Get auth from context for glance endpoint

Change the Adapter loading for glance to use the auth from the user context instead of exposing and requiring it in the conf. With this change, it is possible to leave the [glance] conf section empty and still be able to discover the image API endpoint from the service catalog. Note that, when we do this, we often end up with the user auth being a _ContextAuthPlugin, which doesn't conform to the characteristics of keystoneauth1.identity.base.BaseIdentityPlugin as augmented in keystoneauth1 3.1.0. This requires a series of workarounds until bug 1709118 is fixed. These, along with workarounds for bugs 1707993 and 1707995, are subsumed with this change set in a (hopefully temporary) helper method nova.utils.get_endpoint. This lays the foundation for other services that should use user context for authentication - those via which Nova is acting on behalf of the user, i.e. cinder, keystone, and (sometimes) neutron[1]. (Services such as placement and ironic (and sometimes neutron) should continue to use admin auth context loaded from the conf.) [1] bb4faf40df/nova/network/neutronv2/api.py (L149-L160) Co-Authored-By: Eric Fried <efried@us.ibm.com> Partial-Implements: bp use-ksa-adapter-for-endpoints Change-Id: I4e755b9c66ec8bc3af0393e81cffd91c56064717
2017-08-04 16:54:08 -05:00 · 2017-08-04 16:54:08 -05:00 · 5a6fc85912
commit 5a6fc85912
parent 16e0d58608
2 changed files with 62 additions and 2 deletions
--- a/nova/conf/utils.py
+++ b/nova/conf/utils.py
@ -55,7 +55,8 @@ def _dummy_opt(name):
    return cfg.Opt(name, type=lambda x: None)


-def register_ksa_opts(conf, group, default_service_type, deprecated_opts=None):
+def register_ksa_opts(conf, group, default_service_type, include_auth=True,
+                      deprecated_opts=None):
    """Register keystoneauth auth, Session, and Adapter opts.

    :param conf: oslo_config.cfg.CONF in which to register the options
@ -63,6 +64,10 @@ def register_ksa_opts(conf, group, default_service_type, deprecated_opts=None):
                  options.
    :param default_service_type: Default for the service_type conf option on
                                 the Adapter.
+    :param include_auth: For service types where Nova is acting on behalf of
+                         the user, auth should come from the user context.
+                         In those cases, set this arg to False to avoid
+                         registering ksa auth options.
    :param deprecated_opts: dict of deprecated opts to register with the ksa
                            Session or Adapter opts.  See docstring for
                            the deprecated_opts param of:
@ -72,7 +77,8 @@ def register_ksa_opts(conf, group, default_service_type, deprecated_opts=None):
    group = getattr(group, 'name', group)
    ks_loading.register_session_conf_options(
        conf, group, deprecated_opts=deprecated_opts)
-    ks_loading.register_auth_conf_options(conf, group)
+    if include_auth:
+        ks_loading.register_auth_conf_options(conf, group)
    conf.register_opts(get_ksa_adapter_opts(
        default_service_type, deprecated_opts=deprecated_opts), group=group)
    # Have to register dummies for the version-related opts we removed
--- a/nova/utils.py
+++ b/nova/utils.py
@ -33,6 +33,7 @@ import tempfile
 import time

 import eventlet
+from keystoneauth1 import exceptions as ks_exc
 from keystoneauth1 import loading as ks_loading
 import netaddr
 from os_service_types import service_types
@ -1325,3 +1326,56 @@ def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None,
    return ks_loading.load_adapter_from_conf_options(
        CONF, confgrp, session=ksa_session, auth=ksa_auth,
        min_version=min_version, max_version=max_version)
+
+
+def get_endpoint(ksa_adapter):
+    """Get the endpoint URL represented by a keystoneauth1 Adapter.
+
+    This method is equivalent to what
+
+        ksa_adapter.get_endpoint()
+
+    should do, if it weren't for a panoply of bugs.
+
+    :param ksa_adapter: keystoneauth1.adapter.Adapter, appropriately set up
+                        with an endpoint_override; or service_type, interface
+                        (list) and auth/service_catalog.
+    :return: String endpoint URL.
+    :raise EndpointNotFound: If endpoint discovery fails.
+    """
+    # TODO(efried): This will be unnecessary once bug #1707993 is fixed.
+    # (At least for the non-image case, until 1707995 is fixed.)
+    if ksa_adapter.endpoint_override:
+        return ksa_adapter.endpoint_override
+    # TODO(efried): Remove this once bug #1707995 is fixed.
+    if ksa_adapter.service_type == 'image':
+        try:
+            return ksa_adapter.get_endpoint_data().catalog_url
+        except AttributeError:
+            # ksa_adapter.auth is a _ContextAuthPlugin, which doesn't have
+            # get_endpoint_data.  Fall through to using get_endpoint().
+            pass
+    # TODO(efried): The remainder of this method reduces to
+    # TODO(efried):     return ksa_adapter.get_endpoint()
+    # TODO(efried): once bug #1709118 is fixed.
+    # NOTE(efried): Id9bd19cca68206fc64d23b0eaa95aa3e5b01b676 may also do the
+    #               trick, once it's in a ksa release.
+    # The EndpointNotFound exception happens when _ContextAuthPlugin is in play
+    # because its get_endpoint() method isn't yet set up to handle interface as
+    # a list.  (It could also happen with a real auth if the endpoint isn't
+    # there; but that's covered below.)
+    try:
+        return ksa_adapter.get_endpoint()
+    except ks_exc.EndpointNotFound:
+        pass
+
+    interfaces = list(ksa_adapter.interface)
+    for interface in interfaces:
+        ksa_adapter.interface = interface
+        try:
+            return ksa_adapter.get_endpoint()
+        except ks_exc.EndpointNotFound:
+            pass
+    raise ks_exc.EndpointNotFound(
+        "Could not find requested endpoint for any of the following "
+        "interfaces: %s" % interfaces)