Ability to authenticate against OpenStack with application credentials or token #776

laurentganne · 2022-01-12T17:43:19Z

Pull Request description

Description of the change

In some environments, like in LEXIS project, Yorc must be able to allocate OpenStack compute resources on behalf of any user created on demand by a third party AAI (Authentication and Authorization Infrastructure), Yorc being just given an OpenStack token or Openstack application credentials, valid only for a given time defined by the third party AAI.

Added the ability for Yorc to authenticate against OpenStack using a token or application credentials, that are provided in a node template metadata (not in yorc static configuration as these are per user values with a validity defined by an external AAI.

What I did

doc/configuration.rst

In the table of OpenStack parameters,
added parameter domain_id to be used with tokens, and referencing a note for user_name and password.
The note added below the table specifies that a token or application credentials can be specified in a node template, when user/password authentication can't be used.

tosca/constants.go
Added constants for token and application credentials keys that can be define in a node template metadata

prov/terraform/openstack/generator.go

When setting OpenStack parameters used for authentication, checking if application credentials are defined in the node template metadata to use them during the authentication,
else do a token-based authentication if a toekn is defined, else do the user/password authentication like previously.

How to verify it

Verified on a LEXIS setup, using both:

the usual user/password static configuration
the external AAI provide application credentials, that a Yorc plugin (https://github.com/lexis-project/yorc-dynamic-orchestration-plugin) injects in node template metadata.