diff --git a/devstack/lib/magnum b/devstack/lib/magnum index f95b587d3c..6410e07a7d 100644 --- a/devstack/lib/magnum +++ b/devstack/lib/magnum @@ -204,6 +204,7 @@ function create_magnum_conf { --os-identity-api-version 3 role add \ --user $trustee_domain_admin_id --domain $trustee_domain_id \ admin + iniset $MAGNUM_CONF trust cluster_user_trust True iniset $MAGNUM_CONF trust trustee_domain_name magnum iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json index 86cea7519f..19552ab5ad 100644 --- a/etc/magnum/policy.json +++ b/etc/magnum/policy.json @@ -4,35 +4,37 @@ "default": "rule:admin_or_owner", "admin_api": "rule:context_is_admin", "admin_or_user": "is_admin:True or user_id:%(user_id)s", + "cluster_user": "user_id:%(trustee_user_id)s", + "deny_cluster_user": "not domain_id:%(trustee_domain_id)s", - "bay:create": "rule:default", - "bay:delete": "rule:default", - "bay:detail": "rule:default", - "bay:get": "rule:default", - "bay:get_all": "rule:default", - "bay:update": "rule:default", + "bay:create": "rule:deny_cluster_user", + "bay:delete": "rule:deny_cluster_user", + "bay:detail": "rule:deny_cluster_user", + "bay:get": "rule:deny_cluster_user", + "bay:get_all": "rule:deny_cluster_user", + "bay:update": "rule:deny_cluster_user", - "baymodel:create": "rule:default", - "baymodel:delete": "rule:default", - "baymodel:detail": "rule:default", - "baymodel:get": "rule:default", - "baymodel:get_all": "rule:default", - "baymodel:update": "rule:default", + "baymodel:create": "rule:deny_cluster_user", + "baymodel:delete": "rule:deny_cluster_user", + "baymodel:detail": "rule:deny_cluster_user", + "baymodel:get": "rule:deny_cluster_user", + "baymodel:get_all": "rule:deny_cluster_user", + "baymodel:update": "rule:deny_cluster_user", "baymodel:publish": "rule:admin_or_owner", - "cluster:create": "rule:default", - "cluster:delete": "rule:default", - "cluster:detail": "rule:default", - "cluster:get": "rule:default", - "cluster:get_all": "rule:default", - "cluster:update": "rule:default", + "cluster:create": "rule:deny_cluster_user", + "cluster:delete": "rule:deny_cluster_user", + "cluster:detail": "rule:deny_cluster_user", + "cluster:get": "rule:deny_cluster_user", + "cluster:get_all": "rule:deny_cluster_user", + "cluster:update": "rule:deny_cluster_user", - "clustertemplate:create": "rule:default", - "clustertemplate:delete": "rule:default", - "clustertemplate:detail": "rule:default", - "clustertemplate:get": "rule:default", - "clustertemplate:get_all": "rule:default", - "clustertemplate:update": "rule:default", + "clustertemplate:create": "rule:deny_cluster_user", + "clustertemplate:delete": "rule:deny_cluster_user", + "clustertemplate:detail": "rule:deny_cluster_user", + "clustertemplate:get": "rule:deny_cluster_user", + "clustertemplate:get_all": "rule:deny_cluster_user", + "clustertemplate:update": "rule:deny_cluster_user", "clustertemplate:publish": "rule:admin_or_owner", "quotas:get": "rule:default", @@ -41,9 +43,9 @@ "quotas:update": "rule:admin_api", "quotas:delete": "rule:admin_api", - "certificate:create": "rule:admin_or_user", - "certificate:get": "rule:admin_or_user", "certificate:rotate_ca": "rule:admin_or_owner", + "certificate:create": "rule:admin_or_user or rule:cluster_user", + "certificate:get": "rule:admin_or_user or rule:cluster_user", "magnum-service:get_all": "rule:admin_api", "stats:get_all": "rule:admin_or_owner" diff --git a/magnum/common/keystone.py b/magnum/common/keystone.py index 682d0e90fa..711318578a 100644 --- a/magnum/common/keystone.py +++ b/magnum/common/keystone.py @@ -204,6 +204,7 @@ class KeystoneClientV3(object): project=trustor_project_id, trustee_user=trustee_user, impersonation=True, + delegation_depth=0, role_names=roles) except Exception: LOG.exception(_LE('Failed to create trust')) diff --git a/magnum/common/policy.py b/magnum/common/policy.py index 980691f7a3..160cf153f0 100644 --- a/magnum/common/policy.py +++ b/magnum/common/policy.py @@ -20,6 +20,8 @@ from oslo_config import cfg from oslo_policy import policy import pecan +from magnum.common import clients +from magnum.common import context from magnum.common import exception @@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None, if target is None: target = {'project_id': context.project_id, 'user_id': context.user_id} + add_policy_attributes(target) return enforcer.enforce(rule, target, credentials, do_raise=do_raise, exc=exc, *args, **kwargs) +def