Centralize and configure nova with cinder service user access
Since Queens [1] nova has been able to be configured with
cinder service user credentials for operating on cinder
resources without a user auth token, similar to what nova
already does without a user auth token when working with
neutron and placement resources.
This change:
- centralizes the nova [cinder] section configuration
- adds the necessary auth configuration
Needed by: https://review.opendev.org/549130/
[1] I3c35bba43fee81baebe8261f546c1424ce3a3383
Change-Id: I5640ee431f6856853f6b00ec7ed1ea21d05117dd
diff --git a/lib/nova b/lib/nova
index c41f881..33d0a9f 100644
--- a/lib/nova
+++ b/lib/nova
@@ -468,11 +468,7 @@
fi
if is_service_enabled cinder; then
- if is_service_enabled tls-proxy; then
- CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
- CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
- iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
- fi
+ configure_cinder_access
fi
if [ -n "$NOVA_STATE_PATH" ]; then
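Review bot: `configure_cinder_access` is only invoked under `is_service_enabled cinder`, yet the `os_region_name` setting it absorbs (removed in the second hunk) was previously written to `$NOVA_CONF` unconditionally, so this hunk narrows when the `[cinder]` section is populated. On a host that runs nova but not the cinder services (a compute-only subnode, if devstack deploys that way), the section — including the service-user credentials the new auth flow depends on — would now be left unset; this is inferred from the gate, not visible here. If that is intended, a comment on the `if` such as `# [cinder] is only configured where the cinder services run; compute-only hosts must get it from their own local.conf` would make it explicit; otherwise gate the call on whether nova needs to reach cinder rather than on whether cinder runs locally. The enclosing configure function starts and ends outside this hunk.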
@@ -520,8 +516,6 @@
# don't let the conductor get out of control now that we're using a pure python db driver
iniset $NOVA_CONF conductor workers "$API_WORKERS"
- iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
-
if is_service_enabled tls-proxy; then
iniset $NOVA_CONF DEFAULT glance_protocol https
iniset $NOVA_CONF oslo_middleware enable_proxy_headers_parsing True
@@ -593,6 +587,29 @@
iniset $conf placement region_name "$REGION_NAME"
}
+# Configure access to cinder.
+function configure_cinder_access {
+ iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
+ iniset $NOVA_CONF cinder auth_type "password"
+ iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI"
+ # NOTE(mriedem): This looks a bit weird but we use the nova user here
+ # since it has the admin role and the cinder user does not. This is
+ # similar to using the nova user in init_nova_service_user_conf. We need
+ # to use a user with the admin role for background tasks in nova to
+ # be able to GET block-storage API resources owned by another project
+ # since cinder has low-level "is_admin" checks in its DB API.
+ iniset $NOVA_CONF cinder username nova
+ iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD"
+ iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME"
+ iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME"
+ if is_service_enabled tls-proxy; then
+ CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
+ CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
+ iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
+ fi
+}
+
function configure_console_compute {
# If we are running multiple cells (and thus multiple console proxies) on a
# single host, we offset the ports to avoid collisions. We need to
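Review bot: In `configure_cinder_access` the two assignments `CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}` and `CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}` inside the tls-proxy branch are not read by anything in the function; only the `cafile` line depends on the branch. If no later code relies on those globals being defaulted here they can be dropped, and if something does, a comment naming the consumer would save the next reader the search. For consistency with the quoted values elsewhere in the function, `iniset $NOVA_CONF cinder cafile "$SSL_BUNDLE_FILE"` would also avoid word-splitting on an unusual bundle path. The one-line header could state what the function actually writes, e.g. `# Configure the [cinder] section of $NOVA_CONF: region, keystone auth as the nova service user, and the CA bundle when tls-proxy is enabled.`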