openstack/mistral
Code Issues Proposed changes

Support transition to keystone auth plugin

Browse Source 
The puppet module puppet-mistral is moving to use a proper keystone
authtoken module. This supports that transition. A follow on patch
will remove the transition code.

Change-Id: Ief32ae01372c8c8d32fc5e2c89a2927510983a5b
This commit is contained in:
Brad P. Crochet 2017-05-04 08:51:25 -04:00
parent 97e2d359b6
commit 1c485867c4
4 changed files with 68 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
devstack/plugin.sh
View File

@ -75,14 +75,15 @@ function configure_mistral {
#-------------------------
# Setup keystone_authtoken section
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
iniset $MISTRAL_CONF_FILE keystone_authtoken project_name $SERVICE_TENANT_NAME
iniset $MISTRAL_CONF_FILE keystone_authtoken username $MISTRAL_ADMIN_USER
iniset $MISTRAL_CONF_FILE keystone_authtoken password $SERVICE_PASSWORD
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
iniset $MISTRAL_CONF_FILE keystone_authtoken service_token_roles_required True
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_type password
iniset $MISTRAL_CONF_FILE keystone_authtoken auth_url $KEYSTONE_SERVICE_URI
iniset $MISTRAL_CONF_FILE keystone_authtoken user_domain_name Default
iniset $MISTRAL_CONF_FILE keystone_authtoken project_domain_name Default
# Setup RabbitMQ credentials
iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID

29
mistral/context.py
View File

@ -88,6 +88,8 @@ class MistralContext(BaseContext):
"expires_at",
"trust_id",
"is_target",
"user_domain_name",
"project_domain_name",
])
def __repr__(self):
@ -206,10 +208,25 @@ def _extract_service_catalog_from_headers(headers):
def context_from_config():
username = (
CONF.keystone_authtoken.username or
CONF.keystone_authtoken.admin_user)
password = (
CONF.keystone_authtoken.password or
CONF.keystone_authtoken.admin_password)
project_name = (
CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
user_domain_name = (
CONF.keystone_authtoken.user_domain_name or 'Default')
project_domain_name = (
CONF.keystone_authtoken.project_domain_name or 'Default')
keystone = keystone_client.Client(
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
tenant_name=CONF.keystone_authtoken.admin_tenant_name,
username=username,
password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
auth_url=CONF.keystone_authtoken.auth_uri,
is_trust_scoped=False,
)
@ -220,8 +237,10 @@ def context_from_config():
user_id=keystone.user_id,
project_id=keystone.project_id,
auth_token=keystone.auth_token,
project_name=CONF.keystone_authtoken.admin_tenant_name,
user_name=CONF.keystone_authtoken.admin_user,
project_name=project_name,
user_name=username,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
is_trust_scoped=False,
)

7
mistral/services/security.py
View File

@ -40,8 +40,11 @@ def create_trust():
ctx = auth_ctx.ctx()
trustee_id = keystone.client_for_admin(
CONF.keystone_authtoken.admin_tenant_name).user_id
project_name = (
CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
trustee_id = keystone.client_for_admin(project_name).user_id
return client.trusts.create(
trustor_user=client.user_id,

41
mistral/utils/openstack/keystone.py
View File

@ -47,9 +47,16 @@ def client():
def _admin_client(trust_id=None, project_name=None):
auth_url = CONF.keystone_authtoken.auth_uri
username = (
CONF.keystone_authtoken.admin_user or
CONF.keystone_authtoken.username)
password = (
CONF.keystone_authtoken.admin_password or
CONF.keystone_authtoken.password)
cl = ks_client.Client(
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
username=username,
password=password,
project_name=project_name,
auth_url=auth_url,
trust_id=trust_id
@ -168,7 +175,9 @@ def format_url(url_template, values):
def is_token_trust_scoped(auth_token):
admin_project_name = CONF.keystone_authtoken.admin_tenant_name
admin_project_name = (
CONF.keystone_authtoken.admin_tenant_name or
CONF.keystone_authtoken.project_name)
keystone_client = _admin_client(project_name=admin_project_name)
token_info = keystone_client.tokens.validate(auth_token)
@ -179,15 +188,27 @@ def is_token_trust_scoped(auth_token):
def get_admin_session():
"""Returns a keystone session from Mistral's service credentials."""
username = (
CONF.keystone_authtoken.username or
CONF.keystone_authtoken.admin_user)
password = (
CONF.keystone_authtoken.password or
CONF.keystone_authtoken.admin_password)
project_name = (
CONF.keystone_authtoken.project_name or
CONF.keystone_authtoken.admin_tenant_name)
user_domain_name = (
CONF.keystone_authtoken.user_domain_name or 'Default')
project_domain_name = (
CONF.keystone_authtoken.project_domain_name or 'Default')
auth = auth_plugins.Password(
CONF.keystone_authtoken.auth_uri,
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
project_name=CONF.keystone_authtoken.admin_tenant_name,
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
# fetch the following values from the configuration.
user_domain_name='Default',
project_domain_name='Default')
username=username,
password=password,
project_name=project_name,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
return ks_session.Session(auth=auth)