Fix fall back to newer keystonemiddleware options

admin_{user,password,tenant_name} are deprecated in keystonemiddleware. When a user switches to newer "username", "password" and "project_name", we stop properly falling back to them, which cases failures. This change makes legacy auth code path first try these new options. Change-Id: I13d1d0381b1fca2cdd15205f3443b38ebac297fb Closes-Bug: #1616873
2016-08-25 14:12:35 +02:00 · 2016-08-25 14:12:35 +02:00 · 0d62aec057
parent 4ce008e8ff
commit 0d62aec057
2 changed files with 29 additions and 0 deletions
--- a/ironic/common/keystone.py
+++ b/ironic/common/keystone.py
@ -90,6 +90,13 @@ def _get_legacy_auth():
    Used only to provide backward compatibility with old configs.
    """
    conf = getattr(CONF, ironic_auth.LEGACY_SECTION)
+    # NOTE(pas-ha) first try to load auth from legacy section
+    # using the new keystoneauth options that might be already set there
+    auth = ironic_auth.load_auth(CONF, ironic_auth.LEGACY_SECTION)
+    if auth:
+        return auth
+    # NOTE(pas-ha) now we surely have legacy config section for auth
+    # and with legacy options set in it, deal with it.
    legacy_loader = kaloading.get_plugin_loader('password')
    auth_params = {
        'auth_url': conf.auth_uri,
--- a/ironic/tests/unit/common/test_keystone.py
+++ b/ironic/tests/unit/common/test_keystone.py
@ -139,6 +139,7 @@ class KeystoneLegacyTestCase(base.TestCase):
    def test_legacy_loading_v2(self, load_auth_mock, load_mock):
        keystone.get_session(self.test_group)
        load_mock.assert_called_once_with(**self.expected)
+        self.assertEqual(2, load_auth_mock.call_count)

    @mock.patch.object(ironic_auth, 'load_auth', return_value=None)
    def test_legacy_loading_v3(self, load_auth_mock, load_mock):
@ -150,3 +151,24 @@ class KeystoneLegacyTestCase(base.TestCase):
            user_domain_id='default'))
        keystone.get_session(self.test_group)
        load_mock.assert_called_once_with(**self.expected)
+        self.assertEqual(2, load_auth_mock.call_count)
+
+    @mock.patch.object(ironic_auth, 'load_auth')
+    def test_legacy_loading_new_in_legacy(self, load_auth_mock, load_mock):
+        # NOTE(pas-ha) this is due to auth_plugin options
+        # being dynamically registered on first load,
+        # but we need to set the config before
+        plugin = kaloading.get_plugin_loader('password')
+        opts = kaloading.get_auth_plugin_conf_options(plugin)
+        self.cfg_fixture.register_opts(opts, group=ironic_auth.LEGACY_SECTION)
+        self.config(group=ironic_auth.LEGACY_SECTION,
+                    auth_uri='http://127.0.0.1:9898',
+                    username='fake_user',
+                    password='fake_pass',
+                    project_name='fake_tenant',
+                    auth_url='http://127.0.0.1:9898',
+                    auth_type='password')
+        load_auth_mock.side_effect = [None, mock.Mock()]
+        keystone.get_session(self.test_group)
+        self.assertFalse(load_mock.called)
+        self.assertEqual(2, load_auth_mock.call_count)