openstack/deb-heat
Code Issues Proposed changes
514e9b746c
deb-heat/heat/common/heat_keystoneclient.py
Steve Baker f77195cb68 Only use a token for openstack client operations. 
This uses the same techniques as horizon for getting client
instances with an existing token.

This change also fetches a new auth_token if the context has none,
as will happen when the context is created from saved user_creds
rather than a real request.

While it appears that some code paths will result in an extra call to the
keystone client, the actual calls to keystone will be less. This is
because each client was making its own calls to keystone when
authenticating with a username and password.

Implements blueprint auth-token-only

Change-Id: If6a63a5079464758f42d5d5e83dfffb196f4a7f6
2013-07-22 12:40:11 +12:00

161 lines
6.3 KiB
Python
Raw Blame History

# vim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from heat.openstack.common import exception
import eventlet
from keystoneclient.v2_0 import client as kc
from oslo.config import cfg
from heat.openstack.common import log as logging
logger = logging.getLogger('heat.common.keystoneclient')
class KeystoneClient(object):
"""
Wrap keystone client so we can encapsulate logic used in resources
Note this is intended to be initialized from a resource on a per-session
basis, so the session context is passed in on initialization
Also note that a copy of this is created every resource as self.keystone()
via the code in engine/client.py, so there should not be any need to
directly instantiate instances of this class inside resources themselves
"""
def __init__(self, context):
self.context = context
kwargs = {
'auth_url': context.auth_url,
}
if context.password is not None:
kwargs['username'] = context.username
kwargs['password'] = context.password
kwargs['tenant_name'] = context.tenant
kwargs['tenant_id'] = context.tenant_id
elif context.auth_token is not None:
kwargs['tenant_name'] = context.tenant
kwargs['token'] = context.auth_token
else:
logger.error("Keystone connection failed, no password or " +
"auth_token!")
return
self.client = kc.Client(**kwargs)
self.client.authenticate()
def create_stack_user(self, username, password=''):
"""
Create a user defined as part of a stack, either via template
or created internally by a resource. This user will be added to
the heat_stack_user_role as defined in the config
Returns the keystone ID of the resulting user
"""
if(len(username) > 64):
logger.warning("Truncating the username %s to the last 64 "
"characters." % username)
#get the last 64 characters of the username
username = username[-64:]
user = self.client.users.create(username,
password,
'%s@heat-api.org' %
username,
tenant_id=self.context.tenant_id,
enabled=True)
# We add the new user to a special keystone role
# This role is designed to allow easier differentiation of the
# heat-generated "stack users" which will generally have credentials
# deployed on an instance (hence are implicitly untrusted)
roles = self.client.roles.list()
stack_user_role = [r.id for r in roles
if r.name == cfg.CONF.heat_stack_user_role]
if len(stack_user_role) == 1:
role_id = stack_user_role[0]
logger.debug("Adding user %s to role %s" % (user.id, role_id))
self.client.roles.add_user_role(user.id, role_id,
self.context.tenant_id)
else:
logger.error("Failed to add user %s to role %s, check role exists!"
% (username,
cfg.CONF.heat_stack_user_role))
return user.id
def delete_stack_user(self, user_id):
user = self.client.users.get(user_id)
# FIXME (shardy) : need to test, do we still need this retry logic?
# Copied from user.py, but seems like something we really shouldn't
# need to do, no bug reference in the original comment (below)...
# tempory hack to work around an openstack bug.
# seems you can't delete a user first time - you have to try
# a couple of times - go figure!
tmo = eventlet.Timeout(10)
status = 'WAITING'
reason = 'Timed out trying to delete user'
try:
while status == 'WAITING':
try:
user.delete()
status = 'DELETED'
except Exception as ce:
reason = str(ce)
logger.warning("Problem deleting user %s: %s" %
(user_id, reason))
eventlet.sleep(1)
except eventlet.Timeout as t:
if t is not tmo:
# not my timeout
raise
else:
status = 'TIMEDOUT'
finally:
tmo.cancel()
if status != 'DELETED':
raise exception.Error(reason)
def delete_ec2_keypair(self, user_id, accesskey):
self.client.ec2.delete(user_id, accesskey)
def get_ec2_keypair(self, user_id):
# We make the assumption that each user will only have one
# ec2 keypair, it's not clear if AWS allow multiple AccessKey resources
# to be associated with a single User resource, but for simplicity
# we assume that here for now
cred = self.client.ec2.list(user_id)
if len(cred) == 0:
return self.client.ec2.create(user_id, self.context.tenant_id)
if len(cred) == 1:
return cred[0]
else:
logger.error("Unexpected number of ec2 credentials %s for %s" %
(len(cred), user_id))
def disable_stack_user(self, user_id):
# FIXME : This won't work with the v3 keystone API
self.client.users.update_enabled(user_id, False)
def enable_stack_user(self, user_id):
# FIXME : This won't work with the v3 keystone API
self.client.users.update_enabled(user_id, True)
def url_for(self, **kwargs):
return self.client.service_catalog.url_for(**kwargs)
@property
def auth_token(self):
return self.client.auth_token
View Git Blame Copy Permalink