Make murano auth with murano_auth section instend of keystone_authtoken

This patch add a murano_auth for murano auth with keystone, This gives ability to fine-tune role-based privileges for service-user going to execute trust-delegated tasks and the auth configuration properties do not need to change when keystonemiddleware deprecates its configuration properties. Closes-Bug: #1643583 Closes-Bug: #1658648 Change-Id: If10fa8c938c264c7b5cadb3c3ed77f39488dcab7
2017-03-28 17:19:08 +08:00 · 2017-03-28 17:19:08 +08:00 · 75b47bbabd
commit 75b47bbabd
parent 928db440f2
6 changed files with 89 additions and 43 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -18,6 +18,8 @@ else
    MURANO_BIN_DIR=$(get_python_exec_prefix)
 fi

+MURANO_AUTH_CACHE_DIR=${MURANO_AUTH_CACHE_DIR:-/var/cache/murano}
+

 # create_murano_accounts() - Set up common required murano accounts
 #
@ -184,14 +186,15 @@ function configure_murano {
    #-------------------------

    # Setup keystone_authtoken section
-    iniset $MURANO_CONF_FILE keystone_authtoken auth_uri "http://${KEYSTONE_AUTH_HOST}:5000"
-    iniset $MURANO_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $MURANO_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $MURANO_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $MURANO_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
-    iniset $MURANO_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $MURANO_CONF_FILE keystone_authtoken admin_user $MURANO_ADMIN_USER
-    iniset $MURANO_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
+    configure_auth_token_middleware $MURANO_CONF_FILE $MURANO_ADMIN_USER $MURANO_AUTH_CACHE_DIR
+
+    # Setup murano_auth section
+    iniset $MURANO_CONF_FILE murano_auth auth_uri $KEYSTONE_AUTH_URI
+    iniset $MURANO_CONF_FILE murano_auth admin_project_name $SERVICE_TENANT_NAME
+    iniset $MURANO_CONF_FILE murano_auth admin_user $MURANO_ADMIN_USER
+    iniset $MURANO_CONF_FILE murano_auth admin_password $SERVICE_PASSWORD
+    iniset $MURANO_CONF_FILE murano_auth user_domain_name "$SERVICE_DOMAIN_NAME"
+    iniset $MURANO_CONF_FILE murano_auth project_domain_name "$SERVICE_DOMAIN_NAME"

    configure_murano_rpc_backend

@ -202,10 +205,10 @@ function configure_murano {
    iniset $MURANO_CONF_FILE database connection `database_connection_url murano`

    # Configure keystone auth url
-    iniset $MURANO_CONF_FILE keystone auth_url "http://${KEYSTONE_AUTH_HOST}:5000"
+    iniset $MURANO_CONF_FILE keystone auth_url $KEYSTONE_SERVICE_URI

    # Configure Murano API URL
-    iniset $MURANO_CONF_FILE murano url "http://127.0.0.1:8082"
+    iniset $MURANO_CONF_FILE murano url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT"

    # Configure the number of api workers
    if [[ -n "$MURANO_API_WORKERS" ]]; then
@ -265,8 +268,8 @@ function install_murano_apps() {
                murano --os-username $OS_USERNAME \
                       --os-password $OS_PASSWORD \
                       --os-tenant-name $OS_PROJECT_NAME \
-                       --os-auth-url http://$KEYSTONE_AUTH_HOST:5000 \
-                       --murano-url http://127.0.0.1:8082 \
+                       --os-auth-url $KEYSTONE_SERVICE_URI \
+                       --murano-url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT" \
                       --glare-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_GLARE_HOSTPORT \
                       --murano-packages-service $MURANO_PACKAGES_SERVICE \
                       package-import \
@ -290,20 +293,13 @@ function configure_service_broker {
    iniset $MURANO_CFAPI_CONF_FILE cfapi tenant "$MURANO_CFAPI_DEFAULT_TENANT"
    iniset $MURANO_CFAPI_CONF_FILE cfapi bind_host "$MURANO_SERVICE_HOST"
    iniset $MURANO_CFAPI_CONF_FILE cfapi bind_port "$MURANO_CFAPI_SERVICE_PORT"
-    iniset $MURANO_CFAPI_CONF_FILE cfapi auth_url "http://${KEYSTONE_AUTH_HOST}:5000"
+    iniset $MURANO_CFAPI_CONF_FILE cfapi auth_url "$KEYSTONE_SERVICE_URI"

    # configure the database.
    iniset $MURANO_CFAPI_CONF_FILE database connection `database_connection_url murano_cfapi`

    # Setup keystone_authtoken section
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_uri "http://${KEYSTONE_AUTH_HOST}:5000"
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_user $MURANO_ADMIN_USER
-    iniset $MURANO_CFAPI_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
+    configure_auth_token_middleware $MURANO_CFAPI_CONF_FILE $MURANO_ADMIN_USER $MURANO_AUTH_CACHE_DIR

