Commit 17cd8335e13cc7b15818e9a0ea9a0f9d5e5cc150 - python-castellan

Merge "barbican key manager: Add support for service user" Zuul authored 2 years ago Gerrit Code Review committed 2 years ago

3 changed file(s) with 78 addition(s) and 7 deletion(s). Raw diff Collapse all Expand all

+43

-6

castellan/key_manager/barbican_key_manager.py less more

24	24	from cryptography import x509 as cryptography_x509
25	25	from keystoneauth1 import identity
26	26	from keystoneauth1 import loading
	27	from keystoneauth1 import service_token
27	28	from keystoneauth1 import session
28	29	from oslo_config import cfg
29	30	from oslo_log import log as logging

79	80	cfg.StrOpt('barbican_region_name',
80	81	default=None,
81	82	help='Specifies the region of the chosen endpoint.'),
82
	83	cfg.BoolOpt('send_service_user_token',
	84	default=False,
	85	help="""
	86	When True, if sending a user token to a REST API, also send a service token.
	87
	88	Nova often reuses the user token provided to the nova-api to talk to other REST
	89	APIs, such as Cinder, Glance and Neutron. It is possible that while the user
	90	token was valid when the request was made to Nova, the token may expire before
	91	it reaches the other service. To avoid any failures, and to make it clear it is
	92	Nova calling the service on the user's behalf, we include a service token along
	93	with the user token. Should the user's token have expired, a valid service
	94	token ensures the REST API request will still be accepted by the keystone
	95	middleware.
	96	"""),
83	97	]
84	98
	99
85	100	_BARBICAN_OPT_GROUP = 'barbican'
	101	_BARBICAN_SERVICE_USER_OPT_GROUP = 'barbican_service_user'
86	102
87	103	LOG = logging.getLogger(__name__)
88	104

97	113	self.conf.register_opts(_barbican_opts, group=_BARBICAN_OPT_GROUP)
98	114	loading.register_session_conf_options(self.conf, _BARBICAN_OPT_GROUP)
99	115
	116	loading.register_session_conf_options(self.conf,
	117	_BARBICAN_SERVICE_USER_OPT_GROUP)
	118	loading.register_auth_conf_options(self.conf,
	119	_BARBICAN_SERVICE_USER_OPT_GROUP)
	120
100	121	def _get_barbican_client(self, context):
101	122	"""Creates a client to connect to the Barbican service.
102	123

143	164
144	165	def _get_keystone_auth(self, context):
145	166	if context.__class__.__name__ == 'KeystonePassword':
146		return identity.Password(
	167	auth = identity.Password(
147	168	auth_url=context.auth_url,
148	169	username=context.username,
149	170	password=context.password,

159	180	project_domain_name=context.project_domain_name,
160	181	reauthenticate=context.reauthenticate)
161	182	elif context.__class__.__name__ == 'KeystoneToken':
162		return identity.Token(
	183	auth = identity.Token(
163	184	auth_url=context.auth_url,
164	185	token=context.token,
165	186	trust_id=context.trust_id,

174	195	# projects begin to use utils.credential_factory
175	196	elif context.__class__.__name__ == 'RequestContext':
176	197	if getattr(context, 'get_auth_plugin', None):
177		return context.get_auth_plugin()
	198	auth = context.get_auth_plugin()
178	199	else:
179		return identity.Token(
	200	auth = identity.Token(
180	201	auth_url=self.conf.barbican.auth_endpoint,
181	202	token=context.auth_token,
182	203	project_id=context.project_id,

188	209	"KeystoneToken, or RequestContext.")
189	210	LOG.error(msg)
190	211	raise exception.Forbidden(reason=msg)
	212
	213	if self.conf.barbican.send_service_user_token:
	214	service_auth = loading.load_auth_from_conf_options(
	215	self.conf,
	216	group=_BARBICAN_SERVICE_USER_OPT_GROUP)
	217	auth = service_token.ServiceTokenAuthWrapper(
	218	user_auth=auth,
	219	service_auth=service_auth)
	220
	221	return auth
191	222
192	223	def _get_barbican_endpoint(self, auth, sess):
193	224	if self.conf.barbican.barbican_endpoint:

652	683	return objects
653	684
654	685	def list_options_for_discovery(self):
655		return [(_BARBICAN_OPT_GROUP, _barbican_opts)]
	686	barbican_service_user_opts = loading.get_session_conf_options()
	687	barbican_service_user_opts += loading.get_auth_common_conf_options()
	688
	689	return [
	690	(_BARBICAN_OPT_GROUP, _barbican_opts),
	691	(_BARBICAN_SERVICE_USER_OPT_GROUP, barbican_service_user_opts),
	692	]

+28

-1

castellan/tests/unit/key_manager/test_barbican_key_manager.py less more

19	19	from unittest import mock
20	20
21	21	from barbicanclient import exceptions as barbican_exceptions
	22	from keystoneauth1 import identity
	23	from keystoneauth1 import service_token
	24	from oslo_context import context
22	25	from oslo_utils import timeutils
23	26
24	27	from castellan.common import exception

36	39	super(BarbicanKeyManagerTestCase, self).setUp()
37	40
38	41	# Create fake auth_token
39		self.ctxt = mock.Mock()
	42	self.ctxt = mock.Mock(spec=context.RequestContext)
40	43	self.ctxt.auth_token = "fake_token"
	44	self.ctxt.project_name = "foo"
	45	self.ctxt.project_domain_name = "foo"
41	46
42	47	# Create mock barbican client
43	48	self._build_mock_barbican()

161	166	auth.get_endpoint.assert_called_once_with(
162	167	sess, service_type='key-manager', interface='public',
163	168	region_name='regionOne')
	169
	170	def test__get_keystone_auth(self):
	171	auth = self.key_mgr._get_keystone_auth(self.ctxt)
	172	self.assertIsInstance(auth, identity.Token)
	173
	174	def test__get_keystone_auth_service_user(self):
	175	self.key_mgr.conf.barbican.send_service_user_token = True
	176	auth = self.key_mgr._get_keystone_auth(self.ctxt)
	177	self.assertIsInstance(auth, service_token.ServiceTokenAuthWrapper)
164	178
165	179	def test_base_url_old_version(self):
166	180	version = "v1"

606	620	def test_list_with_invalid_object_type(self):
607	621	self.assertRaises(exception.KeyManagerError,
608	622	self.key_mgr.list, self.ctxt, "invalid_type")
	623
	624	def test_list_options_for_discovery(self):
	625	opts = self.key_mgr.list_options_for_discovery()
	626	expected_sections = ['barbican', 'barbican_service_user']
	627	self.assertEqual(expected_sections, [section[0] for section in opts])
	628	barbican_opts = [opt.name for opt in opts[0][1]]
	629	# From Castellan opts.
	630	self.assertIn('barbican_endpoint', barbican_opts)
	631	barbican_service_user_opts = [opt.name for opt in opts[1][1]]
	632	# From session opts.
	633	self.assertIn('cafile', barbican_service_user_opts)
	634	# From auth common opts.
	635	self.assertIn('auth_section', barbican_service_user_opts)

-0

releasenotes/notes/barbican-service-user-11ebbfcd33dace9d.yaml less more

	0	---
	1	features:
	2	- \|
	3	Adds support for using a service user with the Barbican key manager.
	4	This is enabled via ``[barbican] send_service_user_token``, with
	5	credentials for the service user configured via keystoneauth options in the
	6	``[barbican_service_user]`` group.