From 3139ef39cb34c411d340572b098a790c92cfdf7e Mon Sep 17 00:00:00 2001
From: Erno Kuvaja <jokke@usr.fi>
Date: Thu, 10 Jun 2021 13:51:49 +0100
Subject: [PATCH] Revert "Remove all usage of keystoneclient"

This reverts commit 810417df865c7b4eb71cee4dfee843d65972852b.

The Swift driver not being able to use Trusts had nothing to do
about the store driver itself nor that keystoneauth1 would have
broken the feature, but rather it not having the functionality
in the first place and us not catching that on reviews.

We should figure out how to test this before we try to replace
this code again.

Change-Id: If12a013404296486dc387b099477d1608b24ba63
Closes-Bug: #1916052
(cherry picked from commit 9b683678b2a19bb1069aace58e054150a78b5f6f)
---
 glance/common/auth.py       | 11 ++++++-----
 glance/common/trust_auth.py | 21 +++++++++++----------
 requirements.txt            |  1 +
 3 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/glance/common/auth.py b/glance/common/auth.py
index 554e0bf1f2..8b19526733 100644
--- a/glance/common/auth.py
+++ b/glance/common/auth.py
@@ -32,7 +32,7 @@ Keystone (an identity management system).
 
 """
 import httplib2
-from keystoneauth1.access import service_catalog as ks_service_catalog
+from keystoneclient import service_catalog as ks_service_catalog
 from oslo_serialization import jsonutils
 from six.moves import http_client as http
 # NOTE(jokke): simplified transition to py3, behaves like py2 xrange
@@ -326,10 +326,11 @@ def get_endpoint(service_catalog, service_type='image', endpoint_region=None,
     otherwise we will raise an exception.
     """
     endpoints = ks_service_catalog.ServiceCatalogV2(
-        service_catalog).get_urls(interface=endpoint_type,
-                                  service_type=service_type,
-                                  region_name=endpoint_region)
-    if len(endpoints) == 0:
+        {'serviceCatalog': service_catalog}
+    ).get_urls(service_type=service_type,
+               region_name=endpoint_region,
+               endpoint_type=endpoint_type)
+    if endpoints is None:
         raise exception.NoServiceEndpoint()
     elif len(endpoints) == 1:
         return endpoints[0]
diff --git a/glance/common/trust_auth.py b/glance/common/trust_auth.py
index 3667981957..9590e2c63f 100644
--- a/glance/common/trust_auth.py
+++ b/glance/common/trust_auth.py
@@ -14,6 +14,7 @@
 
 from keystoneauth1 import exceptions as ka_exceptions
 from keystoneauth1 import loading as ka_loading
+from keystoneclient.v3 import client as ks_client
 from oslo_config import cfg
 from oslo_log import log as logging
 
@@ -31,17 +32,17 @@ class TokenRefresher(object):
         # step 1: create trust to ensure that we can always update token
 
         # trustor = user who made the request
-        trustor_client = self._load_session(user_plugin)
-        trustor_id = trustor_client.get_user_id()
+        trustor_client = self._load_client(user_plugin)
+        trustor_id = trustor_client.session.get_user_id()
 
         # get trustee user client that impersonates main user
         trustee_user_auth = ka_loading.load_auth_from_conf_options(
             CONF, 'keystone_authtoken')
         # save service user client because we need new service token
         # to refresh trust-scoped client later
-        self.trustee_user_client = self._load_session(trustee_user_auth)
+        self.trustee_user_client = self._load_client(trustee_user_auth)
 
-        trustee_id = self.trustee_user_client.get_user_id()
+        trustee_id = self.trustee_user_client.session.get_user_id()
 
         self.trust_id = trustor_client.trusts.create(trustor_user=trustor_id,
                                                      trustee_user=trustee_id,
@@ -63,12 +64,12 @@ class TokenRefresher(object):
         if self.trustee_client is None:
             self.trustee_client = self._refresh_trustee_client()
         try:
-            return self.trustee_client.get_token()
+            return self.trustee_client.session.get_token()
         except ka_exceptions.Unauthorized:
             # in case of Unauthorized exceptions try to refresh client because
             # service user token may expired
             self.trustee_client = self._refresh_trustee_client()
-            return self.trustee_client.get_token()
+            return self.trustee_client.session.get_token()
 
     def release_resources(self):
         """Release keystone resources required for refreshing"""
@@ -98,11 +99,11 @@ class TokenRefresher(object):
         trustee_auth = ka_loading.load_auth_from_conf_options(
             CONF, 'keystone_authtoken', **kwargs)
 
-        return self._load_session(trustee_auth)
+        return self._load_client(trustee_auth)
 
     @staticmethod
-    def _load_session(plugin):
-        # load ksa session from auth settings and user plugin
+    def _load_client(plugin):
+        # load client from auth settings and user plugin
         sess = ka_loading.load_session_from_conf_options(
             CONF, 'keystone_authtoken', auth=plugin)
-        return sess
+        return ks_client.Client(session=sess)
diff --git a/requirements.txt b/requirements.txt
index 6f5bf1412b..926948c846 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -32,6 +32,7 @@ PrettyTable<0.8,>=0.7.1 # BSD
 Paste>=2.0.2 # MIT
 
 jsonschema>=3.2.0 # MIT
+python-keystoneclient>=3.8.0 # Apache-2.0
 pyOpenSSL>=17.1.0 # Apache-2.0
 # Required by openstack.common libraries
 six>=1.11.0 # MIT