Merge "Backend Keystone authentication"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
7f13dbc917
@ -42,22 +42,24 @@ function build_octavia_worker_image {
|
||||
}
|
||||
|
||||
function create_octavia_accounts {
|
||||
create_service_user "neutron"
|
||||
create_service_user "octavia"
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
local neutron_service=$(get_or_create_service "octavia" \
|
||||
"octavia" "Octavia Service")
|
||||
get_or_create_endpoint $neutron_service \
|
||||
"$REGION_NAME" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/"
|
||||
fi
|
||||
local octavia_service=$(get_or_create_service "octavia" \
|
||||
"octavia" "Octavia Service")
|
||||
get_or_create_endpoint $octavia_service \
|
||||
"$REGION_NAME" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/" \
|
||||
"$OCTAVIA_PROTOCOL://$SERVICE_HOST:$OCTAVIA_PORT/"
|
||||
fi
|
||||
}
|
||||
|
||||
function octavia_configure {
|
||||
|
||||
create_octavia_cache_dir
|
||||
|
||||
sudo mkdir -m 755 -p $OCTAVIA_CONF_DIR
|
||||
safe_chown $STACK_USER $OCTAVIA_CONF_DIR
|
||||
|
||||
@ -67,16 +69,20 @@ function octavia_configure {
|
||||
|
||||
iniset $OCTAVIA_CONF database connection "mysql+pymysql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_HOST}:3306/octavia"
|
||||
|
||||
if [ "$OCTAVIA_AUTH_VERSION" == "2" ] ; then
|
||||
AUTH_URI=${KEYSTONE_AUTH_URI%/v3}/v2.0
|
||||
else
|
||||
AUTH_URI=${KEYSTONE_AUTH_URI}
|
||||
fi
|
||||
iniset $OCTAVIA_CONF keystone_authtoken auth_uri ${AUTH_URI}
|
||||
iniset $OCTAVIA_CONF keystone_authtoken admin_user ${OCTAVIA_ADMIN_USER}
|
||||
iniset $OCTAVIA_CONF keystone_authtoken admin_tenant_name ${OCTAVIA_ADMIN_TENANT_NAME}
|
||||
iniset $OCTAVIA_CONF keystone_authtoken admin_password ${OCTAVIA_ADMIN_PASSWORD}
|
||||
iniset $OCTAVIA_CONF keystone_authtoken auth_version ${OCTAVIA_AUTH_VERSION}
|
||||
# Configure keystone auth_token for all users
|
||||
configure_auth_token_middleware $OCTAVIA_CONF octavia $OCTAVIA_AUTH_CACHE_DIR
|
||||
|
||||
# Ensure config is set up properly for authentication as admin
|
||||
iniset $OCTAVIA_CONF service_auth auth_url $KEYSTONE_AUTH_URI
|
||||
iniset $OCTAVIA_CONF service_auth auth_type password
|
||||
iniset $OCTAVIA_CONF service_auth username $OCTAVIA_USERNAME
|
||||
iniset $OCTAVIA_CONF service_auth password $OCTAVIA_PASSWORD
|
||||
iniset $OCTAVIA_CONF service_auth user_domain_name $OCTAVIA_USER_DOMAIN_NAME
|
||||
iniset $OCTAVIA_CONF service_auth project_name $OCTAVIA_PROJECT_NAME
|
||||
iniset $OCTAVIA_CONF service_auth project_domain_name $OCTAVIA_PROJECT_DOMAIN_NAME
|
||||
iniset $OCTAVIA_CONF service_auth cafile $SSL_BUNDLE_FILE
|
||||
