Support shared vim for policy action execution

Change-Id: Ib58255e5b860f95b6c95c1373ee2c2e70722cd81
Co-Authored-By: Yan Xing an <yanxingan@cmss.chinamobile.com>
Implements: blueprint shared-barbican-secret

devstack/lib/tacker

@@ -110,6 +110,7 @@ function create_tacker_accounts {
         create_service_user "tacker"
         get_or_create_role "advsvc"
         create_service_user "tacker" "advsvc"
+        create_service_user "tacker" "admin"
 
         local tacker_service=$(get_or_create_service "tacker" \
             "nfv-orchestration" "Tacker NFV Orchestration Service")

doc/source/contributor/encrypt_vim_auth_with_barbican.rst

@@ -10,16 +10,36 @@ vim key in devstack environment.
 The brief code workflow is described as following:
 
 When creating a vim:
-We use fernet to encrypt vim password, save the fernet key into barbican
-as a secret, save encrypted into vim db's field **password**,
-and then save the secret uuid into vim db field **secret_uuid**.
+We use fernet to encrypt the VIM password, then use the tacker service tenant
+configured in the tacker.conf to save the fernet key to the barbican as
+a secret. barbican will return **secret_uuid**.
+then save encrypted into vim db's field **password**, and save the secret uuid
+into vim db field **secret_uuid**.
+
+Tacker service tenant configured in the tacker.conf as follows:
+
+.. code-block:: ini
+
+    [keystone_authtoken]
+    memcached_servers = localhost:11211
+    signing_dir = /var/cache/tacker
+    cafile = /opt/stack/data/ca-bundle.pem
+    project_domain_name = <DOMAIN_NAME>
+    project_name = service
+    user_domain_name = <DOMAIN_NAME>
+    username = <TACKER_USER_NAME>
+    password = <TACKER_SERVICE_USER_PASSWORD>
+    auth_url = http://127.0.0.1/identity
+    auth_type = password
 
 When retrieving vim password:
-We use **secret_uuid** to get the fernet key from barbican, and decode with
-**password** using fernet.
+We use the tacker service tenant configured in the tacker.conf and
+**secret_uuid** to get the fernet key from barbican, and decode
+with **password** using fernet.
 
 When deleting a vim:
-We delete the secret by the **secret_uuid** in vim db from barbican.
+We use the tacker service tenant configured in the tacker.conf to delete
+the secret by the **secret_uuid** in vim db from barbican.
 
 
 How to test
@@ -48,7 +68,7 @@ Create a vim and verify it works:
    $ openstack role add --project test --user test admin
 
    $ cat vim-test.yaml
-   auth_url: 'http://127.0.0.1:5000'
+   auth_url: 'http://127.0.0.1/identity'
    username: 'test'
    password: 'Passw0rd'
    project_name: 'test'
@@ -63,7 +83,7 @@ Create a vim and verify it works:
    export OS_PROJECT_NAME=test
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
-   export OS_AUTH_URL=http://127.0.0.1:5000/v3
+   export OS_AUTH_URL=http://127.0.0.1/identity
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    export OS_NETWORK_API_VERSION=2
@@ -79,9 +99,9 @@ Create a vim and verify it works:
    | auth_cred      | {"username": "test", "password": "***", "project_name": |
    |                | "test", "user_domain_name": "Default", "key_type":      |
    |                | "barbican_key", "secret_uuid": "***", "auth_url":       |
-   |                | "http://127.0.0.1:5000/v3", "project_id": null,         |
+   |                | "http://127.0.0.1/identity/v3", "project_id": null,     |
    |                | "project_domain_name": "Default"}                       |
-   | auth_url       | http://127.0.0.1:5000/v3                                |
+   | auth_url       | http://127.0.0.1/identity/v3                            |
    | created_at     | 2017-06-20 14:56:05.622612                              |
    | description    |                                                         |
    | id             | 7c0b73c7-554b-46d3-a35c-c368019716a0                    |

lower-constraints.txt

@@ -8,6 +8,7 @@ Babel==2.3.4
 bcrypt==3.1.4
 beautifulsoup4==4.6.0
 cachetools==2.0.1
+castellan==0.16.0
 certifi==2018.1.18
 cffi==1.11.5
 chardet==3.0.4

releasenotes/notes/shared-barbican-secret-8024670361b91a30.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Support shared vim for policy action execution
+upgrade:
+  - |
+    Because this version uses the tacker service tenant to manage the fernet key,
+    please remove the registered VIM before upgrading this version.
+    The upgrade steps are as follows.
+    1.Delete the registered VIM. If there is a VNF instance on the VIM,
+    you need to delete the VNF instance first.
+    2.Upgrade with this version.
+    3.Register the deleted VIM.

