Authenticate the domain user with id instead of username

This change makes the authentication process that requests a domain user
token provide user_id and password instead of username and password.
Authenticating with the user_id is more reliable, as that works even when
the username is truncated or modified in any other way before it is passed
to Keystone.

Change-Id: I7b2897c2be1e4ad7f55549449b1791991572a7f1
Closes-bug: 1402894

heat/common/heat_keystoneclient.py

@@ -370,7 +370,7 @@ class KeystoneClientV3(object):
 
         return user.id
 
-    def stack_domain_user_token(self, username, project_id, password):
+    def stack_domain_user_token(self, user_id, project_id, password):
         """Get a token for a stack domain user."""
         if not self.stack_domain:
             # Note, no legacy fallback path as we don't want to deploy
@@ -385,13 +385,13 @@ class KeystoneClientV3(object):
         # space is limited..)
         if self._stack_domain_is_id:
             auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
-                                       username=username,
+                                       user_id=user_id,
                                        password=password,
                                        project_id=project_id,
                                        user_domain_id=self.stack_domain)
         else:
             auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
-                                       username=username,
+                                       user_id=user_id,
                                        password=password,
                                        project_id=project_id,
                                        user_domain_name=self.stack_domain)
@@ -408,7 +408,7 @@ class KeystoneClientV3(object):
                          {'project': {'id': project_id}},
                          'identity': {'password': {'user': {
                              'domain': domain,
-                             'password': password, 'name': username}},
+                             'password': password, 'id': user_id}},
                              'methods': ['password']}}}
         t = sess.post(token_url, headers=headers, json=body,
                       authenticated=False)

heat/engine/stack_user.py

@@ -62,7 +62,7 @@ class StackUser(resource.Resource):
             raise ValueError(_("Can't get user token without password"))
 
         return self.keystone().stack_domain_user_token(
-            username=self.physical_resource_name(),
+            user_id=self._get_user_id(),
             project_id=project_id, password=password)
 
     def _get_user_id(self):

heat/tests/fakes.py

@@ -175,5 +175,5 @@ class FakeKeystoneClient(object):
                                          credential_id):
         pass
 
-    def stack_domain_user_token(self, username, project_id, password):
+    def stack_domain_user_token(self, user_id, project_id, password):
         return 'adomainusertoken'

heat/tests/test_heatclient.py

@@ -1368,7 +1368,7 @@ class KeystoneClientTest(common.HeatTestCase):
     def _stub_domain_user_pw_auth(self):
         self.m.StubOutWithMock(ks_auth_v3, 'Password')
         ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
-                            username='duser',
+                            user_id='duser',
                             password='apassw',
                             project_id='aproject',
                             user_domain_id='adomain123').AndReturn('dummyauth')
@@ -1391,7 +1391,7 @@ class KeystoneClientTest(common.HeatTestCase):
         ctx.trust_id = None
         heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
         token = heat_ks_client.stack_domain_user_token(
-            username='duser', project_id='aproject', password='apassw')
+            user_id='duser', project_id='aproject', password='apassw')
         self.assertEqual('dummytoken', token)
 
     def test_stack_domain_user_token_err_nodomain(self):
@@ -1402,7 +1402,7 @@ class KeystoneClientTest(common.HeatTestCase):
         heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
         self.assertRaises(exception.Error,
                           heat_ks_client.stack_domain_user_token,
-                          username='user',
+                          user_id='user',
                           project_id='aproject',
                           password='password')
 
@@ -1527,7 +1527,7 @@ class KeystoneClientTestDomainName(KeystoneClientTest):
     def _stub_domain_user_pw_auth(self):
         self.m.StubOutWithMock(ks_auth_v3, 'Password')
         ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
-                            username='duser',
+                            user_id='duser',
                             password='apassw',
                             project_id='aproject',
                             user_domain_name='fake_domain_name'

heat/tests/test_stack_user.py

@@ -356,15 +356,13 @@ class StackUserTest(common.HeatTestCase):
     def test_user_token(self):
         rsrc = self._user_create(stack_name='user_test123',
                                  project_id='aproject123',
-                                 user_id='auser123',
+                                 user_id='aabbcc',
                                  password='apassword')
 
-        short_id.get_id(rsrc.id).AndReturn('aabbcc')
         self.m.StubOutWithMock(fakes.FakeKeystoneClient,
                                'stack_domain_user_token')
-        username = 'user_test123-user-aabbcc'
         fakes.FakeKeystoneClient.stack_domain_user_token(
-            username=username, project_id='aproject123',
+            user_id='aabbcc', project_id='aproject123',
             password='apassword').AndReturn('atoken123')
         self.m.ReplayAll()