iniset $OCTAVIA_CONF service_auth signing_dir $signing_dir
|
||||
iniset $OCTAVIA_CONF service_auth memcached_servers $SERVICE_HOST:11211
|
||||
|
||||
# Setting other required default options
|
||||
iniset $OCTAVIA_CONF controller_worker amphora_driver ${OCTAVIA_AMPHORA_DRIVER}
|
||||
@ -373,6 +379,15 @@ function octavia_cleanup {
|
||||
openstack keypair delete ${OCTAVIA_AMP_SSH_KEY_NAME}
|
||||
fi
|
||||
fi
|
||||
|
||||
sudo rm -rf $NOVA_STATE_PATH $NOVA_AUTH_CACHE_DIR
|
||||
}
|
||||
|
||||
# create_octavia_cache_dir() - Part of the configure_octavia() process
|
||||
function create_octavia_cache_dir {
|
||||
# Create cache dir
|
||||
sudo install -d -o $STACK_USER $OCTAVIA_AUTH_CACHE_DIR
|
||||
rm -f $OCTAVIA_AUTH_CACHE_DIR/*
|
||||
}
|
||||
|
||||
# check for service enabled
|
||||
|
||||
@ -10,6 +10,7 @@ TRIPLEO_IMAGE_ELEMENTS_BRANCH=${TRIPLEO_IMAGE_ELEMENTS_BRANCH:-master}
|
||||
TRIPLEO_IMAGE_ELEMENTS_DIR=$DEST/tripleo-image-elements
|
||||
OCTAVIA_BIN_DIR=${OCTAVIA_BIN_DIR:-$(get_python_exec_prefix)}
|
||||
OCTAVIA_CONF_DIR=${OCTAVIA_CONF_DIR:-"/etc/octavia"}
|
||||
OCTAVIA_AUTH_CACHE_DIR=${OCTAVIA_AUTH_CACHE_DIR:-"/var/cache/octavia"}
|
||||
OCTAVIA_SSH_DIR=${OCTAVIA_SSH_DIR:-${OCTAVIA_CONF_DIR}/.ssh}
|
||||
OCTAVIA_CERTS_DIR=${OCTAVIA_CERTS_DIR:-${OCTAVIA_CONF_DIR}/certs}
|
||||
OCTAVIA_DHCLIENT_DIR=${OCTAVIA_DHCLIENT_DIR:-${OCTAVIA_CONF_DIR}/dhcp}
|
||||
@ -21,13 +22,11 @@ OCTAVIA_AMPHORA_DRIVER=${OCTAVIA_AMPHORA_DRIVER:-"amphora_haproxy_rest_driver"}
|
||||
OCTAVIA_NETWORK_DRIVER=${OCTAVIA_NETWORK_DRIVER:-"allowed_address_pairs_driver"}
|
||||
OCTAVIA_COMPUTE_DRIVER=${OCTAVIA_COMPUTE_DRIVER:-"compute_nova_driver"}
|
||||
|
||||
OCTAVIA_ADMIN_USER=${OCTAVIA_ADMIN_USER:-"admin"}
|
||||
OCTAVIA_USER=${OCTAVIA_USER:-${OCTAVIA_ADMIN_USER}}
|
||||
OCTAVIA_USERNAME=${OCTAVIA_ADMIN_USER:-"admin"}
|
||||
OCTAVIA_PASSWORD=${OCTAVIA_PASSWORD:-${ADMIN_PASSWORD}}
|
||||
OCTAVIA_TENANT_ID=${OCTAVIA_TENANT_ID:-${ADMIN_TENANT_ID}}
|
||||
OCTAVIA_AUTH_VERSION=${OCTAVIA_AUTH_VERSION:-"2"}
|
||||
OCTAVIA_ADMIN_TENANT_NAME=${OCTAVIA_ADMIN_TENANT_NAME:-${OCTAVIA_ADMIN_USER}}
|
||||
OCTAVIA_ADMIN_PASSWORD=${OCTAVIA_ADMIN_PASSWORD:-${ADMIN_PASSWORD}}
|
||||
OCTAVIA_PROJECT_NAME=${OCTAVIA_PROJECT_NAME:-$OCTAVIA_USERNAME}
|
||||
OCTAVIA_USER_DOMAIN_NAME=${OCTAVIA_USER_DOMAIN_NAME:-"Default"}
|
||||
OCTAVIA_PROJECT_DOMAIN_NAME=${OCTAVIA_PROJECT_DOMAIN_NAME:-"Default"}
|
||||
|
||||
OCTAVIA_PROTOCOL=${OCTAVIA_PROTOCOL:-"http"}
|
||||
OCTAVIA_PORT=${OCTAVIA_PORT:-"9876"}
|
||||
|
||||
@ -47,8 +47,6 @@
|
||||
# noop_event_streamer
|
||||
# event_streamer_driver = noop_event_streamer
|
||||
|
||||
|
||||
|
||||
[keystone_authtoken]
