Deprecate http_basic_username and http_basic_password in [json_rpc]

It's very confusing that we use username/password everywhere, except
for [json_rpc]. Just use the standard options.

Also the version of keystoneauth is bumped to one that supports
http_basic.

Change-Id: Icc834c3f8febd45c2548314ee00b85a7f9cebd2c
Dmitry Tantsur 2020-07-22 18:09:22 +02:00
parent 1f63525a1f
commit 74e9e1d82a
8 changed files with 68 additions and 35 deletions


@ -1395,10 +1395,15 @@ function configure_ironic {
if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" != "" ]]; then if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" != "" ]]; then
iniset $IRONIC_CONF_FILE json_rpc auth_strategy $IRONIC_JSON_RPC_AUTH_STRATEGY iniset $IRONIC_CONF_FILE json_rpc auth_strategy $IRONIC_JSON_RPC_AUTH_STRATEGY
fi fi
iniset $IRONIC_CONF_FILE json_rpc http_basic_username myName if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "http_basic" ]]; then
iniset $IRONIC_CONF_FILE json_rpc http_basic_password myPassword iniset $IRONIC_CONF_FILE json_rpc username myName
# json-rpc auth file with bcrypt hash of myPassword iniset $IRONIC_CONF_FILE json_rpc password myPassword
echo 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.JETVCWBkc32C63UP2aYrGoYOEpbJm' > /etc/ironic/htpasswd-json-rpc # json-rpc auth file with bcrypt hash of myPassword
echo 'myName:$2y$05$lE3eGtyj41jZwrzS87KTqe6.JETVCWBkc32C63UP2aYrGoYOEpbJm' > /etc/ironic/htpasswd-json-rpc
fi
if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "" ]] || [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "keystone" ]]; then
configure_client_for json_rpc
fi
# Set fast track options # Set fast track options
iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK iniset $IRONIC_CONF_FILE deploy fast_track $IRONIC_DEPLOY_FAST_TRACK
@ -1532,7 +1537,7 @@ function configure_ironic_conductor {
# NOTE(pas-ha) service_catalog section is used to discover # NOTE(pas-ha) service_catalog section is used to discover
# ironic API endpoint from keystone catalog # ironic API endpoint from keystone catalog
local client_sections="neutron swift glance inspector cinder service_catalog json_rpc nova" local client_sections="neutron swift glance inspector cinder service_catalog nova"
for conf_section in $client_sections; do for conf_section in $client_sections; do
configure_client_for $conf_section configure_client_for $conf_section
done done
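Review bot: In the first hunk's http_basic branch the user name, password and bcrypt hash are fixed literals, and the htpasswd file is created by a bare redirect to a hard-coded `/etc/ironic/` path while the surrounding lines take their location from `$IRONIC_CONF_FILE`. Every environment built with this strategy therefore shares the same known JSON RPC credentials, and the file's mode is whatever the current umask gives. I would add a comment such as `# Test-only credentials; never reuse outside devstack` and follow the write with `chmod 0600 /etc/ironic/htpasswd-json-rpc` (assuming the service runs as the user that writes the file). configure_ironic starts and ends outside the hunk.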


@ -70,8 +70,8 @@ You should make the following changes to ``/etc/ironic/ironic.conf``:
[json_rpc] [json_rpc]
auth_strategy=http_basic auth_strategy=http_basic
http_basic_username=myName username=myName
http_basic_password=myPassword password=myPassword
If you don't use Image service, it's possible to provide images to Bare Metal If you don't use Image service, it's possible to provide images to Bare Metal
service via a URL. service via a URL.


@ -15,8 +15,6 @@
This client is compatible with any JSON RPC 2.0 implementation, including ours. This client is compatible with any JSON RPC 2.0 implementation, including ours.
""" """
import base64
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log from oslo_log import log
from oslo_utils import importutils from oslo_utils import importutils
@ -38,23 +36,25 @@ def _get_session():
global _SESSION global _SESSION
if _SESSION is None: if _SESSION is None:
kwargs = {}
auth_strategy = json_rpc.auth_strategy() auth_strategy = json_rpc.auth_strategy()
if auth_strategy == 'keystone': if auth_strategy != 'keystone':
auth = keystone.get_auth('json_rpc') auth_type = 'none' if auth_strategy == 'noauth' else auth_strategy
else: CONF.set_default('auth_type', auth_type, group='json_rpc')
auth = None
# Deprecated, remove in W
if auth_strategy == 'http_basic':
if CONF.json_rpc.http_basic_username:
kwargs['username'] = CONF.json_rpc.http_basic_username
if CONF.json_rpc.http_basic_password:
kwargs['password'] = CONF.json_rpc.http_basic_password
auth = keystone.get_auth('json_rpc', **kwargs)
session = keystone.get_session('json_rpc', auth=auth) session = keystone.get_session('json_rpc', auth=auth)
headers = { headers = {
'Content-Type': 'application/json' 'Content-Type': 'application/json'
} }
if auth_strategy == 'http_basic':
token = '{}:{}'.format(
CONF.json_rpc.http_basic_username,
CONF.json_rpc.http_basic_password
).encode('utf-8')
encoded = base64.b64encode(token).decode('utf-8')
headers['Authorization'] = 'Basic {}'.format(encoded)
# Adds options like connect_retries # Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc', session=session, _SESSION = keystone.get_adapter('json_rpc', session=session,
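Review bot: `CONF.set_default('auth_type', auth_type, group='json_rpc')` only changes the default, so an `auth_type` that an operator has set explicitly under `[json_rpc]` still wins and the client can end up authenticating differently from what `auth_strategy` says the server expects. After the call I would compare the effective value, `if CONF.json_rpc.auth_type != auth_type:`, and log a warning or fail there rather than on the first rejected RPC call. The same place could also check that a user name and password are present in either the new or the deprecated form when the strategy is `http_basic`, since the removed help text called them required; whether `keystone.get_auth` already rejects that case is not visible here. `_get_session` starts above the second hunk and its `get_adapter` call continues past it.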


@ -38,16 +38,16 @@ opts = [
default=False, default=False,
help=_('Whether to use TLS for JSON RPC')), help=_('Whether to use TLS for JSON RPC')),
cfg.StrOpt('http_basic_username', cfg.StrOpt('http_basic_username',
default='', deprecated_for_removal=True,
deprecated_reason=_("Use username instead"),
help=_("Name of the user to use for HTTP Basic authentication " help=_("Name of the user to use for HTTP Basic authentication "
"client requests. Required when " "client requests.")),
"auth_strategy=http_basic.")),
cfg.StrOpt('http_basic_password', cfg.StrOpt('http_basic_password',
default='', deprecated_for_removal=True,
deprecated_reason=_("Use password instead"),
secret=True, secret=True,
help=_("Password to use for HTTP Basic authentication " help=_("Password to use for HTTP Basic authentication "
"client requests. Required when " "client requests.")),
"auth_strategy=http_basic.")),
] ]
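Review bot: The shortened help strings for `http_basic_username` and `http_basic_password` no longer say when the values are needed, and nothing in this section tells the operator that Basic credentials travel with every request and are only protected in transit when TLS is on; the TLS option at the top of the hunk has `default=False`. I would extend the password help with a sentence like `"Sent with every request; enable TLS for JSON RPC when using HTTP Basic."` The `opts` list starts above the hunk.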


@ -584,9 +584,11 @@ class TestSession(test_base.TestCase):
self.config(auth_strategy='noauth', group='json_rpc') self.config(auth_strategy='noauth', group='json_rpc')
session = client._get_session() session = client._get_session()
mock_keystone.get_auth.assert_not_called() mock_keystone.get_auth.assert_called_once_with('json_rpc')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with( mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=None) 'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value internal_session = mock_keystone.get_session.return_value
@ -620,13 +622,34 @@ class TestSession(test_base.TestCase):
def test_http_basic(self, mock_keystone): def test_http_basic(self, mock_keystone):
self.config(auth_strategy='http_basic', group='json_rpc') self.config(auth_strategy='http_basic', group='json_rpc')
self.config(http_basic_username='myName', group='json_rpc')
self.config(http_basic_password='myPassword', group='json_rpc')
session = client._get_session() session = client._get_session()
mock_keystone.get_auth.assert_not_called() mock_keystone.get_auth.assert_called_once_with('json_rpc')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with( mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=None) 'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value
mock_keystone.get_adapter.assert_called_once_with(
'json_rpc',
session=internal_session,
additional_headers={
'Content-Type': 'application/json'
})
self.assertEqual(mock_keystone.get_adapter.return_value, session)
def test_http_basic_deprecated(self, mock_keystone):
self.config(auth_strategy='http_basic', group='json_rpc')
self.config(http_basic_username='myName', group='json_rpc')
self.config(http_basic_password='myPassword', group='json_rpc')
session = client._get_session()
mock_keystone.get_auth.assert_called_once_with(
'json_rpc', username='myName', password='myPassword')
auth = mock_keystone.get_auth.return_value
mock_keystone.get_session.assert_called_once_with(
'json_rpc', auth=auth)
internal_session = mock_keystone.get_session.return_value internal_session = mock_keystone.get_session.return_value
@ -634,7 +657,6 @@ class TestSession(test_base.TestCase):
'json_rpc', 'json_rpc',
session=internal_session, session=internal_session,
additional_headers={ additional_headers={
'Authorization': 'Basic bXlOYW1lOm15UGFzc3dvcmQ=',
'Content-Type': 'application/json' 'Content-Type': 'application/json'
}) })
self.assertEqual(mock_keystone.get_adapter.return_value, session) self.assertEqual(mock_keystone.get_adapter.return_value, session)
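Review bot: With `keystone.get_auth` mocked, the rewritten `test_http_basic` and the noauth test no longer check anything that distinguishes the two strategies: both assert `get_auth('json_rpc')` and an adapter without an `Authorization` header. What now decides how the client authenticates is the `auth_type` default set in `_get_session`, so each test should also assert the resulting value, e.g. `self.assertEqual('http_basic', CONF.json_rpc.auth_type)` (assuming the test module has `CONF` in scope). A case with only one of the deprecated options set would cover the partial-kwargs path as well. `TestSession` begins and continues outside these hunks.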


@ -42,7 +42,7 @@ jmespath==0.9.5
jsonpatch==1.16 jsonpatch==1.16
jsonpointer==2.0 jsonpointer==2.0
jsonschema==3.2.0 jsonschema==3.2.0
keystoneauth1==3.18.0 keystoneauth1==4.2.0
keystonemiddleware==4.17.0 keystonemiddleware==4.17.0
kombu==4.6.8 kombu==4.6.8
linecache2==1.0.0 linecache2==1.0.0


@ -0,0 +1,6 @@
---
deprecations:
- |
The configuration options ``[json_rpc]http_basic_username`` and
``[json_rpc]http_basic_password`` have been deprecated in favour of the
more generic ``[json_rpc]username`` and ``[json_rpc]password``.


@ -10,7 +10,7 @@ WebOb>=1.7.1 # MIT
python-cinderclient!=4.0.0,>=3.3.0 # Apache-2.0 python-cinderclient!=4.0.0,>=3.3.0 # Apache-2.0
python-neutronclient>=6.7.0 # Apache-2.0 python-neutronclient>=6.7.0 # Apache-2.0
python-glanceclient>=2.8.0 # Apache-2.0 python-glanceclient>=2.8.0 # Apache-2.0
keystoneauth1>=3.18.0 # Apache-2.0 keystoneauth1>=4.2.0 # Apache-2.0
ironic-lib>=4.3.0 # Apache-2.0 ironic-lib>=4.3.0 # Apache-2.0
python-swiftclient>=3.2.0 # Apache-2.0 python-swiftclient>=3.2.0 # Apache-2.0
pytz>=2013.6 # MIT pytz>=2013.6 # MIT