openstack/deb-murano
Code Issues Proposed changes

Use keystoneauth1 lib for authentication helpers

Browse Source 
If auth_type is set in the keystone_authtoken section,
then one can use the the keystoneauth1 library to load the
authentication plugin. This makes muranoclient fully workable,
with Keystone v3 in case domain name is not 'Default'.

Related-Bug: 1580611

Change-Id: I0d71032fb5296752ee25482b75993072884731e7
This commit is contained in:
Gyorgy Szombathelyi 2016-06-20 21:41:04 +02:00 committed by Kirill Zaitsev
parent 420f7e7a23
commit 3d20f25d3b
4 changed files with 82 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
murano/api/middleware/ext_context.py
View File

@ -14,10 +14,9 @@
import base64 import base64
import keystoneclient from keystoneauth1 import exceptions
from keystoneclient.auth.identity import v3 from keystoneauth1.identity import v3
from keystoneclient import exceptions from keystoneauth1 import session as ks_session
from keystoneclient import session as ks_session
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log from oslo_log import log
from webob import exc from webob import exc
@ -65,13 +64,13 @@ class ExternalContextMiddleware(wsgi.Middleware):
try: try:
self._murano_endpoint = auth.get_endpoint( self._murano_endpoint = auth.get_endpoint(
session, 'application-catalog') session, 'application-catalog')
except keystoneclient.exceptions.EndpointNotFound: except exceptions.EndpointNotFound:
pass pass
if not hasattr(self, '_glare_endpoint'): if not hasattr(self, '_glare_endpoint'):
try: try:
self._glare_endpoint = auth.get_endpoint( self._glare_endpoint = auth.get_endpoint(
session, 'artifact') session, 'artifact')
except keystoneclient.exceptions.EndpointNotFound: except exceptions.EndpointNotFound:
pass pass
def get_endpoints(self): def get_endpoints(self):