|
||||
# This group of config options are imported from keystone middleware. Thus the
|
||||
# option names should match the names declared in the middleware.
|
||||
@ -59,11 +57,6 @@
|
||||
# insecure = False
|
||||
# cafile =
|
||||
|
||||
[keystone_authtoken_v3]
|
||||
# If using Keystone v3
|
||||
# admin_user_domain = default
|
||||
# admin_project_domain = default
|
||||
|
||||
[certificates]
|
||||
# cert_generator = local_cert_generator
|
||||
|
||||
@ -241,22 +234,17 @@
|
||||
# vrrp_garp_refresh_interval = 5
|
||||
# vrrp_garp_refresh_count = 2
|
||||
|
||||
[glance]
|
||||
# The name of the glance service in the keystone catalog
|
||||
# service_name =
|
||||
# Custom glance endpoint if override is necessary
|
||||
# endpoint =
|
||||
|
||||
# Region in Identity service catalog to use for communication with the OpenStack services.
|
||||
# region_name =
|
||||
|
||||
# Endpoint type in Identity service catalog to use for communication with
|
||||
# the OpenStack services.
|
||||
# endpoint_type = publicURL
|
||||
|
||||
# CA certificates file to verify glance connections when TLS is enabled
|
||||
# insecure = False
|
||||
# ca_certificates_file =
|
||||
[service_auth]
|
||||
# memcached_servers =
|
||||
# signing_dir =
|
||||
# cafile = /opt/stack/data/ca-bundle.pem
|
||||
# project_domain_name = Default
|
||||
# project_name = admin
|
||||
# user_domain_name = Default
|
||||
# password = password
|
||||
# username = admin
|
||||
# auth_type = password
|
||||
# auth_url = http://localhost:5555/
|
||||
|
||||
[nova]
|
||||
# The name of the nova service in the keystone catalog
|
||||
@ -264,28 +252,44 @@
|
||||
# Custom nova endpoint if override is necessary
|
||||
# endpoint =
|
||||
|
||||
# Region in Identity service catalog to use for communication with the OpenStack services.
|
||||
# region_name =
|
||||
|
||||
# Endpoint type in Identity service catalog to use for communication with
|
||||
# the OpenStack services.
|
||||
# endpoint_type = publicURL
|
||||
|
||||
# CA certificates file to verify nova connections when TLS is enabled
|
||||
# insecure = False
|
||||
# ca_certificates_file =
|
||||
|
||||
# Flag to enable nova anti-affinity capabilities to place amphorae on
|
||||
# different hosts
|
||||
# enable_anti_affinity = False
|
||||
|
||||
[neutron]
|
||||
# The name of the neutron service in the keystone catalog
|
||||
# service_name =
|
||||
# Custom neutron endpoint if override is necessary
|
||||
# endpoint =
|
||||
|
||||
# Region in Identity service catalog to use for communication with the OpenStack services.
|
||||
# Region in Identity service catalog to use for communication with the
|
||||
# OpenStack services.
|
||||
# region_name =
|
||||
|
||||
# Endpoint type in Identity service catalog to use for communication with
|
||||
# the OpenStack services.
|
||||
# endpoint_type = publicURL
|
||||
|
||||
# CA certificates file to verify neutron connections when TLS is enabled
|
||||
# insecure = False
|
||||
# ca_certificates_file =
|
||||
|
||||
[glance]
|
||||
# The name of the glance service in the keystone catalog
|
||||
# service_name =
|
||||
# Custom glance endpoint if override is necessary
|
||||
# endpoint =
|
||||
|
||||
# Region in Identity service catalog to use for communication with the
|
||||
# OpenStack services.
|
||||
# region_name =
|
||||
|
||||
# Endpoint type in Identity service catalog to use for communication with
|
||||
# the OpenStack services.
|
||||
# endpoint_type = publicURL
|
||||
|
||||
# CA certificates file to verify neutron connections when TLS is enabled
|
||||
# insecure = False
|
||||
# ca_certificates_file =
|
||||
|
||||
[neutron]
