Add support for system-scoped tokens

Since Ussuri, nova can be configured with new policy defaults. These defaults enforce the need to use system-scoped tokens for admin operations like listing hypervisors. The new os_system_scope configuration allows masakari to request a system-scoped token using keystoneauth1 to query nova. Implements: blueprint support-nova-system-scope-policies Change-Id: I5f5b3f05358c28d60cfd05bc62a388f9087d75ac
2020-11-17 15:31:50 +01:00 · 2020-11-17 15:31:50 +01:00 · 0a5ae8b402
commit 0a5ae8b402
parent ae8347df1a
4 changed files with 32 additions and 5 deletions
--- a/masakari/compute/nova.py
+++ b/masakari/compute/nova.py
@ -112,7 +112,8 @@ def novaclient(context, timeout=None):
        password=context.auth_token,
        project_name=context.project_name,
        user_domain_name=CONF.os_user_domain_name,
-        project_domain_name=CONF.os_project_domain_name)
+        project_domain_name=CONF.os_project_domain_name,
+        system_scope=CONF.os_system_scope)
    session_loader = keystoneauth1.loading.session.Session()
    keystone_session = session_loader.load_from_options(
        auth=auth, cacert=CONF.nova_ca_certificates_file,
--- a/masakari/conf/nova.py
+++ b/masakari/conf/nova.py
@ -53,6 +53,8 @@ nova_opts = [
               default="default",
               help='Project domain name associated with the OpenStack '
                    'privileged account.'),
+    cfg.StrOpt('os_system_scope',
+               help='Scope for system operations.'),
 ]


--- a/masakari/tests/unit/compute/test_nova.py
+++ b/masakari/tests/unit/compute/test_nova.py
@ -52,7 +52,8 @@ class NovaClientTestCase(test.TestCase):
        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
            auth_url='http://keystonehost/identity',
            password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
        )
        p_client.assert_called_once_with(
            p_api_version(nova.NOVA_API_VERSION),
@ -72,7 +73,8 @@ class NovaClientTestCase(test.TestCase):
        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
            auth_url='http://keystonehost/identity',
            password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
        )
        p_client.assert_called_once_with(
            p_api_version(nova.NOVA_API_VERSION),
@ -94,7 +96,8 @@ class NovaClientTestCase(test.TestCase):
        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
            auth_url='http://keystonehost/identity',
            password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
        )
        p_client.assert_called_once_with(
            p_api_version(nova.NOVA_API_VERSION),
@ -115,7 +118,8 @@ class NovaClientTestCase(test.TestCase):
        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
            auth_url='http://keystonehost/identity',
            password='strongpassword', project_domain_name='default',
-            project_name=None, user_domain_name='default', username='adminuser'
+            project_name=None, user_domain_name='default',
+            system_scope=None, username='adminuser'
        )
        p_client.assert_called_once_with(
            p_api_version(nova.NOVA_API_VERSION),
@ -125,6 +129,21 @@ class NovaClientTestCase(test.TestCase):
            cacert=None, timeout=None, global_request_id=self.ctx.global_id,
            extensions=nova.nova_extensions)

+    @mock.patch('novaclient.api_versions.APIVersion')
+    @mock.patch('novaclient.client.Client')
+    @mock.patch('keystoneauth1.loading.get_plugin_loader')
+    @mock.patch('keystoneauth1.session.Session')
+    def test_nova_client_system_scope(self, p_session, p_plugin_loader,
+                                      p_client, p_api_version):
+        self.override_config('os_system_scope', 'all')
+        nova.novaclient(self.ctx)
+        p_plugin_loader.return_value.load_from_options.assert_called_once_with(
+            auth_url='http://keystonehost/identity',
+            password='strongpassword', project_domain_name='default',
+            project_name=None, user_domain_name='default',
+            system_scope='all', username='adminuser'
+        )
+

 class NovaApiTestCase(test.TestCase):
    def setUp(self):
--- a/releasenotes/notes/blueprint-support-nova-system-scope-policies-c4dbd244dd3fcf1a.yaml
+++ b/releasenotes/notes/blueprint-support-nova-system-scope-policies-c4dbd244dd3fcf1a.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Allows to use system-scoped tokens when contacting Nova.
+    `Blueprint support-nova-system-scope-policies <https://blueprints.launchpad.net/masakari/+spec/support-nova-system-scope-policies>`__