Use ksa adapter for keystone conf & requests
nova.api.openstack.identity.verify_project_id now uses the common get_ksa_adapter utility to create an Adapter from common keystoneauth1 configuration options. This is effectively identical to the prior functionality, with the addition of support for Adapter conf options such as `region_name` and `valid_interfaces` which should almost never need to be overridden. As part of blueprint use-ksa-adapter-for-endpoints, this provides a consistent mechanism for endpoint communication from Nova. Change-Id: I2204c8bed8936d5bed0f410284d2a563f84e7100 Partial-Implements: bp use-ksa-adapter-for-endpoints
This commit is contained in:
parent
1606467b29
commit
667d19a2bc
|
@ -13,15 +13,13 @@
|
|||
# under the License.
|
||||
|
||||
from keystoneauth1 import exceptions as kse
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from oslo_log import log as logging
|
||||
import webob
|
||||
|
||||
import nova.conf
|
||||
from nova.i18n import _
|
||||
from nova import utils
|
||||
|
||||
|
||||
CONF = nova.conf.CONF
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
@ -32,19 +30,15 @@ def verify_project_id(context, project_id):
|
|||
an HTTPBadRequest is emitted.
|
||||
|
||||
"""
|
||||
sess = ks_loading.load_session_from_conf_options(
|
||||
CONF, 'keystone', auth=context.get_auth_plugin())
|
||||
adap = utils.get_ksa_adapter(
|
||||
'identity', ksa_auth=context.get_auth_plugin(),
|
||||
min_version=(3, 0), max_version=(3, 'latest'))
|
||||
|
||||
failure = webob.exc.HTTPBadRequest(
|
||||
explanation=_("Project ID %s is not a valid project.") %
|
||||
project_id)
|
||||
try:
|
||||
resp = sess.get('/projects/%s' % project_id,
|
||||
endpoint_filter={
|
||||
'service_type': 'identity',
|
||||
'version': (3, 0)
|
||||
},
|
||||
raise_exc=False)
|
||||
resp = adap.get('/projects/%s' % project_id, raise_exc=False)
|
||||
except kse.EndpointNotFound:
|
||||
LOG.error(
|
||||
"Keystone identity service version 3.0 was not found. This might "
|
||||
|
|
|
@ -14,6 +14,10 @@
|
|||
from keystoneauth1 import loading as ks_loading
|
||||
from oslo_config import cfg
|
||||
|
||||
from nova.conf import utils as confutils
|
||||
|
||||
|
||||
DEFAULT_SERVICE_TYPE = 'identity'
|
||||
|
||||
keystone_group = cfg.OptGroup(
|
||||
'keystone',
|
||||
|
@ -23,12 +27,14 @@ keystone_group = cfg.OptGroup(
|
|||
|
||||
def register_opts(conf):
|
||||
conf.register_group(keystone_group)
|
||||
|
||||
ks_loading.register_session_conf_options(conf, keystone_group.name)
|
||||
confutils.register_ksa_opts(conf, keystone_group.name,
|
||||
DEFAULT_SERVICE_TYPE, include_auth=False)
|
||||
|
||||
|
||||
def list_opts():
|
||||
return {
|
||||
keystone_group: (
|
||||
ks_loading.get_session_conf_options())
|
||||
ks_loading.get_session_conf_options() +
|
||||
confutils.get_ksa_adapter_opts(DEFAULT_SERVICE_TYPE)
|
||||
)
|
||||
}
|
||||
|
|
|
@ -15,9 +15,8 @@
|
|||
|
||||
import mock
|
||||
|
||||
from keystoneauth1.adapter import Adapter
|
||||
from keystoneauth1 import exceptions as kse
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from keystoneauth1.session import Session
|
||||
import webob
|
||||
|
||||
from nova.api.openstack import identity
|
||||
|
@ -68,92 +67,79 @@ class IdentityValidationTest(test.NoDBTestCase):
|
|||
not exist.
