From ce7f27e3b7ef6a94501ce975fb0e9dadcffb822b Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Thu, 25 Aug 2022 10:33:21 +0200
Subject: [PATCH] Fix barbican client with application credentials/trusts

It seems that keystoneauth1.identity.generic.token doesn't handle properly the application credential/trust tokens passed by the context of the requests. When using app credentials, Octavia failed to retrieve the certificates from barbican. Switching to keystoneauth1.token_endpoint fixes the issue, the auth tokens are correctly passed to the barbican client.

Story: 2007619
Task: 39737
Change-Id: Id77ce36f59b71d309f153e5c1d44059f162ee440
---
 .../certificates/common/auth/barbican_acl.py | 27 ++++++++++---------
 .../common/auth/test_barbican_acl.py | 3 +--
 ...tokens-with-barbican-3b7d13283206c124.yaml | 5 ++++
 3 files changed, 20 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml

diff --git a/octavia/certificates/common/auth/barbican_acl.py b/octavia/certificates/common/auth/barbican_acl.py
index c86fc04d38..859f7d34cc 100644
--- a/octavia/certificates/common/auth/barbican_acl.py
+++ b/octavia/certificates/common/auth/barbican_acl.py
@@ -17,8 +17,8 @@
 Barbican ACL auth class for Barbican certificate handling
 """
 
 from barbicanclient import client as barbican_client
-from keystoneauth1.identity.generic import token
 from keystoneauth1 import session
+from keystoneauth1 import token_endpoint
 from oslo_config import cfg
 from oslo_log import log as logging
@@ -79,20 +79,21 @@ class BarbicanACLAuth(barbican_common.BarbicanAuth):
 
     @classmethod
     def get_barbican_client_user_auth(cls, context):
-        # get a normal session
-        ksession = keystone.KeystoneSession()
-        service_auth = ksession.get_auth()
+        barbican_endpoint = CONF.certificates.endpoint
+        if not barbican_endpoint:
+            ksession = keystone.KeystoneSession().get_session()
+            endpoint_data = ksession.get_endpoint_data(
+                service_type='key-manager',
+                region_name=CONF.certificates.region_name,
+                interface=CONF.certificates.endpoint_type)
+            barbican_endpoint = endpoint_data.catalog_url
+
+        auth_token = token_endpoint.Token(barbican_endpoint,
+                                          context.auth_token)
 
-        # make our own auth and swap it in
-        user_auth = token.Token(auth_url=service_auth.auth_url,
-                                token=context.auth_token,
-                                project_id=context.project_id)
         user_session = session.Session(
-            auth=user_auth,
+            auth=auth_token,
             verify=CONF.certificates.ca_certificates_file)
-
-        # create a special barbican client with our user's session
         return barbican_client.Client(
             session=user_session,
-            region_name=CONF.certificates.region_name,
-            interface=CONF.certificates.endpoint_type)
+            endpoint=barbican_endpoint)
diff --git a/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py b/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
index 79d6ddcede..4448d4ed00 100644
--- a/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
+++ b/octavia/tests/unit/certificates/common/auth/test_barbican_acl.py
@@ -91,5 +91,4 @@ class TestBarbicanACLAuth(base.TestCase):
         bc = acl_auth_object.get_barbican_client_user_auth(mock.Mock())
         self.assertTrue(hasattr(bc, 'containers') and
                         hasattr(bc.containers, 'register_consumer'))
-        self.assertEqual('publicURL', bc.client.interface)
-        self.assertEqual('RegionOne', bc.client.region_name)
+        self.assertEqual('public', bc.client.interface)
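Review bot: The rewritten body of get_barbican_client_user_auth drops the three explanatory comments and gives no reason for choosing token_endpoint.Token over the identity plugin, so a reader sees only a bare endpoint/token pair; a comment above the `auth_token = token_endpoint.Token(barbican_endpoint,` line such as `# token_endpoint.Token presents the request context's token to the endpoint unchanged; the generic identity token plugin did not do this correctly for application-credential and trust tokens (Story 2007619)` would carry the commit message into the code. The same comment should say that token_endpoint.Token does no catalog or scope lookup of its own, so the user's token goes wherever barbican_endpoint points: CONF.certificates.endpoint when it is set, otherwise a URL resolved from the service account's catalog rather than the caller's, with the token's own scope being what Barbican enforces. In the fallback branch `barbican_endpoint = endpoint_data.catalog_url` dereferences the result of get_endpoint_data without a check; if keystoneauth1 returns None rather than raising when no key-manager endpoint matches the configured region and interface (not verified here), a misconfiguration surfaces as an AttributeError instead of a clear error naming the missing endpoint.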
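Review bot: The replacement assertion `self.assertEqual('public', bc.client.interface)` checks a value the new code never sets (the Client call in barbican_acl.py no longer passes interface), so it pins barbicanclient's default rather than Octavia's behaviour, and the removed region_name check is not replaced by anything that covers the new endpoint logic. An assertion on the endpoint the client was actually given (bc.client.endpoint_override if bc.client is a keystoneauth Adapter, worth confirming) against `<EXPECTED_ENDPOINT>` from the fixture's CONF.certificates.endpoint would exercise the fix, ideally with a second case where that option is unset and keystone.KeystoneSession is mocked so that the catalog_url from get_endpoint_data is what ends up on the client. The test method starts before this hunk.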
diff --git a/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml b/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
new file mode 100644
index 0000000000..b56ec73a7d
--- /dev/null
+++ b/releasenotes/notes/fix-application-credential-tokens-with-barbican-3b7d13283206c124.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix an authentication error with Barbican when creating a TERMINATED_HTTPS
+    listener with application credential tokens or trust IDs.