119
murano/common/auth_utils.py
View File

@ -12,39 +12,60 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from keystoneauth1 import identity
from keystoneclient.auth import identity from keystoneauth1 import loading as ka_loading
from keystoneclient import session as ks_session
from keystoneclient.v3 import client as ks_client from keystoneclient.v3 import client as ks_client
from oslo_config import cfg from oslo_config import cfg
from oslo_utils import importutils
from murano.dsl import helpers from murano.dsl import helpers
@helpers.memoize CFG_KEYSTONE_GROUP = 'keystone_authtoken'
def _get_keystone_admin_parameters(scoped):
importutils.import_module('keystonemiddleware.auth_token') cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token')
settings = {
'auth_url': cfg.CONF.keystone_authtoken.auth_uri.replace('v2.0', 'v3'),
'username': cfg.CONF.keystone_authtoken.admin_user, def _get_keystone_auth(trust_id=None):
'password': cfg.CONF.keystone_authtoken.admin_password, if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type:
# Fallback to legacy v2 options if no auth_type is set.
# If auth_type is set, it is possible to use the auth loader
# from keystoneauth1. This is the same fallback as keystonemiddleware
# uses.
kwargs = {
'auth_url':
cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'),
'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user,
'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password,
'user_domain_name': "Default" 'user_domain_name': "Default"
} }
if scoped: if not trust_id:
settings.update({ kwargs['project_name'] = \
'project_name': cfg.CONF.keystone_authtoken.admin_tenant_name, cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name
'project_domain_name': "Default" kwargs['project_domain_name'] = "Default"
}) else:
return settings kwargs['trust_id'] = trust_id
auth = identity.Password(**kwargs)
else:
kwargs = {}
if trust_id:
# Remove project_name and project_id, since we need a trust scoped
# auth object
kwargs['project_name'] = None
kwargs['project_domain_name'] = None
kwargs['project_id'] = None
kwargs['trust_id'] = trust_id
auth = ka_loading.load_auth_from_conf_options(
cfg.CONF,
CFG_KEYSTONE_GROUP,
**kwargs)
return auth
@helpers.memoize def _create_keystone_admin_client():
def create_keystone_admin_client(scoped): auth = _get_keystone_auth()
kwargs = _get_keystone_admin_parameters(scoped) session = _get_session(
password_auth = identity.Password(**kwargs) auth=auth,
session = ks_session.Session(auth=password_auth) conf_section=cfg.CONF[CFG_KEYSTONE_GROUP])
_set_ssl_parameters(cfg.CONF.keystone_authtoken, session)
return ks_client.Client(session=session) return ks_client.Client(session=session)
@ -56,23 +77,22 @@ def get_client_session(execution_session=None, conf=None):
return get_token_client_session( return get_token_client_session(
token=execution_session.token, token=execution_session.token,
project_id=execution_session.project_id) project_id=execution_session.project_id)
kwargs = _get_keystone_admin_parameters(False) auth = _get_keystone_auth(trust_id)
kwargs['trust_id'] = trust_id session = _get_session(auth=auth, conf_section=conf)
password_auth = identity.Password(**kwargs)
session = ks_session.Session(auth=password_auth)
_set_ssl_parameters(conf, session)
return session return session
def get_token_client_session(token=None, project_id=None, conf=None): def get_token_client_session(token=None, project_id=None, conf=None):
auth_url = _get_keystone_admin_parameters(False)['auth_url'] auth_url = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3')
if token is None or project_id is None: if token is None or project_id is None:
execution_session = helpers.get_execution_session() execution_session = helpers.get_execution_session()
token = execution_session.token token = execution_session.token
project_id = execution_session.project_id project_id = execution_session.project_id
token_auth = identity.Token(auth_url, token=token, project_id=project_id) token_auth = identity.Token(
session = ks_session.Session(auth=token_auth) auth_url,
_set_ssl_parameters(conf, session) token=token,
project_id=project_id)
session = _get_session(auth=token_auth, conf_section=conf)
return session return session
@ -82,7 +102,7 @@ def create_keystone_client(token=None, project_id=None, conf=None):
def create_trust(trustee_token=None, trustee_project_id=None): def create_trust(trustee_token=None, trustee_project_id=None):
admin_client = create_keystone_admin_client(True) admin_client = _create_keystone_admin_client()
user_client = create_keystone_client( user_client = create_keystone_client(
token=trustee_token, project_id=trustee_project_id) token=trustee_token, project_id=trustee_project_id)
trustee_user = admin_client.session.auth.get_user_id(admin_client.session) trustee_user = admin_client.session.auth.get_user_id(admin_client.session)
@ -100,7 +120,7 @@ def create_trust(trustee_token=None, trustee_project_id=None):
def delete_trust(trust): def delete_trust(trust):
user_client = create_keystone_admin_client(True) user_client = _create_keystone_admin_client()
user_client.trusts.delete(trust) user_client.trusts.delete(trust)
@ -113,25 +133,20 @@ def _get_config_option(conf_section, option_names, default=None):
return default return default
def _set_ssl_parameters(conf_section, session): def _get_session(auth, conf_section):
# Fallback to keystone_authtoken section for TLS parameters
# if no other conf_section supplied
if not conf_section: if not conf_section:
return conf_section = cfg.CONF[CFG_KEYSTONE_GROUP]
insecure = _get_config_option(conf_section, 'insecure', False) session = ka_loading.session.Session().load_from_options(
if insecure: auth=auth,
session.verify = False insecure=_get_config_option(conf_section, 'insecure', False),
else: cacert=_get_config_option(
session.verify = _get_config_option( conf_section,
conf_section, ('ca_file', 'cafile', 'cacert')) or True ('ca_file', 'cafile', 'cacert')),
key=_get_config_option(conf_section, ('key_file', 'keyfile')),
cert_file = _get_config_option(conf_section, ('cert_file', 'certfile')) cert=_get_config_option(conf_section, ('cert_file', 'certfile')))
key_file = _get_config_option(conf_section, ('key_file', 'keyfile')) return session
if cert_file and key_file:
session.cert = (cert_file, key_file)
elif cert_file:
session.cert = cert_file
else:
session.cert = None
def get_session_client_parameters(service_type=None, def get_session_client_parameters(service_type=None,

7
releasenotes/notes/keystone-v3-0e287679f7f40a2a.yaml Normal file
View File

@ -0,0 +1,7 @@
---
fixes:
- Removed the need for Keystone v2 options (admin_user,
admin_password, admin_tenant_name) when Keystone v3
is in use, also don't assume that the service user
and service project in the 'Default' domain. This
properly fixes #1580611.

1
requirements.txt
View File

@ -18,6 +18,7 @@ six>=1.9.0 # MIT
netaddr!=0.7.16,>=0.7.12 # BSD netaddr!=0.7.16,>=0.7.12 # BSD
PyYAML>=3.1.0 # MIT PyYAML>=3.1.0 # MIT
jsonpatch>=1.1 # BSD jsonpatch>=1.1 # BSD
keystoneauth1>=2.7.0 # Apache-2.0
keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0 keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0
testtools>=1.4.0 # MIT testtools>=1.4.0 # MIT
yaql>=1.1.0 # Apache 2.0 License yaql>=1.1.0 # Apache 2.0 License