openstack
/
nova
Code Issues Proposed changes

Use ksa adapter for keystone conf & requests 

nova.api.openstack.identity.verify_project_id now uses the common
get_ksa_adapter utility to create an Adapter from common keystoneauth1
configuration options.  This is effectively identical to the prior
functionality, with the addition of support for Adapter conf options
such as `region_name` and `valid_interfaces` which should almost never
need to be overridden.

As part of blueprint use-ksa-adapter-for-endpoints, this provides a
consistent mechanism for endpoint communication from Nova.

Change-Id: I2204c8bed8936d5bed0f410284d2a563f84e7100
Partial-Implements: bp use-ksa-adapter-for-endpoints
This commit is contained in:
Eric Fried 2017-09-26 17:01:39 -05:00 committed by Matt Riedemann
parent 1606467b29
commit 667d19a2bc
3 changed files with 47 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nova/api/openstack/identity.py
View File

@ -13,15 +13,13 @@
# under the License.
from keystoneauth1 import exceptions as kse
from keystoneauth1 import loading as ks_loading
from oslo_log import log as logging
import webob
import nova.conf
from nova.i18n import _
from nova import utils
CONF = nova.conf.CONF
LOG = logging.getLogger(__name__)
@ -32,19 +30,15 @@ def verify_project_id(context, project_id):
an HTTPBadRequest is emitted.
"""
sess = ks_loading.load_session_from_conf_options(
CONF, 'keystone', auth=context.get_auth_plugin())
adap = utils.get_ksa_adapter(
'identity', ksa_auth=context.get_auth_plugin(),
min_version=(3, 0), max_version=(3, 'latest'))
failure = webob.exc.HTTPBadRequest(
explanation=_("Project ID %s is not a valid project.") %
project_id)
try:
resp = sess.get('/projects/%s' % project_id,
endpoint_filter={
'service_type': 'identity',
'version': (3, 0)
},
raise_exc=False)
resp = adap.get('/projects/%s' % project_id, raise_exc=False)
except kse.EndpointNotFound:
LOG.error(
"Keystone identity service version 3.0 was not found. This might "

12
nova/conf/keystone.py
View File

@ -14,6 +14,10 @@
from keystoneauth1 import loading as ks_loading
from oslo_config import cfg
from nova.conf import utils as confutils
DEFAULT_SERVICE_TYPE = 'identity'
keystone_group = cfg.OptGroup(
'keystone',
@ -23,12 +27,14 @@ keystone_group = cfg.OptGroup(
def register_opts(conf):
conf.register_group(keystone_group)
ks_loading.register_session_conf_options(conf, keystone_group.name)
confutils.register_ksa_opts(conf, keystone_group.name,
DEFAULT_SERVICE_TYPE, include_auth=False)
def list_opts():
return {
keystone_group: (
ks_loading.get_session_conf_options())
ks_loading.get_session_conf_options() +
confutils.get_ksa_adapter_opts(DEFAULT_SERVICE_TYPE)
)
}

81
nova/tests/unit/test_identity.py
View File

@ -15,9 +15,8 @@
import mock
from keystoneauth1.adapter import Adapter
from keystoneauth1 import exceptions as kse
from keystoneauth1 import loading as ks_loading
from keystoneauth1.session import Session
import webob
from nova.api.openstack import identity
@ -68,92 +67,79 @@ class IdentityValidationTest(test.NoDBTestCase):
not exist.
"""
def setUp(self):
super(IdentityValidationTest, self).setUp()
get_adap_p = mock.patch('nova.utils.get_ksa_adapter')
self.addCleanup(get_adap_p.stop)
self.mock_get_adap = get_adap_p.start()
self.mock_adap = mock.create_autospec(Adapter)
self.mock_get_adap.return_value = self.mock_adap
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_good_id(self, mock_load):
def validate_common(self):
self.mock_get_adap.assert_called_once_with(
'identity', ksa_auth=mock.ANY,
min_version=(3, 0), max_version=(3, 'latest'))
self.mock_adap.get.assert_called_once_with(
'/projects/foo', raise_exc=False)
def test_good_id(self):
"""Test response 200.
This indicates we have permissions, and we have definitively
found the project exists.
"""
session = mock.create_autospec(Session)
session.get.return_value = FakeResponse(200)
mock_load.return_value = session
self.mock_adap.get.return_value = FakeResponse(200)
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
session.get.assert_called_once_with(
'/projects/foo',
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
raise_exc=False)
self.validate_common()
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_no_project(self, mock_load):
def test_no_project(self):
"""Test response 404.
This indicates that we have permissions, and we have
definitively found the project does not exist.
"""
session = mock.create_autospec(Session)
session.get.return_value = FakeResponse(404)
mock_load.return_value = session
self.mock_adap.get.return_value = FakeResponse(404)
self.assertRaises(webob.exc.HTTPBadRequest,
identity.verify_project_id,
mock.MagicMock(), "foo")
session.get.assert_called_once_with(
'/projects/foo',
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
raise_exc=False)
self.validate_common()
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_unknown_id(self, mock_load):
def test_unknown_id(self):
"""Test response 403.
This indicates we don't have permissions. We fail open here
and assume the project exists.
"""
session = mock.create_autospec(Session)
session.get.return_value = FakeResponse(403)
mock_load.return_value = session
self.mock_adap.get.return_value = FakeResponse(403)
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
session.get.assert_called_once_with(
'/projects/foo',
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
raise_exc=False)
self.validate_common()
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_unknown_error(self, mock_load):
def test_unknown_error(self):
"""Test some other return from keystone.
If we got anything else, something is wrong on the keystone
side. We don't want to fail on our side.
"""
session = mock.create_autospec(Session)
session.get.return_value = FakeResponse(500, "Oh noes!")
mock_load.return_value = session
self.mock_adap.get.return_value = FakeResponse(500, "Oh noes!")
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
session.get.assert_called_once_with(
'/projects/foo',
endpoint_filter={'service_type': 'identity', 'version': (3, 0)},
raise_exc=False)
self.validate_common()
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_early_fail(self, mock_load):
def test_early_fail(self):
"""Test if we get a keystoneauth exception.
If we get a random keystoneauth exception, fall back and
assume the project exists.
"""
session = mock.create_autospec(Session)
session.get.side_effect = kse.ConnectionError()
mock_load.return_value = session
self.mock_adap.get.side_effect = kse.ConnectionError()
self.assertTrue(identity.verify_project_id(mock.MagicMock(), "foo"))
self.validate_common()
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
def test_wrong_version(self, mock_load):
def test_wrong_version(self):
"""Test endpoint not found.
EndpointNotFound will be made when the keystone v3 API is not
@ -161,9 +147,8 @@ class IdentityValidationTest(test.NoDBTestCase):
registered as the root endpoint. We treat this the same as 404.
"""
session = mock.create_autospec(Session)
session.get.side_effect = kse.EndpointNotFound()
mock_load.return_value = session
self.mock_adap.get.side_effect = kse.EndpointNotFound()
self.assertRaises(webob.exc.HTTPBadRequest,
identity.verify_project_id,
mock.MagicMock(), "foo")
self.validate_common()