From fe4d1e605935c61286d9bea14c2e432a079363d6 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sat, 12 Jul 2025 00:36:21 +0900
Subject: [PATCH] Create dedicated function to manage only keystoneauth options
Using the common function to configure keystoneauth middleware leaves
some options not actually used for service-to-service communication.
Create a dedicated function, which configures only options loaded by
keystoneauth library, to drop unnecessary options.
Change-Id: Idafdd4a3925d09f155d8ec651786ccbcd6a5f2e4
Signed-off-by: Takashi Kajinami
---
lib/cinder | 13 ++-----------
lib/keystone | 30 ++++++++++++++++++++----------
lib/neutron | 13 +++----------
lib/nova | 34 ++++------------------------------
4 files changed, 29 insertions(+), 61 deletions(-)
diff --git a/lib/cinder b/lib/cinder
index aef6854062..aafd837c95 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -303,15 +303,6 @@ function configure_cinder {
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
- inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host
- inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port
- inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol
- inicomment $CINDER_API_PASTE_INI filter:authtoken cafile
- inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name
- inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user
- inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
- inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir
-
configure_keystone_authtoken_middleware $CINDER_CONF cinder
iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
@@ -423,7 +414,7 @@ function configure_cinder {
configure_keystone_authtoken_middleware $CINDER_CONF glance glance
# Set nova credentials (used for os-assisted-snapshots)
- configure_keystone_authtoken_middleware $CINDER_CONF nova nova
+ configure_keystoneauth $CINDER_CONF nova nova
iniset $CINDER_CONF nova region_name "$REGION_NAME"
iniset $CINDER_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT"
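Review bot: After `configure_keystoneauth $CINDER_CONF nova nova` the `[nova]` section of cinder.conf no longer gets `cafile`, because the new helper in lib/keystone writes only the auth options, while the middleware helper also wrote `cafile $SSL_BUNDLE_FILE`. keystoneauth sessions do read `cafile`, so with tls-proxy enabled, certificate verification for this client would fall back to whatever default trust store the process uses; that may be fine in devstack but should be confirmed. The same applies to the `service_user` hunk below and to the two `configure_keystoneauth $NEUTRON_CONF ...` calls in lib/neutron. If the fallback is not intended, move the `iniset $conf_file $section cafile $SSL_BUNDLE_FILE` line from configure_keystone_authtoken_middleware into configure_keystoneauth. configure_cinder starts and ends outside this hunk.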
@@ -733,8 +724,8 @@ function configure_cinder_volume_upload {
}
function init_cinder_service_user_conf {
- configure_keystone_authtoken_middleware $CINDER_CONF cinder service_user
iniset $CINDER_CONF service_user send_service_user_token True
+ configure_keystoneauth $CINDER_CONF cinder service_user
}
# Restore xtrace
diff --git a/lib/keystone b/lib/keystone
index 241909cb9d..4a2d7a9f6c 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -421,9 +421,27 @@ function create_service_user {
fi
}
+# Configure options for keystoneauth
+#
+# configure_keystoneauth conf_file admin_user section
+function configure_keystoneauth {
+ local conf_file=$1
+ local admin_user=$2
+ local section=$3
+
+ iniset $conf_file $section auth_type password
+ iniset $conf_file $section interface public
+ iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI
+ iniset $conf_file $section username $admin_user
+ iniset $conf_file $section password $SERVICE_PASSWORD
+ iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
+ iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
+}
+
# Configure a service to use the auth token middleware.
#
-# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section]
+# configure_keystone_authtoken_middleware conf_file admin_user [section]
#
# section defaults to keystone_authtoken, which is where auth_token looks in
# the .conf file. If the paste config file is used (api-paste.ini) then
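Review bot: `iniset $conf_file $section password $SERVICE_PASSWORD` in configure_keystoneauth passes the password unquoted, so a value containing whitespace or glob characters is word-split or expanded before iniset sees it. The nova and neutron lines that this helper replaces elsewhere in the patch quoted these values (`"$SERVICE_PASSWORD"`, `"$KEYSTONE_SERVICE_URI"`, `"$SERVICE_PROJECT_NAME"`), so those callers lose that protection. Quote the remaining bare expansions, e.g. `iniset $conf_file $section password "$SERVICE_PASSWORD"`, and likewise for `auth_url`, `username` and `project_name`. The usage comment for configure_keystone_authtoken_middleware at the end of the hunk continues outside it.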
@@ -434,15 +452,7 @@ function configure_keystone_authtoken_middleware {
local section=${3:-keystone_authtoken}
local service_type=$4
- iniset $conf_file $section auth_type password
- iniset $conf_file $section interface public
- iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI
- iniset $conf_file $section username $admin_user
- iniset $conf_file $section password $SERVICE_PASSWORD
- iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
- iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
-
+ configure_keystoneauth $conf_file $admin_user $section
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS
if [[ -n "$service_type" ]]; then
diff --git a/lib/neutron b/lib/neutron
index ea2d8e728a..44cd249fa1 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -460,14 +460,7 @@ function configure_neutron_nova {
function create_nova_conf_neutron {
local conf=${1:-$NOVA_CONF}
- iniset $conf neutron auth_type "password"
- iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI"
- iniset $conf neutron username nova
- iniset $conf neutron password "$SERVICE_PASSWORD"
- iniset $conf neutron user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $conf neutron project_name "$SERVICE_PROJECT_NAME"
- iniset $conf neutron project_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $conf neutron auth_strategy "$Q_AUTH_STRATEGY"
+ configure_keystoneauth $conf nova neutron
iniset $conf neutron region_name "$REGION_NAME"
# optionally set options in nova_conf
@@ -1011,10 +1004,10 @@ function _configure_neutron_service {
iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES
iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES
- configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova
+ configure_keystoneauth $NEUTRON_CONF nova nova
# Configuration for placement client
- configure_keystone_authtoken_middleware $NEUTRON_CONF placement placement
+ configure_keystoneauth $NEUTRON_CONF placement placement
# Configure plugin
neutron_plugin_configure_service
diff --git a/lib/nova b/lib/nova
index 2357d87ee3..a7222cec81 100644
--- a/lib/nova
+++ b/lib/nova
@@ -628,32 +628,19 @@ function create_nova_conf {
function configure_placement_nova_compute {
# Use the provided config file path or default to $NOVA_CONF.
local conf=${1:-$NOVA_CONF}
- iniset $conf placement auth_type "password"
- iniset $conf placement auth_url "$KEYSTONE_SERVICE_URI"
- iniset $conf placement username nova
- iniset $conf placement password "$SERVICE_PASSWORD"
- iniset $conf placement user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $conf placement project_name "$SERVICE_TENANT_NAME"
- iniset $conf placement project_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $conf placement region_name "$REGION_NAME"
+ configure_keystoneauth $conf nova placement
}
# Configure access to cinder.
function configure_cinder_access {
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
- iniset $NOVA_CONF cinder auth_type "password"
- iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI"
# NOTE(mriedem): This looks a bit weird but we use the nova user here
# since it has the admin role and the cinder user does not. This is
# similar to using the nova user in init_nova_service_user_conf. We need
# to use a user with the admin role for background tasks in nova to
# be able to GET block-storage API resources owned by another project
# since cinder has low-level "is_admin" checks in its DB API.
- iniset $NOVA_CONF cinder username nova
- iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME"
- iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME"
+ configure_keystoneauth $conf nova cinder
if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
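Review bot: `configure_keystoneauth $conf nova cinder` in configure_cinder_access reads `$conf`, but no `local conf` is visible in that function and every other line in it writes to `$NOVA_CONF`; the same is true of `configure_keystoneauth $conf nova manila` in the configure_manila_access hunk below. If `conf` is unset, the unquoted expansion vanishes and the arguments shift, so the service credentials would not reach the intended section of nova.conf; if a caller happens to have set it, bash's dynamic scoping picks the target file. Both calls should name the file explicitly: `configure_keystoneauth $NOVA_CONF nova cinder` and `configure_keystoneauth $NOVA_CONF nova manila`. Separately, configure_placement_nova_compute no longer writes `region_name` and the manila hunk drops `os_region_name`, neither of which configure_keystoneauth sets; keep `iniset $conf placement region_name "$REGION_NAME"` and the manila equivalent after the helper call. configure_cinder_access continues past the end of this hunk.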
@@ -663,14 +650,7 @@ function configure_cinder_access {
# Configure access to manila.
function configure_manila_access {
- iniset $NOVA_CONF manila os_region_name "$REGION_NAME"
- iniset $NOVA_CONF manila auth_type "password"
- iniset $NOVA_CONF manila auth_url "$KEYSTONE_SERVICE_URI"
- iniset $NOVA_CONF manila username nova
- iniset $NOVA_CONF manila password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF manila user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $NOVA_CONF manila project_name "$SERVICE_TENANT_NAME"
- iniset $NOVA_CONF manila project_domain_name "$SERVICE_DOMAIN_NAME"
+ configure_keystoneauth $conf nova manila
}
function configure_console_compute {
@@ -836,13 +816,7 @@ function configure_nova_unified_limits {
function init_nova_service_user_conf {
iniset $NOVA_CONF service_user send_service_user_token True
- iniset $NOVA_CONF service_user auth_type password
- iniset $NOVA_CONF service_user auth_url "$KEYSTONE_SERVICE_URI"
- iniset $NOVA_CONF service_user username nova
- iniset $NOVA_CONF service_user password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF service_user user_domain_name "$SERVICE_DOMAIN_NAME"
- iniset $NOVA_CONF service_user project_name "$SERVICE_PROJECT_NAME"
- iniset $NOVA_CONF service_user project_domain_name "$SERVICE_DOMAIN_NAME"
+ configure_keystoneauth $NOVA_CONF nova service_user
}
function conductor_conf {