config: Load additional options for v3multifactor

As the name would suggest, 'v3multifactor' uses multiple factors for
authentication. As a result, we need to register the configuration
options for each required auth method. If we don't do this, we won't
move the required configuration options for auth out of the top level
config object into the 'auth' key. This affects users who are
configuring via environment variables or config options.

Normally registering of configuration options is handled by the
'MultiFactor.load_from_options' [1][2] method but there doesn't appear
to be a way to "register" the auth methods without actually loading the
plugin. As a result, if we encounter this auth type then we need to do
this registration of extra options manually. There's probably a TODO
for keystoneauth to provide a mechanism for this but I don't know what
that would look like right now.

[1] https://github.com/openstack/keystoneauth/blob/5.1.2/keystoneauth1/loading/_plugins/identity/v3.py#L332-L340
[2] https://github.com/openstack/keystoneauth/blob/5.1.2/keystoneauth1/loading/_plugins/identity/v3.py#L323-L329

Change-Id: I1f02133be373fa1f8facfd016586395fa2379a3e
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Story: 2010661
Task: 47714
Stephen Finucane 2023-03-24 15:38:06 +00:00
parent 76724972cb
commit dff6625fe6
2 changed files with 31 additions and 1 deletions


@ -933,7 +933,25 @@ class OpenStackConfig:
# That it does not exist in keystoneauth is irrelvant- it not # That it does not exist in keystoneauth is irrelvant- it not
# doing what they want causes them sorrow. # doing what they want causes them sorrow.
config['auth_type'] = 'admin_token' config['auth_type'] = 'admin_token'
return loading.get_plugin_loader(config['auth_type'])
loader = loading.get_plugin_loader(config['auth_type'])
# As the name would suggest, v3multifactor uses multiple factors for
# authentication. As a result, we need to register the configuration
# options for each required auth method. Normally, this is handled by
# the 'MultiFactor.load_from_options' method but there doesn't appear
# to be a way to "register" the auth methods without actually loading
# the plugin. As a result, if we encounter this auth type then we need
# to do this registration of extra options manually.
# FIXME(stephenfin): We need to provide a mechanism to extend the
# options in keystoneauth1.loading._plugins.identity.v3.MultiAuth
# without calling 'load_from_options'.
if config['auth_type'] == 'v3multifactor':
# We use '.get' since we can't be sure this key is set yet -
# validation happens later, in _validate_auth
loader._methods = config.get('auth_methods')
return loader
def _validate_auth(self, config, loader): def _validate_auth(self, config, loader):
# May throw a keystoneauth1.exceptions.NoMatchingPlugin # May throw a keystoneauth1.exceptions.NoMatchingPlugin
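Review bot: The assignment `loader._methods = config.get('auth_methods')` passes the value through unchanged, and the release note in this same change sets `OS_AUTH_METHODS=v3password,v3totp`, a comma-separated string. Please confirm the value is already a list of method names by the time it reaches this line, or split it here, since a bare string is not a list of methods. With `.get`, an unset key also assigns None to the private `_methods` attribute; a guard such as `if config.get('auth_methods'):` would leave the loader untouched in that case and keep the failure in `_validate_auth`, where the comment says validation belongs. The change lists two files and the other one is the release note, so the new branch has no test; a unit test that builds a `v3multifactor` config and checks the per-method options land under the 'auth' key would cover it.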


@ -0,0 +1,12 @@
---
fixes:
- |
It is now possible to configure ``v3multifactor`` auth type using
environment variables. For example:
export OS_AUTH_TYPE=v3multifactor
export OS_AUTH_METHODS=v3password,v3totp
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_PASSCODE=12345
openstack server list
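Review bot: The first sentence of the note says the fix applies when "using environment variables", but the commit message says the problem affects users configuring via environment variables or config options. If the config option path is fixed by this change as well, the note should say so, otherwise users configuring that way will not know the fix applies to them.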