Add ability to override OpenStack privileged user auth url

Introduce os_privileged_user_auth_url config to give the ability
to override the auth_url used when authenticating
the OpenStack privileged user and bypass use of catalog found in token.

DocImpact: New os_privileged_user_auth_url config
Closes-bug: #1473206
Change-Id: I4ffca8df0eb38fe41264439ae5bb93e025c808ff

diff --git a/cinder/common/config.py b/cinder/common/config.py
index cee3b518d4400167f138556f40f4ff78abd9e8ce..161d6368bc1a93b62bdbc6f57346ff712007f9ec 100644 (file)
--- a/cinder/common/config.py
+++ b/cinder/common/config.py
@@ -202,6 +202,10 @@ global_opts = [
                default=None,
                help='Tenant name associated with the OpenStack privileged '
                     'account.'),
+    cfg.StrOpt('os_privileged_user_auth_url',
+               default=None,
+               help='Auth URL associated with the OpenStack privileged '
+                    'account.'),
 ]
 
 CONF.register_opts(global_opts)

diff --git a/cinder/compute/nova.py b/cinder/compute/nova.py
index 8f63dc87d5b554757f37efcc60c57e69d44a8185..ceacb5014a3dc0cbd20d56134b0bb793d3965989 100644 (file)
--- a/cinder/compute/nova.py
+++ b/cinder/compute/nova.py
@@ -113,11 +113,16 @@ def novaclient(context, admin_endpoint=False, privileged_user=False,
 
         # When privileged_user is used, it needs to authenticate to Keystone
         # before querying Nova, so we set auth_url to the identity service
-        # endpoint. We then pass region_name, endpoint_type, etc. to the
-        # Client() constructor so that the final endpoint is chosen correctly.
-        url = sc.url_for(service_type='identity',
-                         endpoint_type=endpoint_type,
-                         **region_filter)
+        # endpoint.
+        if CONF.os_privileged_user_auth_url:
+            url = CONF.os_privileged_user_auth_url
+        else:
+            # We then pass region_name, endpoint_type, etc. to the
+            # Client() constructor so that the final endpoint is
+            # chosen correctly.
+            url = sc.url_for(service_type='identity',
+                             endpoint_type=endpoint_type,
+                             **region_filter)
 
         LOG.debug('Creating a Nova client using "%s" user',
                   CONF.os_privileged_user_name)

diff --git a/cinder/tests/unit/compute/test_nova.py b/cinder/tests/unit/compute/test_nova.py
index 8bc50e9d4e5e394105e46865232be7ba92f1f035..4521fdd011f1e52132959f68f0963fab7ed743cb 100644 (file)
--- a/cinder/tests/unit/compute/test_nova.py
+++ b/cinder/tests/unit/compute/test_nova.py
@@ -65,6 +65,17 @@ class NovaClientTestCase(test.TestCase):
             insecure=False, endpoint_type='publicURL', cacert=None,
             timeout=None, extensions=nova.nova_extensions)
 
+    @mock.patch('novaclient.v1_1.client.Client')
+    def test_nova_client_privileged_user_custom_auth_url(self, p_client):
+        self.override_config('os_privileged_user_auth_url',
+                             'http://privatekeystonehost:5000/v2.0')
+        nova.novaclient(self.ctx, privileged_user=True)
+        p_client.assert_called_once_with(
+            'adminuser', 'strongpassword', None, region_name=None,
+            auth_url='http://privatekeystonehost:5000/v2.0',
+            insecure=False, endpoint_type='publicURL', cacert=None,
+            timeout=None, extensions=nova.nova_extensions)
+
     @mock.patch('novaclient.v1_1.client.Client')
     def test_nova_client_custom_region(self, p_client):
         self.override_config('os_region_name', 'farfaraway')