Merge "Centralize config option: keystone_auth section"

magnum/api/hooks.py

@@ -12,16 +12,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-
-from oslo_config import cfg
 from pecan import hooks
 
 from magnum.common import context
 from magnum.conductor import api as conductor_api
+import magnum.conf
 
-CONF = cfg.CONF
-CONF.import_opt('auth_uri', 'keystonemiddleware.auth_token',
-                group='keystone_authtoken')
+CONF = magnum.conf.CONF
 
 
 class ContextHook(hooks.PecanHook):
@@ -105,7 +102,7 @@ class NoExceptionTracebackHook(hooks.PecanHook):
         json_body = state.response.json
         # Do not remove traceback when server in debug mode (except 'Server'
         # errors when 'debuginfo' will be used for traces).
-        if cfg.CONF.debug and json_body.get('faultcode') != 'Server':
+        if CONF.debug and json_body.get('faultcode') != 'Server':
             return
 
         faultsting = json_body.get('faultstring')

magnum/common/keystone.py

@@ -17,39 +17,18 @@ from keystoneauth1.identity import v3 as ka_v3
 from keystoneauth1 import loading as ka_loading
 import keystoneclient.exceptions as kc_exception
 from keystoneclient.v3 import client as kc_v3
-from oslo_config import cfg
 from oslo_log import log as logging
 
 from magnum.common import exception
 import magnum.conf
+from magnum.conf import keystone as ksconf
 from magnum.i18n import _
 from magnum.i18n import _LE
 from magnum.i18n import _LW
 
 CONF = magnum.conf.CONF
-CFG_GROUP = 'keystone_auth'
-CFG_LEGACY_GROUP = 'keystone_authtoken'
 LOG = logging.getLogger(__name__)
 
-legacy_session_opts = {
-    'certfile': [cfg.DeprecatedOpt('certfile', CFG_LEGACY_GROUP)],
-    'keyfile': [cfg.DeprecatedOpt('keyfile', CFG_LEGACY_GROUP)],
-    'cafile': [cfg.DeprecatedOpt('cafile', CFG_LEGACY_GROUP)],
-    'insecure': [cfg.DeprecatedOpt('insecure', CFG_LEGACY_GROUP)],
-    'timeout': [cfg.DeprecatedOpt('timeout', CFG_LEGACY_GROUP)],
-}
-
-keystone_auth_opts = (ka_loading.get_auth_common_conf_options() +
-                      ka_loading.get_auth_plugin_conf_options('password'))
-
-# FIXME(pauloewerton): remove import of authtoken group and legacy options
-# after deprecation period
-CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')
-ka_loading.register_auth_conf_options(CONF, CFG_GROUP)
-ka_loading.register_session_conf_options(CONF, CFG_GROUP,
-                                         deprecated_opts=legacy_session_opts)
-CONF.set_default('auth_type', default='password', group=CFG_GROUP)
-
 
 class KeystoneClientV3(object):
     """Keystone client wrapper so we can encapsulate logic in one place."""
@@ -67,7 +46,7 @@ class KeystoneClientV3(object):
     def auth_url(self):
         # FIXME(pauloewerton): auth_url should be retrieved from keystone_auth
         # section by default
-        return CONF[CFG_LEGACY_GROUP].auth_uri.replace('v2.0', 'v3')
+        return CONF[ksconf.CFG_LEGACY_GROUP].auth_uri.replace('v2.0', 'v3')
 
     @property
     def auth_token(self):
@@ -84,13 +63,14 @@ class KeystoneClientV3(object):
 
     def _get_session(self, auth):
         session = ka_loading.load_session_from_conf_options(
-            CONF, CFG_GROUP, auth=auth)
+            CONF, ksconf.CFG_GROUP, auth=auth)
         return session
 
     def _get_auth(self):
         if self.context.is_admin:
             try:
-                auth = ka_loading.load_auth_from_conf_options(CONF, CFG_GROUP)
+                auth = ka_loading.load_auth_from_conf_options(
+                    CONF, ksconf.CFG_GROUP)
             except ka_exception.MissingRequiredOptions:
                 auth = self._get_legacy_auth()
         elif self.context.auth_token_info:
@@ -123,10 +103,10 @@ class KeystoneClientV3(object):
         LOG.warning(_LW('Auth plugin and its options for service user '
                         'must be provided in [%(new)s] section. '
                         'Using values from [%(old)s] section is '
-                        'deprecated.') % {'new': CFG_GROUP,
-                                          'old': CFG_LEGACY_GROUP})
+                        'deprecated.') % {'new': ksconf.CFG_GROUP,
+                                          'old': ksconf.CFG_LEGACY_GROUP})
 
-        conf = getattr(CONF, CFG_LEGACY_GROUP)
+        conf = getattr(CONF, ksconf.CFG_LEGACY_GROUP)
 
         # FIXME(htruta, pauloewerton): Conductor layer does not have
         # new v3 variables, such as project_name and project_domain_id.
@@ -178,10 +158,10 @@ class KeystoneClientV3(object):
         if not self._domain_admin_session:
             session = ka_loading.session.Session().load_from_options(
                 auth=self.domain_admin_auth,
-                insecure=CONF[CFG_LEGACY_GROUP].insecure,
-                cacert=CONF[CFG_LEGACY_GROUP].cafile,
-                key=CONF[CFG_LEGACY_GROUP].keyfile,
-                cert=CONF[CFG_LEGACY_GROUP].certfile)
+                insecure=CONF[ksconf.CFG_LEGACY_GROUP].insecure,
+                cacert=CONF[ksconf.CFG_LEGACY_GROUP].cafile,
+                key=CONF[ksconf.CFG_LEGACY_GROUP].keyfile,
+                cert=CONF[ksconf.CFG_LEGACY_GROUP].certfile)
             self._domain_admin_session = session
         return self._domain_admin_session
 
