auth: Add keystonev3 support

In order to integrate with Kolla and to support newer deployments that have only keystonev3 enabled, we leverage keystoneauth1. I want to thank Fawad for taking a stab at fixing this earlier. Depends-On: Ia56b22963f5a2130a722403a14ee1a233ac6cff9 Closes-bug: #1622302 Change-Id: Id57420ef94ea9bd71b6581c4cdc24697465a3445 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com> Co-authored-by: Liping Mao <limao@cisco.com>
2016-09-08 02:58:26 +02:00 · 2016-09-08 02:58:26 +02:00 · d1353b38ae
parent bd4ccb0e67
commit d1353b38ae
6 changed files with 65 additions and 82 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -39,6 +39,39 @@ function check_docker {
    fi
 }

+function create_kuryr_cache_dir {
+    # Create cache dir
+    sudo install -d -o "$STACK_USER" "$KURYR_AUTH_CACHE_DIR"
+    if [[ ! "$KURYR_AUTH_CACHE_DIR" == "" ]]; then
+        rm -f "$KURYR_AUTH_CACHE_DIR"/*
+    fi
+
+}
+
+function create_kuryr_account {
+    if is_service_enabled kuryr-libnetwork; then
+        create_service_user "kuryr"
+        get_or_create_service "kuryr-libnetwork" "kuryr-libnetwork" \
+        "Kuryr-Libnetwork Service"
+    fi
+}
+
+function configure_kuryr {
+    sudo install -d -o "$STACK_USER" "$KURYR_CONFIG_DIR"
+
+    (cd "$KURYR_HOME" && exec ./tools/generate_config_file_samples.sh)
+
+    cp "$KURYR_HOME/etc/kuryr.conf.sample" "$KURYR_CONFIG"
+
+    create_kuryr_cache_dir
+
+    # Neutron API server & Neutron plugin
+    if is_service_enabled kuryr-libnetwork; then
+        configure_auth_token_middleware "$KURYR_CONFIG" kuryr \
+        "$KURYR_AUTH_CACHE_DIR" neutron
+    fi
+}
+

 # main loop
 if is_service_enabled kuryr-libnetwork; then
@ -60,26 +93,9 @@ if is_service_enabled kuryr-libnetwork; then
             echo "Done"
        fi

-        if [[ ! -d "${KURYR_CONFIG_DIR}" ]]; then
-            echo -n "${KURYR_CONFIG_DIR} directory is missing. Creating it... "
-            sudo mkdir -p ${KURYR_CONFIG_DIR}
-            echo "Done"
-        fi

-        if [[ ! -f "${KURYR_CONFIG}" ]]; then
-            if [[ -f "${KURYR_DEFAULT_CONFIG}" ]]; then
-                echo -n "${KURYR_CONFIG} is missing. Copying the default one... "
-                sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
-                echo "Done"
-            else
-                echo -n "${KURYR_CONFIG} and the  default config missing. Auto generating and copying one... "
-                cd ${KURYR_HOME}
-                tools/generate_config_file_samples.sh
-                sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
-                sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
-                cd -
-            fi
-        fi
+        create_kuryr_account
+        configure_kuryr

        # Run etcd first
        run_process etcd-server "$DEST/etcd/etcd-$ETCD_VERSION-linux-amd64/etcd --data-dir $DEST/etcd/db.etcd --advertise-client-urls http://0.0.0.0:$KURYR_ETCD_PORT  --listen-client-urls http://0.0.0.0:$KURYR_ETCD_PORT"
@ -129,7 +145,7 @@ if is_service_enabled kuryr-libnetwork; then
        #               If Kuryr start up in "post-config" phase, there is no way to make sure
        #               Kuryr can start before neutron-server, so Kuryr start in "extra" phase.
        #               Bug: https://bugs.launchpad.net/kuryr/+bug/1587522
-        run_process kuryr-libnetwork "sudo PYTHONPATH=$PYTHONPATH:$DEST/kuryr SERVICE_USER=admin SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TENANT_NAME=admin SERVICE_TOKEN=$SERVICE_TOKEN IDENTITY_URL=http://127.0.0.1:5000/v2.0 python $DEST/kuryr-libnetwork/scripts/run_server.py  --config-file /etc/kuryr/kuryr.conf"
+        run_process kuryr-libnetwork "sudo PYTHONPATH=$PYTHONPATH:$DEST/kuryr python $DEST/kuryr-libnetwork/scripts/run_server.py  --config-file $KURYR_CONFIG"

        neutron subnetpool-create --default-prefixlen $KURYR_POOL_PREFIX_LEN --pool-prefix $KURYR_POOL_PREFIX kuryr

