[openstack-dev] Access to keystone_authtoken config options (required for Sahara trust)

Gyorgy Szombathelyi gyorgy.szombathelyi at doclerholding.com
Thu Jul 20 13:23:43 UTC 2017


Hi,

> I naively tried (see https://review.openstack.org/#/c/485521/ ) to simply
> replace the old config key with the new ones, but this fails with:
>  oslo_config.cfg.NoSuchOptError: no such option project_name in group
> [keystone_authtoken]
> 
> I found this thread on this list, few months ago, and apparently those options
> can't be accessed directly:
> http://lists.openstack.org/pipermail/openstack-dev/2017-
> January/110060.html
> 
> but we were accessing their old version - or maybe it was just a combination
> of luck.
> So the question for Keystone people is: how to access those values? Through
> keystonemiddleware? Is there some existing code that can be used as
> reference?
> 
Well, using [keystone_authtoken] usually a bad idea, that's why projects introduce
other sections, like [nova], [neutron], [service_user], etc...
Howerver it is very confusing for the user (why the hell one needs to configure the
same settings twice), but [keystone_authtoken] should be considered private for 
keystonemiddleware. The effects can be mitigated with a default value of 
auth_section in the new section, I think it would be wise to use this in the projects
(create a new section, like [service_user], and set CFG.service_user.auth_section=
keystone_authtoken by default, then you can use CFG.service_user.xxx values in
your code).

For an instant solution, you can use the following ugliness:

http://git.openstack.org/cgit/openstack/murano/tree/murano/common/auth_utils.py#n28


> Ciao
> --
> Luigi

Br,
György




More information about the OpenStack-dev mailing list