Since Queens [1], nova can be configured with cinder service
user credentials for operating on cinder resources without a
user auth token, similar to the things nova needs to do without
a user auth token when working with neutron and placement
resources.
This change:
- centralizes the nova [cinder] section configuration
- adds the necessary auth configuration
Needed by: https://review.opendev.org/549130/
[1] I3c35bba43fee81baebe8261f546c1424ce3a3383
Change-Id: I5640ee431f6856853f6b00ec7ed1ea21d05117dd
| ... | ... |
@@ -468,11 +468,7 @@ function create_nova_conf {
|
| 468 | 468 |
fi |
| 469 | 469 |
|
| 470 | 470 |
if is_service_enabled cinder; then |
| 471 |
- if is_service_enabled tls-proxy; then |
|
| 472 |
- CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
|
| 473 |
- CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
|
| 474 |
- iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE |
|
| 475 |
- fi |
|
| 471 |
+ configure_cinder_access |
|
| 476 | 472 |
fi |
| 477 | 473 |
|
| 478 | 474 |
if [ -n "$NOVA_STATE_PATH" ]; then |
| ... | ... |
@@ -520,8 +516,6 @@ function create_nova_conf {
|
| 520 | 520 |
# don't let the conductor get out of control now that we're using a pure python db driver |
| 521 | 521 |
iniset $NOVA_CONF conductor workers "$API_WORKERS" |
| 522 | 522 |
|
| 523 |
- iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" |
|
| 524 |
- |
|
| 525 | 523 |
if is_service_enabled tls-proxy; then |
| 526 | 524 |
iniset $NOVA_CONF DEFAULT glance_protocol https |
| 527 | 525 |
iniset $NOVA_CONF oslo_middleware enable_proxy_headers_parsing True |
| ... | ... |
@@ -593,6 +587,29 @@ function configure_placement_nova_compute {
|
| 593 | 593 |
iniset $conf placement region_name "$REGION_NAME" |
| 594 | 594 |
} |
| 595 | 595 |
|
| 596 |
+# Configure access to cinder. |
|
| 597 |
+function configure_cinder_access {
|
|
| 598 |
+ iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" |
|
| 599 |
+ iniset $NOVA_CONF cinder auth_type "password" |
|
| 600 |
+ iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI" |
|
| 601 |
+ # NOTE(mriedem): This looks a bit weird but we use the nova user here |
|
| 602 |
+ # since it has the admin role and the cinder user does not. This is |
|
| 603 |
+ # similar to using the nova user in init_nova_service_user_conf. We need |
|
| 604 |
+ # to use a user with the admin role for background tasks in nova to |
|
| 605 |
+ # be able to GET block-storage API resources owned by another project |
|
| 606 |
+ # since cinder has low-level "is_admin" checks in its DB API. |
|
| 607 |
+ iniset $NOVA_CONF cinder username nova |
|
| 608 |
+ iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD" |
|
| 609 |
+ iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 610 |
+ iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME" |
|
| 611 |
+ iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME" |
|
| 612 |
+ if is_service_enabled tls-proxy; then |
|
| 613 |
+ CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
|
| 614 |
+ CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
|
| 615 |
+ iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE |
|
| 616 |
+ fi |
|
| 617 |
+} |
|
| 618 |
+ |
|
| 596 | 619 |
function configure_console_compute {
|
| 597 | 620 |
# If we are running multiple cells (and thus multiple console proxies) on a |
| 598 | 621 |
# single host, we offset the ports to avoid collisions. We need to |
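Review bot: configure_cinder_access always writes the admin-role `nova` username and `$SERVICE_PASSWORD` into the `[cinder]` section of `$NOVA_CONF`, so every process that reads that file (or, if the file is copied elsewhere, any copy of it) holds credentials that pass cinder's "is_admin" checks; the NOTE explains why admin is needed but not which nova services need it. configure_placement_nova_compute just above appears to write to a caller-supplied `$conf`, and the new function could do the same with `local conf=${1:-$NOVA_CONF}` so callers can limit where the credentials land. In the tls-proxy branch, `iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE` leaves both expansions unquoted; `iniset "$NOVA_CONF" cinder cafile "$SSL_BUNDLE_FILE"` avoids word splitting on a path with spaces. The `CINDER_SERVICE_HOST` and `CINDER_SERVICE_PORT` assignments were carried over from the removed lines, but nothing in this function reads them and they are set only when tls-proxy is enabled, so a comment such as `# consumed outside this function; set here only to default them for the tls-proxy case — confirm the consumer` would help.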