@@ -249,10 +229,10 @@ class KeystoneClientV3(object):
 
             sess = ka_loading.session.Session().load_from_options(
                 auth=auth,
-                insecure=CONF[CFG_LEGACY_GROUP].insecure,
-                cacert=CONF[CFG_LEGACY_GROUP].cafile,
-                key=CONF[CFG_LEGACY_GROUP].keyfile,
-                cert=CONF[CFG_LEGACY_GROUP].certfile)
+                insecure=CONF[ksconf.CFG_LEGACY_GROUP].insecure,
+                cacert=CONF[ksconf.CFG_LEGACY_GROUP].cafile,
+                key=CONF[ksconf.CFG_LEGACY_GROUP].keyfile,
+                cert=CONF[ksconf.CFG_LEGACY_GROUP].certfile)
             client = kc_v3.Client(session=sess)
         try:
             client.trusts.delete(cluster.trust_id)

magnum/conf/__init__.py

@@ -27,7 +27,7 @@ from magnum.conf import database
 from magnum.conf import docker
 from magnum.conf import glance
 from magnum.conf import heat
-# from magnum.conf import keystone
+from magnum.conf import keystone
 from magnum.conf import magnum_client
 from magnum.conf import neutron
 from magnum.conf import nova
@@ -52,7 +52,7 @@ database.register_opts(CONF)
 docker.register_opts(CONF)
 glance.register_opts(CONF)
 heat.register_opts(CONF)
-# keystone.register_opts(CONF)
+keystone.register_opts(CONF)
 magnum_client.register_opts(CONF)
 neutron.register_opts(CONF)
 nova.register_opts(CONF)

magnum/conf/keystone.py

@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from keystoneauth1 import loading as ka_loading
+from oslo_config import cfg
+
+CFG_GROUP = 'keystone_auth'
+CFG_LEGACY_GROUP = 'keystone_authtoken'
+
+legacy_session_opts = {
+    'certfile': [cfg.DeprecatedOpt('certfile', CFG_LEGACY_GROUP)],
+    'keyfile': [cfg.DeprecatedOpt('keyfile', CFG_LEGACY_GROUP)],
+    'cafile': [cfg.DeprecatedOpt('cafile', CFG_LEGACY_GROUP)],
+    'insecure': [cfg.DeprecatedOpt('insecure', CFG_LEGACY_GROUP)],
+    'timeout': [cfg.DeprecatedOpt('timeout', CFG_LEGACY_GROUP)],
+}
+
+keystone_auth_group = cfg.OptGroup(name=CFG_GROUP,
+                                   title='Options for Keystone in Magnum')
+
+
+def register_opts(conf):
+    # FIXME(pauloewerton): remove import of authtoken group and legacy options
+    # after deprecation period
+    conf.import_group(CFG_LEGACY_GROUP, 'keystonemiddleware.auth_token')
+    ka_loading.register_auth_conf_options(conf, CFG_GROUP)
+    ka_loading.register_session_conf_options(
+        conf, CFG_GROUP, deprecated_opts=legacy_session_opts)
+    conf.set_default('auth_type', default='password', group=CFG_GROUP)
+
+
+def list_opts():
+    keystone_auth_opts = (ka_loading.get_auth_common_conf_options() +
+                          ka_loading.get_auth_plugin_conf_options('password'))
+    return {
+        keystone_auth_group: keystone_auth_opts
+    }

magnum/opts.py

@@ -13,16 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import magnum.common.exception
 import magnum.common.x509.config
-import magnum.db
 import magnum.drivers.common.template_def
 
 
 def list_opts():
     return [
         ('x509', magnum.common.x509.config.x509_opts),
-        ('keystone_auth', magnum.common.keystone.keystone_auth_opts),
         ('docker_registry',
          magnum.drivers.common.template_def.docker_registry_opts)
     ]

magnum/tests/unit/common/test_keystone.py

@@ -20,6 +20,7 @@ import keystoneclient.exceptions as kc_exception
 from magnum.common import exception
 from magnum.common import keystone
 import magnum.conf
+from magnum.conf import keystone as ksconf
 from magnum.tests import base
 from magnum.tests import utils
 
@@ -40,19 +41,19 @@ class KeystoneClientTest(base.TestCase):
         plugin = keystone.ka_loading.get_plugin_loader('password')
         opts = keystone.ka_loading.get_auth_plugin_conf_options(plugin)
         cfg_fixture = self.useFixture(fixture.Config())
-        cfg_fixture.register_opts(opts, group=keystone.CFG_GROUP)
+        cfg_fixture.register_opts(opts, group=ksconf.CFG_GROUP)
         self.config(auth_type='password',
                     auth_url=dummy_url,
                     username='fake_user',
                     password='fake_pass',
                     project_name='fake_project',
-                    group=keystone.CFG_GROUP)
+                    group=ksconf.CFG_GROUP)
 
         self.config(auth_uri=dummy_url,
                     admin_user='magnum',
                     admin_password='varybadpass',
                     admin_tenant_name='service',
-                    group=keystone.CFG_LEGACY_GROUP)
+                    group=ksconf.CFG_LEGACY_GROUP)
 
     def test_client_with_password(self, mock_ks):
         self.ctx.is_admin = True