+++ /dev/null
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-: Copyright (c) 2018 Mirantis Inc., Enea AB and others.
-:
-: All rights reserved. This program and the accompanying materials
-: are made available under the terms of the Apache License, Version 2.0
-: which accompanies this distribution, and is available at
-: http://www.apache.org/licenses/LICENSE-2.0
-::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
-Date: Wed, 3 Jan 2018 00:50:50 +0100
-Subject: [PATCH] controller: Use keystoneclient to check project ID
-
-Port fix from [1] for using the internal network when connecting
-to keystone during project ID validation in nova, instead of
-going through public endpoint (and using SSL).
-
-[1] https://bugs.launchpad.net/nova/+bug/1716344
-
-Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
----
- nova/controller.sls | 10 ++
- ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++
- 2 files changed, 126 insertions(+)
- create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
-
-diff --git a/nova/controller.sls b/nova/controller.sls
-index a55d037..59af945 100644
---- a/nova/controller.sls
-+++ b/nova/controller.sls
-@@ -71,6 +71,16 @@ contrail_nova_packages:
-
- {%- endif %}
-
-+nova-api-openstack-identity-patch:
-+ file.patch:
-+ - name: /usr/lib/python2.7/dist-packages
-+ - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
-+ - hash: False
-+ - options: '-p1'
-+ - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch'
-+ - require:
-+ - pkg: nova_controller_packages
-+
- /etc/nova/nova.conf:
- file.managed:
- - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
-diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
-new file mode 100644
-index 0000000..58d027e
---- /dev/null
-+++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
-@@ -0,0 +1,116 @@
-+From: Christoph Fiehe <fiehe@gmx.de>
-+Date: Wed, 3 Jan 2018 00:11:20 +0100
-+Subject: [PATCH] Use keystoneclient to check project ID exists
-+
-+Based on Christoph's implementation proposed in [1].
-+
-+[1] https://bugs.launchpad.net/nova/+bug/1716344
-+
-+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
-+---
-+ nova/api/openstack/identity.py | 81 ++++++++++++++++--------------------------
-+ 1 file changed, 30 insertions(+), 51 deletions(-)
-+
-+diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py
-+index 833d3b5..3269cec 100644
-+--- a/nova/api/openstack/identity.py
-++++ b/nova/api/openstack/identity.py
-+@@ -12,16 +12,15 @@
-+ # License for the specific language governing permissions and limitations
-+ # under the License.
-+
-+-from keystoneauth1 import exceptions as kse
-+-from keystoneauth1 import loading as ks_loading
-++from keystoneauth1 import session
-++from keystoneclient import exceptions as kse
-++from keystoneclient.v3 import client
-+ from oslo_log import log as logging
-+ import webob
-+
-+-import nova.conf
-+ from nova.i18n import _
-+
-+
-+-CONF = nova.conf.CONF
-+ LOG = logging.getLogger(__name__)
-+
-+
-+@@ -32,51 +31,31 @@ def verify_project_id(context, project_id):
-+ an HTTPBadRequest is emitted.
-+
-+ """
-+- sess = ks_loading.load_session_from_conf_options(
-+- CONF, 'keystone', auth=context.get_auth_plugin())
-+-
-+- failure = webob.exc.HTTPBadRequest(
-+- explanation=_("Project ID %s is not a valid project.") %
-+- project_id)
-++ auth = context.get_auth_plugin()
-++ sess = session.Session(auth=auth)
-++ keystone = client.Client(session=sess)
-+ try:
-+- resp = sess.get('/projects/%s' % project_id,
-+- endpoint_filter={
-+- 'service_type': 'identity',
-+- 'version': (3, 0)
-+- },
-+- raise_exc=False)
-+- except kse.EndpointNotFound:
-+- LOG.error(
-+- "Keystone identity service version 3.0 was not found. This might "
-+- "be because your endpoint points to the v2.0 versioned endpoint "
-+- "which is not supported. Please fix this.")
-+- raise failure
-+- except kse.ClientException:
-+- # something is wrong, like there isn't a keystone v3 endpoint,
-+- # we'll take the pass and default to everything being ok.
-+- LOG.exception("Unable to contact keystone to verify project_id")
-+- return True
-+-
-+- if resp:
-+- # All is good with this 20x status
-+- return True
-+- elif resp.status_code == 404:
-+- # we got access, and we know this project is not there
-+- raise failure
-+- elif resp.status_code == 403:
-+- # we don't have enough permission to verify this, so default
-+- # to "it's ok".
-+- LOG.info(
-+- "Insufficient permissions for user %(user)s to verify "
-+- "existence of project_id %(pid)s",
-+- {"user": context.user_id, "pid": project_id})
-+- return True
-+- else:
-+- LOG.warning(
-+- "Unexpected response from keystone trying to "
-+- "verify project_id %(pid)s - resp: %(code)s %(content)s",
-+- {"pid": project_id,
-+- "code": resp.status_code,
-+- "content": resp.content})
-+- # realize we did something wrong, but move on with a warning
-+- return True
-++ project = keystone.projects.get(project_id)
-++ except kse.ClientException as e:
-++ if e.http_status == 404:
-++ # we got access, and we know this project is not there
-++ raise webob.exc.HTTPBadRequest(
-++ explanation=_("Project ID %s is not a valid project.") %
-++ project_id)
-++ elif e.http_status == 403:
-++ # we don't have enough permission to verify this, so default
-++ # to "it's ok".
-++ LOG.info(
-++ "Insufficient permissions for user %(user)s to verify "
-++ "existence of project_id %(pid)s",
-++ {"user": context.user_id, "pid": project_id})
-++ return True
-++ else:
-++ LOG.warning(
-++ "Unexpected response from keystone trying to "
-++ "verify project_id %(pid)s - resp: %(code)s %(content)s",
-++ {"pid": project_id,
-++ "code": resp.status_code,
-++ "content": resp.content})
-++ # realize we did something wrong, but move on with a warning
-++ return True
Code Review / fuel.git / commitdiff