Add project_id to barbican keymgr wrapper
authorBrianna Poulos <Brianna.Poulos@jhuapl.edu>
Fri, 13 Feb 2015 20:12:11 +0000 (15:12 -0500)
committerBrianna Poulos <Brianna.Poulos@jhuapl.edu>
Tue, 10 Mar 2015 15:22:52 +0000 (11:22 -0400)
Currently, the barbican keymgr wrapper does not provide the project_id
to barbican.  As a result, all key operations done in cinder with a
barbican backend are stored in the barbican database with a NULL
external project_id.

This patch adds the project_id to the auth plugin created using the
auth token, so that barbican has access to the project_id and uses
the external project_id with all key operations.

Change-Id: Ia5f6cdd5177893d2f13f181e1ced278d49f9d910
Closes-Bug: #1421795

cinder/keymgr/barbican.py
cinder/tests/keymgr/test_barbican.py

index 34c6d79bc3a02afab132668efaf5b5156d10aa7f..0d63f4ccb2580ba565d85dec77707c0747ae8b75 100644 (file)
@@ -54,6 +54,8 @@ class BarbicanKeyManager(key_mgr.KeyManager):
         :param ctxt: the user context for authentication
         :return: a Barbican Client object
         :throws NotAuthorized: if the ctxt is None
+        :throws KeyManagerError: if ctxt is missing project_id
+                                 or project_id is None
         """
 
         if not self._barbican_client:
@@ -63,10 +65,16 @@ class BarbicanKeyManager(key_mgr.KeyManager):
                 LOG.error(msg)
                 raise exception.NotAuthorized(msg)
 
+            if not hasattr(ctxt, 'project_id') or ctxt.project_id is None:
+                msg = _("Unable to create Barbican Client without project_id.")
+                LOG.error(msg)
+                raise exception.KeyManagerError(msg)
+
             try:
                 auth = identity.v3.Token(
                     auth_url=CONF.keymgr.encryption_auth_url,
-                    token=ctxt.auth_token)
+                    token=ctxt.auth_token,
+                    project_id=ctxt.project_id)
                 sess = session.Session(auth=auth)
                 self._barbican_client = barbican_client.Client(
                     session=sess,
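Review bot: The new project_id check and the project-scoped `identity.v3.Token` sit under `if not self._barbican_client:`, so they only run when the client is first built, and the client kept in `self._barbican_client` stays bound to that first context's token and project. If one key manager instance serves requests from more than one project (not visible in this hunk), later key operations would be attributed to the first caller's project_id rather than their own, which undercuts the per-project separation this change is meant to give Barbican. Consider building the session per call, or recording the project next to the cached client in a new attribute and rebuilding on mismatch, e.g. `if not self._barbican_client or self._client_project_id != ctxt.project_id:`. The enclosing method starts and ends outside this hunk.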
index ef8577f1e153e3d0581c3fa5ad123c4c86dfd47c..f3382115e31b69de8dcc4a3e889483e8336b8015 100644 (file)
@@ -45,6 +45,7 @@ class BarbicanKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
         # Create fake auth_token
         self.ctxt = mock.Mock()
         self.ctxt.auth_token = "fake_token"
+        self.ctxt.project_id = "fake_project_id"
 
         # Create mock barbican client
         self._build_mock_barbican()
@@ -229,3 +230,44 @@ class BarbicanKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
         self.key_mgr._barbican_client = None
         self.assertRaises(exception.NotAuthorized,
                           self.key_mgr.store_key, None, None)
+
+    def test_null_project_id(self):
+        self.key_mgr._barbican_client = None
+        self.ctxt.project_id = None
+        self.assertRaises(exception.KeyManagerError,
+                          self.key_mgr.create_key, self.ctxt)
+
+    def test_ctxt_without_project_id(self):
+        self.key_mgr._barbican_client = None
+        del self.ctxt.project_id
+        self.assertRaises(exception.KeyManagerError,
+                          self.key_mgr.create_key, self.ctxt)
+
+    @mock.patch('cinder.keymgr.barbican.identity.v3.Token')
+    @mock.patch('cinder.keymgr.barbican.session.Session')
+    @mock.patch('cinder.keymgr.barbican.barbican_client.Client')
+    def test_ctxt_with_project_id(self, mock_client, mock_session,
+                                  mock_token):
+        # set client to None so that client creation will occur
+        self.key_mgr._barbican_client = None
+
+        # mock the return values
+        mock_auth = mock.Mock()
+        mock_token.return_value = mock_auth
+        mock_sess = mock.Mock()
+        mock_session.return_value = mock_sess
+
+        # mock the endpoint
+        mock_endpoint = mock.Mock()
+        self.key_mgr._barbican_endpoint = mock_endpoint
+
+        self.key_mgr.create_key(self.ctxt)
+
+        # assert proper calls occured, including with project_id
+        mock_token.assert_called_once_with(
+            auth_url=CONF.keymgr.encryption_auth_url,
+            token=self.ctxt.auth_token,
+            project_id=self.ctxt.project_id)
+        mock_session.assert_called_once_with(auth=mock_auth)
+        mock_client.assert_called_once_with(session=mock_sess,
+                                            endpoint=mock_endpoint)
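Review bot: None of the three added tests covers the path where `_barbican_client` is already set, because each one resets it to None before calling `create_key`. The project_id guard and the scoped token are therefore only verified for the first client build. A further test that calls `create_key` with a second context carrying a different project_id would pin whether that context's id is actually used; the manager code suggests the cached client would be reused instead. The negative tests could also assert that `identity.v3.Token` was never called. Separately, the comment `# assert proper calls occured, including with project_id` should read `occurred`.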