Stop abusing [keystone_authtoken]

That config section should be private for keystonemiddleware, so deprecate and discourage its use for trusts creation. Create a new config section for credentials to create trusts with. Change-Id: I93b9a9b4c8003463c33439f116b9a72619512b98
2017-12-03 05:26:16 +00:00 · 2017-12-03 05:26:16 +00:00 · 4ea2a8efdf
commit 4ea2a8efdf
parent bc2f5f03e2
10 changed files with 90 additions and 30 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -94,14 +94,16 @@ function configure_sahara {

    # Set admin user parameters needed for trusts creation
    iniset $SAHARA_CONF_FILE \
-        keystone_authtoken project_name $SERVICE_TENANT_NAME
-    iniset $SAHARA_CONF_FILE keystone_authtoken username sahara
+        trustee project_name $SERVICE_TENANT_NAME
+    iniset $SAHARA_CONF_FILE trustee username sahara
    iniset $SAHARA_CONF_FILE \
-        keystone_authtoken password $SERVICE_PASSWORD
+        trustee password $SERVICE_PASSWORD
    iniset $SAHARA_CONF_FILE \
-        keystone_authtoken user_domain_name "$SERVICE_DOMAIN_NAME"
+        trustee user_domain_name "$SERVICE_DOMAIN_NAME"
    iniset $SAHARA_CONF_FILE \
-        keystone_authtoken project_domain_name "$SERVICE_DOMAIN_NAME"
+        trustee project_domain_name "$SERVICE_DOMAIN_NAME"
+    iniset $SAHARA_CONF_FILE \
+        trustee auth_url "$KEYSTONE_SERVICE_URI/v3"

    iniset_rpc_backend sahara $SAHARA_CONF_FILE DEFAULT

--- a/releasenotes/notes/trustee-conf-section-5994dcd48a9744d7.yaml
+++ b/releasenotes/notes/trustee-conf-section-5994dcd48a9744d7.yaml
@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    The use of [keystone_authtoken] credentials for trust creation is now
+    deprecated. Please use the new [trustee] config section. The options
+    ``username``, ``password``, ``project_name``, ``user_domain_name``,
+    ``project_domain_name``, and ``auth_url`` (with version) are obligatory
+    within that section.
--- a/sahara/config.py
+++ b/sahara/config.py
@ -200,6 +200,8 @@ def list_opts():
         itertools.chain(swift.opts)),
        (keystone.keystone_group.name,
         itertools.chain(keystone.ssl_opts)),
+        (keystone.trustee_group.name,
+         itertools.chain(keystone.trustee_opts)),
        (base.retries.name,
         itertools.chain(base.opts)),
        (swift_helper.public_endpoint_cert_group.name,
--- a/sahara/main.py
+++ b/sahara/main.py
@ -35,6 +35,7 @@ from sahara.service.edp.job_binaries import manager as jb_manager
 from sahara.service import ops as service_ops
 from sahara.service import periodic
 from sahara.utils.openstack import cinder
+from sahara.utils.openstack import keystone
 from sahara.utils import remote
 from sahara.utils import rpc as messaging

@ -80,6 +81,7 @@ def setup_common(possible_topdir, service_name):

    # Validate other configurations (that may produce logs) here
    cinder.validate_config()
+    keystone.validate_config()
    validate_castellan_config()

    messaging.setup(service_name)
--- a/sahara/service/trusts.py
+++ b/sahara/service/trusts.py
@ -87,7 +87,7 @@ def create_trust_for_cluster(cluster, expires=True):
    if CONF.use_identity_api_v3 and not cluster.trust_id:
        trustor = keystone.auth()
        trustee = keystone.auth_for_admin(
-            project_name=keystone.get_keystoneauth_cfg(CONF, 'project_name'))
+            project_name=CONF.trustee.project_name)

        trust_id = create_trust(trustor=trustor,
                                trustee=trustee,
@ -153,7 +153,7 @@ def use_os_admin_auth_token(cluster):
    ctx = context.current()
    cluster = conductor.cluster_get(ctx, cluster)
    if CONF.use_identity_api_v3 and cluster.trust_id:
-        ctx.username = keystone.get_keystoneauth_cfg(CONF, 'username')
+        ctx.username = CONF.trustee.username
        ctx.tenant_id = cluster.tenant_id
        ctx.auth_plugin = keystone.auth_for_admin(
            trust_id=cluster.trust_id)
--- a/sahara/tests/unit/service/test_trusts.py
+++ b/sahara/tests/unit/service/test_trusts.py
@ -70,16 +70,14 @@ class TestTrusts(base.SaharaTestCase):
                                                allow_redelegation=False)
        self.assertEqual("trust_id", trust_id)

