From b54f373cac62ec170562d7a2d84e66773b9a2deb Mon Sep 17 00:00:00 2001
From: Lingxian Kong
Date: Thu, 7 May 2020 16:31:38 +1200
Subject: [PATCH] Fix getting user neutron client

Use token and endpoint URL to initialize neutron client for the request user.
Story: 2007619
Task: 39641
Change-Id: I05a541a77f254a77ad5036e1062b61c8ce93b754
---
 octavia/common/clients.py | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/octavia/common/clients.py b/octavia/common/clients.py
index 58795b3408..08d57aacdb 100644
--- a/octavia/common/clients.py
+++ b/octavia/common/clients.py
@@ -12,8 +12,6 @@
 from cinderclient import client as cinder_client
 from glanceclient import client as glance_client
-from keystoneauth1.identity.generic import token
-from keystoneauth1 import session
 from neutronclient.neutron import client as neutron_client
 from novaclient import api_versions
 from novaclient import client as nova_client
@@ -111,28 +109,27 @@ class NeutronAuth(object):
 @classmethod
 def get_user_neutron_client(cls, context):
- # get a normal session
- ksession = keystone.KeystoneSession()
- service_auth = ksession.get_auth()
+ """Get neutron client for request user.
- # make user auth and swap it in session
- user_auth = token.Token(auth_url=service_auth.auth_url,
- token=context.auth_token,
- project_id=context.project_id)
- user_session = session.Session(auth=user_auth)
+ It's possible that the token in the context is a trust scoped
+ which can't be used to initialize a keystone session.
+
+ We directly use the token and endpoint_url to initialize neutron
+ client.
+ """
+ neutron_endpoint = CONF.neutron.endpoint
+ if not neutron_endpoint:
+ session = keystone.KeystoneSession().get_session()
+ endpoint_data = session.get_endpoint_data(service_type='network')
+ neutron_endpoint = endpoint_data.catalog_url
 kwargs = {
- 'session': user_session,
- 'region_name': CONF.neutron.region_name,
- 'endpoint_type': CONF.neutron.endpoint_type,
- 'service_name': CONF.neutron.service_name,
+ 'token': context.auth_token,
+ 'endpoint_url': neutron_endpoint,
 'insecure': CONF.neutron.insecure,
 'ca_cert': CONF.neutron.ca_certificates_file
 }
- if CONF.neutron.endpoint:
- kwargs['endpoint_override'] = CONF.neutron.endpoint
- # create neutron client using user's session
 return neutron_client.Client(NEUTRON_VERSION, **kwargs)
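Review bot: The catalog fallback `session.get_endpoint_data(service_type='network')` no longer applies `CONF.neutron.region_name`, `CONF.neutron.endpoint_type` or `CONF.neutron.service_name`, which the removed kwargs handed to the client, so in a catalog with several regions or interfaces the request user's token may be sent to a network endpoint other than the one the operator configured. Passing the filters through keeps the previous selection: `endpoint_data = session.get_endpoint_data(service_type='network', interface=CONF.neutron.endpoint_type, region_name=CONF.neutron.region_name)`. keystoneauth documents that this call may return None when nothing matches, in which case `endpoint_data.catalog_url` fails with an AttributeError; an explicit check that raises a clear configuration error would be easier to diagnose. The lookup also runs on the service session for every call when `CONF.neutron.endpoint` is unset, so a short comment saying that the service credentials are used only to resolve the URL, never to authorize the request, would help the next reader.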