Comment 17 for bug 1418341

OpenStack Infra (hudson-openstack) wrote : Related fix merged to ironic (master)

Reviewed: https://review.openstack.org/236982
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=f9ea26ebf33118cfc179cc183588df2a829db4b6
Submitter: Jenkins
Branch: master

commit f9ea26ebf33118cfc179cc183588df2a829db4b6
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Wed Mar 23 17:54:59 2016 +0200

    Migrate to using keystoneauth Sessions

    We currently construct Keystone client objects directly, which
    is no longer the preferred way. Instead, we should be using Sessions,
    which allow use of different auth plugins. This change attempts to
    migrate our Keystone usage to this model.

    Additionally, we currently rely on the imported keystonemiddleware
    auth_token's configuration for all of the Keystone credentials used
    by the Ironic service user. This is bad, as that config is internal
    to that library and may change at any time. Also, the service user
    may be using different credentials than the token validator.

    This refactors the keystone module to use Sessions.
    It attempts to provide some backward compat for users
    who have not yet updated their config,
    by falling back to the authtoken config section when required.

    Operators impact:

    - Authentication parameters for each service should now be specified in
      the corresponding config section for this service ([glance], [neutron],
      [swift], [inspector]).
      This includes providing both Keystone session-related options
      (timeout, SSL-related ones) and authentication options
      (`auth_type`, `auth_url` and proper options for the auth plugin).

    - New config section `service_catalog` for Ironic service user
      credentials, used to resolve Ironic API URL from Keystone catalog.

    - If loading from the service config section fails, an attempt is made
      to use respective options from [keystone_authtoken] section as a
      fall-back for backward compatibility.

    Implementation details:

    - using keystoneauth1 library instead of keystoneclient

    - For each service the keystone session is created only once and is
      reused further. This lowers the number of authentication requests
      made to Keystone but implies that only auth plugins that can
      re-authenticate themselves can be used (so no *Token plugins).

    This patch does not update the DevStack plugin, in order to test
    backwards compatibility with old config options.
    DevStack plugin will be modified in a subsequent patch.

    Change-Id: I166eebefc1e1335a1a7b632149cf6441512e9d5e
    Closes-Bug: #1422632
    Related-Bug: #1418341
    Related-Bug: #1494776
    Co-Authored-By: Adam Gandelman <email address hidden>
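
An operator-side check for the configuration change described in the commit message above, as an added example (not Ironic's code and not part of the commit): it reads an ironic.conf-style file and reports, per service section, whether credentials are set in that section, would fall back to [keystone_authtoken], or name a *Token plugin that a reused session cannot re-authenticate with. The sample config, the function name and the status labels are assumptions made for this illustration, and the token check is a simple name-suffix heuristic.

```python
import configparser

# Sections named in the commit message, plus the new service_catalog section.
SERVICE_SECTIONS = ("glance", "neutron", "swift", "inspector", "service_catalog")
LEGACY_SECTION = "keystone_authtoken"

# Constructed sample config for the example, not from a real deployment.
SAMPLE_CONF = """
[keystone_authtoken]
admin_user = ironic
admin_password = CHANGE_ME

[glance]
auth_type = password
auth_url = https://keystone.example.test:5000
username = ironic-glance
password = CHANGE_ME
timeout = 30

[neutron]
auth_type = token
auth_url = https://keystone.example.test:5000

[swift]
"""

def audit_auth_sections(conf_text):
    """Return {section: status} describing where credentials would come from."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(conf_text)
    report = {}
    has_legacy = cp.has_section(LEGACY_SECTION)
    for name in SERVICE_SECTIONS:
        auth_type = cp.get(name, "auth_type", fallback=None)
        if auth_type is None:
            # No auth plugin set here, so the backward-compat fall-back applies.
            report[name] = "legacy-fallback" if has_legacy else "unconfigured"
        elif auth_type.lower().endswith("token"):
            # The session is created once and reused; a token plugin cannot
            # re-authenticate when its token expires.
            report[name] = "invalid-token-plugin"
        elif not cp.get(name, "auth_url", fallback=None):
            report[name] = "missing-auth_url"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for section, status in audit_auth_sections(SAMPLE_CONF).items():
        print(f"[{section}] {status}")
```

Sections reported as `legacy-fallback` still share the token validator's credentials, which is the coupling the commit message describes as undesirable.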