add cross domain scoping

thanos-io · May 6, 2019 · 8378856 · 8378856
1 parent af78279
commit 8378856
Showing 1 changed file with 52 additions and 11 deletions.
diff --git a/pkg/objstore/swift/swift.go b/pkg/objstore/swift/swift.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/improbable-eng/thanos/pkg/objstore"
+	yaml "gopkg.in/yaml.v2"
 
 	"github.com/go-kit/kit/log"
 	"github.com/gophercloud/gophercloud"
@@ -20,23 +21,33 @@ import (
 	"github.com/gophercloud/gophercloud/openstack/objectstorage/v1/objects"
 	"github.com/gophercloud/gophercloud/pagination"
 	"github.com/pkg/errors"
-	"gopkg.in/yaml.v2"
 )
 
 // DirDelim is the delimiter used to model a directory structure in an object store bucket.
 const DirDelim = "/"
 
 type SwiftConfig struct {
-	AuthUrl       string `yaml:"auth_url"`
-	Username      string `yaml:"username"`
-	UserId        string `yaml:"user_id"`
-	Password      string `yaml:"password"`
-	DomainId      string `yaml:"domain_id"`
-	DomainName    string `yaml:"domain_name"`
-	TenantID      string `yaml:"tenant_id"`
-	TenantName    string `yaml:"tenant_name"`
-	RegionName    string `yaml:"region_name"`
-	ContainerName string `yaml:"container_name"`
+	AuthUrl        string `yaml:"auth_url"`
+	Username       string `yaml:"username"`
+	UserDomainName string `yaml:"user_domain_name"`
+	UserDomainID   string `yaml:"user_domain_id"`
+	UserId         string `yaml:"user_id"`
+	Password       string `yaml:"password"`
+	DomainId       string `yaml:"domain_id"`
+	DomainName     string `yaml:"domain_name"`
+	ProjectID      string `yaml:"project_id"`
+	ProjectName    string `yaml:"project_name"`
+	ProjectDomainID string `yaml:"project_domain_id"`
+	ProjectDomainName string `yaml:"project_domain_name"`
+	RegionName     string `yaml:"region_name"`
+	ContainerName  string `yaml:"container_name"`
+
+	// Deprecated: Please use `project_id` instead.
+	// The term `tenant` is used in the deprecated OpenStack Identity v2.
+	TenantID       string `yaml:"tenant_id"`
+	// Deprecated: Please use `project_name` instead.
+	// The term `tenant` is used in the deprecated OpenStack Identity v2.
+	TenantName     string `yaml:"tenant_name"`
 }
 
 type Container struct {
@@ -65,6 +76,36 @@ func NewContainer(logger log.Logger, conf []byte) (*Container, error) {
 		AllowReauth: true,
 	}
 
+	// In Identity v3 the term `project` is used instead of `tenant`.
+	if sc.ProjectID != "" {
+		authOpts.TenantID = sc.ProjectID
+	}
+	if sc.ProjectName != "" {
+		authOpts.TenantName = sc.ProjectName
+	}
+
+	// Support for cross domain scoping (user in different domain than project)
+	// If a userDomainName or userDomainID is given, a user is scoped to this domain
+	// and the tenant (aka project) is expected to be in the domain given by domainName or domainID.
+	if sc.UserDomainName != "" {
+		authOpts.DomainName = sc.UserDomainName
+		authOpts.Scope = &gophercloud.AuthScope{
+			DomainName: sc.DomainName,
+		}
+	} else if sc.UserDomainID != "" {
+		authOpts.DomainID = sc.UserDomainID
+		authOpts.Scope = &gophercloud.AuthScope{
+			DomainID: sc.DomainId,
+		}
+	}
+	if authOpts.Scope != nil {
+		if sc.TenantName != "" {
+			authOpts.Scope.ProjectName = sc.TenantName
+		} else if sc.TenantID != "" {
+			authOpts.Scope.ProjectID = sc.TenantID
+		}
+	}
+
 	provider, err := openstack.AuthenticatedClient(authOpts)
 	if err != nil {
 		return nil, err