requirements.txt

@@ -43,6 +43,7 @@ paramiko>=2.0.0 # LGPLv2.1+
 pyroute2>=0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2)
 python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
 python-barbicanclient>=4.5.2 # Apache-2.0
+castellan>=0.16.0 # Apache-2.0
 kubernetes>=5.0.0 # Apache-2.0
 setuptools!=24.0.0,!=34.0.0,!=34.0.1,!=34.0.2,!=34.0.3,!=34.1.0,!=34.1.1,!=34.2.0,!=34.3.0,!=34.3.1,!=34.3.2,!=36.2.0,>=21.0.0 # PSF/ZPL
 PyYAML>=3.12 # MIT

tacker/context.py

@@ -18,12 +18,16 @@
 import copy
 import datetime
 
+from castellan.common.credentials import keystone_password
+from oslo_config import cfg
 from oslo_context import context as oslo_context
 from oslo_db.sqlalchemy import enginefacade
 
 from tacker.db import api as db_api
 from tacker import policy
 
+CONF = cfg.CONF
+
 
 class ContextBase(oslo_context.RequestContext):
     """Security context and request information.
@@ -139,3 +143,13 @@ def get_admin_context_without_session():
     return ContextBase(user_id=None,
                        tenant_id=None,
                        is_admin=True)
+
+
+def generate_tacker_service_context():
+    return keystone_password.KeystonePassword(
+        password=CONF.keystone_authtoken.password,
+        auth_url=CONF.keystone_authtoken.auth_url,
+        username=CONF.keystone_authtoken.username,
+        user_domain_name=CONF.keystone_authtoken.user_domain_name,
+        project_name=CONF.keystone_authtoken.project_name,
+        project_domain_name=CONF.keystone_authtoken.project_domain_name)

tacker/db/db_base.py

@@ -89,6 +89,12 @@ class CommonDbMixin(object):
                                 (model.shared == sql.true()))
             else:
                 query_filter = (model.tenant_id == context.tenant_id)
+        elif context.is_admin and hasattr(model, 'tenant_id'):
+            # NOTE(Lijiale) One tenant can not access other tenant's Vim,
+            # NOTE(Lijiale) even though this tenant has admin role.
+            if hasattr(model, 'shared'):
+                query_filter = (model.tenant_id == context.tenant_id)
+
         # Execute query hooks registered from mixins and plugins
         for _name, hooks in iteritems(self._model_query_hooks.get(model, {})):
             query_hook = hooks.get('query')

tacker/keymgr/barbican_key_manager.py

@@ -119,7 +119,8 @@ class BarbicanKeyManager(key_manager.KeyManager):
                 project_id=context.tenant)
         else:
             msg = _("context must be of type KeystonePassword, "
-                    "KeystoneToken, RequestContext, or Context.")
+                    "KeystoneToken, RequestContext, or Context, got type "
+                    "%s") % context.__class__.__name__
             LOG.error(msg)
             raise exception.Forbidden(reason=msg)
 

tacker/nfvo/drivers/vim/abstract_vim_driver.py

@@ -44,7 +44,7 @@ class VimAbstractDriver(extensions.PluginInterface):
         pass
 
     @abc.abstractmethod
-    def register_vim(self, context, vim_obj):
+    def register_vim(self, vim_obj):
         """Register VIM object in to NFVO plugin
 
         Validate, encode and store VIM information for deploying VNFs.
@@ -52,7 +52,7 @@ class VimAbstractDriver(extensions.PluginInterface):
         pass
 