|
||||
# The name of the neutron service in the keystone catalog
|
||||
# service_name =
|
||||
# Custom neutron endpoint if override is necessary
|
||||
# endpoint =
|
||||
|
||||
# Region in Identity service catalog to use for communication with the
|
||||
# OpenStack services.
|
||||
# region_name =
|
||||
|
||||
# Endpoint type in Identity service catalog to use for communication with
|
||||
|
||||
@ -27,9 +27,7 @@ from octavia.i18n import _LE
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.import_group('certificates', 'octavia.common.config')
|
||||
|
||||
|
||||
class BarbicanACLAuth(barbican_common.BarbicanAuth):
|
||||
@ -39,8 +37,9 @@ class BarbicanACLAuth(barbican_common.BarbicanAuth):
|
||||
def get_barbican_client(cls, project_id=None):
|
||||
if not cls._barbican_client:
|
||||
try:
|
||||
session = keystone.KeystoneSession().get_session()
|
||||
cls._barbican_client = barbican_client.Client(
|
||||
session=keystone.get_session(),
|
||||
session=session,
|
||||
region_name=CONF.certificates.region_name,
|
||||
interface=CONF.certificates.endpoint_type
|
||||
)
|
||||
|
||||
@ -14,6 +14,7 @@ from glanceclient import client as glance_client
|
||||
from neutronclient.neutron import client as neutron_client
|
||||
from novaclient import api_versions
|
||||
from novaclient import client as nova_client
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import excutils
|
||||
|
||||
@ -21,6 +22,8 @@ from octavia.common import keystone
|
||||
from octavia.i18n import _LE
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
CONF = cfg.CONF
|
||||
|
||||
GLANCE_VERSION = '2'
|
||||
NEUTRON_VERSION = '2.0'
|
||||
NOVA_VERSION = '2.1'
|
||||
@ -44,9 +47,10 @@ class NovaAuth(object):
|
||||
:return: a Nova Client object.
|
||||
:raises Exception: if the client cannot be created
|
||||
"""
|
||||
ksession = keystone.KeystoneSession()
|
||||
if not cls.nova_client:
|
||||
kwargs = {'region_name': region,
|
||||
'session': keystone.get_session(),
|
||||
'session': ksession.get_session(),
|
||||
'endpoint_type': endpoint_type,
|
||||
'insecure': insecure}
|
||||
if service_name:
|
||||
@ -82,9 +86,10 @@ class NeutronAuth(object):
|
||||
:return: a Neutron Client object.
|
||||
:raises Exception: if the client cannot be created
|
||||
"""
|
||||
ksession = keystone.KeystoneSession()
|
||||
if not cls.neutron_client:
|
||||
kwargs = {'region_name': region,
|
||||
'session': keystone.get_session(),
|
||||
'session': ksession.get_session(),
|
||||
'endpoint_type': endpoint_type,
|
||||
'insecure': insecure}
|
||||
if service_name:
|
||||
@ -120,9 +125,10 @@ class GlanceAuth(object):
|
||||
:return: a Glance Client object.
|
||||
:raises Exception: if the client cannot be created
|
||||
"""
|
||||
ksession = keystone.KeystoneSession()
|
||||
if not cls.glance_client:
|
||||
kwargs = {'region_name': region,
|
||||
'session': keystone.get_session(),
|
||||
'session': ksession.get_session(),
|
||||
'interface': endpoint_type}
|
||||
if service_name:
|
||||
kwargs['service_name'] = service_name
|
||||
|
||||
@ -17,6 +17,7 @@
|
||||
Routines for configuring Octavia
|
||||
"""
|
||||
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from oslo_config import cfg
|
||||
from oslo_db import options as db_options
|
||||
from oslo_log import log as logging
|
||||
@ -41,6 +42,7 @@ core_opts = [
|
||||
cfg.StrOpt('api_extensions_path', default="",
|
||||
help=_("The path for API extensions")),
|
||||
cfg.StrOpt('auth_strategy', default='keystone',
|
||||
choices=('noauth', 'keystone'),
|
||||
help=_("The type of authentication to use")),
|
||||
cfg.BoolOpt('allow_bulk', default=True,
|
||||
help=_("Allow the usage of the bulk API")),
|
||||
@ -142,13 +144,6 @@ oslo_messaging_opts = [
|
||||
help=_('topic name for communicating events through a queue')),
|
||||
]
|
||||
|
||||
keystone_authtoken_v3_opts = [
|
||||
cfg.StrOpt('admin_user_domain', default='default',
|
||||
help=_('Admin user keystone authentication domain')),
|
||||
cfg.StrOpt('admin_project_domain', default='default',
|
||||
help=_('Admin project keystone authentication domain'))
|
||||
]
|
||||
|
||||
haproxy_amphora_opts = [
|
||||
cfg.StrOpt('base_path',
|
||||
default='/var/lib/octavia',
|
||||
@ -292,12 +287,22 @@ certificate_opts = [
|
||||
cfg.StrOpt('barbican_auth',
|
||||
default='barbican_acl_auth',
|
||||
help='Name of the Barbican authentication method to use'),
|
||||
cfg.StrOpt('service_name',
|
||||
help=_('The name of the certificate service in the keystone'
|
||||
'catalog')),
|
||||
cfg.StrOpt('endpoint', help=_('A new endpoint to override the endpoint '
|
||||
'in the keystone catalog.')),
|
||||
cfg.StrOpt('region_name',
|
||||
help='Region in Identity service catalog to use for '
|
||||
'communication with the barbican service.'),
|
||||
cfg.StrOpt('endpoint_type',
|
||||
default='publicURL',
|
||||
help='The endpoint_type to be used for barbican service.')
