Don't use keystone_authtoken section for trust
We have a fallback mechanism that uses configuration from the keystone_authtoken section for the trust plugin. It has been deprecated for some time and does not seem to work. Change-Id: Ie435b3df8cb1551cee90e6a349913aabd5f4557f
parent
642404d6ff
commit
35a4981ae3
@ -28,7 +28,7 @@ import six
|
|||||||
from heat.common import config
|
from heat.common import config
|
||||||
from heat.common import endpoint_utils
|
from heat.common import endpoint_utils
|
||||||
from heat.common import exception
|
from heat.common import exception
|
||||||
from heat.common.i18n import _LE, _LW
|
from heat.common.i18n import _LE
|
||||||
from heat.common import policy
|
from heat.common import policy
|
||||||
from heat.common import wsgi
|
from heat.common import wsgi
|
||||||
from heat.db.sqlalchemy import api as db_api
|
from heat.db.sqlalchemy import api as db_api
|
||||||
@ -242,33 +242,16 @@ class RequestContext(context.RequestContext):
|
|||||||
|
|
||||||
@property
|
@property
|
||||||
def trusts_auth_plugin(self):
|
def trusts_auth_plugin(self):
|
||||||
if self._trusts_auth_plugin:
|
if not self._trusts_auth_plugin:
|
||||||
return self._trusts_auth_plugin
|
|
||||||
|
|
||||||
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
|
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
|
||||||
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
|
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
|
||||||
|
|
||||||
if self._trusts_auth_plugin:
|
if not self._trusts_auth_plugin:
|
||||||
return self._trusts_auth_plugin
|
LOG.error(_LE('Please add the trustee credentials you need '
|
||||||
|
'to the %s section of your heat.conf file.'),
|
||||||
|
TRUSTEE_CONF_GROUP)
|
||||||
|
raise exception.AuthorizationFailure()
|
||||||
|
|
||||||
LOG.warning(_LW('Using the keystone_authtoken user as the heat '
|
|
||||||
'trustee user directly is deprecated. Please add the '
|
|
||||||
'trustee credentials you need to the %s section of '
|
|
||||||
'your heat.conf file.') % TRUSTEE_CONF_GROUP)
|
|
||||||
|
|
||||||
cfg.CONF.import_group('keystone_authtoken',
|
|
||||||
'keystonemiddleware.auth_token')
|
|
||||||
|
|
||||||
trustee_user_domain = 'default'
|
|
||||||
if 'user_domain_id' in cfg.CONF.keystone_authtoken:
|
|
||||||
trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id
|
|
||||||
|
|
||||||
self._trusts_auth_plugin = generic.Password(
|
|
||||||
username=cfg.CONF.keystone_authtoken.admin_user,
|
|
||||||
password=cfg.CONF.keystone_authtoken.admin_password,
|
|
||||||
user_domain_id=trustee_user_domain,
|
|
||||||
auth_url=self.keystone_v3_endpoint,
|
|
||||||
trust_id=self.trust_id)
|
|
||||||
return self._trusts_auth_plugin
|
return self._trusts_auth_plugin
|
||||||
|
|
||||||
def _create_auth_plugin(self):
|
def _create_auth_plugin(self):
|
||||||
|
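Review bot: In the new `trusts_auth_plugin`, only a `None` return from `ks_loading.load_auth_from_conf_options` reaches the `LOG.error` / `AuthorizationFailure` branch. If the loader raises for a partially filled `TRUSTEE_CONF_GROUP` section (keystoneauth1 appears to raise when an auth type is set but required options are missing, which is worth confirming), that exception would propagate to the caller without the configuration hint. Consider catching the loader's exception around the call and routing it into the same log-and-raise branch, so a misconfigured trustee group always fails closed with one consistent error. The property also deserves a short docstring now that the keystone_authtoken fallback is gone, e.g. `"""Return the cached trustee auth plugin, loaded only from the trustee config group; raise AuthorizationFailure if none is configured."""`. The property body is fully inside the hunk, but the enclosing class is not.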
@ -13,6 +13,7 @@
|
|||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
from keystoneauth1 import loading as ks_loading
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_config import fixture as config_fixture
|
from oslo_config import fixture as config_fixture
|
||||||
@ -144,9 +145,6 @@ class TestRequestContext(common.HeatTestCase):
|
|||||||
"""
|
"""
|
||||||
cfg.CONF.set_override('auth_uri', 'http://xyz',
|
cfg.CONF.set_override('auth_uri', 'http://xyz',
|
||||||
group='clients_keystone', enforce_type=True)
|
group='clients_keystone', enforce_type=True)
|
||||||
importutils.import_module('keystonemiddleware.auth_token')
|
|
||||||
cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
|
|
||||||
group='keystone_authtoken', enforce_type=True)
|
|
||||||
policy_check = 'heat.common.policy.Enforcer.check_is_admin'
|
policy_check = 'heat.common.policy.Enforcer.check_is_admin'
|
||||||
with mock.patch(policy_check) as pc:
|
with mock.patch(policy_check) as pc:
|
||||||
pc.return_value = False
|
pc.return_value = False
|
||||||
@ -188,27 +186,13 @@ class TestRequestContext(common.HeatTestCase):
|
|||||||
self.assertRaises(exception.AuthorizationFailure, getattr, ctx,
|
self.assertRaises(exception.AuthorizationFailure, getattr, ctx,
|
||||||
'keystone_v3_endpoint')
|
'keystone_v3_endpoint')
|
||||||
|
|
||||||
def test_create_trusts_auth_plugin_with_correct_user_domain_id(self):
|
def test_get_trust_context_auth_plugin_unauthorized(self):
|
||||||
importutils.import_module('keystonemiddleware.auth_token')
|
self.ctx['trust_id'] = 'trust_id'
|
||||||
cfg.CONF.set_override('auth_uri', 'http://abc/v2.0',
|
ctx = context.RequestContext.from_dict(self.ctx)
|
||||||
group='keystone_authtoken', enforce_type=True)
|
self.patchobject(ks_loading, 'load_auth_from_conf_options',
|
||||||
cfg.CONF.set_override('admin_user', 'heat',
|
return_value=None)
|
||||||
group='keystone_authtoken', enforce_type=True)
|
self.assertRaises(exception.AuthorizationFailure, getattr,
|
||||||
cfg.CONF.set_override('admin_password', 'password',
|
ctx, 'auth_plugin')
|
||||||
group='keystone_authtoken', enforce_type=True)
|
|
||||||
policy_check = 'heat.common.policy.Enforcer.check_is_admin'
|
|
||||||
with mock.patch(policy_check) as pc:
|
|
||||||
pc.return_value = False
|
|
||||||
ctx = context.RequestContext(auth_url=None,
|
|
||||||
user_domain_id='non-default',
|
|
||||||
username='test')
|
|
||||||
with mock.patch('keystoneauth1.identity.generic.Password') as ps:
|
|
||||||
ctx.trusts_auth_plugin
|
|
||||||
ps.assert_called_once_with(username='heat',
|
|
||||||
password='password',
|
|
||||||
user_domain_id='default',
|
|
||||||
auth_url='http://abc/v3',
|
|
||||||
trust_id=None)
|
|
||||||
|
|
||||||
def test_cache(self):
|
def test_cache(self):
|
||||||
ctx = context.RequestContext.from_dict(self.ctx)
|
ctx = context.RequestContext.from_dict(self.ctx)
|
||||||
|
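Review bot: `test_get_trust_context_auth_plugin_unauthorized` only proves that a `None` loader result raises. Nothing in the new test pins which configuration group the loader is asked for, so a regression that read trustee credentials from `keystone_authtoken` again would still pass. Keep the mock and assert the call, e.g. `loader = self.patchobject(ks_loading, 'load_auth_from_conf_options', return_value=None)` followed by `loader.assert_called_once_with(cfg.CONF, context.TRUSTEE_CONF_GROUP, trust_id='trust_id')`; this assumes `patchobject` returns the mock, which is not visible here. The test also reaches the property through `ctx.auth_plugin`, whose body is outside the hunks, so a one-line comment such as `# auth_plugin is expected to use trusts_auth_plugin when trust_id is set` would make that dependency explicit.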