     @abc.abstractmethod
-    def deregister_vim(self, context, vim_obj):
+    def deregister_vim(self, vim_obj):
         """Deregister VIM object from NFVO plugin
 
         Cleanup VIM data and delete VIM information
@@ -60,7 +60,7 @@ class VimAbstractDriver(extensions.PluginInterface):
         pass
 
     @abc.abstractmethod
-    def authenticate_vim(self, context, vim_obj):
+    def authenticate_vim(self, vim_obj):
         """Authenticate VIM connection parameters
 
         Validate authentication credentials and connectivity of VIM
@@ -68,7 +68,7 @@ class VimAbstractDriver(extensions.PluginInterface):
         pass
 
     @abc.abstractmethod
-    def encode_vim_auth(self, context, vim_id, auth):
+    def encode_vim_auth(self, vim_id, auth):
         """Encrypt VIM credentials
 
         Encrypt and store VIM sensitive information such as password
@@ -76,7 +76,7 @@ class VimAbstractDriver(extensions.PluginInterface):
         pass
 
     @abc.abstractmethod
-    def delete_vim_auth(self, context, vim_id, auth):
+    def delete_vim_auth(self, vim_id, auth):
         """Delete VIM auth keys
 
         Delete VIM sensitive information such as keys from file system or DB

tacker/nfvo/drivers/vim/kubernetes_driver.py

@@ -19,6 +19,7 @@ from oslo_log import log as logging
 from tacker._i18n import _
 from tacker.common.container import kubernetes_utils
 from tacker.common import log
+from tacker import context as t_context
 from tacker.extensions import nfvo
 from tacker.keymgr import API as KEYMGR_API
 from tacker.nfvo.drivers.vim import abstract_vim_driver
@@ -127,7 +128,7 @@ class Kubernetes_Driver(abstract_vim_driver.VimAbstractDriver):
             self.kubernetes.close_tmp_file(file_descriptor, file_path)
 
     @log.log
-    def register_vim(self, context, vim_obj):
+    def register_vim(self, vim_obj):
         """Validate Kubernetes VIM."""
         if 'key_type' in vim_obj['auth_cred']:
             vim_obj['auth_cred'].pop(u'key_type')
@@ -135,21 +136,21 @@ class Kubernetes_Driver(abstract_vim_driver.VimAbstractDriver):
             vim_obj['auth_cred'].pop(u'secret_uuid')
         self.authenticate_vim(vim_obj)
         self.discover_placement_attr(vim_obj)
-        self.encode_vim_auth(context, vim_obj['id'],
+        self.encode_vim_auth(vim_obj['id'],
                              vim_obj['auth_cred'])
         LOG.debug('VIM registration completed for %s', vim_obj)
 
     @log.log
-    def deregister_vim(self, context, vim_obj):
+    def deregister_vim(self, vim_obj):
         """Deregister Kubernetes VIM from NFVO
 
         Delete VIM keys from file system
         """
-        self.delete_vim_auth(context, vim_obj['id'],
+        self.delete_vim_auth(vim_obj['id'],
                              vim_obj['auth_cred'])
 
     @log.log
-    def delete_vim_auth(self, context, vim_id, auth):
+    def delete_vim_auth(self, vim_id, auth):
         """Delete kubernetes vim information
 
         Delete vim key stored in file system
@@ -160,10 +161,12 @@ class Kubernetes_Driver(abstract_vim_driver.VimAbstractDriver):
                       vim_id)
             if auth.get('key_type') == 'barbican_key':
                 try:
+                    k_context = \
+                        t_context.generate_tacker_service_context()
                     keystone_conf = CONF.keystone_authtoken
                     secret_uuid = auth['secret_uuid']
                     keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-                    keymgr_api.delete(context, secret_uuid)
+                    keymgr_api.delete(k_context, secret_uuid)
                     LOG.debug('VIM key deleted successfully for vim %s',
                               vim_id)
                 except Exception as exception:
@@ -175,7 +178,7 @@ class Kubernetes_Driver(abstract_vim_driver.VimAbstractDriver):
                 raise nfvo.VimEncryptKeyError(vim_id=vim_id)
 
     @log.log
-    def encode_vim_auth(self, context, vim_id, auth):
+    def encode_vim_auth(self, vim_id, auth):
         """Encode VIM credentials
 
