXPIRATION_POLICY_GROUP)
+    execution_expiration_policy_opts,
-CONF.register_opt(wf_trace_log_name_opt)
+    group=EXECUTION_EXPIRATION_POLICY_GROUP
+)
 CONF.register_opts(coordination_opts, group=COORDINATION_GROUP)
 CONF.register_opts(profiler_opts, group=PROFILER_GROUP)
 CONF.register_opt(rpc_impl_opt)
+CONF.register_opts(keycloak_oidc_opts, group=KEYCLOAK_OIDC_GROUP)
 CONF.register_opt(os_endpoint_type)
 
 
 CLI_OPTS = [
-    use_debugger,
+    use_debugger_opt,
     launch_opt
 ]
 
+default_group_opts = itertools.chain(
+    CLI_OPTS,
+    [wf_trace_log_name_opt, auth_type_opt, rpc_impl_opt, os_endpoint_type]
+)
+
 CONF.register_cli_opts(CLI_OPTS)
 
 _DEFAULT_LOG_LEVELS = [
@@ -239,14 +264,8 @@ def list_opts():
         (COORDINATION_GROUP, coordination_opts),
         (EXECUTION_EXPIRATION_POLICY_GROUP, execution_expiration_policy_opts),
         (PROFILER_GROUP, profiler_opts),
-        (None, itertools.chain(
+        (KEYCLOAK_OIDC_GROUP, keycloak_oidc_opts),
-            CLI_OPTS,
+        (None, default_group_opts)
-            [
-                wf_trace_log_name_opt,
-                rpc_impl_opt,
-                os_endpoint_type,
-            ]
-        ))
     ]