Merge "Fix CVE-2016-7404"
This commit is contained in:
commit
ed173776ca
|
@ -204,6 +204,7 @@ function create_magnum_conf {
|
|||
--os-identity-api-version 3 role add \
|
||||
--user $trustee_domain_admin_id --domain $trustee_domain_id \
|
||||
admin
|
||||
iniset $MAGNUM_CONF trust cluster_user_trust True
|
||||
iniset $MAGNUM_CONF trust trustee_domain_name magnum
|
||||
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
|
||||
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
|
||||
|
|
|
@ -4,35 +4,37 @@
|
|||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "rule:context_is_admin",
|
||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
||||
|
||||
"bay:create": "rule:default",
|
||||
"bay:delete": "rule:default",
|
||||
"bay:detail": "rule:default",
|
||||
"bay:get": "rule:default",
|
||||
"bay:get_all": "rule:default",
|
||||
"bay:update": "rule:default",
|
||||
"bay:create": "rule:deny_cluster_user",
|
||||
"bay:delete": "rule:deny_cluster_user",
|
||||
"bay:detail": "rule:deny_cluster_user",
|
||||
"bay:get": "rule:deny_cluster_user",
|
||||
"bay:get_all": "rule:deny_cluster_user",
|
||||
"bay:update": "rule:deny_cluster_user",
|
||||
|
||||
"baymodel:create": "rule:default",
|
||||
"baymodel:delete": "rule:default",
|
||||
"baymodel:detail": "rule:default",
|
||||
"baymodel:get": "rule:default",
|
||||
"baymodel:get_all": "rule:default",
|
||||
"baymodel:update": "rule:default",
|
||||
"baymodel:create": "rule:deny_cluster_user",
|
||||
"baymodel:delete": "rule:deny_cluster_user",
|
||||
"baymodel:detail": "rule:deny_cluster_user",
|
||||
"baymodel:get": "rule:deny_cluster_user",
|
||||
"baymodel:get_all": "rule:deny_cluster_user",
|
||||
"baymodel:update": "rule:deny_cluster_user",
|
||||
"baymodel:publish": "rule:admin_or_owner",
|
||||
|
||||
"cluster:create": "rule:default",
|
||||
"cluster:delete": "rule:default",
|
||||
"cluster:detail": "rule:default",
|
||||
"cluster:get": "rule:default",
|
||||
"cluster:get_all": "rule:default",
|
||||
"cluster:update": "rule:default",
|
||||
"cluster:create": "rule:deny_cluster_user",
|
||||
"cluster:delete": "rule:deny_cluster_user",
|
||||
"cluster:detail": "rule:deny_cluster_user",
|
||||
"cluster:get": "rule:deny_cluster_user",
|
||||
"cluster:get_all": "rule:deny_cluster_user",
|
||||
"cluster:update": "rule:deny_cluster_user",
|
||||
|
||||
"clustertemplate:create": "rule:default",
|
||||
"clustertemplate:delete": "rule:default",
|
||||
"clustertemplate:detail": "rule:default",
|
||||
"clustertemplate:get": "rule:default",
|
||||
"clustertemplate:get_all": "rule:default",
|
||||
"clustertemplate:update": "rule:default",
|
||||
"clustertemplate:create": "rule:deny_cluster_user",
|
||||
"clustertemplate:delete": "rule:deny_cluster_user",
|
||||
"clustertemplate:detail": "rule:deny_cluster_user",
|
||||
"clustertemplate:get": "rule:deny_cluster_user",
|
||||
"clustertemplate:get_all": "rule:deny_cluster_user",
|
||||
"clustertemplate:update": "rule:deny_cluster_user",
|
||||
"clustertemplate:publish": "rule:admin_or_owner",
|
||||
|
||||
"quotas:get": "rule:default",
|
||||
|
@ -41,9 +43,9 @@
|
|||
"quotas:update": "rule:admin_api",
|
||||
"quotas:delete": "rule:admin_api",
|
||||
|
||||
"certificate:create": "rule:admin_or_user",
|
||||
"certificate:get": "rule:admin_or_user",
|
||||
"certificate:rotate_ca": "rule:admin_or_owner",
