From 7e5aa637283b32eaceaf0495794626a1fdeecd82 Mon Sep 17 00:00:00 2001
From: Nick Jones <nick@dischord.org>
Date: Sun, 5 Apr 2020 12:46:20 +0100
Subject: [PATCH] [skydive] fix: Use Keystone backend to authenticate API users

Update Skydive Analyzer's configuration to use Keystone as its backend
for authenticating users.  Any user with a role in the project defined
by the variable skydive_admin_tenant_name will be able to access
Skydive.

Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
Closes-Bug: 1870903
---
 ansible/roles/skydive/defaults/main.yml                  | 1 +
 ansible/roles/skydive/templates/skydive-analyzer.conf.j2 | 9 +++++----
 .../notes/skydive-keystone-auth-0fe96463b27dd914.yaml    | 6 ++++++
 3 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml

diff --git a/ansible/roles/skydive/defaults/main.yml b/ansible/roles/skydive/defaults/main.yml
index 08b71d4327..f35ee82065 100644
--- a/ansible/roles/skydive/defaults/main.yml
+++ b/ansible/roles/skydive/defaults/main.yml
@@ -37,6 +37,7 @@ skydive_analyzer_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{
 skydive_analyzer_tag: "{{ openstack_tag }}"
 skydive_analyzer_image_full: "{{ skydive_analyzer_image }}:{{ skydive_analyzer_tag }}"
 
+skydive_admin_tenant_name: "{{ openstack_auth['project_name'] }}"
 skydive_agent_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/{{ kolla_base_distro }}-{{ skydive_install_type }}-skydive-agent"
 skydive_agent_tag: "{{ openstack_tag }}"
 skydive_agent_image_full: "{{ skydive_agent_image }}:{{ skydive_agent_tag }}"
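Review bot: The new `skydive_admin_tenant_name` default lands between the analyzer-image and agent-image variable groups with no blank line or comment, so a reader scanning the defaults will not see that this one value defines who may use Skydive. Since the commit message says any user holding any role in this project can reach the analyzer API and UI, and the default resolves to the deployment's admin project, the variable deserves its own stanza with a comment such as `# Any user holding a role in this Keystone project can authenticate to the Skydive API and web UI; override to scope access more narrowly.`. Placing it after the `skydive_agent_image_full` line, or in the role's auth-related section if one exists outside this hunk, would keep the image variables contiguous.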
diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
index e128deb80a..92d5cf7838 100644
--- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
@@ -1,13 +1,11 @@
 ### Skydive analyzer config file
 
 auth:
-  type: keystone
-  analyzer_username: {{ openstack_auth['username'] }}
-  analyzer_password: {{ openstack_auth['password'] }}
-
   keystone:
+    type: keystone
     auth_url: {{ keystone_internal_url }}/v3
     region_name: {{ openstack_region_name }}
+    tenant_name: {{ skydive_admin_tenant_name }}
     domain_name: Default
 
 logging:
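Review bot: The added `tenant_name: {{ skydive_admin_tenant_name }}` is rendered as a plain scalar, so a project name that YAML retypes (for example an all-digit name, or one such as `no`/`off` under YAML 1.1 rules) would no longer reach Skydive as the intended string; `tenant_name: "{{ skydive_admin_tenant_name }}"` avoids that. The surrounding `auth_url` and `region_name` lines have the same exposure, but they are unchanged context here. Note also that `domain_name: Default` remains hard-coded below the new key; if Skydive resolves the tenant within that domain (I cannot confirm that from this hunk), a project living in another domain would fail to authenticate, which might be worth a comment or a variable.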
@@ -40,6 +38,9 @@ etcd:
 {% endif %}
 
 analyzer:
+  auth:
+    api:
+      backend: keystone
   listen: {{ api_interface_address | put_address_in_context('url') }}:{{ skydive_analyzer_port }}
   storage:
     backend: elasticsearch
diff --git a/releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml b/releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml
new file mode 100644
index 0000000000..1beb4259b1
--- /dev/null
+++ b/releasenotes/notes/skydive-keystone-auth-0fe96463b27dd914.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - Skydive's API and the web UI now rely on Keystone for
+    authentication.  Only users in the Keystone project defined by
+    skydive_admin_tenant_name will be able to authenticate.  See
+    `LP#1870903 <https://launchpad.net/bugs/1870903>` for more details.