 }

@ -328,8 +324,18 @@ function init_murano() {
    recreate_database murano utf8

    $MURANO_BIN_DIR/murano-db-manage --config-file $MURANO_CONF_FILE upgrade
+
+    create_murano_cache_dir
+
 }

+# create_murano_cache_dir() - Part of the init_murano() process
+function create_murano_cache_dir {
+    # Create cache dirs
+    sudo install -d -o $STACK_USER $MURANO_AUTH_CACHE_DIR
+}
+
+
 # init_murano_cfapi() - Initialize databases, etc.
 function init_murano_cfapi() {

@ -347,9 +353,9 @@ function setup_core_library() {
    murano --os-username admin \
           --os-password $ADMIN_PASSWORD \
           --os-tenant-name admin \
-           --os-auth-url http://$KEYSTONE_AUTH_HOST:5000 \
+           --os-auth-url $KEYSTONE_SERVICE_URI \
           --os-region-name $REGION_NAME \
-           --murano-url http://127.0.0.1:8082 \
+           --murano-url "$MURANO_SERVICE_PROTOCOL://$MURANO_SERVICE_HOST:$MURANO_SERVICE_PORT" \
           --glare-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_GLARE_HOSTPORT \
           --murano-packages-service $MURANO_PACKAGES_SERVICE \
           package-import $MURANO_DIR/meta/*.zip \
@ -613,11 +619,12 @@ if is_service_enabled murano; then
            init_murano_cfapi
            start_service_broker
        fi
-        setup_core_library

        # Give Murano some time to Start
        sleep 3

+        setup_core_library
+
        # Install Murano apps, if needed
        install_murano_apps
    elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
--- a/murano/cmd/test_runner.py
+++ b/murano/cmd/test_runner.py
@ -23,7 +23,6 @@ from muranoclient.common import utils
 from oslo_config import cfg
 from oslo_db import options
 from oslo_log import log as logging
-from oslo_utils import importutils
 from oslo_utils import timeutils
 import six

@ -170,7 +169,7 @@ class MuranoTestRunner(object):
            'auth_url': 'auth_uri',
            'username': 'admin_user',
            'password': 'admin_password',
-            'project_name': 'admin_tenant_name'}
+            'project_name': 'admin_project_name'}

        ks_opts = {'auth_url': getattr(args, 'os_auth_url', None),
                   'username': getattr(args, 'os_username', None),
@ -184,12 +183,10 @@ class MuranoTestRunner(object):
                           '--os-project-name', '--os-tenant-id']))
            LOG.error(msg)
            self.error(msg)
-        # Load keystone configuration parameters from config
-        importutils.import_module('keystonemiddleware.auth_token')

        for param, value in six.iteritems(ks_opts):
            if not value:
-                ks_opts[param] = getattr(CONF.keystone_authtoken,
+                ks_opts[param] = getattr(CONF.murano_auth,
                                         ks_opts_to_config[param])
            if param == 'auth_url':
                ks_opts[param] = ks_opts[param].replace('v2.0', 'v3')
--- a/murano/common/auth_utils.py
+++ b/murano/common/auth_utils.py
@ -16,32 +16,49 @@ from keystoneauth1 import identity
 from keystoneauth1 import loading as ka_loading
 from keystoneclient.v3 import client as ks_client
 from oslo_config import cfg
+from oslo_log import log as logging
+from oslo_log import versionutils

 from murano.dsl import helpers


 CFG_KEYSTONE_GROUP = 'keystone_authtoken'
+LOG = logging.getLogger(__name__)

 cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token')


