author | Miguel Grinberg <miguel.grinberg@gmail.com> | 2014-12-16 06:45:22 +0000 |
---|---|---|
committer | Miguel Grinberg <miguelgrinberg50@gmail.com> | 2014-12-23 18:40:13 -0800 |
commit | 0ba4dacbe292a182ac4ccd69f1133aa6cdba8045 (patch) | |
tree | d03b1b8c1590984cda6fc3bb7836a7e8a9228cf2 /heat | |
parent | c16f539c5351d3dcc05422126b6f0cd67b627459 (diff) | |
download | heat-0ba4dacbe292a182ac4ccd69f1133aa6cdba8045.tar.gz |
Authenticate the domain user with id instead of username
This change makes the authentication process that requests a domain user
token provide user_id and password instead of username and password.
Authenticating with the user_id is more reliable, as that works even when
the username is truncated or modified in any other way before it is passed
to Keystone.
Change-Id: I7b2897c2be1e4ad7f55549449b1791991572a7f1
Closes-bug: 1402894
Diffstat (limited to 'heat')
-rw-r--r-- | heat/common/heat_keystoneclient.py | 8 | ||||
-rw-r--r-- | heat/engine/stack_user.py | 2 | ||||
-rw-r--r-- | heat/tests/fakes.py | 2 | ||||
-rw-r--r-- | heat/tests/test_heatclient.py | 8 | ||||
-rw-r--r-- | heat/tests/test_stack_user.py | 6 |
5 files changed, 12 insertions, 14 deletions
diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 32cd5268c..a8a7c5530 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
@@ -370,7 +370,7 @@ class KeystoneClientV3(object):
 return user.id
- def stack_domain_user_token(self, username, project_id, password):
+ def stack_domain_user_token(self, user_id, project_id, password):
 """Get a token for a stack domain user."""
 if not self.stack_domain:
 # Note, no legacy fallback path as we don't want to deploy
@@ -385,13 +385,13 @@ class KeystoneClientV3(object):
 # space is limited..)
 if self._stack_domain_is_id:
 auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
- username=username,
+ user_id=user_id,
 password=password,
 project_id=project_id,
 user_domain_id=self.stack_domain)
 else:
 auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
- username=username,
+ user_id=user_id,
 password=password,
 project_id=project_id,
 user_domain_name=self.stack_domain)
@@ -408,7 +408,7 @@ class KeystoneClientV3(object):
 {'project': {'id': project_id}},
 'identity': {'password': {'user': {
 'domain': domain,
- 'password': password, 'name': username}},
+ 'password': password, 'id': user_id}},
 'methods': ['password']}}}
 t = sess.post(token_url, headers=headers, json=body,
 authenticated=False)
diff --git a/heat/engine/stack_user.py b/heat/engine/stack_user.py
index 981677df6..58bc4494c 100644
--- a/heat/engine/stack_user.py
+++ b/heat/engine/stack_user.py
@@ -62,7 +62,7 @@ class StackUser(resource.Resource):
 raise ValueError(_("Can't get user token without password"))
 return self.keystone().stack_domain_user_token(
- username=self.physical_resource_name(),
+ user_id=self._get_user_id(),
 project_id=project_id, password=password)
 def _get_user_id(self):
diff --git a/heat/tests/fakes.py b/heat/tests/fakes.py
index cd0386c4f..defc46d0a 100644
--- a/heat/tests/fakes.py
+++ b/heat/tests/fakes.py
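Review bot: The renamed first parameter of `stack_domain_user_token` keeps its position, so a caller that still passes a username positionally would now send a name where an id is expected and only fail at authentication time, while callers using the `username=` keyword fail earlier with a TypeError. The one-line docstring does not say which identifier is expected; I would extend it to something like `"""Get a token for a stack domain user, identified by Keystone user id (not name)."""`. The function body continues outside this hunk.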
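Review bot: With `user_id=user_id` in both `kc_auth_v3.Password(...)` calls, the `user_domain_id` / `user_domain_name` arguments most likely stop having any effect: as far as I know the v3 password method only sends the domain to qualify a username, and Keystone resolves a user id without consulting the domain. The same applies to the hand-built body in the -408 hunk, which still sends `'domain': domain` next to `'id': user_id`. If this method is meant to issue tokens only for users inside the stack domain, the request itself no longer enforces that; consider comparing the returned token's user domain with `self.stack_domain`, or at least add a comment such as `# domain is not used to resolve the user when authenticating by id; callers must pass a stack-domain user id`. Both `if`/`else` branches begin and end outside the hunk.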
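Review bot: `user_id=self._get_user_id()` is passed straight through, while the password gets an explicit `ValueError` guard just above it. The body of `_get_user_id` is outside the hunk, so I cannot tell whether it can return `None` (for example before the user has been created); if it can, the request would reach Keystone without any user identifier and fail with a less helpful error. A matching guard, e.g. `user_id = self._get_user_id()` followed by `if not user_id: raise ValueError(_("Can't get user token without user id"))`, would keep the failure local and consistent with the password check.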
@@ -175,5 +175,5 @@ class FakeKeystoneClient(object):
 credential_id):
 pass
- def stack_domain_user_token(self, username, project_id, password):
+ def stack_domain_user_token(self, user_id, project_id, password):
 return 'adomainusertoken'
diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
index 35bd0c220..2315860b3 100644
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
@@ -1368,7 +1368,7 @@ class KeystoneClientTest(common.HeatTestCase):
 def _stub_domain_user_pw_auth(self):
 self.m.StubOutWithMock(ks_auth_v3, 'Password')
 ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
- username='duser',
+ user_id='duser',
 password='apassw',
 project_id='aproject',
 user_domain_id='adomain123').AndReturn('dummyauth')
@@ -1391,7 +1391,7 @@ class KeystoneClientTest(common.HeatTestCase):
 ctx.trust_id = None
 heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
 token = heat_ks_client.stack_domain_user_token(
- username='duser', project_id='aproject', password='apassw')
+ user_id='duser', project_id='aproject', password='apassw')
 self.assertEqual('dummytoken', token)
 def test_stack_domain_user_token_err_nodomain(self):
@@ -1402,7 +1402,7 @@ class KeystoneClientTest(common.HeatTestCase):
 heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
 self.assertRaises(exception.Error,
 heat_ks_client.stack_domain_user_token,
- username='user',
+ user_id='user',
 project_id='aproject',
 password='password')
@@ -1527,7 +1527,7 @@ class KeystoneClientTestDomainName(KeystoneClientTest):
 def _stub_domain_user_pw_auth(self):
 self.m.StubOutWithMock(ks_auth_v3, 'Password')
 ks_auth_v3.Password(auth_url='http://server.test:5000/v3',
- username='duser',
+ user_id='duser',
 password='apassw',
 project_id='aproject',
 user_domain_name='fake_domain_name'
diff --git a/heat/tests/test_stack_user.py b/heat/tests/test_stack_user.py
index e02268dda..29b580e95 100644
--- a/heat/tests/test_stack_user.py
+++ b/heat/tests/test_stack_user.py
@@ -356,15 +356,13 @@ class StackUserTest(common.HeatTestCase):
 def test_user_token(self):
 rsrc = self._user_create(stack_name='user_test123',
 project_id='aproject123',
- user_id='auser123',
+ user_id='aabbcc',
 password='apassword')
- short_id.get_id(rsrc.id).AndReturn('aabbcc')
 self.m.StubOutWithMock(fakes.FakeKeystoneClient,
 'stack_domain_user_token')
- username = 'user_test123-user-aabbcc'
 fakes.FakeKeystoneClient.stack_domain_user_token(
- username=username, project_id='aproject123',
+ user_id='aabbcc', project_id='aproject123',
 password='apassword').AndReturn('atoken123')
 self.m.ReplayAll() |
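Review bot: The test now feeds `user_id='aabbcc'` into `_user_create` and expects the same literal back, reusing the value that used to be the short id; keeping a distinct id such as the previous `'auser123'` in both places would make it clearer that the stored user id, not the resource-name suffix, is what reaches `stack_domain_user_token`. There is also no case covering the situation from the bug report, a username that was truncated or otherwise modified before reaching Keystone. `_user_create` is defined outside the hunk, so this assumes it stores the given id unchanged.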