auth: Add keystonev3 support
In order to integrate with Kolla and to support newer deployments that have only keystonev3 enabled, we leverage keystoneauth1. I want to thank Fawad for taking a stab at fixing this earlier. Depends-On: Ia56b22963f5a2130a722403a14ee1a233ac6cff9 Closes-bug: #1622302 Change-Id: Id57420ef94ea9bd71b6581c4cdc24697465a3445 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com> Co-authored-by: Liping Mao <limao@cisco.com>
parent
bd4ccb0e67
commit
d1353b38ae
|
@ -39,6 +39,39 @@ function check_docker {
|
|||
fi
|
||||
}
|
||||
|
||||
function create_kuryr_cache_dir {
|
||||
# Create cache dir
|
||||
sudo install -d -o "$STACK_USER" "$KURYR_AUTH_CACHE_DIR"
|
||||
if [[ ! "$KURYR_AUTH_CACHE_DIR" == "" ]]; then
|
||||
rm -f "$KURYR_AUTH_CACHE_DIR"/*
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
function create_kuryr_account {
|
||||
if is_service_enabled kuryr-libnetwork; then
|
||||
create_service_user "kuryr"
|
||||
get_or_create_service "kuryr-libnetwork" "kuryr-libnetwork" \
|
||||
"Kuryr-Libnetwork Service"
|
||||
fi
|
||||
}
|
||||
|
||||
function configure_kuryr {
|
||||
sudo install -d -o "$STACK_USER" "$KURYR_CONFIG_DIR"
|
||||
|
||||
(cd "$KURYR_HOME" && exec ./tools/generate_config_file_samples.sh)
|
||||
|
||||
cp "$KURYR_HOME/etc/kuryr.conf.sample" "$KURYR_CONFIG"
|
||||
|
||||
create_kuryr_cache_dir
|
||||
|
||||
# Neutron API server & Neutron plugin
|
||||
if is_service_enabled kuryr-libnetwork; then
|
||||
configure_auth_token_middleware "$KURYR_CONFIG" kuryr \
|
||||
"$KURYR_AUTH_CACHE_DIR" neutron
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# main loop
|
||||
if is_service_enabled kuryr-libnetwork; then
|
||||
|
@ -60,26 +93,9 @@ if is_service_enabled kuryr-libnetwork; then
|
|||
echo "Done"
|
||||
fi
|
||||
|
||||
if [[ ! -d "${KURYR_CONFIG_DIR}" ]]; then
|
||||
echo -n "${KURYR_CONFIG_DIR} directory is missing. Creating it... "
|
||||
sudo mkdir -p ${KURYR_CONFIG_DIR}
|
||||
echo "Done"
|
||||
fi
|
||||
|
||||
if [[ ! -f "${KURYR_CONFIG}" ]]; then
|
||||
if [[ -f "${KURYR_DEFAULT_CONFIG}" ]]; then
|
||||
echo -n "${KURYR_CONFIG} is missing. Copying the default one... "
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
|
||||
echo "Done"
|
||||
else
|
||||
echo -n "${KURYR_CONFIG} and the default config missing. Auto generating and copying one... "
|
||||
cd ${KURYR_HOME}
|
||||
tools/generate_config_file_samples.sh
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
|
||||
cd -
|
||||
fi
|
||||
fi
|
||||
create_kuryr_account
|
||||
configure_kuryr
|
||||
|
||||
# Run etcd first
|
||||
run_process etcd-server "$DEST/etcd/etcd-$ETCD_VERSION-linux-amd64/etcd --data-dir $DEST/etcd/db.etcd --advertise-client-urls http://0.0.0.0:$KURYR_ETCD_PORT --listen-client-urls http://0.0.0.0:$KURYR_ETCD_PORT"
|
||||
|
@ -129,7 +145,7 @@ if is_service_enabled kuryr-libnetwork; then
|
|||
# If Kuryr start up in "post-config" phase, there is no way to make sure
|
||||
# Kuryr can start before neutron-server, so Kuryr start in "extra" phase.
|
||||
# Bug: https://bugs.launchpad.net/kuryr/+bug/1587522
|
||||
run_process kuryr-libnetwork "sudo PYTHONPATH=$PYTHONPATH:$DEST/kuryr SERVICE_USER=admin SERVICE_PASSWORD=$SERVICE_PASSWORD SERVICE_TENANT_NAME=admin SERVICE_TOKEN=$SERVICE_TOKEN IDENTITY_URL=http://127.0.0.1:5000/v2.0 python $DEST/kuryr-libnetwork/scripts/run_server.py --config-file /etc/kuryr/kuryr.conf"
|
||||
run_process kuryr-libnetwork "sudo PYTHONPATH=$PYTHONPATH:$DEST/kuryr python $DEST/kuryr-libnetwork/scripts/run_server.py --config-file $KURYR_CONFIG"
|
||||
|
||||
neutron subnetpool-create --default-prefixlen $KURYR_POOL_PREFIX_LEN --pool-prefix $KURYR_POOL_PREFIX kuryr
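Review bot: In `create_kuryr_cache_dir`, the empty-string guard on `$KURYR_AUTH_CACHE_DIR` runs only after `sudo install -d` has already used the variable, and the directory is created without an explicit mode, so a directory meant to cache auth data gets default permissions. I would move the guard to the top of the function and create the directory as `sudo install -d -m 0700 -o "$STACK_USER" "$KURYR_AUTH_CACHE_DIR"`. A related point in `configure_kuryr`: `cp "$KURYR_HOME/etc/kuryr.conf.sample" "$KURYR_CONFIG"` creates the file under the caller's umask, and `configure_auth_token_middleware` presumably writes the service user's password into it (its body is not part of this diff), so the file mode should be restricted to the account that runs the service.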
|
||||
|
||||
|
|
|
@ -12,6 +12,7 @@ KURYR_CONFIG_FILENAME=kuryr.conf
|
|||
KURYR_DEFAULT_CONFIG=${KURYR_HOME}/etc/${KURYR_CONFIG_FILENAME}
|
||||
KURYR_CONFIG_DIR=${KURYR_CONFIG_DIR:-/etc/kuryr}
|
||||
KURYR_CONFIG=${KURYR_CONFIG_DIR}/${KURYR_CONFIG_FILENAME}
|
||||
KURYR_AUTH_CACHE_DIR=${KURYR_AUTH_CACHE_DIR:-/var/cache/kuryr}
|
||||
|
||||
KURYR_POOL_PREFIX=${KURYR_POOL_PREFIX:-10.10.0.0/16}
|
||||
KURYR_POOL_PREFIX_LEN=${KURYR_POOL_PREFIX_LEN:-24}
|
||||
|
|
|
@ -49,9 +49,8 @@ CONF = cfg.CONF
|
|||
CONF.register_opts(core_opts)
|
||||
|
||||
CONF.register_opts(lib_config.core_opts)
|
||||
CONF.register_opts(lib_config.neutron_opts, group='neutron_client')
|
||||
CONF.register_opts(lib_config.keystone_opts, group='keystone_client')
|
||||
CONF.register_opts(lib_config.binding_opts, 'binding')
|
||||
lib_config.register_neutron_opts(CONF)
|
||||
|
||||
# Setting oslo.log options for logging.
|
||||
log.register_options(CONF)
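Review bot: Replacing the `neutron_client` and `keystone_client` registrations with `lib_config.register_neutron_opts(CONF)` means an existing kuryr.conf that still carries `[keystone_client]` settings such as `admin_password` or `admin_token` is no longer read, and nothing visible here warns the operator. Unless kuryr.lib declares the old groups as deprecated aliases (not visible in this diff), the service will resolve auth from the new group only while the stale credentials stay on disk. I would add a comment above the call, e.g. `# Auth now comes from the [neutron] group via keystoneauth1; [keystone_client] and [neutron_client] are no longer read.`, and call out the migration in the release notes.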
|
||||
|
|
|
@ -18,7 +18,7 @@ import netaddr
|
|||
import time
|
||||
|
||||
from neutronclient.common import exceptions as n_exceptions
|
||||
from neutronclient.neutron import client
|
||||
from neutronclient.v2_0 import client
|
||||
from oslo_concurrency import processutils
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
|
@ -39,16 +39,12 @@ LOG = log.getLogger(__name__)
|
|||
|
||||
MANDATORY_NEUTRON_EXTENSION = "subnet_allocation"
|
||||
TAG_NEUTRON_EXTENSION = "tag"
|
||||
SUBNET_POOLS_V4 = [cfg.CONF.neutron_client.default_subnetpool_v4]
|
||||
SUBNET_POOLS_V6 = [cfg.CONF.neutron_client.default_subnetpool_v6]
|
||||
SUBNET_POOLS_V4 = [cfg.CONF.neutron.default_subnetpool_v4]
|
||||
SUBNET_POOLS_V6 = [cfg.CONF.neutron.default_subnetpool_v6]
|
||||
|
||||
|
||||
def _get_cloud_config(cloud='devstack-admin'):
|
||||
return os_client_config.OpenStackConfig().get_one_cloud(cloud=cloud)
|
||||
|
||||
|
||||
def _credentials(cloud='devstack-admin'):
|
||||
"""Retrieves credentials to run functional tests
|
||||
def _get_cloud_config_auth_data(cloud='devstack-admin'):
|
||||
"""Retrieves Keystone auth data to run functional tests
|
||||
|
||||
Credentials are either read via os-client-config from the environment
|
||||
or from a config file ('clouds.yaml'). Environment variables override
|
||||
|
@ -59,20 +55,13 @@ def _credentials(cloud='devstack-admin'):
|
|||
has admin privs. This function will default to getting the devstack-admin
|
||||
cloud as that is the current expected behavior.
|
||||
"""
|
||||
return _get_cloud_config(cloud=cloud).get_auth_args()
|
||||
cloud_config = os_client_config.OpenStackConfig().get_one_cloud(cloud)
|
||||
return cloud_config.get_auth(), cloud_config.get_session()
|
||||
|
||||
|
||||
def _get_neutron_client_from_creds():
|
||||
creds = _credentials()
|
||||
username = creds['username']
|
||||
tenant_name = creds['project_name']
|
||||
password = creds['password']
|
||||
auth_url = creds['auth_url'] + "/v2.0"
|
||||
neutron_client = client.Client('2.0', username=username,
|
||||
tenant_name=tenant_name,
|
||||
password=password,
|
||||
auth_url=auth_url)
|
||||
return neutron_client
|
||||
auth_plugin, session = _get_cloud_config_auth_data()
|
||||
return client.Client(session=session, auth=auth_plugin)
|
||||
|
||||
|
||||
def get_neutron_client():
|
||||
|
@ -83,40 +72,18 @@ def get_neutron_client():
|
|||
# Since this always use admin credentials, next patch will introduce
|
||||
# a config parameter that disable this for production environments
|
||||
neutron_client = _get_neutron_client_from_creds()
|
||||
return neutron_client
|
||||
except Exception:
|
||||
pass
|
||||
cfg.CONF.import_group('neutron_client', 'kuryr_libnetwork.config')
|
||||
cfg.CONF.import_group('keystone_client', 'kuryr_libnetwork.config')
|
||||
neutron_client = lib_utils.get_neutron_client()
|
||||
|
||||
keystone_conf = cfg.CONF.keystone_client
|
||||
username = keystone_conf.admin_user
|
||||
tenant_name = keystone_conf.admin_tenant_name
|
||||
password = keystone_conf.admin_password
|
||||
auth_token = keystone_conf.admin_token
|
||||
auth_uri = keystone_conf.auth_uri.rstrip('/')
|
||||
ca_cert = keystone_conf.auth_ca_cert
|
||||
insecure = keystone_conf.auth_insecure
|
||||
|
||||
neutron_uri = cfg.CONF.neutron_client.neutron_uri
|
||||
if username and password:
|
||||
# Authenticate with password crentials
|
||||
neutron_client = lib_utils.get_neutron_client(
|
||||
url=neutron_uri, username=username, tenant_name=tenant_name,
|
||||
password=password, auth_url=auth_uri,
|
||||
ca_cert=ca_cert, insecure=insecure)
|
||||
else:
|
||||
neutron_client = lib_utils.get_neutron_client_simple(
|
||||
url=neutron_uri, auth_url=auth_uri, token=auth_token)
|
||||
return neutron_client
|
||||
|
||||
|
||||
def neutron_client():
|
||||
if not hasattr(app, 'neutron'):
|
||||
app.neutron = get_neutron_client()
|
||||
app.enable_dhcp = cfg.CONF.neutron_client.enable_dhcp
|
||||
app.vif_plug_is_fatal = cfg.CONF.neutron_client.vif_plugging_is_fatal
|
||||
app.vif_plug_timeout = cfg.CONF.neutron_client.vif_plugging_timeout
|
||||
app.enable_dhcp = cfg.CONF.neutron.enable_dhcp
|
||||
app.vif_plug_is_fatal = cfg.CONF.neutron.vif_plugging_is_fatal
|
||||
app.vif_plug_timeout = cfg.CONF.neutron.vif_plugging_timeout
|
||||
app.neutron.format = 'json'
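Review bot: `get_neutron_client()` still tries `_get_neutron_client_from_creds()` first and swallows every failure with `except Exception: pass`. The service therefore prefers the `devstack-admin` cloud from the environment or clouds.yaml whenever one resolves, and an operator cannot tell from the logs which identity ended up in use. The in-code comment defers the production switch to a later patch; until then I would at least record the fallback by replacing `pass` with `LOG.debug("devstack-admin cloud config unavailable, using [neutron] auth", exc_info=True)`, and narrow the exception type if os-client-config exposes a suitable one. The opening `try:` of this function falls between two hunks and is not visible here.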
|
||||
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ import itertools
|
|||
|
||||
from oslo_log import _options
|
||||
|
||||
from kuryr.lib import config as lib_config
|
||||
from kuryr.lib import opts as lib_opts
|
||||
from kuryr_libnetwork import config
|
||||
|
||||
|
||||
|
@ -30,9 +30,6 @@ _core_opts_with_logging += _options.generic_log_opts
|
|||
|
||||
_kuryr_libnetwork_opts = [
|
||||
(None, list(itertools.chain(_core_opts_with_logging))),
|
||||
('neutron_client', lib_config.neutron_opts),
|
||||
('keystone_client', lib_config.keystone_opts),
|
||||
('binding', lib_config.binding_opts),
|
||||
]
|
||||
|
||||
|
||||
|
@ -53,4 +50,5 @@ def list_kuryr_libnetwork_opts():
|
|||
:returns: a list of (group_name, opts) tuples
|
||||
"""
|
||||
|
||||
return [(k, copy.deepcopy(o)) for k, o in _kuryr_libnetwork_opts]
|
||||
return ([(k, copy.deepcopy(o)) for k, o in _kuryr_libnetwork_opts] +
|
||||
lib_opts.list_kuryr_opts())
|
||||
|
|
|
@ -36,23 +36,25 @@ class ConfigurationTest(base.TestKuryrBase):
|
|||
self.assertEqual('http://127.0.0.1:23750',
|
||||
config.CONF.kuryr_uri)
|
||||
|
||||
self.assertEqual('http://127.0.0.1:9696',
|
||||
config.CONF.neutron_client.neutron_uri)
|
||||
|
||||
self.assertEqual('kuryr',
|
||||
config.CONF.neutron_client.default_subnetpool_v4)
|
||||
config.CONF.neutron.default_subnetpool_v4)
|
||||
|
||||
self.assertEqual('kuryr6',
|
||||
config.CONF.neutron_client.default_subnetpool_v6)
|
||||
|
||||
self.assertEqual('http://127.0.0.1:35357/v2.0',
|
||||
config.CONF.keystone_client.auth_uri)
|
||||
config.CONF.neutron.default_subnetpool_v6)
|
||||
|
||||
@mock.patch.object(sys, 'argv', return_value='[]')
|
||||
@mock.patch('kuryr_libnetwork.controllers.check_for_neutron_ext_tag')
|
||||
@mock.patch('kuryr_libnetwork.controllers.check_for_neutron_ext_support')
|
||||
@mock.patch('kuryr_libnetwork.controllers.neutron_client')
|
||||
@mock.patch('kuryr_libnetwork.app.run')
|
||||
def test_start(self, mock_run, mock_sys_argv):
|
||||
def test_start(self, mock_run, mock_neutron_client,
|
||||
mock_check_neutron_ext_support, mock_check_neutron_ext_tag,
|
||||
mock_sys_argv):
|
||||
start()
|
||||
kuryr_uri = parse.urlparse(config.CONF.kuryr_uri)
|
||||
mock_neutron_client.assert_called_once()
|
||||
mock_check_neutron_ext_support.assert_called_once()
|
||||
mock_check_neutron_ext_tag.assert_called_once()
|
||||
mock_run.assert_called_once_with(kuryr_uri.hostname, 23750)
|
||||
|
||||
def test_check_for_neutron_ext_support_with_ex(self):
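Review bot: The new `mock_neutron_client.assert_called_once()` checks in `test_start` depend on the installed mock release: on versions that predate that method, the attribute is auto-created on the mock and the call passes without asserting anything. These three checks are what show that `start()` set up the Neutron client and ran both extension checks, so I would write them as `self.assertEqual(1, mock_neutron_client.call_count)`, and likewise for the two `check_for_neutron_ext_*` mocks. The hunk also appears to drop the `keystone_client.auth_uri` assertion without adding one for the new `[neutron]` auth defaults, so the configuration test would no longer cover any auth option.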
|
||||
|
|