diff --git a/octavia/common/clients.py b/octavia/common/clients.py index 58795b3408..08d57aacdb 100644 --- a/octavia/common/clients.py +++ b/octavia/common/clients.py @@ -12,8 +12,6 @@ from cinderclient import client as cinder_client from glanceclient import client as glance_client -from keystoneauth1.identity.generic import token -from keystoneauth1 import session from neutronclient.neutron import client as neutron_client from novaclient import api_versions from novaclient import client as nova_client @@ -111,28 +109,27 @@ class NeutronAuth(object): @classmethod def get_user_neutron_client(cls, context): - # get a normal session - ksession = keystone.KeystoneSession() - service_auth = ksession.get_auth() + """Get neutron client for request user. - # make user auth and swap it in session - user_auth = token.Token(auth_url=service_auth.auth_url, - token=context.auth_token, - project_id=context.project_id) - user_session = session.Session(auth=user_auth) + It's possible that the token in the context is a trust scoped + which can't be used to initialize a keystone session. + + We directly use the token and endpoint_url to initialize neutron + client. + """ + neutron_endpoint = CONF.neutron.endpoint + if not neutron_endpoint: + session = keystone.KeystoneSession().get_session() + endpoint_data = session.get_endpoint_data(service_type='network') + neutron_endpoint = endpoint_data.catalog_url kwargs = { - 'session': user_session, - 'region_name': CONF.neutron.region_name, - 'endpoint_type': CONF.neutron.endpoint_type, - 'service_name': CONF.neutron.service_name, + 'token': context.auth_token, + 'endpoint_url': neutron_endpoint, 'insecure': CONF.neutron.insecure, 'ca_cert': CONF.neutron.ca_certificates_file } - if CONF.neutron.endpoint: - kwargs['endpoint_override'] = CONF.neutron.endpoint - # create neutron client using user's session return neutron_client.Client(NEUTRON_VERSION, **kwargs)