81eebd12ad
Added an ability to retrieve information about the current user, current project, environment owner (both user and project) from keystone. Appropriate information (including extra fields but excluding internal system data) is fetched from Keystone using the same service credentials that are used to validate tokens, create trusts etc. - io.murano.User and io.murano.Project classes were added. - Both classes have 2 static methods to get current and environment owner object of appropriate class - Object model now contains project_id/user_id of the user who created the environment - Deployment task contains project_id (renamed from tenant_id) and user_id of the user who initiated the deployment Change-Id: Ic7e24c1d2b669ed315851047bcdb27e075cfc56b
189 lines
6.5 KiB
Python
189 lines
6.5 KiB
Python
# Copyright (c) 2016 Mirantis, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from keystoneauth1 import identity
|
|
from keystoneauth1 import loading as ka_loading
|
|
from keystoneclient.v3 import client as ks_client
|
|
from oslo_config import cfg
|
|
|
|
from murano.dsl import helpers
|
|
|
|
|
|
CFG_KEYSTONE_GROUP = 'keystone_authtoken'
|
|
|
|
cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token')
|
|
|
|
|
|
def _get_keystone_auth(trust_id=None):
|
|
if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type:
|
|
# Fallback to legacy v2 options if no auth_type is set.
|
|
# If auth_type is set, it is possible to use the auth loader
|
|
# from keystoneauth1. This is the same fallback as keystonemiddleware
|
|
# uses.
|
|
kwargs = {
|
|
'auth_url':
|
|
cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'),
|
|
'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user,
|
|
'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password,
|
|
'user_domain_name': "Default"
|
|
}
|
|
if not trust_id:
|
|
kwargs['project_name'] = \
|
|
cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name
|
|
kwargs['project_domain_name'] = "Default"
|
|
else:
|
|
kwargs['trust_id'] = trust_id
|
|
auth = identity.Password(**kwargs)
|
|
else:
|
|
kwargs = {}
|
|
if trust_id:
|
|
# Remove project_name and project_id, since we need a trust scoped
|
|
# auth object
|
|
kwargs['project_name'] = None
|
|
kwargs['project_domain_name'] = None
|
|
kwargs['project_id'] = None
|
|
kwargs['trust_id'] = trust_id
|
|
auth = ka_loading.load_auth_from_conf_options(
|
|
cfg.CONF,
|
|
CFG_KEYSTONE_GROUP,
|
|
**kwargs)
|
|
return auth
|
|
|
|
|
|
def _create_keystone_admin_client():
|
|
auth = _get_keystone_auth()
|
|
session = _get_session(
|
|
auth=auth,
|
|
conf_section=cfg.CONF[CFG_KEYSTONE_GROUP])
|
|
return ks_client.Client(session=session)
|
|
|
|
|
|
def get_client_session(execution_session=None, conf=None):
|
|
if not execution_session:
|
|
execution_session = helpers.get_execution_session()
|
|
trust_id = execution_session.trust_id
|
|
if trust_id is None:
|
|
return get_token_client_session(
|
|
token=execution_session.token,
|
|
project_id=execution_session.project_id)
|
|
auth = _get_keystone_auth(trust_id)
|
|
session = _get_session(auth=auth, conf_section=conf)
|
|
return session
|
|
|
|
|
|
def get_token_client_session(token=None, project_id=None, conf=None):
|
|
auth_url = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3')
|
|
if token is None or project_id is None:
|
|
execution_session = helpers.get_execution_session()
|
|
token = execution_session.token
|
|
project_id = execution_session.project_id
|
|
token_auth = identity.Token(
|
|
auth_url,
|
|
token=token,
|
|
project_id=project_id)
|
|
session = _get_session(auth=token_auth, conf_section=conf)
|
|
return session
|
|
|
|
|
|
def create_keystone_client(token=None, project_id=None, conf=None):
|
|
return ks_client.Client(session=get_token_client_session(
|
|
token=token, project_id=project_id, conf=conf))
|
|
|
|
|
|
def create_trust(trustee_token=None, trustee_project_id=None):
|
|
admin_client = _create_keystone_admin_client()
|
|
user_client = create_keystone_client(
|
|
token=trustee_token, project_id=trustee_project_id)
|
|
trustee_user = admin_client.session.auth.get_user_id(admin_client.session)
|
|
auth_ref = user_client.session.auth.get_access(user_client.session)
|
|
trustor_user = auth_ref.user_id
|
|
project = auth_ref.project_id
|
|
roles = auth_ref.role_names
|
|
trust = user_client.trusts.create(
|
|
trustor_user=trustor_user,
|
|
trustee_user=trustee_user,
|
|
impersonation=True,
|
|
role_names=roles,
|
|
project=project)
|
|
return trust.id
|
|
|
|
|
|
def delete_trust(trust):
|
|
user_client = _create_keystone_admin_client()
|
|
user_client.trusts.delete(trust)
|
|
|
|
|
|
def _get_config_option(conf_section, option_names, default=None):
|
|
if not isinstance(option_names, (list, tuple)):
|
|
option_names = (option_names,)
|
|
for name in option_names:
|
|
if hasattr(conf_section, name):
|
|
return getattr(conf_section, name)
|
|
return default
|
|
|
|
|
|
def _get_session(auth, conf_section):
|
|
# Fallback to keystone_authtoken section for TLS parameters
|
|
# if no other conf_section supplied
|
|
if not conf_section:
|
|
conf_section = cfg.CONF[CFG_KEYSTONE_GROUP]
|
|
session = ka_loading.session.Session().load_from_options(
|
|
auth=auth,
|
|
insecure=_get_config_option(conf_section, 'insecure', False),
|
|
cacert=_get_config_option(
|
|
conf_section,
|
|
('ca_file', 'cafile', 'cacert')),
|
|
key=_get_config_option(conf_section, ('key_file', 'keyfile')),
|
|
cert=_get_config_option(conf_section, ('cert_file', 'certfile')))
|
|
return session
|
|
|
|
|
|
def get_session_client_parameters(service_type=None,
|
|
region='',
|
|
interface=None,
|
|
service_name=None,
|
|
conf=None,
|
|
session=None,
|
|
execution_session=None):
|
|
if region == '':
|
|
region = cfg.CONF.home_region
|
|
result = {
|
|
'session': session or get_client_session(
|
|
execution_session=execution_session, conf=conf)
|
|
}
|
|
|
|
url = _get_config_option(conf, 'url')
|
|
if url:
|
|
result['endpoint_override'] = url
|
|
else:
|
|
if not interface:
|
|
interface = _get_config_option(conf, 'endpoint_type')
|
|
result.update({
|
|
'service_type': service_type,
|
|
'service_name': service_name,
|
|
'interface': interface,
|
|
'region_name': region
|
|
})
|
|
return result
|
|
|
|
|
|
def get_user(uid):
|
|
client = _create_keystone_admin_client()
|
|
return client.users.get(uid).to_dict()
|
|
|
|
|
|
def get_project(pid):
|
|
client = _create_keystone_admin_client()
|
|
return client.projects.get(pid).to_dict()
|