Merge pull request #1867 from coreos-inc/keystone-timeout

Add configurable timeout and debug flags to Keystone users
2016-09-29 23:01:02 +02:00 · 2016-09-29 23:01:02 +02:00 · b4dd5ea4dd
commit b4dd5ea4dd
parent e313d59138 fd770422bb
2 changed files with 12 additions and 4 deletions
--- a/data/users/init.py
+++ b/data/users/init.py
@ -59,11 +59,12 @@ def get_users_handler(config, config_provider, override_config_dir):

  if authentication_type == 'Keystone':
    auth_url = config.get('KEYSTONE_AUTH_URL')
+    timeout = config.get('KEYSTONE_AUTH_TIMEOUT')
    keystone_admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
    keystone_admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
    keystone_admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
    return KeystoneUsers(auth_url, keystone_admin_username, keystone_admin_password,
-                         keystone_admin_tenant)
+                         keystone_admin_tenant, timeout)

  raise RuntimeError('Unknown authentication type: %s' % authentication_type)

--- a/data/users/keystone.py
+++ b/data/users/keystone.py
@ -1,4 +1,5 @@
 import logging
+import os

 from keystoneclient.v2_0 import client as kclient
 from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
@ -7,19 +8,24 @@ from data.users.federated import FederatedUsers, VerifiedCredentials

 logger = logging.getLogger(__name__)

+DEFAULT_TIMEOUT = 10 # seconds
+
 class KeystoneUsers(FederatedUsers):
  """ Delegates authentication to OpenStack Keystone. """
-  def __init__(self, auth_url, admin_username, admin_password, admin_tenant):
+  def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None):
    super(KeystoneUsers, self).__init__('keystone')
    self.auth_url = auth_url
    self.admin_username = admin_username
    self.admin_password = admin_password
    self.admin_tenant = admin_tenant
+    self.timeout = timeout or DEFAULT_TIMEOUT
+    self.debug = os.environ.get('USERS_DEBUG') == '1'

  def verify_credentials(self, username_or_email, password):
    try:
      keystone_client = kclient.Client(username=username_or_email, password=password,
-                                       auth_url=self.auth_url)
+                                       auth_url=self.auth_url, timeout=self.timeout,
+                                       debug=self.debug)
      user_id = keystone_client.user_id
    except KeystoneAuthorizationFailure as kaf:
      logger.exception('Keystone auth failure for user: %s', username_or_email)
@ -30,7 +36,8 @@ class KeystoneUsers(FederatedUsers):

    try:
      admin_client = kclient.Client(username=self.admin_username, password=self.admin_password,
-                                    tenant_name=self.admin_tenant, auth_url=self.auth_url)
+                                    tenant_name=self.admin_tenant, auth_url=self.auth_url,
+                                    timeout=self.timeout, debug=self.debug)
      user = admin_client.users.get(user_id)
    except KeystoneUnauthorized as kut:
      logger.exception('Keystone unauthorized admin')