Merge "Use recommended function to setup auth middleware in devstack"

devstack/plugin.sh

@@ -59,6 +59,11 @@ function mkdir_chown_stack {
 
 # configure_mistral - Set config files, create data dirs, etc
 function configure_mistral {
+
+    # create and clean up auth cache dir
+    mkdir_chown_stack "$MISTRAL_AUTH_CACHE_DIR"
+    rm -f "$MISTRAL_AUTH_CACHE_DIR"/*
+
     mkdir_chown_stack "$MISTRAL_CONF_DIR"
 
     # Generate Mistral configuration file and configure common parameters.
@@ -75,14 +80,8 @@ function configure_mistral {
     #-------------------------
 
     # Setup keystone_authtoken section
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $MISTRAL_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_user $MISTRAL_ADMIN_USER
-    iniset $MISTRAL_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
+    configure_auth_token_middleware $MISTRAL_CONF_FILE mistral $MISTRAL_AUTH_CACHE_DIR
     iniset $MISTRAL_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_AUTH_URI_V3
-    iniset $MISTRAL_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
 
     # Setup RabbitMQ credentials
     iniset $MISTRAL_CONF_FILE oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
@@ -250,8 +249,8 @@ if is_service_enabled mistral; then
         install_mistral_pythonclient
     elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
         echo_summary "Configuring mistral"
-        configure_mistral
         create_mistral_accounts
+        configure_mistral
     elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
         echo_summary "Initializing mistral"
         init_mistral

devstack/settings

@@ -29,6 +29,7 @@ MISTRAL_DASHBOARD_DIR=$DEST/mistral-dashboard
 MISTRAL_CONF_DIR=${MISTRAL_CONF_DIR:-/etc/mistral}
 MISTRAL_CONF_FILE=${MISTRAL_CONF_DIR}/mistral.conf
 MISTRAL_DEBUG=${MISTRAL_DEBUG:-True}
+MISTRAL_AUTH_CACHE_DIR=${MISTRAL_AUTH_CACHE_DIR:-/var/cache/mistral}
 
 MISTRAL_SERVICE_HOST=${MISTRAL_SERVICE_HOST:-$SERVICE_HOST}
 MISTRAL_SERVICE_PORT=${MISTRAL_SERVICE_PORT:-8989}

mistral/services/security.py

@@ -42,8 +42,7 @@ def create_trust():
 
     ctx = auth_ctx.ctx()
 
-    trustee_id = keystone.client_for_admin(
-        CONF.keystone_authtoken.admin_tenant_name).user_id
+    trustee_id = keystone.client_for_admin().session.get_user_id()
 
     return client.trusts.create(
         trustor_user=client.user_id,

mistral/utils/openstack/keystone.py

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import keystoneauth1.identity.generic as auth_plugins
+from keystoneauth1 import loading
 from keystoneauth1 import session as ks_session
 from keystoneauth1.token_endpoint import Token
 from keystoneclient import service_catalog as ks_service_catalog
@@ -27,6 +27,7 @@ from mistral import context
 from mistral import exceptions
 
 CONF = cfg.CONF
+CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')
 
 
 def client():
@@ -92,23 +93,32 @@ def get_session_and_auth(context, **kwargs):
 
 
 def _admin_client(trust_id=None, project_name=None):
-    auth_url = CONF.keystone_authtoken.auth_uri
+    kwargs = {}
 
-    cl = ks_client.Client(
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
-        project_name=project_name,
-        auth_url=auth_url,
-        trust_id=trust_id
+    if trust_id:
+        # Remove project_name and project_id, since we need a trust scoped
+        # auth object
+        kwargs['project_name'] = None
+        kwargs['project_domain_name'] = None
+        kwargs['project_id'] = None
+        kwargs['trust_id'] = trust_id
+
+    auth = loading.load_auth_from_conf_options(
+        CONF,
+        'keystone_authtoken',
+        **kwargs
+    )
+    sess = loading.load_session_from_conf_options(
+        CONF,
+        'keystone_authtoken',
+        auth=auth
     )
 
-    cl.management_url = auth_url
-
-    return cl
+    return ks_client.Client(session=sess)
 
 
-def client_for_admin(project_name):
-    return _admin_client(project_name=project_name)
+def client_for_admin():
+    return _admin_client()
 
 
 def client_for_trusts(trust_id):
@@ -230,28 +240,21 @@ def format_url(url_template, values):
 
 
 def is_token_trust_scoped(auth_token):
-    admin_project_name = CONF.keystone_authtoken.admin_tenant_name
-    keystone_client = _admin_client(project_name=admin_project_name)
-
-    token_info = keystone_client.tokens.validate(auth_token)
-
-    return 'OS-TRUST:trust' in token_info
+    return 'OS-TRUST:trust' in client_for_admin().tokens.validate(auth_token)
 
 
 def get_admin_session():
     """Returns a keystone session from Mistral's service credentials."""
+    auth = loading.load_auth_from_conf_options(
+        CONF,
+        'keystone_authtoken'
+    )
 
-    auth = auth_plugins.Password(
-        CONF.keystone_authtoken.auth_uri,
-        username=CONF.keystone_authtoken.admin_user,
-        password=CONF.keystone_authtoken.admin_password,
-        project_name=CONF.keystone_authtoken.admin_tenant_name,
-        # NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
-        # fetch the following values from the configuration.
-        user_domain_name='Default',
-        project_domain_name='Default')
-
-    return ks_session.Session(auth=auth)
+    return loading.load_session_from_conf_options(
+        CONF,
+        'keystone_authtoken',
+        auth=auth
+    )
 
 
 def will_expire_soon(expires_at):