|
||||
help='The endpoint_type to be used for barbican service.'),
|
||||
cfg.StrOpt('ca_certificates_file',
|
||||
help=_('CA certificates file path')),
|
||||
cfg.BoolOpt('insecure',
|
||||
default=False,
|
||||
help=_('Disable certificate validation on SSL connections ')),
|
||||
]
|
||||
|
||||
house_keeping_opts = [
|
||||
@ -439,9 +444,6 @@ cfg.CONF.register_opts(anchor_opts, group='anchor')
|
||||
cfg.CONF.register_cli_opts(core_cli_opts)
|
||||
cfg.CONF.register_opts(certificate_opts, group='certificates')
|
||||
cfg.CONF.register_cli_opts(healthmanager_opts, group='health_manager')
|
||||
cfg.CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')
|
||||
cfg.CONF.register_opts(keystone_authtoken_v3_opts,
|
||||
group='keystone_authtoken_v3')
|
||||
cfg.CONF.register_opts(nova_opts, group='nova')
|
||||
cfg.CONF.register_opts(glance_opts, group='glance')
|
||||
cfg.CONF.register_opts(neutron_opts, group='neutron')
|
||||
@ -457,6 +459,9 @@ db_options.set_defaults(cfg.CONF, connection=_SQL_CONNECTION_DEFAULT,
|
||||
|
||||
logging.register_options(cfg.CONF)
|
||||
|
||||
ks_loading.register_auth_conf_options(cfg.CONF, constants.SERVICE_AUTH)
|
||||
ks_loading.register_session_conf_options(cfg.CONF, constants.SERVICE_AUTH)
|
||||
|
||||
|
||||
def init(args, **kwargs):
|
||||
cfg.CONF(args=args, project='octavia',
|
||||
@ -472,30 +477,3 @@ def setup_logging(conf):
|
||||
product_name = "octavia"
|
||||
logging.setup(conf, product_name)
|
||||
LOG.info(_LI("Logging enabled!"))
|
||||
|
||||
|
||||
# def load_paste_app(app_name):
|
||||
# """Builds and returns a WSGI app from a paste config file.
|
||||
|
||||
# :param app_name: Name of the application to load
|
||||
# :raises ConfigFilesNotFoundError when config file cannot be located
|
||||
# :raises RuntimeError when application cannot be loaded from config file
|
||||
# """
|
||||
|
||||
# config_path = cfg.CONF.find_file(cfg.CONF.api_paste_config)
|
||||
# if not config_path:
|
||||
# raise cfg.ConfigFilesNotFoundError(
|
||||
# config_files=[cfg.CONF.api_paste_config])
|
||||
# config_path = os.path.abspath(config_path)
|
||||
# LOG.info(_LI("Config paste file: %s"), config_path)
|
||||
|
||||
# try:
|
||||
# app = deploy.loadapp("config:%s" % config_path, name=app_name)
|
||||
# except (LookupError, ImportError):
|
||||
# msg = (_("Unable to load %(app_name)s from "
|
||||
# "configuration file %(config_path)s.") %
|
||||
# {'app_name': app_name,
|
||||
# 'config_path': config_path})
|
||||
# LOG.exception(msg)
|
||||
# raise RuntimeError(msg)
|
||||
# return app
|
||||
|
||||
@ -252,6 +252,9 @@ NOVA_21 = '2.1'
|
||||
NOVA_3 = '3'
|
||||
NOVA_VERSIONS = (NOVA_1, NOVA_21, NOVA_3)
|
||||
|
||||
# Auth sections
|
||||
SERVICE_AUTH = 'service_auth'
|
||||
|
||||
RPC_NAMESPACE_CONTROLLER_AGENT = 'controller'
|
||||
|
||||
|
||||
|
||||
@ -12,59 +12,32 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from keystoneauth1.identity import v2 as v2_client
|
||||
from keystoneauth1.identity import v3 as v3_client
|
||||
from keystoneauth1 import session
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import excutils
|
||||
|
||||
from octavia.i18n import _LE
|
||||
|
||||
from octavia.common import constants
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
cfg.CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')
|
||||
cfg.CONF.import_group('keystone_authtoken_v3', 'octavia.common.config')
|
||||
|
||||
_SESSION = None
|
||||
class KeystoneSession:
|
||||
|
||||
def __init__(self, section=constants.SERVICE_AUTH):
|
||||
self._session = None
|
||||
self.section = section
|
||||
ks_loading.register_auth_conf_options(cfg.CONF, self.section)
|
||||
ks_loading.register_session_conf_options(cfg.CONF, self.section)
|
||||
|
||||
def get_session():
|
||||
"""Initializes a Keystone session.
