openstack
/
mistral
Code Issues Proposed changes

Fix OS action client initialization 

* Fix work with trust-scoped token
 * Fix NovaAction and KeystoneAction
 * Added new field to MistralContext - is_trust_scoped

Change-Id: Id1a8c959ffd07032f9ab03e5fdbafbdc66374ce3
This commit is contained in:
Nikolay Mahotkin 2015-02-17 18:12:30 +03:00
parent 67454a11df
commit bb56092316
4 changed files with 41 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
mistral/actions/openstack/actions.py
View File

@ -44,6 +44,7 @@ class NovaAction(base.OpenStackAction):
LOG.debug("Nova action security context: %s" % ctx)
keystone_endpoint = keystone_utils.get_keystone_endpoint_v2()
nova_endpoint = keystone_utils.get_endpoint_for_project('nova')
client = self._client_class(
username=None,
@ -56,6 +57,11 @@ class NovaAction(base.OpenStackAction):
auth_url=keystone_endpoint.url
)
client.client.management_url = keystone_utils.format_url(
nova_endpoint.url,
{'tenant_id': ctx.project_id}
)
return client
@ -88,12 +94,23 @@ class KeystoneAction(base.OpenStackAction):
LOG.debug("Keystone action security context: %s" % ctx)
return self._client_class(
token=ctx.auth_token,
auth_url=CONF.keystone_authtoken.auth_uri,
project_id=ctx.project_id,
cacert=CONF.keystone_authtoken.cafile
)
kwargs = {
'token': ctx.auth_token,
'auth_url': CONF.keystone_authtoken.auth_uri,
'project_id': ctx.project_id,
'cacert': CONF.keystone_authtoken.cafile,
}
# In case of trust-scoped token explicitly pass endpoint parameter.
if (ctx.is_trust_scoped
or keystone_utils.is_token_trust_scoped(ctx.auth_token)):
kwargs['endpoint'] = CONF.keystone_authtoken.auth_uri
client = self._client_class(**kwargs)
client.management_url = CONF.keystone_authtoken.auth_uri
return client
@classmethod
def _get_fake_client(cls):

10
mistral/context.py
View File

@ -76,6 +76,7 @@ class MistralContext(BaseContext):
"project_name",
"roles",
"is_admin",
"is_trust_scoped",
])
def __repr__(self):
@ -127,7 +128,8 @@ def context_from_headers(headers):
service_catalog=headers.get('X-Service-Catalog'),
user_name=headers.get('X-User-Name'),
project_name=headers.get('X-Project-Name'),
roles=headers.get('X-Roles', "").split(",")
roles=headers.get('X-Roles', "").split(","),
is_trust_scoped=False,
)
@ -136,7 +138,8 @@ def context_from_config():
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
tenant_name=CONF.keystone_authtoken.admin_tenant_name,
auth_url=CONF.keystone_authtoken.auth_uri
auth_url=CONF.keystone_authtoken.auth_uri,
is_trust_scoped=False,
)
keystone.authenticate()
@ -146,7 +149,8 @@ def context_from_config():
project_id=keystone.project_id,
auth_token=keystone.auth_token,
project_name=CONF.keystone_authtoken.admin_tenant_name,
user_name=CONF.keystone_authtoken.admin_user
user_name=CONF.keystone_authtoken.admin_user,
is_trust_scoped=False,
)

3
mistral/services/security.py
View File

@ -70,7 +70,8 @@ def create_context(trust_id, project_id):
return auth_ctx.MistralContext(
user_id=client.user_id,
project_id=project_id,
auth_token=client.auth_token
auth_token=client.auth_token,
is_trust_scoped=True,
)
return auth_ctx.MistralContext(

9
mistral/utils/openstack/keystone.py
View File

@ -104,3 +104,12 @@ def format_url(url_template, values):
# see https://github.com/openstack/keystone/blob/master/keystone/
# catalog/core.py#L42-L60
return url_template.replace('$(', '%(') % values
def is_token_trust_scoped(auth_token):
admin_project_name = CONF.keystone_authtoken.admin_tenant_name
keystone_client = _admin_client(project_name=admin_project_name)
token_info = keystone_client.tokens.validate(auth_token)
return 'OS-TRUST:trust' in token_info