Authenticate the domain user with id instead of username
This change makes the authentication process that requests a domain user token provide user_id and password instead of username and password. Authenticating with the user_id is more reliable, as that works even when the username is truncated or modified in any other way before it is passed to Keystone. Change-Id: I7b2897c2be1e4ad7f55549449b1791991572a7f1 Closes-bug: 1402894
parent
c16f539c53
commit
0ba4dacbe2
|
@ -370,7 +370,7 @@ class KeystoneClientV3(object):
|
|||
|
||||
return user.id
|
||||
|
||||
def stack_domain_user_token(self, username, project_id, password):
|
||||
def stack_domain_user_token(self, user_id, project_id, password):
|
||||
"""Get a token for a stack domain user."""
|
||||
if not self.stack_domain:
|
||||
# Note, no legacy fallback path as we don't want to deploy
|
||||
|
@ -385,13 +385,13 @@ class KeystoneClientV3(object):
|
|||
# space is limited..)
|
||||
if self._stack_domain_is_id:
|
||||
auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
|
||||
username=username,
|
||||
user_id=user_id,
|
||||
password=password,
|
||||
project_id=project_id,
|
||||
user_domain_id=self.stack_domain)
|
||||
else:
|
||||
auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
|
||||
username=username,
|
||||
user_id=user_id,
|
||||
password=password,
|
||||
project_id=project_id,
|
||||
user_domain_name=self.stack_domain)
|
||||
|
@ -408,7 +408,7 @@ class KeystoneClientV3(object):
|
|||
{'project': {'id': project_id}},
|
||||
'identity': {'password': {'user': {
|
||||
'domain': domain,
|
||||
'password': password, 'name': username}},
|
||||
'password': password, 'id': user_id}},
|
||||
'methods': ['password']}}}
|
||||
t = sess.post(token_url, headers=headers, json=body,
|
||||
authenticated=False)
|
||||
|
|
|
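Review bot: With `user_id=user_id` in both `kc_auth_v3.Password(...)` calls and `'id': user_id` in the hand-built token body, the `user_domain_id` / `user_domain_name` / `'domain'` values probably no longer take part in selecting the user. A Keystone v3 user id identifies the account on its own, and the domain qualifier is normally only needed for a lookup by name. If that holds for the auth plugin in use, nothing in this method verifies that the account belongs to the stack domain, so that guarantee rests on the caller passing an id it created there. I would say so in the docstring, e.g. `"""Get a token for a stack domain user, identified by its Keystone user id; the id is not re-checked against the stack domain here."""`, and confirm whether the two `_stack_domain_is_id` branches still need to differ. The method body extends beyond the three hunks shown.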
@ -62,7 +62,7 @@ class StackUser(resource.Resource):
|
|||
raise ValueError(_("Can't get user token without password"))
|
||||
|
||||
return self.keystone().stack_domain_user_token(
|
||||
username=self.physical_resource_name(),
|
||||
user_id=self._get_user_id(),
|
||||
project_id=project_id, password=password)
|
||||
|
||||
def _get_user_id(self):
|
||||
|
|
|
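Review bot: The value of `self._get_user_id()` is passed straight into `stack_domain_user_token(...)`, while only the password is checked beforehand (the `ValueError` just above the call). `_get_user_id` is defined below the hunk and its body is not visible, so if it can return `None`, for instance before the user has been created, the token request would go out without a user identifier and fail later with a less useful error from Keystone. A guard parallel to the password check keeps the failure local: `user_id = self._get_user_id()` followed by `if not user_id: raise ValueError(_("Can't get user token without user id"))`. The enclosing method starts above the hunk.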
@ -175,5 +175,5 @@ class FakeKeystoneClient(object):
|
|||
credential_id):
|
||||
pass
|
||||
|
||||
def stack_domain_user_token(self, username, project_id, password):
|
||||
def stack_domain_user_token(self, user_id, project_id, password):
|
||||
return 'adomainusertoken'
|
||||
|
|
|
@ -1368,7 +1368,7 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
def _stub_domain_user_pw_auth(self):
|
||||
self.m.StubOutWithMock(ks_auth_v3, 'Password')
|
||||
ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
|
||||
username='duser',
|
||||
user_id='duser',
|
||||
password='apassw',
|
||||
project_id='aproject',
|
||||
user_domain_id='adomain123').AndReturn('dummyauth')
|
||||
|
@ -1391,7 +1391,7 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
ctx.trust_id = None
|
||||
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
|
||||
token = heat_ks_client.stack_domain_user_token(
|
||||
username='duser', project_id='aproject', password='apassw')
|
||||
user_id='duser', project_id='aproject', password='apassw')
|
||||
self.assertEqual('dummytoken', token)
|
||||
|
||||
def test_stack_domain_user_token_err_nodomain(self):
|
||||
|
@ -1402,7 +1402,7 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
|
||||
self.assertRaises(exception.Error,
|
||||
heat_ks_client.stack_domain_user_token,
|
||||
username='user',
|
||||
user_id='user',
|
||||
project_id='aproject',
|
||||
password='password')
|
||||
|
||||
|
@ -1527,7 +1527,7 @@ class KeystoneClientTestDomainName(KeystoneClientTest):
|
|||
def _stub_domain_user_pw_auth(self):
|
||||
self.m.StubOutWithMock(ks_auth_v3, 'Password')
|
||||
ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
|
||||
username='duser',
|
||||
user_id='duser',
|
||||
password='apassw',
|
||||
project_id='aproject',
|
||||
user_domain_name='fake_domain_name'
|
||||
|
|
|
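Review bot: None of the hunks in this test file updates an expectation for the hand-built token request body, which the client change switches from `'name': username` to `'id': user_id`. As far as this page shows, that path has no assertion on the identity payload, so a test checking that the posted body carries `'id'` would be worth adding. Separately, the stubs and calls keep `'duser'` and `'user'` as the `user_id` value, the same literals that previously stood for a username. An id-looking value such as `user_id='duserid123'` (constructed sample), used consistently in both `_stub_domain_user_pw_auth` variants and in the two `stack_domain_user_token` calls, would make the fixtures read as intended.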
@ -356,15 +356,13 @@ class StackUserTest(common.HeatTestCase):
|
|||
def test_user_token(self):
|
||||
rsrc = self._user_create(stack_name='user_test123',
|
||||
project_id='aproject123',
|
||||
user_id='auser123',
|
||||
user_id='aabbcc',
|
||||
password='apassword')
|
||||
|
||||
short_id.get_id(rsrc.id).AndReturn('aabbcc')
|
||||
self.m.StubOutWithMock(fakes.FakeKeystoneClient,
|
||||
'stack_domain_user_token')
|
||||
username = 'user_test123-user-aabbcc'
|
||||
fakes.FakeKeystoneClient.stack_domain_user_token(
|
||||
username=username, project_id='aproject123',
|
||||
user_id='aabbcc', project_id='aproject123',
|
||||
password='apassword').AndReturn('atoken123')
|
||||
self.m.ReplayAll()
|
||||
|
||||
|
|