|
||||
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
||||
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
||||
|
||||
"magnum-service:get_all": "rule:admin_api",
|
||||
"stats:get_all": "rule:admin_or_owner"
|
||||
|
|
|
@ -204,6 +204,7 @@ class KeystoneClientV3(object):
|
|||
project=trustor_project_id,
|
||||
trustee_user=trustee_user,
|
||||
impersonation=True,
|
||||
delegation_depth=0,
|
||||
role_names=roles)
|
||||
except Exception:
|
||||
LOG.exception(_LE('Failed to create trust'))
|
||||
|
|
|
@ -20,6 +20,8 @@ from oslo_config import cfg
|
|||
from oslo_policy import policy
|
||||
import pecan
|
||||
|
||||
from magnum.common import clients
|
||||
from magnum.common import context
|
||||
from magnum.common import exception
|
||||
|
||||
|
||||
|
@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None,
|
|||
if target is None:
|
||||
target = {'project_id': context.project_id,
|
||||
'user_id': context.user_id}
|
||||
add_policy_attributes(target)
|
||||
return enforcer.enforce(rule, target, credentials,
|
||||
do_raise=do_raise, exc=exc, *args, **kwargs)
|
||||
|
||||
|
||||
def add_policy_attributes(target):
|
||||
"""Adds extra information for policy enforcement to raw target object"""
|
||||
admin_context = context.make_admin_context()
|
||||
admin_osc = clients.OpenStackClients(admin_context)
|
||||
trustee_domain_id = admin_osc.keystone().trustee_domain_id
|
||||
target['trustee_domain_id'] = trustee_domain_id
|
||||
return target
|
||||
|
||||
|
||||
def enforce_wsgi(api_name, act=None):
|
||||
"""This is a decorator to simplify wsgi action policy rule check.
|
||||
|
||||
|
|
|
@ -22,15 +22,20 @@ LOG = logging.getLogger(__name__)
|
|||
def create_trustee_and_trust(osc, cluster):
|
||||
try:
|
||||
password = utils.generate_password(length=18)
|
||||
|
||||
trustee = osc.keystone().create_trustee(
|
||||
cluster.uuid,
|
||||
"%s_%s" % (cluster.uuid, cluster.project_id),
|
||||
password,
|
||||
)
|
||||
|
||||
cluster.trustee_username = trustee.name
|
||||
cluster.trustee_user_id = trustee.id
|
||||
cluster.trustee_password = password
|
||||
trust = osc.keystone().create_trust(trustee.id)
|
||||
|
||||
trust = osc.keystone().create_trust(
|
||||
cluster.trustee_user_id)
|
||||
cluster.trust_id = trust.id
|
||||
|
||||
except Exception:
|
||||
LOG.exception(
|
||||
_LE('Failed to create trustee and trust for Cluster: %s'),
|
||||
|
@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster):
|
|||
|
||||
def delete_trustee_and_trust(osc, context, cluster):
|
||||
try:
|
||||
kst = osc.keystone()
|
||||
|
||||
# The cluster which is upgraded from Liberty doesn't have trust_id
|
||||
if cluster.trust_id:
|
||||
osc.keystone().delete_trust(context, cluster)
|
||||
kst.delete_trust(context, cluster)
|
||||
except Exception:
|
||||
# Exceptions are already logged by keystone().delete_trust
|
||||
pass
|
||||
|
|
|
@ -18,6 +18,17 @@ trust_group = cfg.OptGroup(name='trust',
|
|||
title='Trustee options for the magnum services')
|
||||
|
||||
trust_opts = [
|
||||
cfg.BoolOpt('cluster_user_trust',
|
||||
default=False,
|
||||
help=_('This setting controls whether to assign a trust to'
|
||||
' the cluster user or not. You will need to set it to'
|
||||
' True for clusters with volume_driver=cinder or'
|
||||
' registry_enabled=true in the underlying cluster'
