Use keystoneauth1 for cinder access
The goal is to add support for keystone v3 while still maintaining backward compatibility. In particular, it did the following: * Use keystoneauth1 for keystone authentication * Deprecate the usage of keystoneclient.auth, which is the legacy way of doing authentication. It seems to support keystone v2 only, which causes the problem. * Introduce new auth session in config file. * Deprecate old auth session in config file. Closes-Bug: #1563011 Change-Id: Ia80b4377eda6314ad8e6287cb65eb2842f972b8b
parent
58af54cfc8
commit
af24f14be5
@ -9,4 +9,8 @@ SERVICE_PASSWORD=pass
|
||||
SERVICE_TOKEN=pass
|
||||
ADMIN_PASSWORD=pass
|
||||
|
||||
# Install kuryr git master source code by default.
|
||||
# If you want to use stable kuryr lib, please comment out this line.
|
||||
LIBS_FROM_GIT=kuryr
|
||||
|
||||
enable_plugin fuxi https://git.openstack.org/openstack/fuxi
|
||||
|
@ -54,10 +54,7 @@ function configure_fuxi {
|
||||
|
||||
if is_service_enabled fuxi; then
|
||||
configure_auth_token_middleware $FUXI_CONFIG fuxi \
|
||||
$FUXI_AUTH_CACHE_DIR keystone
|
||||
iniset $FUXI_CONFIG keystone admin_user fuxi
|
||||
iniset $FUXI_CONFIG keystone admin_password $SERVICE_PASSWORD
|
||||
iniset $FUXI_CONFIG keystone admin_tenant_name $SERVICE_PROJECT_NAME
|
||||
$FUXI_AUTH_CACHE_DIR cinder
|
||||
|
||||
iniset $FUXI_CONFIG DEFAULT fuxi_port 7879
|
||||
iniset $FUXI_CONFIG DEFAULT my_ip $HOST_IP
|
||||
@ -79,6 +76,10 @@ function configure_fuxi {
|
||||
if is_service_enabled fuxi; then
|
||||
|
||||
if [[ "$1" == "stack" && "$2" == "install" ]]; then
|
||||
if use_library_from_git "kuryr"; then
|
||||
git_clone_by_name "kuryr"
|
||||
setup_dev_lib "kuryr"
|
||||
fi
|
||||
install_etcd_data_store
|
||||
setup_develop $FUXI_HOME
|
||||
|
||||
|
@ -17,4 +17,8 @@ FUXI_DOCKER_ENGINE_PORT=${FUXI_DOCKER_ENGINE_PORT:-2375}
|
||||
FUXI_DOCKER_ENGINE_SOCKET_FILE=${FUXI_DOCKER_ENGINE_SOCKET_FILE:-/var/run/docker.sock}
|
||||
FUXI_ETCD_PORT=${FUXI_ETCD_PORT:-4001}
|
||||
|
||||
GITREPO["kuryr"]=${KURYR_REPO:-${GIT_BASE}/openstack/kuryr.git}
|
||||
GITBRANCH["kuryr"]=${KURYR_BRANCH:-master}
|
||||
GITDIR["kuryr"]=$DEST/kuryr
|
||||
|
||||
enable_service fuxi etcd-server docker-engine
|
||||
|
@ -12,6 +12,8 @@
|
||||
|
||||
import os
|
||||
|
||||
from kuryr.lib import config as kuryr_config
|
||||
from kuryr.lib import opts as kuryr_opts
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
|
||||
@ -45,31 +47,39 @@ default_opts = [
|
||||
default='/etc/fuxi/rootwrap.conf'),
|
||||
]
|
||||
|
||||
keystone_opts = [
|
||||
legacy_keystone_opts = [
|
||||
cfg.StrOpt('region',
|
||||
default=os.environ.get('REGION'),
|
||||
help=_('The region that this machine belongs to.')),
|
||||
help=_('The region that this machine belongs to.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('auth_url',
|
||||
default=os.environ.get('IDENTITY_URL'),
|
||||
help=_('The URL for accessing the identity service.')),
|
||||
help=_('The URL for accessing the identity service.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('admin_user',
|
||||
default=os.environ.get('SERVICE_USER'),
|
||||
help=_('The username to auth with the identity service.')),
|
||||
help=_('The username to auth with the identity service.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('admin_tenant_name',
|
||||
default=os.environ.get('SERVICE_TENANT_NAME'),
|
||||
help=_('The tenant name to auth with the identity service.')),
|
||||
help=_('The tenant name to auth with the identity service.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('admin_password',
|
||||
default=os.environ.get('SERVICE_PASSWORD'),
|
||||
help=_('The password to auth with the identity service.')),
|
||||
help=_('The password to auth with the identity service.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('admin_token',
|
||||
default=os.environ.get('SERVICE_TOKEN'),
|
||||
help=_('The admin token.')),
|
||||
help=_('The admin token.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.StrOpt('auth_ca_cert',
|
||||
default=os.environ.get('SERVICE_CA_CERT'),
|
||||
help=_('The CA certification file.')),
|
||||
help=_('The CA certification file.'),
|
||||
deprecated_for_removal=True),
|
||||
cfg.BoolOpt('auth_insecure',
|
||||
default=True,
|
||||
help=_("Turn off verification of the certificate for ssl.")),
|
||||
help=_("Turn off verification of the certificate for ssl."),
|
||||
deprecated_for_removal=True),
|
||||
]
|
||||
|
||||
cinder_opts = [
|
||||
@ -96,9 +106,17 @@ cinder_opts = [
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.register_opts(default_opts)
|
||||
CONF.register_opts(keystone_opts, group='keystone')
|
||||
CONF.register_opts(legacy_keystone_opts, group='keystone')
|
||||
CONF.register_opts(cinder_opts, group='cinder')
|
||||
|
||||
CFG_GROUP = 'cinder'
|
||||
|
||||
# Settting options for Keystone.
|
||||
kuryr_config.register_keystoneauth_opts(CONF, CFG_GROUP)
|
||||
CONF.set_default('auth_type', default='password', group=CFG_GROUP)
|
||||
|
||||
keystone_auth_opts = kuryr_opts.get_keystoneauth_conf_options()
|
||||
|
||||
# Setting oslo.log options for logging.
|
||||
logging.register_options(CONF)
|
||||
|
||||
|
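Review bot: `admin_password` and `admin_token` in `legacy_keystone_opts` are still plain `cfg.StrOpt` entries without `secret=True`, so their values are not masked if the service dumps its options (for example through `CONF.log_opt_values`). Since both entries are already being edited to add `deprecated_for_removal=True`, add `secret=True` to them in the same change. `auth_insecure` also keeps `default=True`, so a deployment that ends up on the legacy options presumably runs with certificate verification off unless the operator overrides it; consider `default=False`, or at least state the insecure default in the help text. The comment `# Settting options for Keystone.` has a typo.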
@ -21,5 +21,6 @@ from fuxi.common import config
|
||||
|
||||
def list_fuxi_opts():
|
||||
return [('DEFAULT', itertools.chain(config.default_opts,)),
|
||||
('keystone', itertools.chain(config.keystone_opts,)),
|
||||
('cinder', itertools.chain(config.cinder_opts,)), ]
|
||||
('keystone', itertools.chain(config.legacy_keystone_opts,)),
|
||||
('cinder', itertools.chain(config.cinder_opts,)),
|
||||
(config.CFG_GROUP, itertools.chain(config.keystone_auth_opts,)), ]
|
||||
|
@ -18,14 +18,12 @@ import socket
|
||||
import string
|
||||
import traceback
|
||||
|
||||
from fuxi.common import constants
|
||||
from fuxi import exceptions
|
||||
from fuxi.i18n import _LW, _LE
|
||||
|
||||
from cinderclient import client as cinder_client
|
||||
from cinderclient import exceptions as cinder_exception
|
||||
from keystoneauth1 import exceptions as ka_exception
|
||||
from keystoneauth1.session import Session
|
||||
from keystoneclient.auth import get_plugin_class
|
||||
from kuryr.lib import utils as kuryr_utils
|
||||
from novaclient import client as nova_client
|
||||
from novaclient import exceptions as nova_exception
|
||||
from os_brick import exception as brick_exception
|
||||
@ -36,6 +34,11 @@ from oslo_utils import importutils
|
||||
from oslo_utils import uuidutils
|
||||
from werkzeug import exceptions as w_exceptions
|
||||
|
||||
from fuxi.common import config
|
||||
from fuxi.common import constants
|
||||
from fuxi import exceptions
|
||||
from fuxi.i18n import _LW, _LE
|
||||
|
||||
cloud_init_conf = '/var/lib/cloud/instances'
|
||||
|
||||
CONF = cfg.CONF
|
||||
@ -140,7 +143,7 @@ def _openstack_auth_from_config(**config):
|
||||
return plugin_class(**plugin_kwargs)
|
||||
|
||||
|
||||
def get_keystone_session(**kwargs):
|
||||
def get_legacy_keystone_session(**kwargs):
|
||||
keystone_conf = CONF.keystone
|
||||
config = {}
|
||||
config['auth_url'] = keystone_conf.auth_url
|
||||
@ -158,6 +161,16 @@ def get_keystone_session(**kwargs):
|
||||
return Session(auth=_openstack_auth_from_config(**config), verify=verify)
|
||||
|
||||
|
||||
def get_keystone_session(**kwargs):
|
||||
try:
|
||||
conf_group = config.CFG_GROUP
|
||||
auth_plugin = kuryr_utils.get_auth_plugin(conf_group)
|
||||
session = kuryr_utils.get_keystone_session(conf_group, auth_plugin)
|
||||
return session
|
||||
except ka_exception.MissingRequiredOptions:
|
||||
return get_legacy_keystone_session(**kwargs)
|
||||
|
||||
|
||||
def get_cinderclient(session=None, region=None, **kwargs):
|
||||
if not session:
|
||||
session = get_keystone_session(**kwargs)
|
||||
|
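Review bot: The `except ka_exception.MissingRequiredOptions` branch in `get_keystone_session` falls back to `get_legacy_keystone_session` without logging anything, so an operator who omits or mistypes an option in the new auth section silently ends up on the deprecated `[keystone]` credentials. If `verify` in the legacy function is derived from `auth_insecure` (default `True`; the computation is outside these hunks), that fallback session also skips certificate verification. Log a warning before falling back, e.g. `LOG.warning(_LW("Auth options in [%s] are incomplete; falling back to deprecated [keystone] options"), config.CFG_GROUP)`, assuming the module defines `LOG`, which the hunks do not show. `**kwargs` is ignored on the new path and only reaches the legacy function; a one-line docstring saying so would prevent callers from relying on it.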
@ -7,6 +7,7 @@ pytz>=2013.6 # MIT
|
||||
Babel>=2.3.4 # BSD
|
||||
Flask!=0.11,<1.0,>=0.10 # BSD
|
||||
keystoneauth1>=2.16.0 # Apache-2.0
|
||||
kuryr-lib>=0.1.0 # Apache-2.0
|
||||
oslo.rootwrap>=5.0.0 # Apache-2.0
|
||||
oslo.concurrency>=3.8.0 # Apache-2.0
|
||||
oslo.config!=3.18.0,>=3.14.0 # Apache-2.0
|
||||
|