          Store VIM auth using fernet key encryption
@@ -196,9 +199,10 @@ class Kubernetes_Driver(abstract_vim_driver.VimAbstractDriver):
 
         if CONF.k8s_vim.use_barbican:
             try:
+                k_context = t_context.generate_tacker_service_context()
                 keystone_conf = CONF.keystone_authtoken
                 keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-                secret_uuid = keymgr_api.store(context, fernet_key)
+                secret_uuid = keymgr_api.store(k_context, fernet_key)
 
                 auth['key_type'] = 'barbican_key'
                 auth['secret_uuid'] = secret_uuid

tacker/nfvo/drivers/vim/openstack_driver.py

@@ -30,6 +30,7 @@ from oslo_log import log as logging
 
 from tacker._i18n import _
 from tacker.common import log
+from tacker import context as t_context
 from tacker.extensions import nfvo
 from tacker.keymgr import API as KEYMGR_API
 from tacker.mistral import mistral_client
@@ -195,7 +196,7 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
         return vim_obj
 
     @log.log
-    def register_vim(self, context, vim_obj):
+    def register_vim(self, vim_obj):
         """Validate and set VIM placements."""
 
         if 'key_type' in vim_obj['auth_cred']:
@@ -205,19 +206,19 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 
         ks_client = self.authenticate_vim(vim_obj)
         self.discover_placement_attr(vim_obj, ks_client)
-        self.encode_vim_auth(context, vim_obj['id'], vim_obj['auth_cred'])
+        self.encode_vim_auth(vim_obj['id'], vim_obj['auth_cred'])
         LOG.debug('VIM registration completed for %s', vim_obj)
 
     @log.log
-    def deregister_vim(self, context, vim_obj):
+    def deregister_vim(self, vim_obj):
         """Deregister VIM from NFVO
 
         Delete VIM keys from file system
         """
-        self.delete_vim_auth(context, vim_obj['id'], vim_obj['auth_cred'])
+        self.delete_vim_auth(vim_obj['id'], vim_obj['auth_cred'])
 
     @log.log
-    def delete_vim_auth(self, context, vim_id, auth):
+    def delete_vim_auth(self, vim_id, auth):
         """Delete vim information
 
         Delete vim key stored in file system
@@ -226,10 +227,11 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 
         if auth.get('key_type') == 'barbican_key':
             try:
+                k_context = t_context.generate_tacker_service_context()
                 keystone_conf = CONF.keystone_authtoken
                 secret_uuid = auth['secret_uuid']
                 keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-                keymgr_api.delete(context, secret_uuid)
+                keymgr_api.delete(k_context, secret_uuid)
                 LOG.debug('VIM key deleted successfully for vim %s',
                           vim_id)
             except Exception as ex:
@@ -248,7 +250,7 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
                             vim_id)
 
     @log.log
-    def encode_vim_auth(self, context, vim_id, auth):
+    def encode_vim_auth(self, vim_id, auth):
         """Encode VIM credentials
 
          Store VIM auth using fernet key encryption
@@ -259,9 +261,10 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,
 
         if CONF.vim_keys.use_barbican:
             try:
+                k_context = t_context.generate_tacker_service_context()
                 keystone_conf = CONF.keystone_authtoken
                 keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-                secret_uuid = keymgr_api.store(context, fernet_key)
+                secret_uuid = keymgr_api.store(k_context, fernet_key)
 
                 auth['key_type'] = 'barbican_key'
                 auth['secret_uuid'] = secret_uuid

tacker/nfvo/nfvo_plugin.py

@@ -33,6 +33,7 @@ from tacker._i18n import _
 from tacker.common import driver_manager
 from tacker.common import log
 from tacker.common import utils
+from tacker import context as t_context
 from tacker.db.nfvo import nfvo_db_plugin
 from tacker.db.nfvo import ns_db
 from tacker.db.nfvo import vnffg_db
@@ -109,14 +110,12 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
         try:
             self._vim_drivers.invoke(vim_type,
                                      'register_vim',
-                                     context=context,
                                      vim_obj=vim_obj)
             res = super(NfvoPlugin, self).create_vim(context, vim_obj)
         except Exception:
             with excutils.save_and_reraise_exception():
                 self._vim_drivers.invoke(vim_type,
                                          'delete_vim_auth',
-                                         context=context,
                                          vim_id=vim_obj['id'],
                                          auth=vim_obj['auth_cred'])
 
