keystone_client: stop using cfg.CONF

We don't want to rely on the global conf object to avoid all kind of
conflicts and import issue, we're gonna build a local one in
service.prepare_service().

Change-Id: I376879e3ccd6b8613125cd5c58a501cc9862a27e

aodh/api/controllers/v2/alarm_rules/gnocchi.py

@@ -63,7 +63,7 @@ class AlarmGnocchiThresholdRule(base.AlarmRule):
     # @cachetools.ttl_cache(maxsize=1, ttl=600)
     @staticmethod
     def _get_aggregation_methods():
-        ks_client = keystone_client.get_client()
+        ks_client = keystone_client.get_client(cfg.CONF)
         gnocchi_url = cfg.CONF.gnocchi_url
         headers = {'Content-Type': "application/json",
                    'X-Auth-Token': ks_client.auth_token}
@@ -103,7 +103,7 @@ class MetricOfResourceRule(AlarmGnocchiThresholdRule):
               cls).validate_alarm(alarm)
 
         rule = alarm.gnocchi_resources_threshold_rule
-        ks_client = keystone_client.get_client()
+        ks_client = keystone_client.get_client(cfg.CONF)
         gnocchi_url = cfg.CONF.gnocchi_url
         headers = {'Content-Type': "application/json",
                    'X-Auth-Token': ks_client.auth_token}
@@ -161,7 +161,7 @@ class AggregationMetricByResourcesLookupRule(AlarmGnocchiThresholdRule):
                         query]})
 
         # Delegate the query validation to gnocchi
-        ks_client = keystone_client.get_client()
+        ks_client = keystone_client.get_client(cfg.CONF)
         request = {
             'url': "%s/v1/aggregation/resource/%s/metric/%s" % (
                 cfg.CONF.gnocchi_url,

aodh/api/controllers/v2/alarms.py

@@ -403,6 +403,7 @@ class Alarm(base.Base):
                             # We have a trust action without a trust ID,
                             # create it
                             trust_id = keystone_client.create_trust_id(
+                                cfg.CONF,
                                 trustor_user_id, trustor_project_id, roles,
                                 auth_plugin)
                             netloc = '%s:delete@%s' % (trust_id, url.netloc)
@@ -417,6 +418,7 @@ class Alarm(base.Base):
                     if (self._is_trust_url(url) and url.password and
                             action not in getattr(self, key)):
                         keystone_client.delete_trust_id(
+                            cfg.CONF,
                             url.username, auth_plugin)
 
     def delete_actions(self):
@@ -425,7 +427,8 @@ class Alarm(base.Base):
                                       self.insufficient_data_actions):
             url = netutils.urlsplit(action)
             if self._is_trust_url(url) and url.password:
-                keystone_client.delete_trust_id(url.username, auth_plugin)
+                keystone_client.delete_trust_id(cfg.CONF,
+                                                url.username, auth_plugin)
 
 
 Alarm.add_attributes(**{"%s_rule" % ext.name: ext.plugin

aodh/evaluator/gnocchi.py

@@ -44,7 +44,7 @@ class GnocchiThresholdEvaluator(threshold.ThresholdEvaluator):
     @property
     def ks_client(self):
         if self._ks_client is None:
-            self._ks_client = keystone_client.get_client()
+            self._ks_client = keystone_client.get_client(cfg.CONF)
         return self._ks_client
 
     def _get_headers(self, content_type="application/json"):

aodh/keystone_client.py

@@ -19,28 +19,24 @@ from keystoneclient import exceptions as ks_exception
 from keystoneclient import session as ks_session
 from keystoneclient.v2_0 import client as ks_client
 from keystoneclient.v3 import client as ks_client_v3
-from oslo_config import cfg
-
-cfg.CONF.import_group('service_credentials', 'aodh.service')
-cfg.CONF.import_opt('http_timeout', 'aodh.service')
 
