Revert "Support service user and project in non-default domain"
This case can be handled by default/design by using a v3 authentication
plugin. The values also don't make sense for v2 authentication.
Having them here means extra values to support in the default case.
There has not been a release with this patch.
This reverts commit bb00caf15b.
Related-bug: #1372142
Change-Id: I690f39284010906a0171178511729749ccc566b8
This commit is contained in:
Jamie Lennox
parent
89eddf54ee
commit
3b5c93f864
@ -167,12 +167,6 @@ a WSGI component. Example for the auth_token middleware:
|
||||
# Keystone account username (string value)
|
||||
#admin_user=<None>
|
||||
|
||||
# Keystone service account user domain ID. (string value)
|
||||
#admin_user_domain_id=<None>
|
||||
|
||||
# Keystone service account user domain name. (string value)
|
||||
#admin_user_domain_name=<None>
|
||||
|
||||
# Keystone account password (string value)
|
||||
admin_password=SuperSekretPassword
|
||||
|
||||
@ -180,12 +174,6 @@ a WSGI component. Example for the auth_token middleware:
|
||||
# (string value)
|
||||
#admin_tenant_name=admin
|
||||
|
||||
# Keystone service account project domain ID. (string value)
|
||||
#admin_project_domain_id=<None>
|
||||
|
||||
# Keystone service account project domain name. (string value)
|
||||
#admin_project_domain_name=<None>
|
||||
|
||||
# Env key for the swift cache (string value)
|
||||
#cache=<None>
|
||||
|
||||
@ -309,15 +297,10 @@ Configuration Options
|
||||
* ``admin_token``: either this or the following three options are required. If
|
||||
set, this is a single shared secret with the keystone configuration used to
|
||||
validate tokens.
|
||||
* ``admin_user``, ``admin_user_domain_name``, ``admin_user_domain_id``,
|
||||
``admin_password``, ``admin_tenant_name``, ``admin_project_domain_id``,
|
||||
``admin_project_domain_name``: if ``admin_token``
|
||||
is not set, or invalid, then ``admin_user``, ``admin_password``, and
|
||||
``admin_tenant_name`` are defined as a service account which is expected to
|
||||
have been previously configured in Keystone to validate user tokens. If the
|
||||
service user isn't in the default domain, set ``admin_user_domain_name`` or
|
||||
``admin_user_domain_id``. If the service project isn't in the default domain,
|
||||
set ``admin_project_domain_id`` or ``admin_project_domain_name``.
|
||||
* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
|
||||
is not set, or invalid, then admin_user, admin_password, and
|
||||
admin_tenant_name are defined as a service account which is expected to have
|
||||
been previously configured in Keystone to validate user tokens.
|
||||
|
||||
* ``cache``: (optional) Env key for the swift cache
|
||||
|
||||
|
||||
@ -175,7 +175,6 @@ import time
|
||||
from keystoneclient import access
|
||||
from keystoneclient.auth.identity import base as base_identity
|
||||
from keystoneclient.auth.identity import v2
|
||||
from keystoneclient.auth.identity import v3
|
||||
from keystoneclient.auth import token_endpoint
|
||||
from keystoneclient.common import cms
|
||||
from keystoneclient import exceptions
|
||||
@ -272,10 +271,6 @@ _OPTS = [
|
||||
' instead.'),
|
||||
cfg.StrOpt('admin_user',
|
||||
help='Keystone account username'),
|
||||
cfg.StrOpt('admin_user_domain_id',
|
||||
help='Keystone service account user domain ID.'),
|
||||
cfg.StrOpt('admin_user_domain_name',
|
||||
help='Keystone service account user domain name.'),
|
||||
cfg.StrOpt('admin_password',
|
||||
secret=True,
|
||||
help='Keystone account password'),
|
||||
@ -283,10 +278,6 @@ _OPTS = [
|
||||
default='admin',
|
||||
help='Keystone service account tenant name to validate'
|
||||
' user tokens'),
|
||||
cfg.StrOpt('admin_project_domain_id',
|
||||
help='Keystone service account project domain ID.'),
|
||||
cfg.StrOpt('admin_project_domain_name',
|
||||
help='Keystone service account project domain name.'),
|
||||
cfg.StrOpt('cache',
|
||||
default=None,
|
||||
help='Env key for the swift cache'),
|
||||
@ -1241,37 +1232,21 @@ class AuthProtocol(object):
|
||||
# of this can be changed when we get keystoneclient 0.10. For now this
|
||||
# hardcoded path is EXACTLY the same as the original auth_token did.
|
||||
auth_url = '%s/v2.0' % self._identity_uri
|
||||
auth_plugin = None
|
||||
|
||||
admin_token = self._conf_get('admin_token')
|
||||
admin_user_domain_id = self._conf_get('admin_user_domain_id')
|
||||
admin_user_domain_name = self._conf_get('admin_user_domain_name')
|
||||
if admin_token:
|
||||
self._LOG.warning(
|
||||
"The admin_token option in the auth_token middleware is "
|
||||
"deprecated and should not be used. The admin_user and "
|
||||
"admin_password options should be used instead. The "
|
||||
"admin_token option may be removed in a future release.")
