Don't use keystone_authtoken section for trust

We've a fallback mechanism to use configuration from keystone_authtoken section for trust plugin. It's been deprecated for sometime and does not seem to work. Change-Id: Ie435b3df8cb1551cee90e6a349913aabd5f4557f
2016-12-28 13:50:10 +05:30 · 2016-12-28 13:50:10 +05:30 · 35a4981ae3
parent 642404d6ff
commit 35a4981ae3
2 changed files with 17 additions and 50 deletions
--- a/heat/common/context.py
+++ b/heat/common/context.py
@ -28,7 +28,7 @@ import six
 from heat.common import config
 from heat.common import endpoint_utils
 from heat.common import exception
-from heat.common.i18n import _LE, _LW
+from heat.common.i18n import _LE
 from heat.common import policy
 from heat.common import wsgi
 from heat.db.sqlalchemy import api as db_api
@ -242,33 +242,16 @@ class RequestContext(context.RequestContext):

    @property
    def trusts_auth_plugin(self):
-        if self._trusts_auth_plugin:
-            return self._trusts_auth_plugin
+        if not self._trusts_auth_plugin:
+            self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
+                cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)

-        self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
-            cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
+        if not self._trusts_auth_plugin:
+            LOG.error(_LE('Please add the trustee credentials you need '
+                          'to the %s section of your heat.conf file.'),
+                      TRUSTEE_CONF_GROUP)
+            raise exception.AuthorizationFailure()

-        if self._trusts_auth_plugin:
-            return self._trusts_auth_plugin
-
-        LOG.warning(_LW('Using the keystone_authtoken user as the heat '
-                        'trustee user directly is deprecated. Please add the '
-                        'trustee credentials you need to the %s section of '
-                        'your heat.conf file.') % TRUSTEE_CONF_GROUP)
-
-        cfg.CONF.import_group('keystone_authtoken',
-                              'keystonemiddleware.auth_token')
-
-        trustee_user_domain = 'default'
-        if 'user_domain_id' in cfg.CONF.keystone_authtoken:
-            trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id
-
-        self._trusts_auth_plugin = generic.Password(
-            username=cfg.CONF.keystone_authtoken.admin_user,
-            password=cfg.CONF.keystone_authtoken.admin_password,
-            user_domain_id=trustee_user_domain,
-            auth_url=self.keystone_v3_endpoint,
-            trust_id=self.trust_id)
        return self._trusts_auth_plugin

    def _create_auth_plugin(self):
--- a/heat/tests/test_common_context.py
+++ b/heat/tests/test_common_context.py
@ -13,6 +13,7 @@

 import os

+from keystoneauth1 import loading as ks_loading
 import mock
 from oslo_config import cfg
 from oslo_config import fixture as config_fixture
@ -144,9 +145,6 @@ class TestRequestContext(common.HeatTestCase):
        """
        cfg.CONF.set_override('auth_uri', 'http://xyz',
                              group='clients_keystone', enforce_type=True)
-        importutils.import_module('keystonemiddleware.auth_token')
-        cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
-                              group='keystone_authtoken', enforce_type=True)
        policy_check = 'heat.common.policy.Enforcer.check_is_admin'
        with mock.patch(policy_check) as pc:
            pc.return_value = False
@ -188,27 +186,13 @@ class TestRequestContext(common.HeatTestCase):
            self.assertRaises(exception.AuthorizationFailure, getattr, ctx,
                              'keystone_v3_endpoint')

-    def test_create_trusts_auth_plugin_with_correct_user_domain_id(self):
-        importutils.import_module('keystonemiddleware.auth_token')
-        cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
-                              group='keystone_authtoken', enforce_type=True)
-        cfg.CONF.set_override('admin_user', 'heat',
-                              group='keystone_authtoken', enforce_type=True)
-        cfg.CONF.set_override('admin_password', 'password',
-                              group='keystone_authtoken', enforce_type=True)
-        policy_check = 'heat.common.policy.Enforcer.check_is_admin'
-        with mock.patch(policy_check) as pc:
-            pc.return_value = False
-            ctx = context.RequestContext(auth_url=None,
-                                         user_domain_id='non-default',
-                                         username='test')
-            with mock.patch('keystoneauth1.identity.generic.Password') as ps:
-                ctx.trusts_auth_plugin
-                ps.assert_called_once_with(username='heat',
-                                           password='password',
-                                           user_domain_id='default',
-                                           auth_url='http://abc/v3',
-                                           trust_id=None)
+    def test_get_trust_context_auth_plugin_unauthorized(self):
+        self.ctx['trust_id'] = 'trust_id'
+        ctx = context.RequestContext.from_dict(self.ctx)
+        self.patchobject(ks_loading, 'load_auth_from_conf_options',
+                         return_value=None)
+        self.assertRaises(exception.AuthorizationFailure, getattr,
+                          ctx, 'auth_plugin')

    def test_cache(self):
        ctx = context.RequestContext.from_dict(self.ctx)