@@ -170,7 +169,6 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
                 # Notice: vim_obj may be updated in vim driver's
                 self._vim_drivers.invoke(vim_type,
                                          'register_vim',
-                                         context=context,
                                          vim_obj=vim_obj)
                 new_auth_created = True
 
@@ -185,7 +183,6 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
                 try:
                     self._vim_drivers.invoke(vim_type,
                                              'delete_vim_auth',
-                                             context=context,
                                              vim_id=old_vim_obj['id'],
                                              auth=old_vim_obj['auth_cred'])
                 except Exception as ex:
@@ -200,7 +197,6 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
                     # delete new-created vim auth, old auth is still used.
                     self._vim_drivers.invoke(vim_type,
                                              'delete_vim_auth',
-                                             context=context,
                                              vim_id=vim_obj['id'],
                                              auth=vim_obj['auth_cred'])
 
@@ -209,7 +205,6 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
         vim_obj = self._get_vim(context, vim_id)
         self._vim_drivers.invoke(vim_obj['type'],
                                  'deregister_vim',
-                                 context=context,
                                  vim_obj=vim_obj)
         try:
             auth_dict = self.get_auth_dict(context)
@@ -519,14 +514,13 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
         vim_obj = self.get_vim(context, vim_id['vim_id'], mask_password=False)
         if vim_obj is None:
             raise nfvo.VimFromVnfNotFoundException(vnf_id=vnf_id)
-        self._build_vim_auth(context, vim_obj)
+        self._build_vim_auth(vim_obj)
         return vim_obj
 
-    def _build_vim_auth(self, context, vim_info):
+    def _build_vim_auth(self, vim_info):
         LOG.debug('VIM id is %s', vim_info['id'])
         vim_auth = vim_info['auth_cred']
-        vim_auth['password'] = self._decode_vim_auth(context,
-                                                     vim_info['id'],
+        vim_auth['password'] = self._decode_vim_auth(vim_info['id'],
                                                      vim_auth)
         vim_auth['auth_url'] = vim_info['auth_url']
 
@@ -538,7 +532,7 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
                 vim_auth.pop(attr, None)
         return vim_auth
 
-    def _decode_vim_auth(self, context, vim_id, auth):
+    def _decode_vim_auth(self, vim_id, auth):
         """Decode Vim credentials
 
         Decrypt VIM cred, get fernet Key from local_file_system or
@@ -546,10 +540,11 @@ class NfvoPlugin(nfvo_db_plugin.NfvoPluginDb, vnffg_db.VnffgPluginDbMixin,
         """
         cred = auth['password'].encode('utf-8')
         if auth.get('key_type') == 'barbican_key':
+            k_context = t_context.generate_tacker_service_context()
             keystone_conf = CONF.keystone_authtoken
             secret_uuid = auth['secret_uuid']
             keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-            secret_obj = keymgr_api.get(context, secret_uuid)
+            secret_obj = keymgr_api.get(k_context, secret_uuid)
             vim_key = secret_obj.payload
         else:
             vim_key = self._find_vim_key(vim_id)

tacker/tests/unit/nfvo/drivers/vim/test_kubernetes_driver.py

@@ -14,10 +14,42 @@
 
 from collections import namedtuple
 import mock
+from oslo_config import cfg
+
+from tacker import context as t_context
 from tacker.nfvo.drivers.vim import kubernetes_driver
 from tacker.tests.unit import base
 