add_policy_attributes(target): + """Adds extra information for policy enforcement to raw target object""" + admin_context = context.make_admin_context() + admin_osc = clients.OpenStackClients(admin_context) + trustee_domain_id = admin_osc.keystone().trustee_domain_id + target['trustee_domain_id'] = trustee_domain_id + return target + + def enforce_wsgi(api_name, act=None): """This is a decorator to simplify wsgi action policy rule check. diff --git a/magnum/conductor/handlers/common/trust_manager.py b/magnum/conductor/handlers/common/trust_manager.py index 287953fbfa..415ff65fdc 100644 --- a/magnum/conductor/handlers/common/trust_manager.py +++ b/magnum/conductor/handlers/common/trust_manager.py @@ -22,15 +22,20 @@ LOG = logging.getLogger(__name__) def create_trustee_and_trust(osc, cluster): try: password = utils.generate_password(length=18) + trustee = osc.keystone().create_trustee( - cluster.uuid, + "%s_%s" % (cluster.uuid, cluster.project_id), password, ) + cluster.trustee_username = trustee.name cluster.trustee_user_id = trustee.id cluster.trustee_password = password - trust = osc.keystone().create_trust(trustee.id) + + trust = osc.keystone().create_trust( + cluster.trustee_user_id) cluster.trust_id = trust.id + except Exception: LOG.exception( _LE('Failed to create trustee and trust for Cluster: %s'), @@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster): def delete_trustee_and_trust(osc, context, cluster): try: + kst = osc.keystone() + # The cluster which is upgraded from Liberty doesn't have trust_id if cluster.trust_id: - osc.keystone().delete_trust(context, cluster) + kst.delete_trust(context, cluster) except Exception: # Exceptions are already logged by keystone().delete_trust pass diff --git a/magnum/conf/trust.py b/magnum/conf/trust.py index 1a079e26c9..ffa25e87d2 100644 --- a/magnum/conf/trust.py +++ b/magnum/conf/trust.py @@ -18,6 +18,17 @@ trust_group = cfg.OptGroup(name='trust', title='Trustee options for the magnum services') trust_opts = [ + cfg.BoolOpt('cluster_user_trust', + default=False, + help=_('This setting controls whether to assign a trust to' + ' the cluster user or not. You will need to set it to' + ' True for clusters with volume_driver=cinder or' + ' registry_enabled=true in the underlying cluster' + ' template to work. This is a potential security risk' + ' since the trust gives instances OpenStack API access' + " to the cluster's project. Note that this setting" + ' does not affect per-cluster trusts assigned to the' + 'Magnum service user.')), cfg.StrOpt('trustee_domain_id', help=_('Id of the domain to create trustee for clusters')), cfg.StrOpt('trustee_domain_name', diff --git a/magnum/db/sqlalchemy/api.py b/magnum/db/sqlalchemy/api.py index fd1857bcc2..8898239c76 100644 --- a/magnum/db/sqlalchemy/api.py +++ b/magnum/db/sqlalchemy/api.py @@ -26,6 +26,8 @@ from sqlalchemy.orm.exc import MultipleResultsFound from sqlalchemy.orm.exc import NoResultFound from sqlalchemy.sql import func +from magnum.common import clients +from magnum.common import context as request_context from magnum.common import exception import magnum.conf from magnum.db import api @@ -122,8 +124,21 @@ class Connection(api.Connection): if context.is_admin and context.all_tenants: return query - if context.project_id: + admin_context = request_context.make_admin_context(all_tenants=True) + osc = clients.OpenStackClients(admin_context) + kst = osc.keystone() + + # User in a regular project (not in the trustee domain) + if context.project_id and context.domain_id != kst.trustee_domain_id: query = query.filter_by(project_id=context.project_id) + # Match project ID component in trustee user's user name against + # cluster's project_id to associate per-cluster trustee users who have + # no project information with the project their clusters/cluster models + # reside in. This is equivalent to the project filtering above. + elif context.domain_id == kst.trustee_domain_id: + user_name = kst.client.users.get(context.user_id).name + user_project = user_name.split('_', 2)[1] + query = query.filter_by(project_id=user_project) else: query = query.filter_by(user_id=context.user_id) diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh index 34d05ba75a..97d9bf47fc 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh @@ -49,11 +49,6 @@ auth_json=$(cat << EOF "password": "$TRUSTEE_PASSWORD" } } - }, - "scope": { - "OS-TRUST:trust": { - "id": "$TRUST_ID" - } } } } diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh