diff --git a/castellan/common/credentials/keystone_password.py b/castellan/common/credentials/keystone_password.py index 2351740..2e3ef7f 100644 --- a/castellan/common/credentials/keystone_password.py +++ b/castellan/common/credentials/keystone_password.py @@ -23,13 +23,14 @@ class KeystonePassword(password.Password): """This class represents a keystone password credential.""" - def __init__(self, password, username=None, user_id=None, + def __init__(self, password, auth_url=None, username=None, user_id=None, user_domain_id=None, user_domain_name=None, trust_id=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True): """Create a new Keystone Password Credential. + :param string auth_url: Use this endpoint to connect to Keystone. :param string password: Password for authentication. :param string username: Username for authentication. :param string user_id: User ID for authentication. @@ -46,6 +47,7 @@ one is going to expire. (optional) default True """ + self._auth_url = auth_url self._user_id = user_id self._user_domain_id = user_domain_id self._user_domain_name = user_domain_name @@ -60,6 +62,11 @@ super(KeystonePassword, self).__init__(username, password) + + @property + def auth_url(self): + """This method returns an auth_url.""" + return self._auth_url @property def user_id(self): diff --git a/castellan/common/credentials/keystone_token.py b/castellan/common/credentials/keystone_token.py index 870895f..26d8bad 100644 --- a/castellan/common/credentials/keystone_token.py +++ b/castellan/common/credentials/keystone_token.py 
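Review bot: Inserting `auth_url=None` as the second positional parameter of `KeystonePassword.__init__` silently rebinds every existing positional call, so `KeystonePassword('pw', 'admin')` would now store 'admin' as the auth URL and leave `username` unset. `KeystoneToken.__init__` in keystone_token.py has the same problem, since a positional `trust_id` would land in `auth_url`. Appending the parameter at the end keeps existing callers working, e.g. `project_domain_name=None, reauthenticate=True, auth_url=None):`. The new `:param string auth_url:` line is also listed ahead of `password` in the KeystonePassword docstring, which does not match the signature order.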
@@ -23,13 +23,15 @@ class KeystoneToken(token.Token): """This class represents a keystone token credential.""" - def __init__(self, token, trust_id=None, domain_id=None, domain_name=None, - project_id=None, project_name=None, project_domain_id=None, - project_domain_name=None, reauthenticate=True): + def __init__(self, token, auth_url=None, trust_id=None, domain_id=None, + domain_name=None, project_id=None, project_name=None, + project_domain_id=None, project_domain_name=None, + reauthenticate=True): """Create a new Keystone Token Credential. :param string token: Token for authentication. The type of token formats accepted are UUID, PKI, and Fernet. + :param string auth_url: Use this endpoint to connect to Keystone. :param string trust_id: Trust ID for trust scoping. :param string domain_id: Domain ID for domain scoping. :param string domain_name: Domain name for domain scoping. @@ -41,6 +43,7 @@ one is going to expire. (optional) default True """ + self._auth_url = auth_url self._trust_id = trust_id self._domain_id = domain_id self._domain_name = domain_name @@ -51,6 +54,11 @@ self._reauthenticate = reauthenticate super(KeystoneToken, self).__init__(token) + + @property + def auth_url(self): + """This method returns an auth_url.""" + return self._auth_url @property def trust_id(self): diff --git a/castellan/common/utils.py b/castellan/common/utils.py index a040c96..f6ba646 100644 --- a/castellan/common/utils.py +++ b/castellan/common/utils.py @@ -51,6 +51,8 @@ "'keystone_password' auth_type."), # keystone credential opts + cfg.StrOpt('auth_url', + help="Use this endpoint to connect to Keystone."), cfg.StrOpt('user_id', help="User ID for authentication. Optional for " "'keystone_token' and 'keystone_password' auth_type."), 
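Review bot: The new `auth_url` entry in the keystone credential opts is a plain `StrOpt` with no default and no validation, although its value decides where the configured password or token is sent. The help text should say that the credentials are submitted to this endpoint and what happens when the option is unset. If the supported oslo.config version provides it, `cfg.URIOpt('auth_url', schemes=['http', 'https'], help=...)` would reject malformed values at load time. The option list starts and ends outside this hunk.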
@@ -130,6 +132,7 @@ elif conf.key_manager.auth_type == 'keystone_password': return keystone_password.KeystonePassword( conf.key_manager.password, + auth_url=conf.key_manager.auth_url, username=conf.key_manager.username, user_id=conf.key_manager.user_id, user_domain_id=conf.key_manager.user_domain_id, @@ -153,6 +156,7 @@ return keystone_token.KeystoneToken( auth_token, + auth_url=conf.key_manager.auth_url, trust_id=conf.key_manager.trust_id, domain_id=conf.key_manager.domain_id, domain_name=conf.key_manager.domain_name, diff --git a/castellan/key_manager/barbican_key_manager.py b/castellan/key_manager/barbican_key_manager.py index d73fc32..6937c42 100644 --- a/castellan/key_manager/barbican_key_manager.py +++ b/castellan/key_manager/barbican_key_manager.py @@ -55,6 +55,8 @@ help='Version of the Barbican API, for example: "v1"'), cfg.StrOpt('auth_endpoint', default='http://localhost/identity/v3', + deprecated_name='auth_url', + deprecated_group='key_manager', help='Use this endpoint to connect to Keystone'), cfg.IntOpt('retry_delay', default=1, @@ -123,6 +125,8 @@ endpoint=self._barbican_endpoint) self._current_context = context + # TODO(pbourke): more fine grained exception handling - we are eating + # tracebacks here except Exception as e: LOG.error("Error creating Barbican client: %s", e) raise exception.KeyManagerError(reason=e) @@ -134,11 +138,9 @@ return self._barbican_client def _get_keystone_auth(self, context): - auth_url = self.conf.barbican.auth_endpoint - if context.__class__.__name__ is 'KeystonePassword': return identity.Password( - auth_url=auth_url, + auth_url=context.auth_url, username=context.username, password=context.password, user_id=context.user_id, @@ -154,7 +156,7 @@ reauthenticate=context.reauthenticate) elif context.__class__.__name__ is 'KeystoneToken': return identity.Token( - auth_url=auth_url, + auth_url=context.auth_url, token=context.token, trust_id=context.trust_id, domain_id=context.domain_id, 
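Review bot: `deprecated_name='auth_url'` with `deprecated_group='key_manager'` on `auth_endpoint` declares `key_manager/auth_url` as the old spelling of `barbican/auth_endpoint`, which is the reverse of what the release note in this commit says. As written, `auth_endpoint` itself is never marked deprecated, and a `[key_manager] auth_url` value would presumably also be picked up as `barbican.auth_endpoint` while utils.py registers the same name as a live option. If the intent is to retire `auth_endpoint`, replace the two alias arguments with `deprecated_for_removal=True,` and `deprecated_reason='Use [key_manager] auth_url instead.',`. The `RequestContext` branch of `_get_keystone_auth` still reads `self.conf.barbican.auth_endpoint`, so calling the option "unnecessary" also looks premature.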
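Review bot: With the local `auth_url = self.conf.barbican.auth_endpoint` removed, the `KeystonePassword` and `KeystoneToken` branches of `_get_keystone_auth` pass `context.auth_url` straight through, and both credential classes default it to `None`. A credential built without `auth_url`, as every caller written before this change does, now reaches `identity.Password` or `identity.Token` with no endpoint instead of the configured one. `auth_url=context.auth_url or self.conf.barbican.auth_endpoint,` in both branches would keep the old behaviour as a fallback. The endpoint that receives the password or token is also now chosen by the credential object rather than by operator configuration, so a docstring on `_get_keystone_auth` should state that contexts must come from a trusted source. The function body continues outside these hunks.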
@@ -168,7 +170,7 @@ # projects begin to use utils.credential_factory elif context.__class__.__name__ is 'RequestContext': return identity.Token( - auth_url=auth_url, + auth_url=self.conf.barbican.auth_endpoint, token=context.auth_token, project_id=context.tenant) else: diff --git a/castellan/tests/functional/key_manager/test_barbican_key_manager.py b/castellan/tests/functional/key_manager/test_barbican_key_manager.py index 8fed35c..7651821 100644 --- a/castellan/tests/functional/key_manager/test_barbican_key_manager.py +++ b/castellan/tests/functional/key_manager/test_barbican_key_manager.py @@ -129,6 +129,7 @@ base.BaseTestCase): def get_context(self): + auth_url = CONF.identity.auth_url username = CONF.identity.username password = CONF.identity.password project_name = CONF.identity.project_name @@ -136,7 +137,7 @@ project_domain_name = CONF.identity.project_domain_name ctxt = keystone_password.KeystonePassword( - username=username, password=password, + auth_url=auth_url, username=username, password=password, project_name=project_name, user_domain_name=user_domain_name, project_domain_name=project_domain_name) @@ -165,4 +166,5 @@ return keystone_token.KeystoneToken( token=auth.get_token(sess), + auth_url=auth_url, project_id=auth.get_project_id(sess)) diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 3ebccf5..36cd711 100644 --- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -37,12 +37,14 @@ # keystone token credential [key_manager] + auth_url = 'http://192.169.5.254:5000' auth_type = 'keystone_token' token = '5b4de0bb77064f289f7cc58e33bea8c7' project_id = 'a1e19934af81420d980a5d02b4afe9fb' # keystone password credential [key_manager] + auth_url = 'http://192.169.5.254:5000' auth_type = 'keystone_password' username = 'admin' password = 'passw0rd1' 
diff --git a/releasenotes/notes/deprecate-auth-endpoint-b91a3e67b5c7263f.yaml b/releasenotes/notes/deprecate-auth-endpoint-b91a3e67b5c7263f.yaml new file mode 100644 index 0000000..62ae236 --- /dev/null +++ b/releasenotes/notes/deprecate-auth-endpoint-b91a3e67b5c7263f.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - | + Config option barbican/auth_endpoint is unnecessary and deprecated in + favor of the more standard key_manager/auth_url.