 
+OPTS = [cfg.StrOpt('user_domain_id',
+                   default='default',
+                   help='User Domain Id'),
+        cfg.StrOpt('project_domain_id',
+                   default='default',
+                   help='Project Domain Id'),
+        cfg.StrOpt('password',
+                   default='default',
+                   help='User Password'),
+        cfg.StrOpt('username',
+                   default='default',
+                   help='User Name'),
+        cfg.StrOpt('user_domain_name',
+                   default='default',
+                   help='Use Domain Name'),
+        cfg.StrOpt('project_name',
+                   default='default',
+                   help='Project Name'),
+        cfg.StrOpt('project_domain_name',
+                   default='default',
+                   help='Project Domain Name'),
+        cfg.StrOpt('auth_url',
+                   default='http://localhost:5000/v3',
+                   help='Keystone endpoint')]
+
+cfg.CONF.register_opts(OPTS, 'keystone_authtoken')
+CONF = cfg.CONF
+
+
 class FakeKubernetesAPI(mock.Mock):
     pass
 
@@ -113,15 +145,15 @@ class TestKubernetes_Driver(base.TestCase):
                                                               mock_fernet_obj)
         self.kubernetes_api.create_ca_cert_tmp_file.\
             return_value = ('file_descriptor', 'file_path')
-        self.kubernetes_driver.register_vim(None, vim_obj)
+        self.kubernetes_driver.register_vim(vim_obj)
         mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY)
 
     def test_deregister_vim_barbican(self):
         self.keymgr.delete.return_value = None
         vim_obj = self.get_vim_obj_barbican()
-        self.kubernetes_driver.deregister_vim(None, vim_obj)
+        self.kubernetes_driver.deregister_vim(vim_obj)
         self.keymgr.delete.assert_called_once_with(
-            None, 'fake-secret-uuid')
+            t_context.generate_tacker_service_context(), 'fake-secret-uuid')
 
     def test_encode_vim_auth_barbican(self):
         self.config_fixture.config(group='k8s_vim',
@@ -135,10 +167,10 @@ class TestKubernetes_Driver(base.TestCase):
 
         vim_obj = self.get_vim_obj()
         self.kubernetes_driver.encode_vim_auth(
-            None, vim_obj['id'], vim_obj['auth_cred'])
+            vim_obj['id'], vim_obj['auth_cred'])
 
         self.keymgr.store.assert_called_once_with(
-            None, 'test_fernet_key')
+            t_context.generate_tacker_service_context(), 'test_fernet_key')
         mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY)
         self.assertEqual(vim_obj['auth_cred']['key_type'],
                          'barbican_key')

tacker/tests/unit/nfvo/drivers/vim/test_openstack_driver.py

@@ -17,6 +17,7 @@ from keystoneauth1 import exceptions
 import mock
 from oslo_config import cfg
 
+from tacker import context as t_context
 from tacker.extensions import nfvo
 from tacker.nfvo.drivers.vim import openstack_driver
 from tacker.tests.unit import base
@@ -28,6 +29,21 @@ OPTS = [cfg.StrOpt('user_domain_id',
         cfg.StrOpt('project_domain_id',
                    default='default',
                    help='Project Domain Id'),
+        cfg.StrOpt('password',
+                   default='default',
+                   help='User Password'),
+        cfg.StrOpt('username',
+                   default='default',
+                   help='User Name'),
+        cfg.StrOpt('user_domain_name',
+                   default='default',
+                   help='Use Domain Name'),
+        cfg.StrOpt('project_name',
+                   default='default',
+                   help='Project Name'),
+        cfg.StrOpt('project_domain_name',
+                   default='default',
+                   help='Project Domain Name'),
         cfg.StrOpt('auth_url',
                    default='http://localhost:5000/v3',
                    help='Keystone endpoint')]
@@ -149,7 +165,7 @@ class TestOpenstack_Driver(base.TestCase):
                                                         mock_fernet_obj)
         file_mock = mock.mock_open()
         with mock.patch('six.moves.builtins.open', file_mock, create=True):
-            self.openstack_driver.register_vim(None, vim_obj)
+            self.openstack_driver.register_vim(vim_obj)
         mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY)
         file_mock().write.assert_called_once_with('test_fernet_key')
 