--- a/devstack/settings
+++ b/devstack/settings
@ -12,6 +12,7 @@ KURYR_CONFIG_FILENAME=kuryr.conf
 KURYR_DEFAULT_CONFIG=${KURYR_HOME}/etc/${KURYR_CONFIG_FILENAME}
 KURYR_CONFIG_DIR=${KURYR_CONFIG_DIR:-/etc/kuryr}
 KURYR_CONFIG=${KURYR_CONFIG_DIR}/${KURYR_CONFIG_FILENAME}
+KURYR_AUTH_CACHE_DIR=${KURYR_AUTH_CACHE_DIR:-/var/cache/kuryr}

 KURYR_POOL_PREFIX=${KURYR_POOL_PREFIX:-10.10.0.0/16}
 KURYR_POOL_PREFIX_LEN=${KURYR_POOL_PREFIX_LEN:-24}
--- a/kuryr_libnetwork/config.py
+++ b/kuryr_libnetwork/config.py
@ -49,9 +49,8 @@ CONF = cfg.CONF
 CONF.register_opts(core_opts)

 CONF.register_opts(lib_config.core_opts)
-CONF.register_opts(lib_config.neutron_opts, group='neutron_client')
-CONF.register_opts(lib_config.keystone_opts, group='keystone_client')
 CONF.register_opts(lib_config.binding_opts, 'binding')
+lib_config.register_neutron_opts(CONF)

 # Setting oslo.log options for logging.
 log.register_options(CONF)
--- a/kuryr_libnetwork/controllers.py
+++ b/kuryr_libnetwork/controllers.py
@ -18,7 +18,7 @@ import netaddr
 import time

 from neutronclient.common import exceptions as n_exceptions
-from neutronclient.neutron import client
+from neutronclient.v2_0 import client
 from oslo_concurrency import processutils
 from oslo_config import cfg
 from oslo_log import log
@ -39,16 +39,12 @@ LOG = log.getLogger(__name__)

 MANDATORY_NEUTRON_EXTENSION = "subnet_allocation"
 TAG_NEUTRON_EXTENSION = "tag"
-SUBNET_POOLS_V4 = [cfg.CONF.neutron_client.default_subnetpool_v4]
-SUBNET_POOLS_V6 = [cfg.CONF.neutron_client.default_subnetpool_v6]
+SUBNET_POOLS_V4 = [cfg.CONF.neutron.default_subnetpool_v4]
+SUBNET_POOLS_V6 = [cfg.CONF.neutron.default_subnetpool_v6]


-def _get_cloud_config(cloud='devstack-admin'):
-    return os_client_config.OpenStackConfig().get_one_cloud(cloud=cloud)
-
-
-def _credentials(cloud='devstack-admin'):
-    """Retrieves credentials to run functional tests
+def _get_cloud_config_auth_data(cloud='devstack-admin'):
+    """Retrieves Keystone auth data to run functional tests

    Credentials are either read via os-client-config from the environment
    or from a config file ('clouds.yaml'). Environment variables override
@ -59,20 +55,13 @@ def _credentials(cloud='devstack-admin'):
    has admin privs. This function will default to getting the devstack-admin
    cloud as that is the current expected behavior.
    """
-    return _get_cloud_config(cloud=cloud).get_auth_args()
+    cloud_config = os_client_config.OpenStackConfig().get_one_cloud(cloud)
+    return cloud_config.get_auth(), cloud_config.get_session()


 def _get_neutron_client_from_creds():
-    creds = _credentials()
-    username = creds['username']
-    tenant_name = creds['project_name']
-    password = creds['password']
-    auth_url = creds['auth_url'] + "/v2.0"
-    neutron_client = client.Client('2.0', username=username,
-                                   tenant_name=tenant_name,
-                                   password=password,
-                                   auth_url=auth_url)
-    return neutron_client
+    auth_plugin, session = _get_cloud_config_auth_data()
+    return client.Client(session=session, auth=auth_plugin)


 def get_neutron_client():
@ -83,40 +72,18 @@ def get_neutron_client():
        # Since this always use admin credentials, next patch will introduce
        # a config parameter that disable this for production environments
        neutron_client = _get_neutron_client_from_creds()
-        return neutron_client
    except Exception:
-            pass
-    cfg.CONF.import_group('neutron_client', 'kuryr_libnetwork.config')
-    cfg.CONF.import_group('keystone_client', 'kuryr_libnetwork.config')
+        neutron_client = lib_utils.get_neutron_client()