|
||||
def get_session(self):
|
||||
"""Initializes a Keystone session.
|
||||
|
||||
:return: a Keystone Session object
|
||||
:raises Exception: if the session cannot be established
|
||||
"""
|
||||
global _SESSION
|
||||
if not _SESSION:
|
||||
:return: a Keystone Session object
|
||||
"""
|
||||
if not self._session:
|
||||
self._auth = ks_loading.load_auth_from_conf_options(
|
||||
cfg.CONF, self.section)
|
||||
self._session = ks_loading.load_session_from_conf_options(
|
||||
cfg.CONF, self.section, auth=self._auth)
|
||||
|
||||
kwargs = {'auth_url': cfg.CONF.keystone_authtoken.auth_uri,
|
||||
'username': cfg.CONF.keystone_authtoken.admin_user,
|
||||
'password': cfg.CONF.keystone_authtoken.admin_password}
|
||||
|
||||
if cfg.CONF.keystone_authtoken.auth_version == '2':
|
||||
client = v2_client
|
||||
kwargs['tenant_name'] = (cfg.CONF.keystone_authtoken.
|
||||
admin_tenant_name)
|
||||
elif cfg.CONF.keystone_authtoken.auth_version == '3':
|
||||
client = v3_client
|
||||
kwargs['project_name'] = (cfg.CONF.keystone_authtoken.
|
||||
admin_tenant_name)
|
||||
kwargs['user_domain_name'] = (cfg.CONF.keystone_authtoken_v3.
|
||||
admin_user_domain)
|
||||
kwargs['project_domain_name'] = (cfg.CONF.keystone_authtoken_v3.
|
||||
admin_project_domain)
|
||||
else:
|
||||
raise Exception('Unknown keystone version!')
|
||||
|
||||
try:
|
||||
kc = client.Password(**kwargs)
|
||||
_SESSION = session.Session(
|
||||
auth=kc, verify=(cfg.CONF.keystone_authtoken.cafile or
|
||||
not cfg.CONF.keystone_authtoken.insecure))
|
||||
except Exception:
|
||||
with excutils.save_and_reraise_exception():
|
||||
LOG.exception(_LE("Error creating Keystone session."))