@@ -162,15 +178,15 @@ class TestOpenstack_Driver(base.TestCase):
         vim_obj['id'] = vim_id
         file_path = CONF.vim_keys.openstack + '/' + vim_id
         mock_os_path.return_value = file_path
-        self.openstack_driver.deregister_vim(None, vim_obj)
+        self.openstack_driver.deregister_vim(vim_obj)
         mock_os_remove.assert_called_once_with(file_path)
 
     def test_deregister_vim_barbican(self):
         self.keymgr.delete.return_value = None
         vim_obj = self.get_vim_obj_barbican()
-        self.openstack_driver.deregister_vim(None, vim_obj)
+        self.openstack_driver.deregister_vim(vim_obj)
         self.keymgr.delete.assert_called_once_with(
-            None, 'fake-secret-uuid')
+            t_context.generate_tacker_service_context(), 'fake-secret-uuid')
 
     def test_encode_vim_auth_barbican(self):
         self.config_fixture.config(group='vim_keys',
@@ -184,10 +200,10 @@ class TestOpenstack_Driver(base.TestCase):
 
         vim_obj = self.get_vim_obj()
         self.openstack_driver.encode_vim_auth(
-            None, vim_obj['id'], vim_obj['auth_cred'])
+            vim_obj['id'], vim_obj['auth_cred'])
 
         self.keymgr.store.assert_called_once_with(
-            None, 'test_fernet_key')
+            t_context.generate_tacker_service_context(), 'test_fernet_key')
         mock_fernet_obj.encrypt.assert_called_once_with(mock.ANY)
         self.assertEqual(vim_obj['auth_cred']['key_type'],
                          'barbican_key')
@@ -209,7 +225,6 @@ class TestOpenstack_Driver(base.TestCase):
         self.keystone.initialize_client.return_value = mock_ks_client
         self.assertRaises(nfvo.VimUnauthorizedException,
                           self.openstack_driver.register_vim,
-                          None,
                           self.vim_obj)
         mock_ks_client.regions.list.assert_called_once_with()
         self.keystone.initialize_client.assert_called_once_with(

tacker/tests/unit/nfvo/test_nfvo_plugin.py

@@ -295,8 +295,7 @@ class TestNfvoPlugin(db_base.SqlTestCase):
             res_state=mock.ANY, res_type=constants.RES_TYPE_VIM,
             tstamp=mock.ANY)
         self._driver_manager.invoke.assert_any_call(
-            vim_type, 'register_vim',
-            context=self.context, vim_obj=vim_dict['vim'])
+            vim_type, 'register_vim', vim_obj=vim_dict['vim'])
         self.assertIsNotNone(res)
         self.assertEqual(SECRET_PASSWORD, res['auth_cred']['password'])
         self.assertIn('id', res)
@@ -310,11 +309,11 @@ class TestNfvoPlugin(db_base.SqlTestCase):
         self._insert_dummy_vim()
         vim_type = u'openstack'
         vim_id = '6261579e-d6f3-49ad-8bc3-a9cb974778ff'
+        self.context.tenant_id = 'ad7ebc56538745a08ef7c5e97f8bd437'
         vim_obj = self.nfvo_plugin._get_vim(self.context, vim_id)
         self.nfvo_plugin.delete_vim(self.context, vim_id)
         self._driver_manager.invoke.assert_called_once_with(
             vim_type, 'deregister_vim',
-            context=self.context,
             vim_obj=vim_obj)
         self._cos_db_plugin.create_event.assert_called_with(
             self.context, evt_type=constants.RES_EVT_DELETE, res_id=mock.ANY,
@@ -330,6 +329,7 @@ class TestNfvoPlugin(db_base.SqlTestCase):
         vim_auth_username = vim_dict['vim']['auth_cred']['username']
         vim_project = vim_dict['vim']['vim_project']
         self._insert_dummy_vim()
+        self.context.tenant_id = 'ad7ebc56538745a08ef7c5e97f8bd437'
         res = self.nfvo_plugin.update_vim(self.context, vim_dict['vim']['id'],
                                           vim_dict)
         vim_obj = self.nfvo_plugin._get_vim(
@@ -337,7 +337,6 @@ class TestNfvoPlugin(db_base.SqlTestCase):
         vim_obj['updated_at'] = None
         self._driver_manager.invoke.assert_called_with(
             vim_type, 'register_vim',
-            context=self.context,
             vim_obj=vim_obj)
         self.assertIsNotNone(res)
         self.assertIn('id', res)
@@ -360,6 +359,7 @@ class TestNfvoPlugin(db_base.SqlTestCase):
         vim_auth_username = vim_dict['vim']['auth_cred']['username']
         vim_project = vim_dict['vim']['vim_project']
         self._insert_dummy_vim_barbican()
+        self.context.tenant_id = 'ad7ebc56538745a08ef7c5e97f8bd437'
         old_vim_obj = self.nfvo_plugin._get_vim(
             self.context, vim_dict['vim']['id'])
         res = self.nfvo_plugin.update_vim(self.context, vim_dict['vim']['id'],
@@ -369,7 +369,6 @@ class TestNfvoPlugin(db_base.SqlTestCase):
         vim_obj['updated_at'] = None
         self._driver_manager.invoke.assert_called_with(
             vim_type, 'delete_vim_auth',
-            context=self.context,
             vim_id=vim_obj['id'],
             auth=old_vim_obj['auth_cred'])
         self.assertIsNotNone(res)

