From 2a688440132173d493dff7c7c3760681d41e11be Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Tue, 8 Dec 2015 13:26:29 +0000
Subject: [PATCH] Heat - revise keystone/trusts config to avoid deprecated options

There are some inter-related changes required to avoid using legacy fallback/deprecated paths in heat, which result in warnings in the log, e.g because we fall-back to reusing keystone auth_token configuration instead of heat specific sections.

To fix this:

- Don't explicitly set deferred_auth_method=trusts, as this is now the default (since kilo)
- Create a new "trustee" section containing configuration used for the password auth-plugin associated with deferred authentication via trusts (support for this was added during liberty to enable us to stop incorrectly using the keystone auth_token config)
- Create a "clients_keystone" section to avoid falling back to the legacy behavior of stealing the uri from auth_token. This also means we can remove the FIXME and auth_token auth_uri mentioned by jamielennox.

Change-Id: Ie34332a7aec3b9b271df0759dd6ab66b45302832
Related-Bug: #1300246
---
 lib/heat | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/lib/heat b/lib/heat
index fdcf5bcaad..3666776317 100644
--- a/lib/heat
+++ b/lib/heat
@@ -56,6 +56,10 @@ HEAT_ENV_DIR=$HEAT_CONF_DIR/environment.d
 HEAT_TEMPLATES_DIR=$HEAT_CONF_DIR/templates
 HEAT_API_HOST=${HEAT_API_HOST:-$HOST_IP}
 HEAT_API_PORT=${HEAT_API_PORT:-8004}
+HEAT_SERVICE_USER=${HEAT_SERVICE_USER:-heat}
+HEAT_TRUSTEE_USER=${HEAT_TRUSTEE_USER:-$HEAT_SERVICE_USER}
+HEAT_TRUSTEE_PASSWORD=${HEAT_TRUSTEE_PASSWORD:-$SERVICE_PASSWORD}
+HEAT_TRUSTEE_DOMAIN=${HEAT_TRUSTEE_DOMAIN:-default}
 
 # Support entry points installation of console scripts
 HEAT_BIN_DIR=$(get_python_exec_prefix)
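Review bot: `HEAT_TRUSTEE_DOMAIN` is consumed as `user_domain_id` in configure_heat further down the patch, but the name reads like a domain name, and the default `default` only works because it is the id (not the name, `Default`) of keystone's default domain. Mark the ambiguity on the new line rather than leaving it to the reader: `HEAT_TRUSTEE_DOMAIN=${HEAT_TRUSTEE_DOMAIN:-default}  # keystone domain *id* of the trustee user, not its name`. The four new variables also lack a header comment; a line such as `# Credentials heat uses for the [trustee] password auth plugin (deferred auth via trusts); they default to the heat service user` above `HEAT_SERVICE_USER` would explain why the trustee password falls back to `SERVICE_PASSWORD`.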
@@ -73,7 +77,7 @@ if [[ "$HEAT_STANDALONE" = "True" ]]; then
 fi
 else
 HEAT_STACK_DOMAIN=$(trueorfalse True HEAT_STACK_DOMAIN)
- HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-trusts}
+ HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-}
 fi
 HEAT_PLUGIN_DIR=${HEAT_PLUGIN_DIR:-$DATA_DIR/heat/plugins}
 ENABLE_HEAT_PLUGINS=${ENABLE_HEAT_PLUGINS:-}
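Review bot: The new default `HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-}` is easy to misread as "no deferred auth", while configure_heat treats the empty value as "keep heat's own default, i.e. trusts" and only writes `deferred_auth_method` when the value is non-empty. A comment on the changed line would make that contract explicit: `# Empty means heat's built-in default (trusts since kilo); configure_heat only writes deferred_auth_method when set`. The `if [[ "$HEAT_STANDALONE" ... ]]` block this line belongs to starts outside the hunk.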
@@ -134,30 +138,39 @@ function configure_heat {
 setup_colorized_logging $HEAT_CONF DEFAULT tenant user
 fi
- iniset $HEAT_CONF DEFAULT deferred_auth_method $HEAT_DEFERRED_AUTH
+ if [ ! -z "$HEAT_DEFERRED_AUTH" ]; then
+ iniset $HEAT_CONF DEFAULT deferred_auth_method $HEAT_DEFERRED_AUTH
+ fi
 if [ "$HEAT_USE_MOD_WSGI" == "True" ]; then
 _config_heat_apache_wsgi
 fi
- # NOTE(jamielennox): heat re-uses specific values from the
- # keystone_authtoken middleware group and so currently fails when using the
- # auth plugin setup. This should be fixed in heat. Heat is also the only
- # service that requires the auth_uri to include a /v2.0. Remove this custom
- # setup when bug #1300246 is resolved.
- iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
 if [[ "$HEAT_STANDALONE" = "True" ]]; then
 iniset $HEAT_CONF paste_deploy flavor standalone
 iniset $HEAT_CONF clients_heat url "http://$HEAT_API_HOST:$HEAT_API_PORT/v1/%(tenant_id)s"
 else
 iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $HEAT_CONF keystone_authtoken admin_user heat
+ iniset $HEAT_CONF keystone_authtoken admin_user $HEAT_SERVICE_USER
 iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
 iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
 iniset $HEAT_CONF keystone_authtoken cafile $SSL_BUNDLE_FILE
 iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
 fi
+ # If HEAT_DEFERRED_AUTH is unset or explicitly set to trusts, configure
+ # the section for the client plugin associated with the trustee
+ if [ -z "$HEAT_DEFERRED_AUTH" -o "trusts" == "$HEAT_DEFERRED_AUTH" ]; then
+ iniset $HEAT_CONF trustee auth_plugin password
+ iniset $HEAT_CONF trustee auth_url $KEYSTONE_AUTH_URI
+ iniset $HEAT_CONF trustee username $HEAT_TRUSTEE_USER
+ iniset $HEAT_CONF trustee password $HEAT_TRUSTEE_PASSWORD
+ iniset $HEAT_CONF trustee user_domain_id $HEAT_TRUSTEE_DOMAIN
+ fi
+
+ # clients_keystone
+ iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI
+
 # ec2authtoken
 iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
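Review bot: The new trustee guard `[ -z "$HEAT_DEFERRED_AUTH" -o "trusts" == "$HEAT_DEFERRED_AUTH" ]` mixes the obsolescent `-o` operator with the bash-only `==` inside single-bracket `test`, while the same function already uses `[[ ... ]]` for `HEAT_STANDALONE`; prefer `if [[ -z "$HEAT_DEFERRED_AUTH" || "$HEAT_DEFERRED_AUTH" == "trusts" ]]; then`, and likewise `if [[ -n "$HEAT_DEFERRED_AUTH" ]]; then` for the `deferred_auth_method` guard at the top of the hunk. The trustee block is also not conditioned on `HEAT_STANDALONE` the way the `keystone_authtoken` block above it is, so a standalone run whose `HEAT_DEFERRED_AUTH` ends up empty or `trusts` (the standalone default is assigned outside this hunk) would still get a `[trustee]` section pointing at `$KEYSTONE_AUTH_URI` with the service password written into heat.conf; if that is unintended, fold `"$HEAT_STANDALONE" != "True"` into the condition. configure_heat begins before this hunk.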