diff --git a/magnum/api/hooks.py b/magnum/api/hooks.py index ca907ef2f0..aff26d701b 100644 --- a/magnum/api/hooks.py +++ b/magnum/api/hooks.py @@ -12,16 +12,13 @@ # License for the specific language governing permissions and limitations # under the License. - -from oslo_config import cfg from pecan import hooks from magnum.common import context from magnum.conductor import api as conductor_api +import magnum.conf -CONF = cfg.CONF -CONF.import_opt('auth_uri', 'keystonemiddleware.auth_token', - group='keystone_authtoken') +CONF = magnum.conf.CONF class ContextHook(hooks.PecanHook): @@ -105,7 +102,7 @@ class NoExceptionTracebackHook(hooks.PecanHook): json_body = state.response.json # Do not remove traceback when server in debug mode (except 'Server' # errors when 'debuginfo' will be used for traces). - if cfg.CONF.debug and json_body.get('faultcode') != 'Server': + if CONF.debug and json_body.get('faultcode') != 'Server': return faultsting = json_body.get('faultstring') diff --git a/magnum/common/keystone.py b/magnum/common/keystone.py index f52cc01f1a..be397f03ec 100644 --- a/magnum/common/keystone.py +++ b/magnum/common/keystone.py 
@@ -17,39 +17,18 @@ from keystoneauth1.identity import v3 as ka_v3 from keystoneauth1 import loading as ka_loading import keystoneclient.exceptions as kc_exception from keystoneclient.v3 import client as kc_v3 -from oslo_config import cfg from oslo_log import log as logging from magnum.common import exception import magnum.conf +from magnum.conf import keystone as ksconf from magnum.i18n import _ from magnum.i18n import _LE from magnum.i18n import _LW CONF = magnum.conf.CONF -CFG_GROUP = 'keystone_auth' -CFG_LEGACY_GROUP = 'keystone_authtoken' LOG = logging.getLogger(__name__) -legacy_session_opts = { - 'certfile': [cfg.DeprecatedOpt('certfile', CFG_LEGACY_GROUP)], - 'keyfile': [cfg.DeprecatedOpt('keyfile', CFG_LEGACY_GROUP)], - 'cafile': [cfg.DeprecatedOpt('cafile', CFG_LEGACY_GROUP)], - 'insecure': [cfg.DeprecatedOpt('insecure', CFG_LEGACY_GROUP)], - 'timeout': [cfg.DeprecatedOpt('timeout', CFG_LEGACY_GROUP)], -} - -keystone_auth_opts = (ka_loading.get_auth_common_conf_options() + - ka_loading.get_auth_plugin_conf_options('password')) - -# FIXME(pauloewerton): remove import of authtoken group and legacy options -# after deprecation period -CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token') -ka_loading.register_auth_conf_options(CONF, CFG_GROUP) -ka_loading.register_session_conf_options(CONF, CFG_GROUP, - deprecated_opts=legacy_session_opts) -CONF.set_default('auth_type', default='password', group=CFG_GROUP) - class KeystoneClientV3(object): """Keystone client wrapper so we can encapsulate logic in one place.""" @@ -67,7 +46,7 @@ class KeystoneClientV3(object): def auth_url(self): # FIXME(pauloewerton): auth_url should be retrieved from keystone_auth # section by default - return CONF[CFG_LEGACY_GROUP].auth_uri.replace('v2.0', 'v3') + return CONF[ksconf.CFG_LEGACY_GROUP].auth_uri.replace('v2.0', 'v3') @property def auth_token(self): 
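Review bot: `auth_url` in the `-67,7 +46,7` hunk calls `.replace('v2.0', 'v3')` directly on `CONF[ksconf.CFG_LEGACY_GROUP].auth_uri`, so if `auth_uri` is left unset in `[keystone_authtoken]` (presumably None) the property fails with an AttributeError instead of a clear configuration error. The substitution also rewrites any `v2.0` substring in the URL, not only the version path segment. Reading the value into a local and guarding it before the return, `if not auth_uri: raise ...` with the project's configuration exception, would make the failure explicit. The `@property` decorator for this method sits above the hunk.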
@@ -84,13 +63,14 @@ class KeystoneClientV3(object): def _get_session(self, auth): session = ka_loading.load_session_from_conf_options( - CONF, CFG_GROUP, auth=auth) + CONF, ksconf.CFG_GROUP, auth=auth) return session def _get_auth(self): if self.context.is_admin: try: - auth = ka_loading.load_auth_from_conf_options(CONF, CFG_GROUP) + auth = ka_loading.load_auth_from_conf_options( + CONF, ksconf.CFG_GROUP) except ka_exception.MissingRequiredOptions: auth = self._get_legacy_auth() elif self.context.auth_token_info: @@ -123,10 +103,10 @@ class KeystoneClientV3(object): LOG.warning(_LW('Auth plugin and its options for service user ' 'must be provided in [%(new)s] section. ' 'Using values from [%(old)s] section is ' - 'deprecated.') % {'new': CFG_GROUP, - 'old': CFG_LEGACY_GROUP}) + 'deprecated.') % {'new': ksconf.CFG_GROUP, + 'old': ksconf.CFG_LEGACY_GROUP}) - conf = getattr(CONF, CFG_LEGACY_GROUP) + conf = getattr(CONF, ksconf.CFG_LEGACY_GROUP) # FIXME(htruta, pauloewerton): Conductor layer does not have # new v3 variables, such as project_name and project_domain_id. @@ -178,10 +158,10 @@ class KeystoneClientV3(object): if not self._domain_admin_session: session = ka_loading.session.Session().load_from_options( auth=self.domain_admin_auth, - insecure=CONF[CFG_LEGACY_GROUP].insecure, - cacert=CONF[CFG_LEGACY_GROUP].cafile, - key=CONF[CFG_LEGACY_GROUP].keyfile, - cert=CONF[CFG_LEGACY_GROUP].certfile) + insecure=CONF[ksconf.CFG_LEGACY_GROUP].insecure, + cacert=CONF[ksconf.CFG_LEGACY_GROUP].cafile, + key=CONF[ksconf.CFG_LEGACY_GROUP].keyfile, + cert=CONF[ksconf.CFG_LEGACY_GROUP].certfile) self._domain_admin_session = session return self._domain_admin_session 
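Review bot: The domain-admin session in the `-178,10 +158,10` hunk still reads `insecure`, `cafile`, `keyfile` and `certfile` straight from `[keystone_authtoken]` via `CONF[ksconf.CFG_LEGACY_GROUP]`, while `_get_session` in the `-84,13 +63,14` hunk loads the same settings from `[keystone_auth]` with the legacy names only as deprecated fallbacks. An operator who moves `cafile` or `insecure` to the new section would have that TLS choice applied to one session but not to the one carrying domain-admin credentials. Building it the same way, `session = ka_loading.load_session_from_conf_options(CONF, ksconf.CFG_GROUP, auth=self.domain_admin_auth)`, would keep the two paths consistent. The trust-deletion session in the `-249,10 +229,10` hunk has the same pattern, and both enclosing methods start outside their hunks.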
@@ -249,10 +229,10 @@ class KeystoneClientV3(object): sess = ka_loading.session.Session().load_from_options( auth=auth, - insecure=CONF[CFG_LEGACY_GROUP].insecure, - cacert=CONF[CFG_LEGACY_GROUP].cafile, - key=CONF[CFG_LEGACY_GROUP].keyfile, - cert=CONF[CFG_LEGACY_GROUP].certfile) + insecure=CONF[ksconf.CFG_LEGACY_GROUP].insecure, + cacert=CONF[ksconf.CFG_LEGACY_GROUP].cafile, + key=CONF[ksconf.CFG_LEGACY_GROUP].keyfile, + cert=CONF[ksconf.CFG_LEGACY_GROUP].certfile) client = kc_v3.Client(session=sess) try: client.trusts.delete(cluster.trust_id) diff --git a/magnum/conf/__init__.py b/magnum/conf/__init__.py index e1f5dc3055..43fa675b41 100644 --- a/magnum/conf/__init__.py +++ b/magnum/conf/__init__.py @@ -27,7 +27,7 @@ from magnum.conf import database from magnum.conf import docker from magnum.conf import glance from magnum.conf import heat -# from magnum.conf import keystone +from magnum.conf import keystone from magnum.conf import magnum_client from magnum.conf import neutron from magnum.conf import nova @@ -52,7 +52,7 @@ database.register_opts(CONF) docker.register_opts(CONF) glance.register_opts(CONF) heat.register_opts(CONF) -# keystone.register_opts(CONF) +keystone.register_opts(CONF) magnum_client.register_opts(CONF) neutron.register_opts(CONF) nova.register_opts(CONF) diff --git a/magnum/conf/keystone.py b/magnum/conf/keystone.py new file mode 100644 index 0000000000..74b582fbba --- /dev/null +++ b/magnum/conf/keystone.py 
@@ -0,0 +1,46 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from keystoneauth1 import loading as ka_loading +from oslo_config import cfg + +CFG_GROUP = 'keystone_auth' +CFG_LEGACY_GROUP = 'keystone_authtoken' + +legacy_session_opts = { + 'certfile': [cfg.DeprecatedOpt('certfile', CFG_LEGACY_GROUP)], + 'keyfile': [cfg.DeprecatedOpt('keyfile', CFG_LEGACY_GROUP)], + 'cafile': [cfg.DeprecatedOpt('cafile', CFG_LEGACY_GROUP)], + 'insecure': [cfg.DeprecatedOpt('insecure', CFG_LEGACY_GROUP)], + 'timeout': [cfg.DeprecatedOpt('timeout', CFG_LEGACY_GROUP)], +} + +keystone_auth_group = cfg.OptGroup(name=CFG_GROUP, + title='Options for Keystone in Magnum') + + +def register_opts(conf): + # FIXME(pauloewerton): remove import of authtoken group and legacy options + # after deprecation period + conf.import_group(CFG_LEGACY_GROUP, 'keystonemiddleware.auth_token') + ka_loading.register_auth_conf_options(conf, CFG_GROUP) + ka_loading.register_session_conf_options( + conf, CFG_GROUP, deprecated_opts=legacy_session_opts) + conf.set_default('auth_type', default='password', group=CFG_GROUP) + + +def list_opts(): + keystone_auth_opts = (ka_loading.get_auth_common_conf_options() + + ka_loading.get_auth_plugin_conf_options('password')) + return { + keystone_auth_group: keystone_auth_opts + } diff --git a/magnum/opts.py b/magnum/opts.py index d0ca71963a..14e5ffc70a 100644 --- a/magnum/opts.py +++ b/magnum/opts.py 
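Review bot: `list_opts()` in the new `magnum/conf/keystone.py` returns only the auth-common and password-plugin options, but `register_opts()` also registers the session options (`cafile`, `certfile`, `keyfile`, `insecure`, `timeout`) under `[keystone_auth]`. The generated sample config will therefore likely not show operators where TLS verification for the Keystone session is set. Appending `ka_loading.get_session_conf_options()` to `keystone_auth_opts` would list them. Both functions also lack docstrings; `register_opts` deserves one noting its side effect, e.g. `"""Register [keystone_auth] auth and session options and import the legacy [keystone_authtoken] group."""`.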
@@ -13,16 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -import magnum.common.exception import magnum.common.x509.config -import magnum.db import magnum.drivers.common.template_def def list_opts(): return [ ('x509', magnum.common.x509.config.x509_opts), - ('keystone_auth', magnum.common.keystone.keystone_auth_opts), ('docker_registry', magnum.drivers.common.template_def.docker_registry_opts) ] diff --git a/magnum/tests/unit/common/test_keystone.py b/magnum/tests/unit/common/test_keystone.py index e476cdf15f..b927b8d545 100644 --- a/magnum/tests/unit/common/test_keystone.py +++ b/magnum/tests/unit/common/test_keystone.py @@ -20,6 +20,7 @@ import keystoneclient.exceptions as kc_exception from magnum.common import exception from magnum.common import keystone import magnum.conf +from magnum.conf import keystone as ksconf from magnum.tests import base from magnum.tests import utils @@ -40,19 +41,19 @@ class KeystoneClientTest(base.TestCase): plugin = keystone.ka_loading.get_plugin_loader('password') opts = keystone.ka_loading.get_auth_plugin_conf_options(plugin) cfg_fixture = self.useFixture(fixture.Config()) - cfg_fixture.register_opts(opts, group=keystone.CFG_GROUP) + cfg_fixture.register_opts(opts, group=ksconf.CFG_GROUP) self.config(auth_type='password', auth_url=dummy_url, username='fake_user', password='fake_pass', project_name='fake_project', - group=keystone.CFG_GROUP) + group=ksconf.CFG_GROUP) self.config(auth_uri=dummy_url, admin_user='magnum', admin_password='varybadpass', admin_tenant_name='service', - group=keystone.CFG_LEGACY_GROUP) + group=ksconf.CFG_LEGACY_GROUP) def test_client_with_password(self, mock_ks): self.ctx.is_admin = True