|
||||
|
||||
return _SESSION
|
||||
return self._session
|
||||
|
||||
@ -26,10 +26,7 @@ from octavia.i18n import _LE, _LW
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.import_group('glance', 'octavia.common.config')
|
||||
CONF.import_group('keystone_authtoken', 'octavia.common.config')
|
||||
CONF.import_group('networking', 'octavia.common.config')
|
||||
CONF.import_group('nova', 'octavia.common.config')
|
||||
|
||||
|
||||
def _extract_amp_image_id_by_tag(client, image_tag, image_owner):
|
||||
|
||||
@ -29,7 +29,6 @@ DNS_INT_EXT_ALIAS = 'dns-integration'
|
||||
SEC_GRP_EXT_ALIAS = 'security-group'
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.import_group('neutron', 'octavia.common.config')
|
||||
|
||||
|
||||
class BaseNeutronDriver(base.AbstractNetworkDriver):
|
||||
|
||||
@ -10,9 +10,15 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import copy
|
||||
import itertools
|
||||
import operator
|
||||
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from oslo_config import cfg
|
||||
|
||||
import octavia.common.config
|
||||
from octavia.common import constants
|
||||
|
||||
|
||||
def list_opts():
|
||||
@ -22,13 +28,31 @@ def list_opts():
|
||||
('amphora_agent', octavia.common.config.amphora_agent_opts),
|
||||
('networking', octavia.common.config.networking_opts),
|
||||
('oslo_messaging', octavia.common.config.oslo_messaging_opts),
|
||||
('keystone_authtoken_v3',
|
||||
octavia.common.config.keystone_authtoken_v3_opts),
|
||||
('haproxy_amphora', octavia.common.config.haproxy_amphora_opts),
|
||||
('health_manager', octavia.common.config.healthmanager_opts),
|
||||
('controller_worker', octavia.common.config.controller_worker_opts),
|
||||
('task_flow', octavia.common.config.task_flow_opts),
|
||||
('certificates', octavia.common.config.certificate_opts),
|
||||
('house_keeping', octavia.common.config.house_keeping_opts),
|
||||
('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts)
|
||||
('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts),
|
||||
('nova', octavia.common.config.nova_opts),
|
||||
('neutron', octavia.common.config.neutron_opts),
|
||||
('glance', octavia.common.config.glance_opts),
|
||||
add_auth_opts(),
|
||||
]
|
||||
|
||||
|
||||
def add_auth_opts():
|
||||
opts = ks_loading.register_session_conf_options(
|
||||
cfg.CONF, constants.SERVICE_AUTH)
|
||||
opt_list = copy.deepcopy(opts)
|
||||
opt_list.insert(0, ks_loading.get_auth_common_conf_options()[0])
|
||||
# NOTE(mhickey): There are a lot of auth plugins, we just generate
|
||||
# the config options for a few common ones
|
||||
plugins = ['password', 'v2password', 'v3password']
|
||||
for name in plugins:
|
||||
for plugin_option in ks_loading.get_auth_plugin_conf_options(name):
|
||||
if all(option.name != plugin_option.name for option in opt_list):
|
||||
opt_list.append(plugin_option)
|
||||
opt_list.sort(key=operator.attrgetter('name'))
|
||||
return (constants.SERVICE_AUTH, opt_list)
|
||||
|
||||
@ -36,12 +36,9 @@ class TestBarbicanACLAuth(base.TestCase):
|
||||
conf.config(group="certificates", endpoint_type='publicURL')
|
||||
super(TestBarbicanACLAuth, self).setUp()
|
||||
|
||||
@mock.patch('keystoneauth1.session.Session', mock.Mock())
|
||||
def test_get_barbican_client(self):
|
||||
# There should be no existing client
|
||||
self.assertIsNone(keystone._SESSION)
|
||||
|
||||
# Mock out the keystone session and get the client
|
||||
keystone._SESSION = mock.MagicMock()
|
||||
acl_auth_object = barbican_acl.BarbicanACLAuth()
|
||||
bc1 = acl_auth_object.get_barbican_client()
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ import mock
|
||||
import neutronclient.v2_0
|
||||
import novaclient.v2
|
||||
from oslo_config import cfg
|
||||
from oslo_config import fixture as oslo_fixture
|
||||
|
||||
from octavia.common import clients
|
||||
from octavia.common import keystone
|
||||
@ -27,15 +26,13 @@ CONF = cfg.CONF
|
||||
class TestNovaAuth(base.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
|
||||
conf.config(group="keystone_authtoken", auth_version='2')
|
||||
|
||||
# Reset the session and client
|
||||
clients.NovaAuth.nova_client = None
