diff --git a/etc/ironic/ironic.conf.sample b/etc/ironic/ironic.conf.sample index 823795e747..59d34d24bf 100644 --- a/etc/ironic/ironic.conf.sample +++ b/etc/ironic/ironic.conf.sample @@ -854,7 +854,7 @@ [keystone_authtoken] # -# Options defined in keystoneclient.middleware.auth_token +# Options defined in keystonemiddleware.auth_token # # Prefix to prepend at the beginning of the path. Deprecated, diff --git a/ironic/api/acl.py b/ironic/api/acl.py index b9bf8fc0d4..a22a64910b 100644 --- a/ironic/api/acl.py +++ b/ironic/api/acl.py @@ -18,36 +18,19 @@ """Access Control Lists (ACL's) control access the API server.""" -from keystoneclient.middleware import auth_token as keystone_auth_token -from oslo.config import cfg - from ironic.api.middleware import auth_token -OPT_GROUP_NAME = 'keystone_authtoken' - - -def register_opts(conf): - """Register keystoneclient middleware options - - :param conf: Ironic settings. - """ - conf.register_opts(keystone_auth_token.opts, group=OPT_GROUP_NAME) - keystone_auth_token.CONF = conf - - def install(app, conf, public_routes): """Install ACL check on application. :param app: A WSGI applicatin. - :param conf: Settings. Must include OPT_GROUP_NAME section. + :param conf: Settings. Dict'ified and passed to keystonemiddleware :param public_routes: The list of the routes which will be allowed to access without authentication. :return: The same WSGI application with ACL installed. """ - register_opts(cfg.CONF) - keystone_config = dict(conf.get(OPT_GROUP_NAME)) return auth_token.AuthTokenMiddleware(app, - conf=keystone_config, + conf=dict(conf), public_api_routes=public_routes) diff --git a/ironic/api/middleware/auth_token.py b/ironic/api/middleware/auth_token.py index 9cad079b3c..d30f5d9ab9 100644 --- a/ironic/api/middleware/auth_token.py +++ b/ironic/api/middleware/auth_token.py 
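Review bot: `conf=dict(conf)` in `install()` of ironic/api/acl.py now hands the middleware the entire settings mapping, where the removed code first narrowed it to the `keystone_authtoken` group. If keystonemiddleware looks a name up in this dict before falling back to its own option group (worth confirming against the version in use), any top-level Ironic option that shares a name with an auth_token option would silently override the `[keystone_authtoken]` value. Unrelated settings such as database or RPC credentials would also be held by the auth middleware for no reason. Keeping the narrowing, e.g. `conf=dict(conf.get('keystone_authtoken'))`, or passing an empty dict so the middleware reads only its own registered group, limits authentication settings to the section operators expect. The new docstring line for `conf` should then state which of the two is intended.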
@@ -14,7 +14,7 @@ import re -from keystoneclient.middleware import auth_token +from keystonemiddleware import auth_token from ironic.common import exception from ironic.common import utils @@ -54,6 +54,6 @@ class AuthTokenMiddleware(auth_token.AuthProtocol): self.public_api_routes)) if env['is_public_api']: - return self.app(env, start_response) + return self._app(env, start_response) return super(AuthTokenMiddleware, self).__call__(env, start_response) diff --git a/ironic/common/keystone.py b/ironic/common/keystone.py index f64da1bcf0..c197c231ad 100644 --- a/ironic/common/keystone.py +++ b/ironic/common/keystone.py @@ -13,14 +13,14 @@ # under the License. from keystoneclient import exceptions as ksexception +# NOTE(deva): import auth_token so oslo.config pulls in keystone_authtoken +from keystonemiddleware import auth_token # noqa from oslo.config import cfg from six.moves.urllib import parse -from ironic.api import acl from ironic.common import exception CONF = cfg.CONF -acl.register_opts(CONF) def get_service_url(service_type='baremetal', endpoint_type='internal'): diff --git a/ironic/common/neutron.py b/ironic/common/neutron.py index 22360b13e6..621267b17b 100644 --- a/ironic/common/neutron.py +++ b/ironic/common/neutron.py @@ -20,7 +20,6 @@ from neutronclient.common import exceptions as neutron_client_exc from neutronclient.v2_0 import client as clientv20 from oslo.config import cfg -from ironic.api import acl from ironic.common import exception from ironic.common import keystone from ironic.drivers.modules import ssh @@ -46,7 +45,6 @@ neutron_opts = [ CONF = cfg.CONF CONF.import_opt('my_ip', 'ironic.netconf') CONF.register_opts(neutron_opts, group='neutron') -acl.register_opts(CONF) LOG = logging.getLogger(__name__) diff --git a/ironic/tests/api/base.py b/ironic/tests/api/base.py index 472f953ac0..0f0a640885 100644 --- a/ironic/tests/api/base.py +++ b/ironic/tests/api/base.py 
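Review bot: `return self._app(env, start_response)` in the second hunk of ironic/api/middleware/auth_token.py reaches into a private attribute of keystonemiddleware's `AuthProtocol`, so the unauthenticated public-route branch of `__call__` depends on an implementation detail that the `keystonemiddleware>=1.0.0` requirement does not bound. An upstream rename would surface only at request time, and only on public routes, as an AttributeError. This branch also returns before the parent `__call__` runs, so any request clean-up the parent performs (presumably including removal of client-supplied identity headers; confirm) is skipped for public routes, and handlers behind them should not trust those headers. I would add a comment such as `# NOTE: _app is private to keystonemiddleware's AuthProtocol; public routes bypass the parent __call__ entirely` and make sure a test exercises a public route with ACLs enabled. `__call__` begins above this hunk, so the route matching itself is not visible here.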
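Review bot: The `from keystonemiddleware import auth_token  # noqa` line added in ironic/common/keystone.py is imported only for its side effect of registering the `keystone_authtoken` options. It is easy to delete later as an apparently unused import, which would leave `CONF.keystone_authtoken` reads failing at runtime. oslo.config has an explicit form for this, `CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')`, placed after `CONF = cfg.CONF`, which states the dependency and needs no `# noqa`. The same side-effect import is added in ironic/tests/api/base.py and ironic/tests/api/test_acl.py, where the group name is now also repeated as a string literal; the same call would serve there.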
@@ -20,12 +20,13 @@ # ceilometer/tests/api/__init__.py). This should be oslo'ified: # https://bugs.launchpad.net/ironic/+bug/1255115. +# NOTE(deva): import auth_token so we can override a config option +from keystonemiddleware import auth_token # noqa from oslo.config import cfg import pecan import pecan.testing from six.moves.urllib import parse as urlparse -from ironic.api import acl from ironic.db import api as dbapi from ironic.tests.db import base @@ -42,7 +43,8 @@ class FunctionalTest(base.DbTestCase): def setUp(self): super(FunctionalTest, self).setUp() - cfg.CONF.set_override("auth_version", "v2.0", group=acl.OPT_GROUP_NAME) + cfg.CONF.set_override("auth_version", "v2.0", + group='keystone_authtoken') self.app = self._make_app() self.dbapi = dbapi.get_instance() diff --git a/ironic/tests/api/test_acl.py b/ironic/tests/api/test_acl.py index 413601ff23..d4b410aca0 100644 --- a/ironic/tests/api/test_acl.py +++ b/ironic/tests/api/test_acl.py @@ -18,9 +18,11 @@ are blocked or allowed to be processed. import mock +# NOTE(deva): import auth_token so we can override a config option +from keystonemiddleware import auth_token # noqa + from oslo.config import cfg -from ironic.api import acl from ironic.db import api as db_api from ironic.tests.api import base from ironic.tests.api import utils @@ -46,7 +48,8 @@ class TestACL(base.FunctionalTest): **param) def _make_app(self): - cfg.CONF.set_override('cache', 'fake.cache', group=acl.OPT_GROUP_NAME) + cfg.CONF.set_override('cache', 'fake.cache', + group='keystone_authtoken') return super(TestACL, self)._make_app(enable_acl=True) def test_non_authenticated(self): diff --git a/requirements.txt b/requirements.txt index 98bc82c5d3..a7b65c913c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,6 +31,7 @@ six>=1.7.0 jsonpatch>=1.1 WSME>=0.6 Jinja2 +keystonemiddleware>=1.0.0 oslo.messaging>=1.4.0.0a3 retrying>=1.2.2 # Apache-2.0 posix_ipc 
diff --git a/tools/config/oslo.config.generator.rc b/tools/config/oslo.config.generator.rc
index e18556a86e..0e1325b9ca 100644
--- a/tools/config/oslo.config.generator.rc
+++ b/tools/config/oslo.config.generator.rc
@@ -1,2 +1,2 @@
 export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging'
-export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystoneclient.middleware.auth_token
+export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=keystonemiddleware.auth_token