From 67f12e5e24eb9ec06e609f4399008b9d704128a1 Mon Sep 17 00:00:00 2001 From: Steven Hardy Date: Mon, 7 Dec 2015 11:20:25 +0000 Subject: [PATCH] Add trustee config group to sample config Some time ago, we added support for a new "trustee" config section, aimed at allowing independent configuration of the credentials used to obtain trust-scoped tokens for deferred authentication. One of the main reasons for this was to avoid incorrectly using the keystone auth_token section, and as such a deprecation warning was added when we fall back to using that config section for heat. Unfortunately we didn't capture this new section in the sample config because it's registered via keystoneclient.auth, so this adds support for this section to the sample config generated via tox -e genconfig, and adds some notes clarifying usage to the auth_plugin option. To move to the new config syntax, but maintain the current behavior, which is to delegate to the heat service user, you can add this section to your heat.conf [trustee] auth_plugin = password auth_url = http://:35357 username = heat password = password user_domain_id = default The generated config documents many more options, all of those supported by the keystoneclient v3 Password auth plugin, but these are the minimum to enable delegation to the heat service user in the default domain. In new deployments this could be set to some other user (such as one created in the heat domain), but note that the trustee should not be changed for existing deployments where stacks exist, as the trust stored inside heat defines a relationship between the stack owner (trustor) and a specific trustee (which will be the heat service user if the deployment is using the deprecated path that steals credentials from keystone auth_token). Change-Id: I30aeb765a2246ce54b10972ae7187655d85cde1f Partial-Bug: #1300246 --- config-generator.conf | 1 + heat/common/context.py | 19 +++++++++++++++++++ setup.cfg | 1 + 3 files changed, 21 insertions(+) 
diff --git a/config-generator.conf b/config-generator.conf
index 469ec00fec..44e94d1106 100644
--- a/config-generator.conf
+++ b/config-generator.conf
@@ -2,6 +2,7 @@
 output_file = etc/heat/heat.conf.sample
 wrap_width = 79
 namespace = heat.common.config
+namespace = heat.common.context
 namespace = heat.common.crypt
 namespace = heat.common.heat_keystoneclient
 namespace = heat.common.wsgi
diff --git a/heat/common/context.py b/heat/common/context.py
index 7df5638661..74e6747b7a 100644
--- a/heat/common/context.py
+++ b/heat/common/context.py
@@ -34,10 +34,28 @@ from heat.engine import clients
 LOG = logging.getLogger(__name__)
+
+# Note, we yield the options via list_opts to enable generation of the
+# sample heat.conf, but we don't register these options directly via
+# cfg.CONF.register*, it's done via auth.register_conf_options
+# Note, only auth_plugin = v3password is expected to work, example config:
+# [trustee]
+# auth_plugin = password
+# auth_url = http://192.168.1.2:35357
+# username = heat
+# password = password
+# user_domain_id = default
+V3_PASSWORD_PLUGIN = 'v3password'
 TRUSTEE_CONF_GROUP = 'trustee'
 auth.register_conf_options(cfg.CONF, TRUSTEE_CONF_GROUP)
+def list_opts():
+    trustee_opts = auth.conf.get_common_conf_options()
+    trustee_opts.extend(auth.conf.get_plugin_options(V3_PASSWORD_PLUGIN))
+    yield TRUSTEE_CONF_GROUP, trustee_opts
+
+
 class RequestContext(context.RequestContext):
     """Stores information about the security context.
@@ -151,6 +169,7 @@ class RequestContext(context.RequestContext):
             cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
         if self._trusts_auth_plugin:
+            LOG.warn(_LW('SHDEBUG NOT Using the keystone_authtoken'))
             return self._trusts_auth_plugin
         LOG.warn(_LW('Using the keystone_authtoken user as the heat '
diff --git a/setup.cfg b/setup.cfg
index f1162d507e..123817e024 100644
--- a/setup.cfg
+++ b/setup.cfg
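Review bot: The comment block above `V3_PASSWORD_PLUGIN` contradicts itself and the code below it: it says only `auth_plugin = v3password` is expected to work, yet the example it gives (and the commit message) sets `auth_plugin = password`, while `list_opts` yields the options of `V3_PASSWORD_PLUGIN` only. Either the example should read `auth_plugin = v3password`, or, if the generic `password` plugin is the intended value, the comment should say so and the options yielded for the sample should be that plugin's, so operators copying the sample get a [trustee] section whose documented options match the plugin they select. `list_opts` also has no docstring; suggest `"""Yield the trustee option group for the sample-config generator; registration itself is done by auth.register_conf_options."""`.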
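Review bot: The added `LOG.warn(_LW('SHDEBUG NOT Using the keystone_authtoken'))` in the context.py @@ -151 hunk looks like a leftover debug statement: it emits at warning level on the intended, non-deprecated path every time a trustee plugin is loaded, and the `SHDEBUG` prefix is not an operator-facing message (wrapping it in `_LW` also sends it to translators). Because the deprecation warning just below it is the signal operators rely on to notice they are still delegating via the keystone_authtoken credentials, a spurious warning on the good path dilutes that signal. Drop the line; if a trace of which path was taken is useful, a `LOG.debug('Using the [%s] trustee auth plugin', TRUSTEE_CONF_GROUP)` without the prefix would fit. The enclosing method starts and ends outside the hunk.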
@@ -41,6 +41,7 @@ wsgi_scripts =
 oslo.config.opts =
     heat.common.config = heat.common.config:list_opts
+    heat.common.context = heat.common.context:list_opts
     heat.common.crypt = heat.common.crypt:list_opts
     heat.common.heat_keystoneclient = heat.common.heat_keystoneclient:list_opts
     heat.common.wsgi = heat.common.wsgi:list_opts