Heat - revise keystone/trusts config to avoid deprecated options
There are some inter-related changes required to avoid using legacy
fallback/deprecated paths in heat, which result in warnings in the
log, e.g because we fall-back to reusing keystone auth_token
configuration instead of heat specific sections.
To fix this:
- Don't explicitly set deferred_auth_method=trusts, as this is now
the default (since kilo)
- Create a new "trustee" section containing configuration used for
the password auth-plugin associated with deferred authentication
via trusts (support for this was added during liberty to enable
us to stop incorrectly using the keystone auth_token config)
- Create a "clients_keystone" section to avoid falling back to the
legacy behavior of stealing the uri from auth_token.
This also means we can remove the FIXME and auth_token auth_uri
mentioned by jamielennox.
Change-Id: Ie34332a7aec3b9b271df0759dd6ab66b45302832
Related-Bug: #1300246
diff --git a/lib/heat b/lib/heat
index fdcf5bc..3666776 100644
--- a/lib/heat
+++ b/lib/heat
@@ -56,6 +56,10 @@
HEAT_TEMPLATES_DIR=$HEAT_CONF_DIR/templates
HEAT_API_HOST=${HEAT_API_HOST:-$HOST_IP}
HEAT_API_PORT=${HEAT_API_PORT:-8004}
+HEAT_SERVICE_USER=${HEAT_SERVICE_USER:-heat}
+HEAT_TRUSTEE_USER=${HEAT_TRUSTEE_USER:-$HEAT_SERVICE_USER}
+HEAT_TRUSTEE_PASSWORD=${HEAT_TRUSTEE_PASSWORD:-$SERVICE_PASSWORD}
+HEAT_TRUSTEE_DOMAIN=${HEAT_TRUSTEE_DOMAIN:-default}
# Support entry points installation of console scripts
HEAT_BIN_DIR=$(get_python_exec_prefix)
@@ -73,7 +77,7 @@
fi
else
HEAT_STACK_DOMAIN=$(trueorfalse True HEAT_STACK_DOMAIN)
- HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-trusts}
+ HEAT_DEFERRED_AUTH=${HEAT_DEFERRED_AUTH:-}
fi
HEAT_PLUGIN_DIR=${HEAT_PLUGIN_DIR:-$DATA_DIR/heat/plugins}
ENABLE_HEAT_PLUGINS=${ENABLE_HEAT_PLUGINS:-}
@@ -134,30 +138,39 @@
setup_colorized_logging $HEAT_CONF DEFAULT tenant user
fi
- iniset $HEAT_CONF DEFAULT deferred_auth_method $HEAT_DEFERRED_AUTH
+ if [ ! -z "$HEAT_DEFERRED_AUTH" ]; then
+ iniset $HEAT_CONF DEFAULT deferred_auth_method $HEAT_DEFERRED_AUTH
+ fi
if [ "$HEAT_USE_MOD_WSGI" == "True" ]; then
_config_heat_apache_wsgi
fi
- # NOTE(jamielennox): heat re-uses specific values from the
- # keystone_authtoken middleware group and so currently fails when using the
- # auth plugin setup. This should be fixed in heat. Heat is also the only
- # service that requires the auth_uri to include a /v2.0. Remove this custom
- # setup when bug #1300246 is resolved.
- iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
if [[ "$HEAT_STANDALONE" = "True" ]]; then
iniset $HEAT_CONF paste_deploy flavor standalone
iniset $HEAT_CONF clients_heat url "http://$HEAT_API_HOST:$HEAT_API_PORT/v1/%(tenant_id)s"
else
iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
- iniset $HEAT_CONF keystone_authtoken admin_user heat
+ iniset $HEAT_CONF keystone_authtoken admin_user $HEAT_SERVICE_USER
iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
iniset $HEAT_CONF keystone_authtoken cafile $SSL_BUNDLE_FILE
iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
fi
+ # If HEAT_DEFERRED_AUTH is unset or explicitly set to trusts, configure
+ # the section for the client plugin associated with the trustee
+ if [ -z "$HEAT_DEFERRED_AUTH" -o "trusts" == "$HEAT_DEFERRED_AUTH" ]; then
+ iniset $HEAT_CONF trustee auth_plugin password
+ iniset $HEAT_CONF trustee auth_url $KEYSTONE_AUTH_URI
+ iniset $HEAT_CONF trustee username $HEAT_TRUSTEE_USER
+ iniset $HEAT_CONF trustee password $HEAT_TRUSTEE_PASSWORD
+ iniset $HEAT_CONF trustee user_domain_id $HEAT_TRUSTEE_DOMAIN
+ fi
+
+ # clients_keystone
+ iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI
+
# ec2authtoken
iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0