index 3dd2c71a5c..4eaad6283e 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh @@ -71,11 +71,6 @@ auth_json=$(cat << EOF "password": "$TRUSTEE_PASSWORD" } } - }, - "scope": { - "OS-TRUST:trust": { - "id": "$TRUST_ID" - } } } } diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml index 19fa0ed9f7..2feb88a07a 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS" KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml index cc906e7c63..20a98fa909 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml +++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" KUBE_MASTER_IP="$KUBE_MASTER_IP" diff --git a/magnum/drivers/common/templates/swarm/fragments/make-cert.py b/magnum/drivers/common/templates/swarm/fragments/make-cert.py index 9782dcbf6c..896beacc84 100644 --- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py +++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py @@ -150,11 +150,6 @@ def get_user_token(config): "password": "%(trustee_password)s" } } - }, - "scope": { - "OS-TRUST:trust": { - "id": "%(trust_id)s" - } } } } @@ -162,7 +157,6 @@ def get_user_token(config): params = { 'trustee_user_id': config['TRUSTEE_USER_ID'], 'trustee_password': config['TRUSTEE_PASSWORD'], - 'trust_id': config['TRUST_ID'] } creds = creds_str % params headers = {'Content-Type': 'application/json'} diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml index 0a3504cbef..435e891be9 100644 --- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT" WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN" diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml index d201654905..af0b65010b 100644 --- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml +++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT" WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN" diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py index 13ac63043b..5485c105cb 100644 --- a/magnum/drivers/heat/template_def.py +++ b/magnum/drivers/heat/template_def.py @@ -21,6 +21,7 @@ import six from magnum.common import clients from magnum.common import exception import magnum.conf +from magnum.i18n import _LE from magnum.i18n import _LW from requests import exceptions as req_exceptions @@ -245,7 +246,20 @@ class BaseTemplateDefinition(TemplateDefinition): extra_params['trustee_user_id'] = cluster.trustee_user_id extra_params['trustee_username'] = cluster.trustee_username extra_params['trustee_password'] = cluster.trustee_password - extra_params['trust_id'] = cluster.trust_id + + # Only pass trust ID into the template when it is needed. + if (cluster_template.volume_driver == 'rexray' or + cluster_template.registry_enabled): + if CONF.trust.cluster_user_trust: + extra_params['trust_id'] = cluster.trust_id + else: + missing_setting = ('trust/cluster_user_trust = True') + msg = _LE('This cluster can only be created with %s in ' + 'magnum.conf') + raise exception.ConfigInvalid(msg % missing_setting) + else: + extra_params['trust_id'] = "" + extra_params['auth_url'] = context.auth_url return super(BaseTemplateDefinition, diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml index 53a282a6d2..9ee9377c83 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml @@ -66,11 +66,6 @@ write_files: "password": "$TRUSTEE_PASSWORD" } } - }, - "scope": { - "OS-TRUST:trust": { - "id": "$TRUST_ID" - } } } } diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml index f8a8d28e99..4d4d634b81 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml @@ -89,11 +89,6 @@ write_files: "password": "$TRUSTEE_PASSWORD" } } - }, - "scope": { - "OS-TRUST:trust": { - "id": "$TRUST_ID" - } } } } diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml index d472bb87a6..469b90246c 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS" KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS" diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml index b8d501c802..955e78a195 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" KUBE_MASTER_IP="$KUBE_MASTER_IP" diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml index d9a4b91cc8..2716480492 100644 --- a/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml +++ b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append) write_files: - path: /etc/sysconfig/heat-params owner: "root:root" - permissions: "0644" + permissions: "0600" content: | MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS" EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT" diff --git a/magnum/tests/base.py b/magnum/tests/base.py index 670b04a7fc..d66cba3de0 100644 --- a/magnum/tests/base.py +++ b/magnum/tests/base.py @@ -26,6 +26,7 @@ import pecan import testscenarios from magnum.common import context as magnum_context +from magnum.common import keystone as magnum_keystone from magnum.objects import base as objects_base from magnum.tests import conf_fixture from magnum.tests import fake_notifier @@ -63,11 +64,18 @@ class TestCase(base.BaseTestCase): } } } + + trustee_domain_id = '12345678-9012-3456-7890-123456789abc' + self.context = magnum_context.RequestContext( auth_token_info=token_info, project_id='fake_project', user_id='fake_user') + self.global_mocks = {} + + self.keystone_client = magnum_keystone.KeystoneClientV3(self.context) + self.policy = self.useFixture(policy_fixture.PolicyFixture()) self.useFixture(fixtures.MockPatchObject( @@ -89,9 +97,22 @@ class TestCase(base.BaseTestCase): p = mock.patch.object(magnum_context, 'make_context', side_effect=make_context) + + self.global_mocks['magnum.common.context.make_context'] = p + + q = mock.patch.object(magnum_keystone.KeystoneClientV3, + 'trustee_domain_id', + return_value=trustee_domain_id) + + self.global_mocks[ + 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q + self.mock_make_context = p.start() self.addCleanup(p.stop) + self.mock_make_trustee_domain_id = q.start() + self.addCleanup(q.stop) + self.useFixture(conf_fixture.ConfFixture()) self.useFixture(fixtures.NestedTempfile()) @@ -104,6 +125,12 @@ class TestCase(base.BaseTestCase): self.addCleanup(reset_pecan) + def start_global(self, name): + self.global_mocks[name].start() + + def stop_global(self, name): + self.global_mocks[name].stop() + def _restore_obj_registry(self): objects_base.MagnumObjectRegistry._registry._obj_classes \ = self._base_test_obj_backup diff --git a/magnum/tests/unit/common/test_keystone.py b/magnum/tests/unit/common/test_keystone.py index b927b8d545..11aae1a6bb 100644 --- a/magnum/tests/unit/common/test_keystone.py +++ b/magnum/tests/unit/common/test_keystone.py @@ -55,6 +55,19 @@ class KeystoneClientTest(base.TestCase): admin_tenant_name='service', group=ksconf.CFG_LEGACY_GROUP) + # Disable global mocking for trustee_domain_id + self.stop_global( + 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id') + + def tearDown(self): + # Re-enable global mocking for trustee_domain_id. We need this because + # mock blows up when trying to stop an already stopped patch (which it + # will do due to the addCleanup() in base.TestCase). + self.start_global( + 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id') + + super(KeystoneClientTest, self).tearDown() + def test_client_with_password(self, mock_ks): self.ctx.is_admin = True ks_client = keystone.KeystoneClientV3(self.ctx) @@ -136,6 +149,7 @@ class KeystoneClientTest(base.TestCase): ks_client.create_trust(trustee_user='888888') mock_ks.return_value.trusts.create.assert_called_once_with( + delegation_depth=0, trustor_user='123456', project='654321', trustee_user='888888', role_names=['role1', 'role2'], impersonation=True) @@ -152,6 +166,7 @@ class KeystoneClientTest(base.TestCase): ks_client.create_trust(trustee_user='888888') mock_ks.return_value.trusts.create.assert_called_once_with( + delegation_depth=0, trustor_user='123456', project='654321', trustee_user='888888', role_names=['role3'], impersonation=True) diff --git a/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py b/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py index be758c7d59..3860bb8bbc 100644 --- a/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py +++ b/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py @@ -37,6 +37,7 @@ class TrustManagerTestCase(base.BaseTestCase): mock_generate_password.return_value = mock_password mock_cluster = mock.MagicMock() mock_cluster.uuid = 'mock_cluster_uuid' + mock_cluster.project_id = 'mock_cluster_project_id' mock_keystone = mock.MagicMock() mock_trustee = mock.MagicMock() mock_trustee.id = 'mock_trustee_id' @@ -52,7 +53,7 @@ class TrustManagerTestCase(base.BaseTestCase): trust_manager.create_trustee_and_trust(self.osc, mock_cluster) mock_keystone.create_trustee.assert_called_once_with( - mock_cluster.uuid, + '%s_%s' % (mock_cluster.uuid, mock_cluster.project_id), mock_password, ) mock_keystone.create_trust.assert_called_once_with( diff --git a/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py