Add support for system-scoped tokens
Since Ussuri, nova can be configured with new policy defaults. These defaults enforce the need to use system-scoped tokens for admin operations like listing hypervisors. The new os_system_scope configuration allows masakari to request a system-scoped token using keystoneauth1 to query nova. Implements: blueprint support-nova-system-scope-policies Change-Id: I5f5b3f05358c28d60cfd05bc62a388f9087d75ac
parent
ae8347df1a
commit
0a5ae8b402
@ -112,7 +112,8 @@ def novaclient(context, timeout=None):
|
||||
password=context.auth_token,
|
||||
project_name=context.project_name,
|
||||
user_domain_name=CONF.os_user_domain_name,
|
||||
project_domain_name=CONF.os_project_domain_name)
|
||||
project_domain_name=CONF.os_project_domain_name,
|
||||
system_scope=CONF.os_system_scope)
|
||||
session_loader = keystoneauth1.loading.session.Session()
|
||||
keystone_session = session_loader.load_from_options(
|
||||
auth=auth, cacert=CONF.nova_ca_certificates_file,
|
||||
|
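Review bot: `system_scope=CONF.os_system_scope` is passed alongside `project_name=context.project_name`, so when an operator sets the new option while the context still carries a project name, the auth plugin receives two scope targets. As far as I recall, keystoneauth1 treats project, domain, trust and system scope as mutually exclusive and fails authentication when more than one is given, which would break every nova call in that configuration; this should be confirmed against the keystoneauth1 version in use. Making the precedence explicit, for example `project_name=None if CONF.os_system_scope else context.project_name,`, avoids depending on how the plugin resolves the conflict. The body of novaclient() starts and ends outside this hunk, so any handling elsewhere is not visible here.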
@ -53,6 +53,8 @@ nova_opts = [
|
||||
default="default",
|
||||
help='Project domain name associated with the OpenStack '
|
||||
'privileged account.'),
|
||||
cfg.StrOpt('os_system_scope',
|
||||
help='Scope for system operations.'),
|
||||
]
|
||||
|
||||
|
||||
|
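Review bot: The new `os_system_scope` option accepts any string, and its help text `'Scope for system operations.'` does not say which values are valid or what enabling it changes. The tests in this commit only ever use `'all'`, so declaring `choices=['all']` on the `cfg.StrOpt` would reject a typo at startup instead of at the first keystone request. The help should also say that leaving it unset keeps project-scoped tokens and that setting it makes the privileged account authenticate with system-wide scope, e.g. `help='Set to "all" to request a system-scoped token for the privileged account when querying nova; unset keeps project scope.'`. Operators then know the account needs a system role assignment and can keep that assignment to the minimum masakari requires. nova_opts begins outside this hunk.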
@ -52,7 +52,8 @@ class NovaClientTestCase(test.TestCase):
|
||||
p_plugin_loader.return_value.load_from_options.assert_called_once_with(
|
||||
auth_url='http://keystonehost/identity',
|
||||
password='strongpassword', project_domain_name='default',
|
||||
project_name=None, user_domain_name='default', username='adminuser'
|
||||
project_name=None, user_domain_name='default',
|
||||
system_scope=None, username='adminuser'
|
||||
)
|
||||
p_client.assert_called_once_with(
|
||||
p_api_version(nova.NOVA_API_VERSION),
|
||||
@ -72,7 +73,8 @@ class NovaClientTestCase(test.TestCase):
|
||||
p_plugin_loader.return_value.load_from_options.assert_called_once_with(
|
||||
auth_url='http://keystonehost/identity',
|
||||
password='strongpassword', project_domain_name='default',
|
||||
project_name=None, user_domain_name='default', username='adminuser'
|
||||
project_name=None, user_domain_name='default',
|
||||
system_scope=None, username='adminuser'
|
||||
)
|
||||
p_client.assert_called_once_with(
|
||||
p_api_version(nova.NOVA_API_VERSION),
|
||||
@ -94,7 +96,8 @@ class NovaClientTestCase(test.TestCase):
|
||||
p_plugin_loader.return_value.load_from_options.assert_called_once_with(
|
||||
auth_url='http://keystonehost/identity',
|
||||
password='strongpassword', project_domain_name='default',
|
||||
project_name=None, user_domain_name='default', username='adminuser'
|
||||
project_name=None, user_domain_name='default',
|
||||
system_scope=None, username='adminuser'
|
||||
)
|
||||
p_client.assert_called_once_with(
|
||||
p_api_version(nova.NOVA_API_VERSION),
|
||||
@ -115,7 +118,8 @@ class NovaClientTestCase(test.TestCase):
|
||||
p_plugin_loader.return_value.load_from_options.assert_called_once_with(
|
||||
auth_url='http://keystonehost/identity',
|
||||
password='strongpassword', project_domain_name='default',
|
||||
project_name=None, user_domain_name='default', username='adminuser'
|
||||
project_name=None, user_domain_name='default',
|
||||
system_scope=None, username='adminuser'
|
||||
)
|
||||
p_client.assert_called_once_with(
|
||||
p_api_version(nova.NOVA_API_VERSION),
|
||||
@ -125,6 +129,21 @@ class NovaClientTestCase(test.TestCase):
|
||||
cacert=None, timeout=None, global_request_id=self.ctx.global_id,
|
||||
extensions=nova.nova_extensions)
|
||||
|
||||
@mock.patch('novaclient.api_versions.APIVersion')
|
||||
@mock.patch('novaclient.client.Client')
|
||||
@mock.patch('keystoneauth1.loading.get_plugin_loader')
|
||||
@mock.patch('keystoneauth1.session.Session')
|
||||
def test_nova_client_system_scope(self, p_session, p_plugin_loader,
|
||||
p_client, p_api_version):
|
||||
self.override_config('os_system_scope', 'all')
|
||||
nova.novaclient(self.ctx)
|
||||
p_plugin_loader.return_value.load_from_options.assert_called_once_with(
|
||||
auth_url='http://keystonehost/identity',
|
||||
password='strongpassword', project_domain_name='default',
|
||||
project_name=None, user_domain_name='default',
|
||||
system_scope='all', username='adminuser'
|
||||
)
|
||||
|
||||
|
||||
class NovaApiTestCase(test.TestCase):
|
||||
def setUp(self):
|
||||
|
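Review bot: test_nova_client_system_scope only asserts the case where `project_name=None`, so a context that carries a project name together with `os_system_scope='all'` is never exercised, and that is the combination most likely to misbehave if the auth plugin rejects multiple scopes. Unlike the four existing tests touched in this file, it also stops after the `load_from_options` assertion and never checks `p_client.assert_called_once_with(...)`, so a regression in how the session reaches novaclient under system scope would still pass. A second case with a project name set on the context, plus the client assertion, would close both gaps. How `self.ctx` is built is outside the visible hunks, so the first point assumes it can be given a project name.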
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Allows to use system-scoped tokens when contacting Nova.
|
||||
`Blueprint support-nova-system-scope-policies <https://blueprints.launchpad.net/masakari/+spec/support-nova-system-scope-policies>`__
|