-    @mock.patch('sahara.utils.openstack.keystone.get_keystoneauth_cfg')
    @mock.patch('sahara.conductor.API.cluster_get')
    @mock.patch('sahara.conductor.API.cluster_update')
    @mock.patch('sahara.service.trusts.create_trust')
    @mock.patch('sahara.utils.openstack.keystone.auth_for_admin')
    @mock.patch('sahara.context.current')
    def test_create_trust_for_cluster(self, context_current, auth_for_admin,
-                                      create_trust, cluster_update, cl_get,
-                                      config_get):
-        config_get.return_value = "admin_project"
+                                      create_trust, cluster_update, cl_get):
+        self.override_config('project_name', 'admin_project', group='trustee')
        trustor_auth = mock.Mock()
        fake_cluster = mock.Mock(trust_id=None)
        cl_get.return_value = fake_cluster
--- a/sahara/tests/unit/utils/openstack/test_base.py
+++ b/sahara/tests/unit/utils/openstack/test_base.py
@ -61,7 +61,7 @@ class AuthUrlTest(testbase.SaharaTestCase):
        correct = "https://127.0.0.1:8080/v3"

        def _assert(uri):
-            self.override_config('auth_uri', uri, 'keystone_authtoken')
+            self.override_config('auth_url', uri, 'trustee')
            self.assertEqual(correct, base.retrieve_auth_url())

        _assert("%s/" % correct)
@ -110,7 +110,7 @@ class AuthUrlTest(testbase.SaharaTestCase):
        correct = "https://127.0.0.1:8080/v2.0"

        def _assert(uri):
-            self.override_config('auth_uri', uri, 'keystone_authtoken')
+            self.override_config('auth_url', uri, 'trustee')
            self.assertEqual(correct, base.retrieve_auth_url())

        _assert("%s/" % correct)
--- a/sahara/tests/unit/utils/openstack/test_images.py
+++ b/sahara/tests/unit/utils/openstack/test_images.py
@ -29,8 +29,8 @@ class FakeImage(object):
 class TestImages(base.SaharaTestCase):
    def setUp(self):
        super(TestImages, self).setUp()
-        self.override_config('auth_uri', 'https://127.0.0.1:8080/v3/',
-                             'keystone_authtoken')
+        self.override_config('auth_url', 'https://127.0.0.1:8080/v3/',
+                             'trustee')

    @mock.patch('sahara.utils.openstack.base.url_for', return_value='')
    def test_list_registered_images(self, url_for_mock):
--- a/sahara/utils/openstack/base.py
+++ b/sahara/utils/openstack/base.py
@ -80,7 +80,7 @@ def retrieve_auth_url(endpoint_type="internalURL", version=None):
    if ctx.service_catalog:
        auth_url = url_for(ctx.service_catalog, 'identity', endpoint_type)
    else:
-        auth_url = CONF.keystone_authtoken.auth_uri
+        auth_url = CONF.trustee.auth_url
    return prepare_auth_url(auth_url, version)


--- a/sahara/utils/openstack/keystone.py
+++ b/sahara/utils/openstack/keystone.py
@ -13,32 +13,61 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import re
+
 from keystoneauth1 import identity as keystone_identity
 from keystoneclient.v2_0 import client as keystone_client
 from keystoneclient.v3 import client as keystone_client_v3
 from oslo_config import cfg
+from oslo_log import log as logging

 from sahara import context
 from sahara.service import sessions
 from sahara.utils.openstack import base


-def get_keystoneauth_cfg(conf, name, default=None):
+LOG = logging.getLogger(__name__)
+
+
+def _get_keystoneauth_cfg(name):
    """get the keystone auth cfg