|
||||
' template to work. This is a potential security risk'
|
||||
' since the trust gives instances OpenStack API access'
|
||||
" to the cluster's project. Note that this setting"
|
||||
' does not affect per-cluster trusts assigned to the'
|
||||
'Magnum service user.')),
|
||||
cfg.StrOpt('trustee_domain_id',
|
||||
help=_('Id of the domain to create trustee for clusters')),
|
||||
cfg.StrOpt('trustee_domain_name',
|
||||
|
|
|
@ -26,6 +26,8 @@ from sqlalchemy.orm.exc import MultipleResultsFound
|
|||
from sqlalchemy.orm.exc import NoResultFound
|
||||
from sqlalchemy.sql import func
|
||||
|
||||
from magnum.common import clients
|
||||
from magnum.common import context as request_context
|
||||
from magnum.common import exception
|
||||
import magnum.conf
|
||||
from magnum.db import api
|
||||
|
@ -122,8 +124,21 @@ class Connection(api.Connection):
|
|||
if context.is_admin and context.all_tenants:
|
||||
return query
|
||||
|
||||
if context.project_id:
|
||||
admin_context = request_context.make_admin_context(all_tenants=True)
|
||||
osc = clients.OpenStackClients(admin_context)
|
||||
kst = osc.keystone()
|
||||
|
||||
# User in a regular project (not in the trustee domain)
|
||||
if context.project_id and context.domain_id != kst.trustee_domain_id:
|
||||
query = query.filter_by(project_id=context.project_id)
|
||||
# Match project ID component in trustee user's user name against
|
||||
# cluster's project_id to associate per-cluster trustee users who have
|
||||
# no project information with the project their clusters/cluster models
|
||||
# reside in. This is equivalent to the project filtering above.
|
||||
elif context.domain_id == kst.trustee_domain_id:
|
||||
user_name = kst.client.users.get(context.user_id).name
|
||||
user_project = user_name.split('_', 2)[1]
|
||||
query = query.filter_by(project_id=user_project)
|
||||
else:
|
||||
query = query.filter_by(user_id=context.user_id)
|
||||
|
||||
|
|
|
@ -49,11 +49,6 @@ auth_json=$(cat << EOF
|
|||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -75,11 +75,6 @@ auth_json=$(cat << EOF
|
|||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
||||
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
||||
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
||||
|
|
|
@ -150,11 +150,6 @@ def get_user_token(config):
|
|||
"password": "%(trustee_password)s"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "%(trust_id)s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -162,7 +157,6 @@ def get_user_token(config):
|
|||
params = {
|
||||
'trustee_user_id': config['TRUSTEE_USER_ID'],
|
||||
'trustee_password': config['TRUSTEE_PASSWORD'],
|
||||
'trust_id': config['TRUST_ID']
|
||||
}
|
||||
creds = creds_str % params
|
||||
headers = {'Content-Type': 'application/json'}
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
||||
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
|
||||
WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
|
||||
|
|
|
@ -21,6 +21,7 @@ import six
|
|||
from magnum.common import clients
|
||||
from magnum.common import exception
|
||||
import magnum.conf
|
||||
from magnum.i18n import _LE
|
||||
from magnum.i18n import _LW
|
||||
|
||||
from requests import exceptions as req_exceptions
|
||||
|
@ -245,7 +246,20 @@ class BaseTemplateDefinition(TemplateDefinition):