|
||||
|
||||
"""
|
||||
def setUp(self):
|
||||
super(IdentityValidationTest, self).setUp()
|
||||
get_adap_p = mock.patch('nova.utils.get_ksa_adapter')
|
||||
self.addCleanup(get_adap_p.stop)
|
||||
self.mock_get_adap = get_adap_p.start()
|
||||
self.mock_adap = mock.create_autospec(Adapter)
|
||||
self.mock_get_adap.return_value = self.mock_adap
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_good_id(self, mock_load):
|
||||
def validate_common(self):
|
||||
self.mock_get_adap.assert_called_once_with(
|
||||
'identity', ksa_auth=mock.ANY,
|
||||
min_version=(3, 0), max_version=(3, 'latest'))
|
||||
self.mock_adap.get.assert_called_once_with(
|
||||
'/projects/foo', raise_exc=False)
|
||||
|
||||
def test_good_id(self):
|
||||
"""Test response 200.
|
||||
|
||||
This indicates we have permissions, and we have definitively
|
||||
found the project exists.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.return_value = FakeResponse(200)
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.return_value = FakeResponse(200)
|
||||
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
|
||||
session.get.assert_called_once_with(
|
||||
'/projects/foo',
|
||||
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
|
||||
raise_exc=False)
|
||||
self.validate_common()
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_no_project(self, mock_load):
|
||||
def test_no_project(self):
|
||||
"""Test response 404.
|
||||
|
||||
This indicates that we have permissions, and we have
|
||||
definitively found the project does not exist.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.return_value = FakeResponse(404)
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.return_value = FakeResponse(404)
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
identity.verify_project_id,
|
||||
mock.MagicMock(), "foo")
|
||||
session.get.assert_called_once_with(
|
||||
'/projects/foo',
|
||||
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
|
||||
raise_exc=False)
|
||||
self.validate_common()
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_unknown_id(self, mock_load):
|
||||
def test_unknown_id(self):
|
||||
"""Test response 403.
|
||||
|
||||
This indicates we don't have permissions. We fail open here
|
||||
and assume the project exists.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.return_value = FakeResponse(403)
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.return_value = FakeResponse(403)
|
||||
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
|
||||
session.get.assert_called_once_with(
|
||||
'/projects/foo',
|
||||
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
|
||||
raise_exc=False)
|
||||
self.validate_common()
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_unknown_error(self, mock_load):
|
||||
def test_unknown_error(self):
|
||||
"""Test some other return from keystone.
|
||||
|
||||
If we got anything else, something is wrong on the keystone
|
||||
side. We don't want to fail on our side.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.return_value = FakeResponse(500, "Oh noes!")
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.return_value = FakeResponse(500, "Oh noes!")
|
||||
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
|
||||
session.get.assert_called_once_with(
|
||||
'/projects/foo',
|
||||
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
|
||||
raise_exc=False)
|
||||
self.validate_common()
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_early_fail(self, mock_load):
|
||||
def test_early_fail(self):
|
||||
"""Test if we get a keystoneauth exception.
|
||||
|
||||
If we get a random keystoneauth exception, fall back and
|
||||
assume the project exists.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.side_effect = kse.ConnectionError()
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.side_effect = kse.ConnectionError()
|
||||
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
|
||||
self.validate_common()
|
||||
|
||||
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
|
||||
def test_wrong_version(self, mock_load):
|
||||
def test_wrong_version(self):
|
||||
"""Test endpoint not found.
|
||||
|
||||
EndpointNotFound will be made when the keystone v3 API is not
|
||||
|
@ -161,9 +147,8 @@ class IdentityValidationTest(test.NoDBTestCase):
|
|||
registered as the root endpoint. We treat this the same as 404.
|
||||
|
||||
"""
|
||||
session = mock.create_autospec(Session)
|
||||
session.get.side_effect = kse.EndpointNotFound()
|
||||
mock_load.return_value = session
|
||||
self.mock_adap.get.side_effect = kse.EndpointNotFound()
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
identity.verify_project_id,
|
||||
mock.MagicMock(), "foo")
|
||||
self.validate_common()
|
||||
|
|
Loading…
Reference in New Issue