openstack/kolla-ansible
Code Issues Proposed changes

[skydive] fix: Use Keystone backend to authenticate API users

Browse Source 
Update Skydive Analyzer's configuration to use Keystone as its backend
for authenticating users.  Any user with a role in the project defined
by the variable skydive_admin_tenant_name will be able to access
Skydive.

Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
Closes-Bug: 1870903
This commit is contained in:
Nick Jones 2020-04-05 12:46:20 +01:00 committed by Mark Goddard
parent fa65e0402b
commit 7e5aa63728
3 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/roles/skydive/defaults/main.yml
View File

@ -37,6 +37,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
skydive_analyzer_tag: "{{ openstack_tag }}" skydive_analyzer_tag: "{{ openstack_tag }}"
skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}" skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent" skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
skydive_agent_tag: "{{ openstack_tag }}" skydive_agent_tag: "{{ openstack_tag }}"
skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}" skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"

9
ansible/roles/skydive/templates/skydive-analyzer.conf.j2
View File

@ -1,13 +1,11 @@
### Skydive analyzer config file ### Skydive analyzer config file
auth: auth:
type: keystone
analyzer_username: {{ openstack_auth['username'] }}
analyzer_password: {{ openstack_auth['password'] }}
keystone: keystone:
type: keystone
auth_url: {{ keystone_internal_url }}/v3 auth_url: {{ keystone_internal_url }}/v3
region_name: {{ openstack_region_name }} region_name: {{ openstack_region_name }}
tenant_name: {{ skydive_admin_tenant_name }}
domain_name: Default domain_name: Default
logging: logging:
@ -40,6 +38,9 @@ etcd:
{% endif %} {% endif %}
analyzer: analyzer:
auth:
api:
backend: keystone
listen: {{ api_interface_address | put_address_in_context('url') }}:{{ skydive_analyzer_port }} listen: {{ api_interface_address | put_address_in_context('url') }}:{{ skydive_analyzer_port }}
storage: storage:
backend: elasticsearch backend: elasticsearch

6
releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- Skydive's API and the web UI now rely on Keystone for
authentication. Only users in the Keystone project defined by
skydive_admin_tenant_name will be able to authenticate. See
`LP#1870903 <https://launchpad.net/bugs/1870903>` for more details.