Handle service client authorization errors

Authorization errors when connecting to nova/glance/neutron/cinder can be raised as BadConfigurationExceptions in the logs. We shouldn't be raising exceptions derived from the service client libraries. Change-Id: I2d47dbb1251dfa8d529f813724fb7fd97d7d3a0b Closes-Bug: #1921927 Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-30 09:13:08 -07:00 · 2021-03-30 09:13:08 -07:00 · 04e06968fd
parent a4765cff1e
commit 04e06968fd
11 changed files with 18 additions and 22 deletions
--- a/manila/common/client_auth.py
+++ b/manila/common/client_auth.py
@ -34,9 +34,8 @@ needed to load all needed parameters dynamically.


 class AuthClientLoader(object):
-    def __init__(self, client_class, exception_module, cfg_group):
+    def __init__(self, client_class, cfg_group):
        self.client_class = client_class
-        self.exception_module = exception_module
        self.group = cfg_group
        self.admin_auth = None
        self.conf = CONF
@ -75,7 +74,7 @@ class AuthClientLoader(object):
            return self.auth_plugin

        msg = _('Cannot load auth plugin for %s') % self.group
-        raise self.exception_module.Unauthorized(message=msg)
+        raise exception.BadConfigurationException(reason=msg)

    def get_client(self, context, admin=False, **kwargs):
        """Get's the client with the correct auth/session context
--- a/manila/compute/nova.py
+++ b/manila/compute/nova.py
@ -61,9 +61,7 @@ def novaclient(context):
    global AUTH_OBJ
    if not AUTH_OBJ:
        AUTH_OBJ = client_auth.AuthClientLoader(
-            client_class=nova_client.Client,
-            exception_module=nova_exception,
-            cfg_group=NOVA_GROUP)
+            client_class=nova_client.Client, cfg_group=NOVA_GROUP)
    return AUTH_OBJ.get_client(context,
                               version=CONF[NOVA_GROUP].api_microversion,
                               endpoint_type=CONF[NOVA_GROUP].endpoint_type,
--- a/manila/image/glance.py
+++ b/manila/image/glance.py
@ -17,7 +17,6 @@ Handles all requests to Glance.
 """

 from glanceclient import client as glance_client
-from glanceclient import exc as glance_exception
 from keystoneauth1 import loading as ks_loading
 from oslo_config import cfg

@ -53,9 +52,7 @@ def glanceclient(context):
    global AUTH_OBJ
    if not AUTH_OBJ:
        AUTH_OBJ = client_auth.AuthClientLoader(
-            client_class=glance_client.Client,
-            exception_module=glance_exception,
-            cfg_group=GLANCE_GROUP)
+            client_class=glance_client.Client, cfg_group=GLANCE_GROUP)
    return AUTH_OBJ.get_client(context,
                               version=CONF[GLANCE_GROUP].api_microversion,
                               region_name=CONF[GLANCE_GROUP].region_name)
--- a/manila/network/neutron/api.py
+++ b/manila/network/neutron/api.py
@ -85,9 +85,7 @@ class API(object):
    def get_client(self, context):
        if not self.auth_obj:
            self.auth_obj = client_auth.AuthClientLoader(
-                client_class=clientv20.Client,
-                exception_module=neutron_client_exc,
-                cfg_group=NEUTRON_GROUP)
+                client_class=clientv20.Client, cfg_group=NEUTRON_GROUP)

        return self.auth_obj.get_client(
            self,
--- a/manila/tests/common/test_client_auth.py
+++ b/manila/tests/common/test_client_auth.py
@ -30,8 +30,7 @@ class ClientAuthTestCase(test.TestCase):
        self.context = mock.Mock()
        self.fake_client = mock.Mock()
        self.exception_mod = fake_client_exception_class
-        self.auth = client_auth.AuthClientLoader(
-            self.fake_client, self.exception_mod, 'foo_group')
+        self.auth = client_auth.AuthClientLoader(self.fake_client, 'foo_group')

    def test_get_client_admin_true(self):
        mock_load_session = self.mock_object(auth,
@ -61,7 +60,7 @@ class ClientAuthTestCase(test.TestCase):
    def test_load_auth_plugin_no_auth(self):
        auth.load_auth_from_conf_options.return_value = None

-        self.assertRaises(fake_client_exception_class.Unauthorized,
+        self.assertRaises(exception.BadConfigurationException,
                          self.auth._load_auth_plugin)

    @mock.patch.object(auth, 'get_session_conf_options')
--- a/manila/tests/compute/test_nova.py
+++ b/manila/tests/compute/test_nova.py
@ -146,7 +146,6 @@ class NovaclientTestCase(test.TestCase):

        mock_client_loader.assert_called_once_with(
            client_class=nova.nova_client.Client,
-            exception_module=nova.nova_exception,
            cfg_group=nova.NOVA_GROUP
        )
        mock_client_loader.return_value.get_client.assert_called_once_with(
--- a/manila/tests/image/test_image.py
+++ b/manila/tests/image/test_image.py
@ -56,6 +56,10 @@ class GlanceClientTestCase(test.TestCase):
        with test_utils.create_temp_config_with_opts(data):
            glance.glanceclient(fake_context)

+        mock_client_loader.assert_called_once_with(
+            client_class=glance.glance_client.Client,
+            cfg_group=glance.GLANCE_GROUP
+        )
        mock_client_loader.return_value.get_client.assert_called_once_with(
            fake_context,
            version=data['glance']['api_microversion'],
--- a/manila/tests/network/neutron/test_neutron_api.py
+++ b/manila/tests/network/neutron/test_neutron_api.py
@ -102,7 +102,6 @@ class NeutronclientTestCase(test.TestCase):

        mock_client_loader.assert_called_once_with(
            client_class=neutron_api.clientv20.Client,
-            exception_module=neutron_api.neutron_client_exc,
            cfg_group=neutron_api.NEUTRON_GROUP
        )
        mock_client_loader.return_value.get_client.assert_called_once_with(
--- a/manila/tests/volume/test_cinder.py
+++ b/manila/tests/volume/test_cinder.py
@ -67,7 +67,6 @@ class CinderclientTestCase(test.TestCase):

        mock_client_loader.assert_called_once_with(
            client_class=cinder.cinder_client.Client,
-            exception_module=cinder.cinder_exception,
            cfg_group=cinder.CINDER_GROUP
        )
        mock_client_loader.return_value.get_client.assert_called_once_with(
--- a/manila/volume/cinder.py
+++ b/manila/volume/cinder.py
@ -67,9 +67,7 @@ def cinderclient(context):
    global AUTH_OBJ
    if not AUTH_OBJ:
        AUTH_OBJ = client_auth.AuthClientLoader(
-            client_class=cinder_client.Client,
-            exception_module=cinder_exception,
-            cfg_group=CINDER_GROUP)
+            client_class=cinder_client.Client, cfg_group=CINDER_GROUP)
    return AUTH_OBJ.get_client(context,
                               retries=CONF[CINDER_GROUP].http_retries,
                               endpoint_type=CONF[CINDER_GROUP].endpoint_type,
--- a/releasenotes/notes/bug-1921927-handle-service-client-unauthorized-exceptions-b2ebc08a072f7e12.yaml
+++ b/releasenotes/notes/bug-1921927-handle-service-client-unauthorized-exceptions-b2ebc08a072f7e12.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Authentication errors when loading service clients of OpenStack Compute
+    (nova), OpenStack Image (glance), OpenStack Volume (cinder) and OpenStack
+    Networking (neutron) services are now handled in a better manner.