|
|||
extra_params['trustee_user_id'] = cluster.trustee_user_id
|
||||
extra_params['trustee_username'] = cluster.trustee_username
|
||||
extra_params['trustee_password'] = cluster.trustee_password
|
||||
|
||||
# Only pass trust ID into the template when it is needed.
|
||||
if (cluster_template.volume_driver == 'rexray' or
|
||||
cluster_template.registry_enabled):
|
||||
if CONF.trust.cluster_user_trust:
|
||||
extra_params['trust_id'] = cluster.trust_id
|
||||
else:
|
||||
missing_setting = ('trust/cluster_user_trust = True')
|
||||
msg = _LE('This cluster can only be created with %s in '
|
||||
'magnum.conf')
|
||||
raise exception.ConfigInvalid(msg % missing_setting)
|
||||
else:
|
||||
extra_params['trust_id'] = ""
|
||||
|
||||
extra_params['auth_url'] = context.auth_url
|
||||
|
||||
return super(BaseTemplateDefinition,
|
||||
|
|
|
@ -63,11 +63,6 @@ write_files:
|
|||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -90,11 +90,6 @@ write_files:
|
|||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
|
||||
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
|
||||
KUBE_MASTER_IP="$KUBE_MASTER_IP"
|
||||
|
|
|
@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
|
|||
write_files:
|
||||
- path: /etc/sysconfig/heat-params
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
permissions: "0600"
|
||||
content: |
|
||||
MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
|
||||
EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"
|
||||
|
|
|
@ -26,6 +26,7 @@ import pecan
|
|||
import testscenarios
|
||||
|
||||
from magnum.common import context as magnum_context
|
||||
from magnum.common import keystone as magnum_keystone
|
||||
from magnum.objects import base as objects_base
|
||||
from magnum.tests import conf_fixture
|
||||
from magnum.tests import fake_notifier
|
||||
|
@ -63,11 +64,18 @@ class TestCase(base.BaseTestCase):
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
trustee_domain_id = '12345678-9012-3456-7890-123456789abc'
|
||||
|
||||
self.context = magnum_context.RequestContext(
|
||||
auth_token_info=token_info,
|
||||
project_id='fake_project',
|
||||
user_id='fake_user')
|
||||
|
||||
self.global_mocks = {}
|
||||
|
||||
self.keystone_client = magnum_keystone.KeystoneClientV3(self.context)
|
||||
|
||||
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
||||
|
||||
self.useFixture(fixtures.MockPatchObject(
|
||||
|
@ -89,9 +97,22 @@ class TestCase(base.BaseTestCase):
|
|||
|
||||
p = mock.patch.object(magnum_context, 'make_context',
|
||||
side_effect=make_context)
|
||||
|
||||
self.global_mocks['magnum.common.context.make_context'] = p
|
||||
|
||||
q = mock.patch.object(magnum_keystone.KeystoneClientV3,
|
||||
'trustee_domain_id',
|
||||
return_value=trustee_domain_id)
|
||||
|
||||
self.global_mocks[
|
||||
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q
|
||||
|
||||
self.mock_make_context = p.start()
|
||||
self.addCleanup(p.stop)
|
||||
|
||||
self.mock_make_trustee_domain_id = q.start()
|
||||
self.addCleanup(q.stop)
|
||||
|
||||
self.useFixture(conf_fixture.ConfFixture())
|
||||
self.useFixture(fixtures.NestedTempfile())
|
||||
|
||||
|
@ -104,6 +125,12 @@ class TestCase(base.BaseTestCase):
|
|||
|
||||
self.addCleanup(reset_pecan)
|
||||
|
||||
def start_global(self, name):
|
||||
self.global_mocks[name].start()
|
||||
|
||||
def stop_global(self, name):
|
||||
self.global_mocks[name].stop()
|
||||
|
||||
def _restore_obj_registry(self):
|
||||
objects_base.MagnumObjectRegistry._registry._obj_classes \
|
||||
= self._base_test_obj_backup
|
||||
|
|
|
@ -55,6 +55,19 @@ class KeystoneClientTest(base.TestCase):
|
|||
admin_tenant_name='service',
|
||||
group=ksconf.CFG_LEGACY_GROUP)
|
||||
|
||||
# Disable global mocking for trustee_domain_id
|
||||
self.stop_global(
|
||||
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
|
||||
|
||||
def tearDown(self):