tacker/vnfm/vim_client.py

@@ -19,6 +19,8 @@ from cryptography import fernet
 from oslo_config import cfg
 from oslo_log import log as logging
 
+
+from tacker import context as t_context
 from tacker.extensions import nfvo
 from tacker.keymgr import API as KEYMGR_API
 from tacker import manager
@@ -57,7 +59,7 @@ class VimClient(object):
                                                  ['regions'], region_name):
             raise nfvo.VimRegionNotFoundException(region_name=region_name)
 
-        vim_auth = self._build_vim_auth(context, vim_info)
+        vim_auth = self._build_vim_auth(vim_info)
         vim_res = {'vim_auth': vim_auth, 'vim_id': vim_info['id'],
                    'vim_name': vim_info.get('name', vim_info['id']),
                    'vim_type': vim_info['type']}
@@ -67,29 +69,26 @@ class VimClient(object):
     def region_valid(vim_regions, region_name):
         return region_name in vim_regions
 
-    def _build_vim_auth(self, context, vim_info):
+    def _build_vim_auth(self, vim_info):
         LOG.debug('VIM id is %s', vim_info['id'])
         vim_auth = vim_info['auth_cred']
 
         # decode password
         if ('password' in vim_auth) and (vim_auth['password'] is not None):
-            vim_auth['password'] = self._decode_vim_auth(context,
-                                                         vim_info['id'],
+            vim_auth['password'] = self._decode_vim_auth(vim_info['id'],
                                                          vim_auth,
                                                          vim_auth['password'])
         # decode bearer_token
         if 'bearer_token' in vim_auth:
             vim_auth['bearer_token'] = self.\
-                _decode_vim_auth(context,
-                                 vim_info['id'],
+                _decode_vim_auth(vim_info['id'],
                                  vim_auth,
                                  vim_auth['bearer_token'])
         # decode ssl_ca_cert
         if ('ssl_ca_cert' in vim_auth) and \
                 (vim_auth['ssl_ca_cert'] is not None):
             vim_auth['ssl_ca_cert'] = self.\
-                _decode_vim_auth(context,
-                                 vim_info['id'],
+                _decode_vim_auth(vim_info['id'],
                                  vim_auth,
                                  vim_auth['ssl_ca_cert'])
 
@@ -103,7 +102,7 @@ class VimClient(object):
                 vim_auth.pop(attr, None)
         return vim_auth
 
-    def _decode_vim_auth(self, context, vim_id, auth, secret_value):
+    def _decode_vim_auth(self, vim_id, auth, secret_value):
         """Decode Vim credentials
 
         Decrypt VIM cred, get fernet Key from local_file_system or
@@ -114,7 +113,8 @@ class VimClient(object):
             keystone_conf = CONF.keystone_authtoken
             secret_uuid = auth['secret_uuid']
             keymgr_api = KEYMGR_API(keystone_conf.auth_url)
-            secret_obj = keymgr_api.get(context, secret_uuid)
+            k_context = t_context.generate_tacker_service_context()
+            secret_obj = keymgr_api.get(k_context, secret_uuid)
             vim_key = secret_obj.payload
         else:
             vim_key = self._find_vim_key(vim_id)