Fix barbican client with application credentials/trusts

It seems that keystoneauth1.identity.generic.token doesn't properly
handle the application credential/trust tokens passed by the request
context. When using app credentials, Octavia failed to retrieve
the certificates from barbican.
Switching to keystoneauth1.token_endpoint fixes the issue: the
auth tokens are correctly passed to the barbican client.

Story: 2007619
Task: 39737

Change-Id: Id77ce36f59b71d309f153e5c1d44059f162ee440
(cherry picked from commit ce7f27e3b7ef6a94501ce975fb0e9dadcffb822b)
Gregory Thiemonge 2022-08-25 10:33:21 +02:00 committed by Dmitriy Rabotyagov
parent 0d8a06bd2a
commit 747368707d
3 changed files with 20 additions and 15 deletions


@ -17,8 +17,8 @@
Barbican ACL auth class for Barbican certificate handling
"""
from barbicanclient import client as barbican_client
from keystoneauth1.identity.generic import token
from keystoneauth1 import session
from keystoneauth1 import token_endpoint
from oslo_config import cfg
from oslo_log import log as logging
@ -79,20 +79,21 @@ class BarbicanACLAuth(barbican_common.BarbicanAuth):
@classmethod
def get_barbican_client_user_auth(cls, context):
# get a normal session
ksession = keystone.KeystoneSession()
service_auth = ksession.get_auth()
barbican_endpoint = CONF.certificates.endpoint
if not barbican_endpoint:
ksession = keystone.KeystoneSession().get_session()
endpoint_data = ksession.get_endpoint_data(
service_type='key-manager',
region_name=CONF.certificates.region_name,
interface=CONF.certificates.endpoint_type)
barbican_endpoint = endpoint_data.catalog_url
auth_token = token_endpoint.Token(barbican_endpoint,
context.auth_token)
# make our own auth and swap it in
user_auth = token.Token(auth_url=service_auth.auth_url,
token=context.auth_token,
project_id=context.project_id)
user_session = session.Session(
auth=user_auth,
auth=auth_token,
verify=CONF.certificates.ca_certificates_file)
# create a special barbican client with our user's session
return barbican_client.Client(
session=user_session,
region_name=CONF.certificates.region_name,
interface=CONF.certificates.endpoint_type)
endpoint=barbican_endpoint)
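Review bot: `barbican_endpoint = endpoint_data.catalog_url` reads the lookup result without checking it; keystoneauth's `get_endpoint_data()` returns None when no key-manager endpoint matches the configured region and interface, so a catalog gap surfaces as an AttributeError instead of a clear configuration error — guard it with `if endpoint_data is None:` and raise the project's certificate-retrieval exception naming the missing service before `catalog_url` is read. The `token_endpoint.Token(barbican_endpoint, context.auth_token)` line deserves a comment, because it forwards the user's token verbatim to a fixed endpoint and drops the scoped-token exchange the removed `token.Token(..., project_id=context.project_id)` call performed; suggested: `# Forward the user's token as-is: Barbican sees the scope the token itself carries (project, application credential or trust); no client-side rescoping or validation happens here`. If `service_auth = ksession.get_auth()` is still present on the new side it is now unused, since its only consumer was the removed `token.Token(auth_url=service_auth.auth_url, ...)`, and the catalog branch could then reuse that instance via `ksession.get_session()` rather than constructing a second `keystone.KeystoneSession()`.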


@ -91,5 +91,4 @@ class TestBarbicanACLAuth(base.TestCase):
bc = acl_auth_object.get_barbican_client_user_auth(mock.Mock())
self.assertTrue(hasattr(bc, 'containers') and
hasattr(bc.containers, 'register_consumer'))
self.assertEqual('publicURL', bc.client.interface)
self.assertEqual('RegionOne', bc.client.region_name)
self.assertEqual('public', bc.client.interface)
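Review bot: The surviving assertion only checks barbicanclient's default interface, so nothing in this test exercises what the commit fixes — that the token taken from the request context is the one the client's session will send. Since `token_endpoint.Token` keeps both values as attributes, bind the context (`ctx = mock.Mock()`) and assert `self.assertIs(ctx.auth_token, bc.client.session.auth.token)` together with `self.assertEqual(<configured barbican endpoint>, bc.client.session.auth.endpoint)`, assuming `bc.client` is the keystoneauth adapter that exposes `session`. The test method begins outside the hunk.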


@ -0,0 +1,5 @@
---
fixes:
- |
Fix an authentication error with Barbican when creating a TERMINATED_HTTPS
listener with application credential tokens or trust IDs.