    Fetch value of keystone_authtoken group from config file when not
    available as part of GroupAttr.
    :rtype: String
-    :param conf: oslo config cfg.CONF
    :param name: property name to be retrieved
-    :param default: the default value if the key is not found
    """
    try:
-        value_list = conf._namespace._get_file_value([('keystone_authtoken',
+        value_list = CONF._namespace._get_file_value([('keystone_authtoken',
                                                       name)])
-        return value_list[0]
+        cfg_val = value_list[0]
+        if name == "auth_url" and not re.findall(r'\/v[2-3].*', cfg_val):
+            cfg_val += "/v3"
+        return cfg_val
    except KeyError:
-        return default
+        if name in ["user_domain_name", "project_domain_name"]:
+            return "Default"
+        else:
+            raise
+
+
+def validate_config():
+    if any(map(lambda o: getattr(CONF.trustee, o) is None, CONF.trustee)):
+        for replace_opt in CONF.trustee:
+            CONF.set_override(replace_opt, _get_keystoneauth_cfg(replace_opt),
+                              group="trustee")
+        LOG.warning("""
+ __        __               _
+ \ \      / /_ _ _ __ _ __ (_)_ __   __ _
+  \ \ /\ / / _` | '__| '_ \| | '_ \ / _` |
+   \ V  V / (_| | |  | | | | | | | | (_| |
+    \_/\_/ \__,_|_|  |_| |_|_|_| |_|\__, |
+                                    |___/
+
+Using the [keystone_authtoken] user as the Sahara trustee user directly is
+deprecated. Please add the trustee credentials you need to the [trustee]
+section of your sahara.conf file.
+    """)

 opts = [
    # TODO(alazarev) Move to [keystone] section
@ -65,10 +94,31 @@ ssl_opts = [
 keystone_group = cfg.OptGroup(name='keystone',
                              title='Keystone client options')

+trustee_opts = [
+    cfg.StrOpt('username',
+               help='Username for trusts creation'),
+    cfg.StrOpt('password',
+               help='Password for trusts creation'),
+    cfg.StrOpt('project_name',
+               help='Project name for trusts creation'),
+    cfg.StrOpt('user_domain_name',
+               help='User domain name for trusts creation',
+               default="Default"),
+    cfg.StrOpt('project_domain_name',
+               help='Project domain name for trusts creation',
+               default="Default"),
+    cfg.StrOpt('auth_url',
+               help='Auth url for trusts creation'),
+]
+
+trustee_group = cfg.OptGroup(name='trustee', title="Trustee options")
+
 CONF = cfg.CONF
 CONF.register_group(keystone_group)
+CONF.register_group(trustee_group)
 CONF.register_opts(opts)
 CONF.register_opts(ssl_opts, group=keystone_group)
+CONF.register_opts(trustee_opts, group=trustee_group)


 def auth():
@ -91,13 +141,11 @@ def auth_for_admin(project_name=None, trust_id=None):
    # into federated authentication. it will need to match the domain that
    # the project_name exists in.
    auth = _password_auth(
-        username=get_keystoneauth_cfg(CONF, 'username'),
-        password=get_keystoneauth_cfg(CONF, 'password'),
+        username=CONF.trustee.username,
+        password=CONF.trustee.password,
        project_name=project_name,
-        user_domain_name=get_keystoneauth_cfg(CONF, 'user_domain_name',
-                                              'Default'),
-        project_domain_name=get_keystoneauth_cfg(CONF, 'project_domain_name',
-                                                 'Default'),
+        user_domain_name=CONF.trustee.user_domain_name,
+        project_domain_name=CONF.trustee.project_domain_name,
        trust_id=trust_id)
    return auth

@ -129,7 +177,7 @@ def client():
 def client_for_admin():
    '''Return the Sahara admin user client.'''
    auth = auth_for_admin(
-        project_name=get_keystoneauth_cfg(CONF, 'project_name'))
+        project_name=CONF.trustee.project_name)
    return client_from_auth(auth)


@ -247,7 +295,7 @@ def _password_auth(username, password,
    :returns: a password auth plugin object.
    '''
    passwd_kwargs = dict(
-        auth_url=base.retrieve_auth_url(CONF.keystone.endpoint_type),
+        auth_url=CONF.trustee.auth_url,
        username=username,
        password=password
    )