-    keystone_conf = cfg.CONF.keystone_client
-    username = keystone_conf.admin_user
-    tenant_name = keystone_conf.admin_tenant_name
-    password = keystone_conf.admin_password
-    auth_token = keystone_conf.admin_token
-    auth_uri = keystone_conf.auth_uri.rstrip('/')
-    ca_cert = keystone_conf.auth_ca_cert
-    insecure = keystone_conf.auth_insecure
-
-    neutron_uri = cfg.CONF.neutron_client.neutron_uri
-    if username and password:
-        # Authenticate with password crentials
-        neutron_client = lib_utils.get_neutron_client(
-            url=neutron_uri, username=username, tenant_name=tenant_name,
-            password=password, auth_url=auth_uri,
-            ca_cert=ca_cert, insecure=insecure)
-    else:
-        neutron_client = lib_utils.get_neutron_client_simple(
-            url=neutron_uri, auth_url=auth_uri, token=auth_token)
    return neutron_client


 def neutron_client():
    if not hasattr(app, 'neutron'):
        app.neutron = get_neutron_client()
-        app.enable_dhcp = cfg.CONF.neutron_client.enable_dhcp
-        app.vif_plug_is_fatal = cfg.CONF.neutron_client.vif_plugging_is_fatal
-        app.vif_plug_timeout = cfg.CONF.neutron_client.vif_plugging_timeout
+        app.enable_dhcp = cfg.CONF.neutron.enable_dhcp
+        app.vif_plug_is_fatal = cfg.CONF.neutron.vif_plugging_is_fatal
+        app.vif_plug_timeout = cfg.CONF.neutron.vif_plugging_timeout
        app.neutron.format = 'json'


--- a/kuryr_libnetwork/opts.py
+++ b/kuryr_libnetwork/opts.py
@ -19,7 +19,7 @@ import itertools

 from oslo_log import _options

-from kuryr.lib import config as lib_config
+from kuryr.lib import opts as lib_opts
 from kuryr_libnetwork import config


@ -30,9 +30,6 @@ _core_opts_with_logging += _options.generic_log_opts

 _kuryr_libnetwork_opts = [
    (None, list(itertools.chain(_core_opts_with_logging))),
-    ('neutron_client', lib_config.neutron_opts),
-    ('keystone_client', lib_config.keystone_opts),
-    ('binding', lib_config.binding_opts),
 ]


@ -53,4 +50,5 @@ def list_kuryr_libnetwork_opts():
    :returns: a list of (group_name, opts) tuples
    """

-    return [(k, copy.deepcopy(o)) for k, o in _kuryr_libnetwork_opts]
+    return ([(k, copy.deepcopy(o)) for k, o in _kuryr_libnetwork_opts] +
+            lib_opts.list_kuryr_opts())
--- a/kuryr_libnetwork/tests/unit/test_config.py
+++ b/kuryr_libnetwork/tests/unit/test_config.py
@ -36,23 +36,25 @@ class ConfigurationTest(base.TestKuryrBase):
        self.assertEqual('http://127.0.0.1:23750',
                         config.CONF.kuryr_uri)

-        self.assertEqual('http://127.0.0.1:9696',
-                         config.CONF.neutron_client.neutron_uri)
-
        self.assertEqual('kuryr',
-                         config.CONF.neutron_client.default_subnetpool_v4)
+                         config.CONF.neutron.default_subnetpool_v4)

        self.assertEqual('kuryr6',
-                         config.CONF.neutron_client.default_subnetpool_v6)
-
-        self.assertEqual('http://127.0.0.1:35357/v2.0',
-                         config.CONF.keystone_client.auth_uri)
+                         config.CONF.neutron.default_subnetpool_v6)

    @mock.patch.object(sys, 'argv', return_value='[]')
+    @mock.patch('kuryr_libnetwork.controllers.check_for_neutron_ext_tag')
+    @mock.patch('kuryr_libnetwork.controllers.check_for_neutron_ext_support')
+    @mock.patch('kuryr_libnetwork.controllers.neutron_client')
    @mock.patch('kuryr_libnetwork.app.run')
-    def test_start(self, mock_run, mock_sys_argv):
+    def test_start(self, mock_run, mock_neutron_client,
+                   mock_check_neutron_ext_support, mock_check_neutron_ext_tag,
+                   mock_sys_argv):
        start()
        kuryr_uri = parse.urlparse(config.CONF.kuryr_uri)
+        mock_neutron_client.assert_called_once()
+        mock_check_neutron_ext_support.assert_called_once()
+        mock_check_neutron_ext_tag.assert_called_once()
        mock_run.assert_called_once_with(kuryr_uri.hostname, 23750)

    def test_check_for_neutron_ext_support_with_ex(self):