|
||||
# Re-enable global mocking for trustee_domain_id. We need this because
|
||||
# mock blows up when trying to stop an already stopped patch (which it
|
||||
# will do due to the addCleanup() in base.TestCase).
|
||||
self.start_global(
|
||||
'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
|
||||
|
||||
super(KeystoneClientTest, self).tearDown()
|
||||
|
||||
def test_client_with_password(self, mock_ks):
|
||||
self.ctx.is_admin = True
|
||||
ks_client = keystone.KeystoneClientV3(self.ctx)
|
||||
|
@ -136,6 +149,7 @@ class KeystoneClientTest(base.TestCase):
|
|||
ks_client.create_trust(trustee_user='888888')
|
||||
|
||||
mock_ks.return_value.trusts.create.assert_called_once_with(
|
||||
delegation_depth=0,
|
||||
trustor_user='123456', project='654321',
|
||||
trustee_user='888888', role_names=['role1', 'role2'],
|
||||
impersonation=True)
|
||||
|
@ -152,6 +166,7 @@ class KeystoneClientTest(base.TestCase):
|
|||
ks_client.create_trust(trustee_user='888888')
|
||||
|
||||
mock_ks.return_value.trusts.create.assert_called_once_with(
|
||||
delegation_depth=0,
|
||||
trustor_user='123456', project='654321',
|
||||
trustee_user='888888', role_names=['role3'],
|
||||
impersonation=True)
|
||||
|
|
|
@ -37,6 +37,7 @@ class TrustManagerTestCase(base.BaseTestCase):
|
|||
mock_generate_password.return_value = mock_password
|
||||
mock_cluster = mock.MagicMock()
|
||||
mock_cluster.uuid = 'mock_cluster_uuid'
|
||||
mock_cluster.project_id = 'mock_cluster_project_id'
|
||||
mock_keystone = mock.MagicMock()
|
||||
mock_trustee = mock.MagicMock()
|
||||
mock_trustee.id = 'mock_trustee_id'
|
||||
|
@ -52,7 +53,7 @@ class TrustManagerTestCase(base.BaseTestCase):
|
|||
trust_manager.create_trustee_and_trust(self.osc, mock_cluster)
|
||||
|
||||
mock_keystone.create_trustee.assert_called_once_with(
|
||||
mock_cluster.uuid,
|
||||
'%s_%s' % (mock_cluster.uuid, mock_cluster.project_id),
|
||||
mock_password,
|
||||
)
|
||||
mock_keystone.create_trust.assert_called_once_with(
|
||||
|
|
|
@ -181,6 +181,11 @@ class TestHandler(db_base.DbTestCase):
|
|||
mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone()
|
||||
mock_heat_poller_class.return_value = mock_poller
|
||||
osc = mock.sentinel.osc
|
||||
|
||||
def return_keystone():
|
||||
return self.keystone_client
|
||||
|
||||
osc.keystone = return_keystone
|
||||
mock_openstack_client_class.return_value = osc
|
||||
mock_dr = mock.MagicMock()
|
||||
mock_driver.return_value = mock_dr
|
||||
|
|
|
@ -194,7 +194,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
|
@ -236,6 +236,10 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'RegionOne',
|
||||
group='docker_registry')
|
||||
|
||||
CONF.set_override('cluster_user_trust',
|
||||
True,
|
||||
group='trust')
|
||||
|
||||
(template_path,
|
||||
definition,
|
||||
env_files) = mock_driver()._extract_template_definition(self.context,
|
||||
|
@ -350,7 +354,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'ssh_key_name': 'keypair_id',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'tls_disabled': False,
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'trustee_domain_id': 'trustee_domain_id',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
|
@ -421,7 +425,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'cluster_uuid': self.cluster_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
|
@ -488,7 +492,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'cluster_uuid': self.cluster_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
|
@ -686,7 +690,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
|
|
|
@ -37,6 +37,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
'registry_enabled': False,
|
||||
'server_type': 'vm',
|
||||
'volume_driver': 'volume_driver',
|
||||
'labels': {'rexray_preempt': 'False',
|
||||
|
@ -117,7 +118,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'volume_driver': 'volume_driver',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
|
@ -171,7 +172,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
'username': 'mesos_user',
|
||||
|
@ -227,7 +228,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'volume_driver': 'volume_driver',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
|
@ -285,7 +286,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'volume_driver': 'volume_driver',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
|
|
|
@ -74,6 +74,12 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'coe_version': 'fake-version'
|
||||
}
|
||||
|
||||
# We need this due to volume_driver=rexray
|
||||
CONF.set_override('cluster_user_trust',
|
||||
True,
|
||||
group='trust')
|
||||
|
||||
osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
|
||||
self.mock_osc_class = osc_patcher.start()
|
||||
self.addCleanup(osc_patcher.stop)
|
||||
|
@ -280,7 +286,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'trust_id': '',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'swarm_version': 'fake-version',
|
||||
'swarm_strategy': u'spread',
|
||||
|
|
Loading…
Reference in New Issue