41c64b94b0
When the [service_user] section is configured in nova.conf, nova will have the ability to send a service user token alongside the user's token. The service user token is sent when nova calls other services' REST APIs to authenticate as a service, and service calls can sometimes have elevated privileges. Currently, nova does not however have the ability to send a service user token with an admin context. This means that when nova makes REST API calls to other services with an anonymous admin RequestContext (such as in nova-manage or periodic tasks), it will not be authenticated as a service. This adds a keyword argument to service_auth.get_auth_plugin() to enable callers to provide a user_auth object instead of attempting to extract the user_auth from the RequestContext. The cinder and neutron client modules are also adjusted to make use of the new user_auth keyword argument so that nova calls made with anonymous admin request contexts can authenticate as a service when configured. Related-Bug: #2004555 Change-Id: I14df2d55f4b2f0be58f1a6ad3f19e48f7a6bfcb4
56 lines
1.9 KiB
Python
56 lines
1.9 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
from keystoneauth1 import loading as ks_loading
|
|
from keystoneauth1 import service_token
|
|
from oslo_log import log as logging
|
|
|
|
import nova.conf
|
|
|
|
|
|
CONF = nova.conf.CONF
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
_SERVICE_AUTH = None
|
|
|
|
|
|
def reset_globals():
|
|
"""For async unit test consistency."""
|
|
global _SERVICE_AUTH
|
|
_SERVICE_AUTH = None
|
|
|
|
|
|
def get_auth_plugin(context, user_auth=None):
|
|
# user_auth may be passed in when the RequestContext is anonymous, such as
|
|
# when get_admin_context() is used for API calls by nova-manage.
|
|
user_auth = user_auth or context.get_auth_plugin()
|
|
|
|
if CONF.service_user.send_service_user_token:
|
|
global _SERVICE_AUTH
|
|
if not _SERVICE_AUTH:
|
|
_SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
|
|
CONF,
|
|
group=
|
|
nova.conf.service_token.SERVICE_USER_GROUP)
|
|
if _SERVICE_AUTH is None:
|
|
# This indicates a misconfiguration so log a warning and
|
|
# return the user_auth.
|
|
LOG.warning('Unable to load auth from [service_user] '
|
|
'configuration. Ensure "auth_type" is set.')
|
|
return user_auth
|
|
return service_token.ServiceTokenAuthWrapper(
|
|
user_auth=user_auth,
|
|
service_auth=_SERVICE_AUTH)
|
|
|
|
return user_auth
|