openstack/deb-murano
Code Issues Proposed changes
a89dfdcbde
deb-murano/murano/common/auth_utils.py
Gyorgy Szombathelyi 3d20f25d3b Use keystoneauth1 lib for authentication helpers 
If auth_type is set in the keystone_authtoken section,
then one can use the the keystoneauth1 library to load the
authentication plugin. This makes muranoclient fully workable,
with Keystone v3 in case domain name is not 'Default'.

Related-Bug: 1580611

Change-Id: I0d71032fb5296752ee25482b75993072884731e7
2016-07-08 12:46:17 +00:00

179 lines
6.2 KiB
Python
Raw Blame History

# Copyright (c) 2016 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import identity
from keystoneauth1 import loading as ka_loading
from keystoneclient.v3 import client as ks_client
from oslo_config import cfg
from murano.dsl import helpers
CFG_KEYSTONE_GROUP = 'keystone_authtoken'
cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token')
def _get_keystone_auth(trust_id=None):
if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type:
# Fallback to legacy v2 options if no auth_type is set.
# If auth_type is set, it is possible to use the auth loader
# from keystoneauth1. This is the same fallback as keystonemiddleware
# uses.
kwargs = {
'auth_url':
cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'),
'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user,
'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password,
'user_domain_name': "Default"
}
if not trust_id:
kwargs['project_name'] = \
cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name
kwargs['project_domain_name'] = "Default"
else:
kwargs['trust_id'] = trust_id
auth = identity.Password(**kwargs)
else:
kwargs = {}
if trust_id:
# Remove project_name and project_id, since we need a trust scoped
# auth object
kwargs['project_name'] = None
kwargs['project_domain_name'] = None
kwargs['project_id'] = None
kwargs['trust_id'] = trust_id
auth = ka_loading.load_auth_from_conf_options(
cfg.CONF,
CFG_KEYSTONE_GROUP,
**kwargs)
return auth
def _create_keystone_admin_client():
auth = _get_keystone_auth()
session = _get_session(
auth=auth,
conf_section=cfg.CONF[CFG_KEYSTONE_GROUP])
return ks_client.Client(session=session)
def get_client_session(execution_session=None, conf=None):
if not execution_session:
execution_session = helpers.get_execution_session()
trust_id = execution_session.trust_id
if trust_id is None:
return get_token_client_session(
token=execution_session.token,
project_id=execution_session.project_id)
auth = _get_keystone_auth(trust_id)
session = _get_session(auth=auth, conf_section=conf)
return session
def get_token_client_session(token=None, project_id=None, conf=None):
auth_url = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3')
if token is None or project_id is None:
execution_session = helpers.get_execution_session()
token = execution_session.token
project_id = execution_session.project_id
token_auth = identity.Token(
auth_url,
token=token,
project_id=project_id)
session = _get_session(auth=token_auth, conf_section=conf)
return session
def create_keystone_client(token=None, project_id=None, conf=None):
return ks_client.Client(session=get_token_client_session(
token=token, project_id=project_id, conf=conf))
def create_trust(trustee_token=None, trustee_project_id=None):
admin_client = _create_keystone_admin_client()
user_client = create_keystone_client(
token=trustee_token, project_id=trustee_project_id)
trustee_user = admin_client.session.auth.get_user_id(admin_client.session)
auth_ref = user_client.session.auth.get_access(user_client.session)
trustor_user = auth_ref.user_id
project = auth_ref.project_id
roles = auth_ref.role_names
trust = user_client.trusts.create(
trustor_user=trustor_user,
trustee_user=trustee_user,
impersonation=True,
role_names=roles,
project=project)
return trust.id
def delete_trust(trust):
user_client = _create_keystone_admin_client()
user_client.trusts.delete(trust)
def _get_config_option(conf_section, option_names, default=None):
if not isinstance(option_names, (list, tuple)):
option_names = (option_names,)
for name in option_names:
if hasattr(conf_section, name):
return getattr(conf_section, name)
return default
def _get_session(auth, conf_section):
# Fallback to keystone_authtoken section for TLS parameters
# if no other conf_section supplied
if not conf_section:
conf_section = cfg.CONF[CFG_KEYSTONE_GROUP]
session = ka_loading.session.Session().load_from_options(
auth=auth,
insecure=_get_config_option(conf_section, 'insecure', False),
cacert=_get_config_option(
conf_section,
('ca_file', 'cafile', 'cacert')),
key=_get_config_option(conf_section, ('key_file', 'keyfile')),
cert=_get_config_option(conf_section, ('cert_file', 'certfile')))
return session
def get_session_client_parameters(service_type=None,
region='',
interface=None,
service_name=None,
conf=None,
session=None,
execution_session=None):
if region == '':
region = cfg.CONF.home_region
result = {
'session': session or get_client_session(
execution_session=execution_session, conf=conf)
}
url = _get_config_option(conf, 'url')
if url:
result['endpoint_override'] = url
else:
if not interface:
interface = _get_config_option(conf, 'endpoint_type')
result.update({
'service_type': service_type,
'service_name': service_name,
'interface': interface,
'region_name': region
})
return result
View Git Blame Copy Permalink