 def _get_keystone_auth(trust_id=None):
-    if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type:
+    auth_uri = cfg.CONF['murano_auth'].auth_uri
+    username = cfg.CONF['murano_auth'].admin_user
+    password = cfg.CONF['murano_auth'].admin_password
+    user_domain_name = cfg.CONF['murano_auth'].user_domain_name or "Default"
+    auth_type = cfg.CONF['murano_auth'].auth_type
+    project_name = cfg.CONF['murano_auth'].admin_project_name
+    project_domain_name = cfg.CONF['murano_auth'].project_domain_name or \
+        "Default"
+    if not (auth_uri and username and password):
+        versionutils.report_deprecated_feature(
+            LOG, "Please update configuration in 'murano_auth' group")
+        auth_uri = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri
+        username = cfg.CONF[CFG_KEYSTONE_GROUP].admin_user
+        password = cfg.CONF[CFG_KEYSTONE_GROUP].admin_password
+        auth_type = cfg.CONF[CFG_KEYSTONE_GROUP].auth_type
+        project_name = cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name
+    if not auth_type:
        # Fallback to legacy v2 options if no auth_type is set.
        # If auth_type is set, it is possible to use the auth loader
        # from keystoneauth1. This is the same fallback as keystonemiddleware
        # uses.
        kwargs = {
-            'auth_url':
-                cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'),
-            'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user,
-            'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password,
-            'user_domain_name': "Default"
+            'auth_url': auth_uri.replace('v2.0', 'v3'),
+            'username': username,
+            'password': password,
+            'user_domain_name': user_domain_name
        }
        if not trust_id:
-            kwargs['project_name'] = \
-                cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name
-            kwargs['project_domain_name'] = "Default"
+            kwargs['project_name'] = project_name
+            kwargs['project_domain_name'] = project_domain_name
        else:
            kwargs['trust_id'] = trust_id
        auth = identity.Password(**kwargs)
--- a/murano/common/config.py
+++ b/murano/common/config.py
@ -328,6 +328,27 @@ home_region = cfg.StrOpt(
    'home_region',
    help="Default region name used to get services endpoints.")

+murano_auth_opts = [
+    cfg.StrOpt('auth_type', help='Authentication type to load.'),
+
+    cfg.StrOpt('auth_uri', help='Identity API endpoint.'),
+
+    cfg.StrOpt('admin_user',
+               help='User name for murano authentication.'),
+
+    cfg.StrOpt('admin_password',
+               help='Password for murano authentication.'),
+
+    cfg.StrOpt('user_domain_name',
+               help="User's domain name for authentication."),
+
+    cfg.StrOpt('admin_project_name',
+               help="Project name for project scoping."),
+
+    cfg.StrOpt('project_domain_name',
+               help="Project's domain name."),
+]
+

 CONF = cfg.CONF
 CONF.register_opts(paste_deploy_opts, group='paste_deploy')
@ -345,6 +366,7 @@ CONF.register_opts(stats_opts, group='stats')
 CONF.register_opts(networking_opts, group='networking')
 CONF.register_opts(glare_opts, group='glare')
 CONF.register_opts(glance_opts, group='glance')
+CONF.register_opts(murano_auth_opts, group='murano_auth')


 def parse_args(args=None, usage=None, default_config_files=None):
--- a/murano/opts.py
+++ b/murano/opts.py
@ -44,6 +44,7 @@ _opt_lists = [
    ('mistral', murano.common.config.mistral_opts),
    ('networking', murano.common.config.networking_opts),
    ('stats', murano.common.config.stats_opts),
+    ('murano_auth', murano.common.config.murano_auth_opts),
    (None, build_list([
        murano.common.config.metadata_dir,
        murano.common.config.bind_opts,
--- a/murano/tests/unit/common/test_auth_utils.py
+++ b/murano/tests/unit/common/test_auth_utils.py
@ -45,7 +45,9 @@ class TestAuthUtils(base.MuranoTestCase):
        mock_conf.auth_uri = 'foo_auth_uri/v2.0'
        mock_conf.admin_user = mock.sentinel.admin_user
        mock_conf.admin_password = mock.sentinel.admin_password
-        mock_conf.admin_tenant_name = mock.sentinel.admin_tenant_name
+        mock_conf.admin_project_name = mock.sentinel.admin_project_name
+        mock_conf.user_domain_name = mock.sentinel.user_domain_name
+        mock_conf.project_domain_name = mock.sentinel.project_domain_name
        return mock_cfg, mock_auth_obj

    def test_get_keystone_auth(self):
@ -55,9 +57,9 @@ class TestAuthUtils(base.MuranoTestCase):
            'auth_url': 'foo_auth_uri/v3',
            'username': mock.sentinel.admin_user,
            'password': mock.sentinel.admin_password,
-            'user_domain_name': 'Default',
-            'project_name': mock.sentinel.admin_tenant_name,
-            'project_domain_name': 'Default'
+            'user_domain_name': mock.sentinel.user_domain_name,
+            'project_name': mock.sentinel.admin_project_name,
+            'project_domain_name': mock.sentinel.project_domain_name
        }
        expected_auth = mock.sentinel.auth
        actual_auth = auth_utils._get_keystone_auth()
@ -72,7 +74,7 @@ class TestAuthUtils(base.MuranoTestCase):
            'auth_url': 'foo_auth_uri/v3',
            'username': mock.sentinel.admin_user,
            'password': mock.sentinel.admin_password,
-            'user_domain_name': 'Default',
+            'user_domain_name': mock.sentinel.user_domain_name,
            'trust_id': mock.sentinel.trust_id
        }
        expected_auth = mock.sentinel.auth