 
-def get_client():
+def get_client(conf):
     return ks_client.Client(
-        username=cfg.CONF.service_credentials.os_username,
-        password=cfg.CONF.service_credentials.os_password,
-        tenant_id=cfg.CONF.service_credentials.os_tenant_id,
-        tenant_name=cfg.CONF.service_credentials.os_tenant_name,
-        cacert=cfg.CONF.service_credentials.os_cacert,
-        auth_url=cfg.CONF.service_credentials.os_auth_url,
-        region_name=cfg.CONF.service_credentials.os_region_name,
-        insecure=cfg.CONF.service_credentials.insecure,
-        timeout=cfg.CONF.http_timeout,)
+        username=conf.service_credentials.os_username,
+        password=conf.service_credentials.os_password,
+        tenant_id=conf.service_credentials.os_tenant_id,
+        tenant_name=conf.service_credentials.os_tenant_name,
+        cacert=conf.service_credentials.os_cacert,
+        auth_url=conf.service_credentials.os_auth_url,
+        region_name=conf.service_credentials.os_region_name,
+        insecure=conf.service_credentials.insecure,
+        timeout=conf.http_timeout,)
 
 
-def get_v3_client(trust_id=None):
+def get_v3_client(conf, trust_id=None):
     """Return a client for keystone v3 endpoint, optionally using a trust."""
-    auth_url = cfg.CONF.service_credentials.os_auth_url
+    auth_url = conf.service_credentials.os_auth_url
     try:
         auth_url_noneversion = auth_url.replace('/v2.0', '/')
         discover = ks_discover.Discover(auth_url=auth_url_noneversion)
@@ -52,25 +48,26 @@ def get_v3_client(trust_id=None):
     except Exception:
         auth_url = auth_url.replace('/v2.0', '/v3')
     return ks_client_v3.Client(
-        username=cfg.CONF.service_credentials.os_username,
-        password=cfg.CONF.service_credentials.os_password,
-        cacert=cfg.CONF.service_credentials.os_cacert,
+        username=conf.service_credentials.os_username,
+        password=conf.service_credentials.os_password,
+        cacert=conf.service_credentials.os_cacert,
         auth_url=auth_url,
-        region_name=cfg.CONF.service_credentials.os_region_name,
-        insecure=cfg.CONF.service_credentials.insecure,
-        timeout=cfg.CONF.http_timeout,
+        region_name=conf.service_credentials.os_region_name,
+        insecure=conf.service_credentials.insecure,
+        timeout=conf.http_timeout,
         trust_id=trust_id)
 
 
-def create_trust_id(trustor_user_id, trustor_project_id, roles, auth_plugin):
+def create_trust_id(conf, trustor_user_id, trustor_project_id,
+                    roles, auth_plugin):
     """Create a new trust using the aodh service user."""
-    admin_client = get_v3_client()
+    admin_client = get_v3_client(conf)
 
     trustee_user_id = admin_client.auth_ref.user_id
 
     session = ks_session.Session.construct({
-        'cacert': cfg.CONF.service_credentials.os_cacert,
-        'insecure': cfg.CONF.service_credentials.insecure})
+        'cacert': conf.service_credentials.os_cacert,
+        'insecure': conf.service_credentials.insecure})
 
     client = ks_client_v3.Client(session=session, auth=auth_plugin)
 
@@ -82,11 +79,11 @@ def create_trust_id(trustor_user_id, trustor_project_id, roles, auth_plugin):
     return trust.id
 
 
-def delete_trust_id(trust_id, auth_plugin):
+def delete_trust_id(conf, trust_id, auth_plugin):
     """Delete a trust previously setup for the aodh user."""
     session = ks_session.Session.construct({
-        'cacert': cfg.CONF.service_credentials.os_cacert,
-        'insecure': cfg.CONF.service_credentials.insecure})
+        'cacert': conf.service_credentials.os_cacert,
+        'insecure': conf.service_credentials.insecure})
 
     client = ks_client_v3.Client(session=session, auth=auth_plugin)
     try:

aodh/notifier/trust.py

@@ -14,6 +14,7 @@
 # under the License.
 """Rest alarm notifier with trusted authentication."""
 
+from oslo_config import cfg
 from six.moves.urllib import parse
 
 from aodh import keystone_client
@@ -35,7 +36,7 @@ class TrustRestAlarmNotifier(rest.RestAlarmNotifier):
                reason, reason_data):
         trust_id = action.username
 
-        client = keystone_client.get_v3_client(trust_id)
+        client = keystone_client.get_v3_client(cfg.CONF, trust_id)
 
         # Remove the fake user
         netloc = action.netloc.split("@")[1]