authorMiguel Grinberg <miguel.grinberg@gmail.com>2014-12-16 06:45:22 +0000
committerSteven Hardy <shardy@redhat.com>2015-05-13 09:56:37 +0100
commit85edaa45576e0b691e6593c3ffb01ca4a64b2641 (patch)
treef0a1fdba2fb44b5500d23b9f2c07165800e95bf2
parent46fb19bb3a505c61f77c45f4545d518d138f88a7 (diff)
downloadheat-85edaa45576e0b691e6593c3ffb01ca4a64b2641.tar.gz
Authenticate the domain user with id instead of username
This change makes the authentication process that requests a domain user token provide user_id and password instead of username and password. Authenticating with the user_id is more reliable, as that works even when the username is truncated or modified in any other way before it is passed to Keystone. Conflicts: heat/common/heat_keystoneclient.py Change-Id: I7b2897c2be1e4ad7f55549449b1791991572a7f1 Closes-bug: 1402894 (cherry picked from commit 0ba4dacbe292a182ac4ccd69f1133aa6cdba8045)
-rw-r--r--heat/common/heat_keystoneclient.py6
-rw-r--r--heat/engine/stack_user.py2
-rw-r--r--heat/tests/fakes.py2
-rw-r--r--heat/tests/test_heatclient.py8
-rw-r--r--heat/tests/test_stack_user.py6
5 files changed, 11 insertions, 13 deletions
diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 3fc7d0c0d..50888ea75 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -365,7 +365,7 @@ class KeystoneClientV3(object):
return user.id
- def stack_domain_user_token(self, username, project_id, password):
+ def stack_domain_user_token(self, user_id, project_id, password):
"""Get a token for a stack domain user."""
if not self.stack_domain:
# Note, no legacy fallback path as we don't want to deploy
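Review bot: The docstring under the renamed signature still reads `"""Get a token for a stack domain user."""` and does not say that the first argument is now a Keystone user id rather than a user name. Because the parameter is renamed rather than added, any caller that still passes `username=` will fail with a TypeError; the in-tree callers in this commit are updated, but others cannot be seen from this page. I would extend the docstring to something like `"""Get a token for a stack domain user, identified by Keystone user id."""` and mention the rename in the stable-branch release notes. The method body continues past the end of this hunk.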
@@ -391,8 +391,8 @@ class KeystoneClientV3(object):
body = {'auth': {'scope':
{'project': {'id': project_id}},
'identity': {'password': {'user': {
- 'domain': domain,
- 'password': password, 'name': username}},
+ 'domain': domain,
+ 'password': password, 'id': user_id}},
'methods': ['password']}}}
t = sess.post(token_url, headers=headers, json=body,
authenticated=False)
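Review bot: With `'id': user_id` in the user object, the `'domain': domain` entry kept beside it is probably no longer what selects the account. Keystone v3 user ids are unique across domains, and as far as I know the password method needs a domain only to resolve a name, so this should be confirmed against the Keystone version in use. If that holds, the request no longer confines the lookup to the stack domain, and that property rests on callers only passing ids of users created there. I would either drop the key or add a comment such as `# user ids are global; 'domain' is not used to resolve 'id'`, and check the returned token's user domain if the restriction matters. The function starts before this hunk and continues after it.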
diff --git a/heat/engine/stack_user.py b/heat/engine/stack_user.py
index 6994a7c05..f4218dd51 100644
--- a/heat/engine/stack_user.py
+++ b/heat/engine/stack_user.py
@@ -61,7 +61,7 @@ class StackUser(resource.Resource):
raise ValueError(_("Can't get user token without password"))
return self.keystone().stack_domain_user_token(
- username=self.physical_resource_name(),
+ user_id=self._get_user_id(),
project_id=project_id, password=password)
def _get_user_id(self):
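Review bot: The new argument `user_id=self._get_user_id()` can be empty in a way the old `physical_resource_name()` value could not, if `_get_user_id()` returns None before a user has been stored. Its body is outside this hunk, so that is inferred rather than shown. The only visible guard rejects a missing password, so a missing id would go to Keystone as `'id': None` and come back as an opaque authentication failure. I would fetch the id first and fail early: `user_id = self._get_user_id()` followed by `if not user_id: raise ValueError(_("Can't get user token without user id"))`. A matching negative case in test_stack_user.py would pin this down.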
diff --git a/heat/tests/fakes.py b/heat/tests/fakes.py
index 7c8d51b09..acd10a5be 100644
--- a/heat/tests/fakes.py
+++ b/heat/tests/fakes.py
@@ -165,5 +165,5 @@ class FakeKeystoneClient(object):
credential_id):
pass
- def stack_domain_user_token(self, username, project_id, password):
+ def stack_domain_user_token(self, user_id, project_id, password):
return 'adomainusertoken'
diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
index 42304ab04..ade82f115 100644
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
@@ -1360,7 +1360,7 @@ class KeystoneClientTest(HeatTestCase):
def _stub_domain_user_pw_auth(self):
ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
- username='duser',
+ user_id='duser',
password='apassw',
project_id='aproject',
user_domain_id='adomain123').AndReturn('dummyauth')
@@ -1382,7 +1382,7 @@ class KeystoneClientTest(HeatTestCase):
ctx.trust_id = None
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
token = heat_ks_client.stack_domain_user_token(
- username='duser', project_id='aproject', password='apassw')
+ user_id='duser', project_id='aproject', password='apassw')
self.assertEqual('dummytoken', token)
def test_stack_domain_user_token_err_nodomain(self):
@@ -1393,7 +1393,7 @@ class KeystoneClientTest(HeatTestCase):
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
self.assertRaises(exception.Error,
heat_ks_client.stack_domain_user_token,
- username='user',
+ user_id='user',
project_id='aproject',
password='password')
@@ -1497,7 +1497,7 @@ class KeystoneClientTestDomainName(KeystoneClientTest):
def _stub_domain_user_pw_auth(self):
ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
- username='duser',
+ user_id='duser',
password='apassw',
project_id='aproject',
user_domain_name='fake_domain_name'
diff --git a/heat/tests/test_stack_user.py b/heat/tests/test_stack_user.py
index 243b9f436..3fb68d7fe 100644
--- a/heat/tests/test_stack_user.py
+++ b/heat/tests/test_stack_user.py
@@ -357,15 +357,13 @@ class StackUserTest(HeatTestCase):
def test_user_token(self):
rsrc = self._user_create(stack_name='user_test123',
project_id='aproject123',
- user_id='auser123',
+ user_id='aabbcc',
password='apassword')
- short_id.get_id(rsrc.id).AndReturn('aabbcc')
self.m.StubOutWithMock(fakes.FakeKeystoneClient,
'stack_domain_user_token')
- username = 'user_test123-user-aabbcc'
fakes.FakeKeystoneClient.stack_domain_user_token(
- username=username, project_id='aproject123',
+ user_id='aabbcc', project_id='aproject123',
password='apassword').AndReturn('atoken123')
self.m.ReplayAll()