[openstack-dev] Access to keystone_authtoken config options (required for Sahara trust)
Gyorgy Szombathelyi
gyorgy.szombathelyi at doclerholding.com
Thu Jul 20 13:23:43 UTC 2017
Hi,
> I naively tried (see https://review.openstack.org/#/c/485521/ ) to simply
> replace the old config key with the new ones, but this fails with:
> oslo_config.cfg.NoSuchOptError: no such option project_name in group
> [keystone_authtoken]
>
> I found this thread on this list, few months ago, and apparently those options
> can't be accessed directly:
> http://lists.openstack.org/pipermail/openstack-dev/2017-
> January/110060.html
>
> but we were accessing their old version - or maybe it was just a combination
> of luck.
> So the question for Keystone people is: how to access those values? Through
> keystonemiddleware? Is there some existing code that can be used as
> reference?
>
Well, using [keystone_authtoken] usually a bad idea, that's why projects introduce
other sections, like [nova], [neutron], [service_user], etc...
Howerver it is very confusing for the user (why the hell one needs to configure the
same settings twice), but [keystone_authtoken] should be considered private for
keystonemiddleware. The effects can be mitigated with a default value of
auth_section in the new section, I think it would be wise to use this in the projects
(create a new section, like [service_user], and set CFG.service_user.auth_section=
keystone_authtoken by default, then you can use CFG.service_user.xxx values in
your code).
For an instant solution, you can use the following ugliness:
http://git.openstack.org/cgit/openstack/murano/tree/murano/common/auth_utils.py#n28
> Ciao
> --
> Luigi
Br,
György
More information about the OpenStack-dev
mailing list