Don't use keystone_authtoken section for trust
We have a fallback mechanism that uses configuration from the keystone_authtoken section for the trust plugin. It has been deprecated for some time and does not seem to work. Change-Id: Ie435b3df8cb1551cee90e6a349913aabd5f4557f
parent
642404d6ff
commit
35a4981ae3
|
@ -28,7 +28,7 @@ import six
|
|||
from heat.common import config
|
||||
from heat.common import endpoint_utils
|
||||
from heat.common import exception
|
||||
from heat.common.i18n import _LE, _LW
|
||||
from heat.common.i18n import _LE
|
||||
from heat.common import policy
|
||||
from heat.common import wsgi
|
||||
from heat.db.sqlalchemy import api as db_api
|
||||
|
@ -242,33 +242,16 @@ class RequestContext(context.RequestContext):
|
|||
|
||||
@property
|
||||
def trusts_auth_plugin(self):
|
||||
if self._trusts_auth_plugin:
|
||||
return self._trusts_auth_plugin
|
||||
if not self._trusts_auth_plugin:
|
||||
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
|
||||
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
|
||||
|
||||
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
|
||||
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
|
||||
if not self._trusts_auth_plugin:
|
||||
LOG.error(_LE('Please add the trustee credentials you need '
|
||||
'to the %s section of your heat.conf file.'),
|
||||
TRUSTEE_CONF_GROUP)
|
||||
raise exception.AuthorizationFailure()
|
||||
|
||||
if self._trusts_auth_plugin:
|
||||
return self._trusts_auth_plugin
|
||||
|
||||
LOG.warning(_LW('Using the keystone_authtoken user as the heat '
|
||||
'trustee user directly is deprecated. Please add the '
|
||||
'trustee credentials you need to the %s section of '
|
||||
'your heat.conf file.') % TRUSTEE_CONF_GROUP)
|
||||
|
||||
cfg.CONF.import_group('keystone_authtoken',
|
||||
'keystonemiddleware.auth_token')
|
||||
|
||||
trustee_user_domain = 'default'
|
||||
if 'user_domain_id' in cfg.CONF.keystone_authtoken:
|
||||
trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id
|
||||
|
||||
self._trusts_auth_plugin = generic.Password(
|
||||
username=cfg.CONF.keystone_authtoken.admin_user,
|
||||
password=cfg.CONF.keystone_authtoken.admin_password,
|
||||
user_domain_id=trustee_user_domain,
|
||||
auth_url=self.keystone_v3_endpoint,
|
||||
trust_id=self.trust_id)
|
||||
return self._trusts_auth_plugin
|
||||
|
||||
def _create_auth_plugin(self):
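Review bot: The `trusts_auth_plugin` property now fails closed, raising `exception.AuthorizationFailure()` when the trustee group yields no plugin, but it has no docstring stating that contract. I would add one along the lines of `"""Return the trust-scoped auth plugin loaded from the trustee config group; raise AuthorizationFailure if none is configured."""` so callers know the service credentials in keystone_authtoken are no longer borrowed for trust-scoped requests. The guard only covers the case where `load_auth_from_conf_options` returns nothing; if it raises on a partially filled section (not visible here), that exception reaches the caller as-is, which is worth confirming. The enclosing class continues outside the hunk.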
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
|
||||
import os
|
||||
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
import mock
|
||||
from oslo_config import cfg
|
||||
from oslo_config import fixture as config_fixture
|
||||
|
@ -144,9 +145,6 @@ class TestRequestContext(common.HeatTestCase):
|
|||
"""
|
||||
cfg.CONF.set_override('auth_uri', 'http://xyz',
|
||||
group='clients_keystone', enforce_type=True)
|
||||
importutils.import_module('keystonemiddleware.auth_token')
|
||||
cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
|
||||
group='keystone_authtoken', enforce_type=True)
|
||||
policy_check = 'heat.common.policy.Enforcer.check_is_admin'
|
||||
with mock.patch(policy_check) as pc:
|
||||
pc.return_value = False
|
||||
|
@ -188,27 +186,13 @@ class TestRequestContext(common.HeatTestCase):
|
|||
self.assertRaises(exception.AuthorizationFailure, getattr, ctx,
|
||||
'keystone_v3_endpoint')
|
||||
|
||||
def test_create_trusts_auth_plugin_with_correct_user_domain_id(self):
|
||||
importutils.import_module('keystonemiddleware.auth_token')
|
||||
cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
|
||||
group='keystone_authtoken', enforce_type=True)
|
||||
cfg.CONF.set_override('admin_user', 'heat',
|
||||
group='keystone_authtoken', enforce_type=True)
|
||||
cfg.CONF.set_override('admin_password', 'password',
|
||||
group='keystone_authtoken', enforce_type=True)
|
||||
policy_check = 'heat.common.policy.Enforcer.check_is_admin'
|
||||
with mock.patch(policy_check) as pc:
|
||||
pc.return_value = False
|
||||
ctx = context.RequestContext(auth_url=None,
|
||||
user_domain_id='non-default',
|
||||
username='test')
|
||||
with mock.patch('keystoneauth1.identity.generic.Password') as ps:
|
||||
ctx.trusts_auth_plugin
|
||||
ps.assert_called_once_with(username='heat',
|
||||
password='password',
|
||||
user_domain_id='default',
|
||||
auth_url='http://abc/v3',
|
||||
trust_id=None)
|
||||
def test_get_trust_context_auth_plugin_unauthorized(self):
|
||||
self.ctx['trust_id'] = 'trust_id'
|
||||
ctx = context.RequestContext.from_dict(self.ctx)
|
||||
self.patchobject(ks_loading, 'load_auth_from_conf_options',
|
||||
return_value=None)
|
||||
self.assertRaises(exception.AuthorizationFailure, getattr,
|
||||
ctx, 'auth_plugin')
|
||||
|
||||
def test_cache(self):
|
||||
ctx = context.RequestContext.from_dict(self.ctx)
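Review bot: `test_get_trust_context_auth_plugin_unauthorized` reads `ctx.auth_plugin` rather than `ctx.trusts_auth_plugin`, so it passes on any AuthorizationFailure raised along that path, not only the one caused by the missing trustee configuration. Keeping a handle on the patched loader and asserting on it would pin the cause, for example `loader = self.patchobject(ks_loading, 'load_auth_from_conf_options', return_value=None)` followed by `loader.assert_called_once_with(cfg.CONF, context.TRUSTEE_CONF_GROUP, trust_id='trust_id')`, assuming `patchobject` returns the mock. The removed user_domain_id test has no success-path counterpart in the visible lines, so a case where the loader returns a plugin and the property hands it back unchanged would be a useful addition. `test_cache` continues outside the hunk.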
|
||||
|
|