authorThomas Herve <thomas.herve@enovance.com>2015-05-20 10:39:49 -0700
committerThomas Herve <thomas.herve@enovance.com>2015-05-27 05:57:06 +0200
commitcfd9b746e1037e04f07ae699b2d498e6a19f1499 (patch)
tree1ca171ae71c2b3788e9d0a2e142688e38f344e29 /ceilometer/keystone_client.py
parent273e9eaf37f7c9264d3a59aed971fdf3300c3f01 (diff)
Optionally create trust for alarm actions
When creating actions using TrustRestAlarmNotifier, allow the absence of a trust ID and automatically create a trust in this case for the ceilometer service user. This enables creation of trust alarms without knowing the ceilometer service user ID outside of ceilometer itself. blueprint trust-alarm-notifier Change-Id: I4b781cbdd46dd4574fea44b40adad869373ab344
Diffstat (limited to 'ceilometer/keystone_client.py')
-rw-r--r--ceilometer/keystone_client.py65
1 files changed, 63 insertions, 2 deletions
diff --git a/ceilometer/keystone_client.py b/ceilometer/keystone_client.py
index 239539a7..04186d39 100644
--- a/ceilometer/keystone_client.py
+++ b/ceilometer/keystone_client.py
@@ -14,7 +14,11 @@
# under the License.
-from keystoneclient.v2_0 import client as ksclient
+from keystoneclient import discover as ks_discover
+from keystoneclient import exceptions as ks_exception
+from keystoneclient import session as ks_session
+from keystoneclient.v2_0 import client as ks_client
+from keystoneclient.v3 import client as ks_client_v3
from oslo_config import cfg
cfg.CONF.import_group('service_credentials', 'ceilometer.service')
@@ -22,7 +26,7 @@ cfg.CONF.import_opt('http_timeout', 'ceilometer.service')
def get_client():
- return ksclient.Client(
+ return ks_client.Client(
username=cfg.CONF.service_credentials.os_username,
password=cfg.CONF.service_credentials.os_password,
tenant_id=cfg.CONF.service_credentials.os_tenant_id,
@@ -32,3 +36,60 @@ def get_client():
region_name=cfg.CONF.service_credentials.os_region_name,
insecure=cfg.CONF.service_credentials.insecure,
timeout=cfg.CONF.http_timeout,)
+
+
+def get_v3_client(trust_id=None):
+ """Return a client for keystone v3 endpoint, optionally using a trust."""
+ auth_url = cfg.CONF.service_credentials.os_auth_url
+ try:
+ auth_url_noneversion = auth_url.replace('/v2.0', '/')
+ discover = ks_discover.Discover(auth_url=auth_url_noneversion)
+ v3_auth_url = discover.url_for('3.0')
+ if v3_auth_url:
+ auth_url = v3_auth_url
+ else:
+ auth_url = auth_url
+ except Exception:
+ auth_url = auth_url.replace('/v2.0', '/v3')
+ return ks_client_v3.Client(
+ username=cfg.CONF.service_credentials.os_username,
+ password=cfg.CONF.service_credentials.os_password,
+ cacert=cfg.CONF.service_credentials.os_cacert,
+ auth_url=auth_url,
+ region_name=cfg.CONF.service_credentials.os_region_name,
+ insecure=cfg.CONF.service_credentials.insecure,
+ timeout=cfg.CONF.http_timeout,
+ trust_id=trust_id)
+
+
+def create_trust_id(trustor_user_id, trustor_project_id, roles, auth_plugin):
+ """Create a new trust using the ceilometer service user."""
+ admin_client = get_v3_client()
+
+ trustee_user_id = admin_client.auth_ref.user_id
+
+ session = ks_session.Session.construct({
+ 'cacert': cfg.CONF.service_credentials.os_cacert,
+ 'insecure': cfg.CONF.service_credentials.insecure})
+
+ client = ks_client_v3.Client(session=session, auth=auth_plugin)
+
+ trust = client.trusts.create(trustor_user=trustor_user_id,
+ trustee_user=trustee_user_id,
+ project=trustor_project_id,
+ impersonation=True,
+ role_names=roles)
+ return trust.id
+
+
+def delete_trust_id(trust_id, auth_plugin):
+ """Delete a trust previously setup for the ceilometer user."""
+ session = ks_session.Session.construct({
+ 'cacert': cfg.CONF.service_credentials.os_cacert,
+ 'insecure': cfg.CONF.service_credentials.insecure})
+
+ client = ks_client_v3.Client(session=session, auth=auth_plugin)
+ try:
+ client.trusts.delete(trust_id)
+ except ks_exception.NotFound:
+ pass
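Review bot: The `ks_discover.Discover(auth_url=auth_url_noneversion)` call in `get_v3_client` does not receive `os_cacert`, `insecure` or `http_timeout`, so version discovery runs with different TLS and timeout settings than the `ks_client_v3.Client` built right after it. Any failure there, including a certificate verification error, is swallowed by `except Exception:`, and the service password is then sent to a URL derived by string replacement with nothing recorded. I would pass the same settings, `ks_discover.Discover(auth_url=auth_url_noneversion, cacert=cfg.CONF.service_credentials.os_cacert, insecure=cfg.CONF.service_credentials.insecure, timeout=cfg.CONF.http_timeout)`, and log the exception before falling back. The `else: auth_url = auth_url` branch is a no-op and can be dropped. Separately, `create_trust_id` creates the trust with `impersonation=True` and no `expires_at`, so its docstring should state that the delegation lasts until `delete_trust_id` is called and that `roles` should be the minimum the alarm action needs.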