|
||||
keystone._SESSION = None
|
||||
|
||||
super(TestNovaAuth, self).setUp()
|
||||
|
||||
@mock.patch('keystoneauth1.session.Session', mock.Mock())
|
||||
def test_get_nova_client(self):
|
||||
# There should be no existing client
|
||||
self.assertIsNone(
|
||||
@ -67,15 +64,13 @@ class TestNovaAuth(base.TestCase):
|
||||
class TestNeutronAuth(base.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
|
||||
conf.config(group="keystone_authtoken", auth_version='2')
|
||||
|
||||
# Reset the session and client
|
||||
clients.NeutronAuth.neutron_client = None
|
||||
keystone._SESSION = None
|
||||
|
||||
super(TestNeutronAuth, self).setUp()
|
||||
|
||||
@mock.patch('keystoneauth1.session.Session', mock.Mock())
|
||||
def test_get_neutron_client(self):
|
||||
# There should be no existing client
|
||||
self.assertIsNone(
|
||||
@ -107,15 +102,13 @@ class TestNeutronAuth(base.TestCase):
|
||||
class TestGlanceAuth(base.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
|
||||
conf.config(group="keystone_authtoken", auth_version='2')
|
||||
|
||||
# Reset the session and client
|
||||
clients.GlanceAuth.glance_client = None
|
||||
keystone._SESSION = None
|
||||
|
||||
super(TestGlanceAuth, self).setUp()
|
||||
|
||||
@mock.patch('keystoneauth1.session.Session', mock.Mock())
|
||||
def test_get_glance_client(self):
|
||||
# There should be no existing client
|
||||
self.assertIsNone(
|
||||
|
||||
@ -91,7 +91,6 @@ class TestNovaClient(base.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
|
||||
conf.config(group="keystone_authtoken", auth_version='2')
|
||||
self.net_name = "lb-mgmt-net"
|
||||
conf.config(group="networking", lb_network_name=self.net_name)
|
||||
conf.config(group="controller_worker", amp_boot_network_list=[1, 2])
|
||||
|
||||
@ -33,7 +33,6 @@ class TestAmphoraFlows(base.TestCase):
|
||||
def setUp(self):
|
||||
super(TestAmphoraFlows, self).setUp()
|
||||
self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
|
||||
self.conf.config(group="keystone_authtoken", auth_version=AUTH_VERSION)
|
||||
self.conf.config(
|
||||
group="controller_worker",
|
||||
amphora_driver='amphora_haproxy_rest_driver')
|
||||
|
||||
@ -36,7 +36,6 @@ AMPHORA_ID = uuidutils.generate_uuid()
|
||||
COMPUTE_ID = uuidutils.generate_uuid()
|
||||
LB_NET_IP = '192.0.2.1'
|
||||
PORT_ID = uuidutils.generate_uuid()
|
||||
AUTH_VERSION = '2'
|
||||
SERVER_GRPOUP_ID = uuidutils.generate_uuid()
|
||||
|
||||
|
||||
@ -70,7 +69,6 @@ class TestComputeTasks(base.TestCase):
|
||||
conf.config(group="controller_worker", amp_active_wait_sec=AMP_WAIT)
|
||||
conf.config(group="controller_worker",
|
||||
amp_secgroup_list=AMP_SEC_GROUPS)
|
||||
conf.config(group="keystone_authtoken", auth_version=AUTH_VERSION)
|
||||
conf.config(group="controller_worker", amp_image_owner_id='')
|
||||
|
||||
_amphora_mock.id = AMPHORA_ID
|
||||
|
||||
@ -70,7 +70,7 @@ class TestAllowedAddressPairsDriver(base.TestCase):
|
||||
]
|
||||
}
|
||||
self.k_session = mock.patch(
|
||||
'octavia.common.keystone.get_session').start()
|
||||
'keystoneauth1.session.Session').start()
|
||||
self.driver = allowed_address_pairs.AllowedAddressPairsDriver()
|
||||
|
||||
@mock.patch('octavia.network.drivers.neutron.base.BaseNeutronDriver.'
|
||||
|
||||
@ -49,7 +49,7 @@ class TestBaseNeutronNetworkDriver(base.TestCase):
|
||||
]
|
||||
}
|
||||
self.k_session = mock.patch(
|
||||
'octavia.common.keystone.get_session').start()
|
||||
'keystoneauth1.session.Session').start()
|
||||
self.driver = self._instantiate_partial_abc(
|
||||
neutron_base.BaseNeutronDriver)
|
||||
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
---
|
||||
prelude: >
|
||||
Extended support for Keystone API v3.
|
||||
features:
|
||||
- Octavia supports different Keystone APIs and choose authentication
|
||||
mechanism based on configuration specified in "keystone_authtoken" section
|
||||
of octavia.conf file.
|
||||
upgrade:
|
||||
- From configuration file section "keystone_authtoken_v3" was removed and all
|
||||
parameters are stored in "keystone_authtoken" section of configuration
|
||||
file.
|
||||
Loading…
Reference in New Issue
Block a user