diff options
| author | Pavlo Shchelokovskyy <pshchelokovskyy@mirantis.com> | 2016-03-23 17:54:59 +0200 |
|---|---|---|
| committer | Devananda van der Veen <devananda.vdv@gmail.com> | 2016-08-03 11:24:21 -0700 |
| commit | f9ea26ebf33118cfc179cc183588df2a829db4b6 (patch) | |
| tree | c3c969ddf8cef07478249fbdc9d6f55d89fca409 /ironic/conf/__init__.py | |
| parent | bf4788cc1d561abaea6f410abfdc64579105b70f (diff) | |
| download | ironic-f9ea26ebf33118cfc179cc183588df2a829db4b6.tar.gz | |
Migrate to using keystoneauth Sessions
We currently construct Keystone client objects directly, which
is no longer the preferred way. Instead, we should be using Sessions
which allows use of different auth plugins. This change attempts to
migrate our Keystone usage to this model.
Additionally, we currently rely on the imported keystonemiddleware
auth_token's configuration for all of the Keystone credentials used
by the Ironic service user. This is bad, as that config is internal
to that library and may change at any time. Also, the service user
may be using different credentials than the token validator.
This refactors the keystone module to use Sessions.
It attempts to provide some backward compat for users
who have not yet updated their config,
by falling back to the authtoken config section when required.
Operators impact:
- Authentification parameters for each service now should specified in
the corresponding config section for this service ([glance], [neutron]
[swift], [inspector]).
This includes providing both Keystone session-related options
(timeout, SSL-related ones) and authentification options
(`auth_type`, `auth_url` and proper options for the auth plugin).
- New config section `service_catalog` for Ironic service user
credentials, used to resolve Ironic API URL from Keystone catalog.
- If loading from the service config section fails, an attempt is made
to use respective options from [keystone_authtoken] section as a
fall-back for backward compatibility.
Implementation details:
- using keystoneauth1 library instead of keystoneclient
- For each service the keystone session is created only once and is
reused further. This lowers the number of authentification requests
made to Keystone but implies that only auth plugins that can
re-authentificate themselves can be used (so no *Token plugins).
This patch does not update the DevStack plugin, in order to test
backwards compatibility with old config options.
DevStack plugin will be modified in a subsequent patch.
Change-Id: I166eebefc1e1335a1a7b632149cf6441512e9d5e
Closes-Bug: #1422632
Related-Bug: #1418341
Related-Bug: #1494776
Co-Authored-By: Adam Gandelman <adamg@ubuntu.com>
Diffstat (limited to 'ironic/conf/__init__.py')
| -rw-r--r-- | ironic/conf/__init__.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ironic/conf/__init__.py b/ironic/conf/__init__.py index 1ec5ee33c..048343c64 100644 --- a/ironic/conf/__init__.py +++ b/ironic/conf/__init__.py @@ -38,6 +38,7 @@ from ironic.conf import metrics_statsd from ironic.conf import neutron from ironic.conf import oneview from ironic.conf import seamicro +from ironic.conf import service_catalog from ironic.conf import snmp from ironic.conf import ssh from ironic.conf import swift @@ -68,6 +69,7 @@ metrics_statsd.register_opts(CONF) neutron.register_opts(CONF) oneview.register_opts(CONF) seamicro.register_opts(CONF) +service_catalog.register_opts(CONF) snmp.register_opts(CONF) ssh.register_opts(CONF) swift.register_opts(CONF) |