index b527b49433..251af785cc 100644 --- a/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py +++ b/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py @@ -181,6 +181,11 @@ class TestHandler(db_base.DbTestCase): mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone() mock_heat_poller_class.return_value = mock_poller osc = mock.sentinel.osc + + def return_keystone(): + return self.keystone_client + + osc.keystone = return_keystone mock_openstack_client_class.return_value = osc mock_dr = mock.MagicMock() mock_driver.return_value = mock_dr diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py index 54d7b2678e..7e41124fb3 100644 --- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py +++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py @@ -191,7 +191,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'insecure_registry_url': '10.0.0.1:5000', 'kube_version': 'fake-version', @@ -233,6 +233,10 @@ class TestClusterConductorWithK8s(base.TestCase): 'RegionOne', group='docker_registry') + CONF.set_override('cluster_user_trust', + True, + group='trust') + (template_path, definition, env_files) = mock_driver()._extract_template_definition(self.context, @@ -345,7 +349,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'ssh_key_name': 'keypair_id', 'tenant_name': 'fake_tenant', 'tls_disabled': False, - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'trustee_domain_id': 'trustee_domain_id', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', @@ -415,7 +419,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'cluster_uuid': self.cluster_dict['uuid'], 'magnum_url': self.mock_osc.magnum_url.return_value, @@ -481,7 +485,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'cluster_uuid': self.cluster_dict['uuid'], 'magnum_url': self.mock_osc.magnum_url.return_value, @@ -678,7 +682,7 @@ class TestClusterConductorWithK8s(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'insecure_registry_url': '10.0.0.1:5000', 'kube_version': 'fake-version', diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py index ff14d92f7c..c21f3b613f 100644 --- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py +++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py @@ -37,6 +37,7 @@ class TestClusterConductorWithMesos(base.TestCase): 'http_proxy': 'http_proxy', 'https_proxy': 'https_proxy', 'no_proxy': 'no_proxy', + 'registry_enabled': False, 'server_type': 'vm', 'volume_driver': 'volume_driver', 'labels': {'rexray_preempt': 'False', @@ -117,7 +118,7 @@ class TestClusterConductorWithMesos(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'volume_driver': 'volume_driver', 'auth_url': 'http://192.168.10.10:5000/v3', 'region_name': self.mock_osc.cinder_region_name.return_value, @@ -171,7 +172,7 @@ class TestClusterConductorWithMesos(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'region_name': self.mock_osc.cinder_region_name.return_value, 'username': 'mesos_user', @@ -227,7 +228,7 @@ class TestClusterConductorWithMesos(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'volume_driver': 'volume_driver', 'auth_url': 'http://192.168.10.10:5000/v3', 'region_name': self.mock_osc.cinder_region_name.return_value, @@ -285,7 +286,7 @@ class TestClusterConductorWithMesos(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'volume_driver': 'volume_driver', 'auth_url': 'http://192.168.10.10:5000/v3', 'region_name': self.mock_osc.cinder_region_name.return_value, diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py index 6e531ad010..e3b3036f14 100644 --- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py +++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py @@ -74,6 +74,12 @@ class TestClusterConductorWithSwarm(base.TestCase): 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', 'coe_version': 'fake-version' } + + # We need this due to volume_driver=rexray + CONF.set_override('cluster_user_trust', + True, + group='trust') + osc_patcher = mock.patch('magnum.common.clients.OpenStackClients') self.mock_osc_class = osc_patcher.start() self.addCleanup(osc_patcher.stop) @@ -280,7 +286,7 @@ class TestClusterConductorWithSwarm(base.TestCase): 'trustee_username': 'fake_trustee', 'trustee_password': 'fake_trustee_password', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', - 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'trust_id': '', 'auth_url': 'http://192.168.10.10:5000/v3', 'swarm_version': 'fake-version', 'swarm_strategy': u'spread',