|
||||
auth_plugin = token_endpoint.Token(auth_url, admin_token)
|
||||
elif admin_user_domain_id or admin_user_domain_name:
|
||||
auth_url = '%s/v3' % self._identity_uri
|
||||
project_domain_name = self._conf_get('admin_project_domain_name')
|
||||
auth_plugin = v3.Password(
|
||||
auth_url,
|
||||
username=self._conf_get('admin_user'),
|
||||
user_domain_id=admin_user_domain_id,
|
||||
user_domain_name=admin_user_domain_name,
|
||||
password=self._conf_get('admin_password'),
|
||||
project_name=self._conf_get('admin_tenant_name'),
|
||||
project_domain_id=self._conf_get('admin_project_domain_id'),
|
||||
project_domain_name=project_domain_name)
|
||||
sess.auth = token_endpoint.Token(auth_url, admin_token)
|
||||
else:
|
||||
auth_plugin = v2.Password(
|
||||
sess.auth = v2.Password(
|
||||
auth_url,
|
||||
username=self._conf_get('admin_user'),
|
||||
password=self._conf_get('admin_password'),
|
||||
tenant_name=self._conf_get('admin_tenant_name'))
|
||||
sess.auth = auth_plugin
|
||||
return sess
|
||||
|
||||
def _identity_server_factory(self):
|
||||
|
||||
@ -643,44 +643,6 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
|
||||
self.assertRaises(auth_token.ConfigurationError,
|
||||
auth_token.AuthProtocol, self.fake_app, conf)
|
||||
|
||||
def test_service_auth_domain_name(self):
|
||||
# When the service user and project domain name is configured, the V3
|
||||
# password plugin is used.
|
||||
|
||||
user_domain_name = uuid.uuid4().hex
|
||||
project_domain_name = uuid.uuid4().hex
|
||||
|
||||
conf = {
|
||||
'admin_user_domain_name': user_domain_name,
|
||||
'admin_project_domain_name': project_domain_name,
|
||||
}
|
||||
self.set_middleware(conf=conf)
|
||||
|
||||
auth_plugin = self.middleware._session.auth
|
||||
self.assertEqual(project_domain_name, auth_plugin.project_domain_name)
|
||||
|
||||
auth_method = auth_plugin.auth_methods[0]
|
||||
self.assertEqual(user_domain_name, auth_method.user_domain_name)
|
||||
|
||||
def test_service_user_domain_id(self):
|
||||
# When the service user and project domain ID is configured, the V3
|
||||
# password plugin is used.
|
||||
|
||||
user_domain_id = uuid.uuid4().hex
|
||||
project_domain_id = uuid.uuid4().hex
|
||||
|
||||
conf = {
|
||||
'admin_user_domain_id': user_domain_id,
|
||||
'admin_project_domain_id': project_domain_id,
|
||||
}
|
||||
self.set_middleware(conf=conf)
|
||||
|
||||
auth_plugin = self.middleware._session.auth
|
||||
self.assertEqual(project_domain_id, auth_plugin.project_domain_id)
|
||||
|
||||
auth_method = auth_plugin.auth_methods[0]
|
||||
self.assertEqual(user_domain_id, auth_method.user_domain_id)
|
||||
|
||||
|
||||
class CommonAuthTokenMiddlewareTest(object):
|
||||
"""These tests are run once using v2 tokens and again using v3 tokens."""
|
||||
|
||||
@ -40,12 +40,8 @@ class OptsTestCase(utils.TestCase):
|
||||
'http_request_max_retries',
|
||||
'admin_token',
|
||||
'admin_user',
|
||||
'admin_user_domain_id',
|
||||
'admin_user_domain_name',
|
||||
'admin_password',
|
||||
'admin_tenant_name',
|
||||
'admin_project_domain_id',
|
||||
'admin_project_domain_name',
|
||||
'cache',
|
||||
'certfile',
|
||||
'keyfile',
|
||||
|
||||
Loading…
Reference in New Issue
Block a user