openstack/deb-sahara
Code Issues Proposed changes

Merge "Adding generic trust creation and destruction methods"

Browse Source
This commit is contained in:
Jenkins 2014-08-04 15:56:27 +00:00 committed by Gerrit Code Review
commit 171526bb58
3 changed files with 108 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sahara/exceptions.py
View File

@ -143,6 +143,15 @@ class DBDuplicateEntry(SaharaException):
self.message = message
class CreationFailed(SaharaException):
message = _("Object was not created")
code = "CREATION_FAILED"
def __init__(self, message=None):
if message:
self.message = message
class DeletionFailed(SaharaException):
message = _("Object was not deleted")
code = "DELETION_FAILED"

4
sahara/service/ops.py
View File

@ -118,7 +118,7 @@ def _provision_cluster(cluster_id):
ctx, cluster, plugin = _prepare_provisioning(cluster_id)
if CONF.use_identity_api_v3 and cluster.is_transient:
trusts.create_trust(cluster)
trusts.create_trust_for_cluster(cluster)
# updating cluster infra
cluster = g.change_cluster_status(cluster, "InfraUpdating")
@ -233,7 +233,7 @@ def _terminate_cluster(cluster_id):
INFRA.shutdown_cluster(cluster)
if CONF.use_identity_api_v3:
trusts.delete_trust(cluster)
trusts.delete_trust_from_cluster(cluster)
conductor.cluster_destroy(ctx, cluster)

112
sahara/service/trusts.py
View File

@ -16,34 +16,122 @@
import json
from oslo.config import cfg
import six
from sahara import conductor as c
from sahara import context
from sahara import exceptions as ex
from sahara.i18n import _
from sahara.i18n import _LE
from sahara.openstack.common import log as logging
from sahara.utils.openstack import keystone
conductor = c.API
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
def create_trust(cluster):
client = keystone.client()
def create_trust(trustor,
trustee,
role_names,
impersonation=True,
project_id=None):
'''Create a trust and return it's identifier
:param trustor: The Keystone client delegating the trust.
:param trustee: The Keystone client consuming the trust.
:param role_names: A list of role names to be assigned.
:param impersonation: Should the trustee impersonate trustor,
default is True.
:param project_id: The project that the trust will be scoped into,
default is the trustor's project id.
:returns: A valid trust id.
:raises CreationFailed: If the trust cannot be created.
'''
if project_id is None:
project_id = trustor.tenant_id
try:
trust = trustor.trusts.create(trustor_user=trustor.user_id,
trustee_user=trustee.user_id,
impersonation=impersonation,
role_names=role_names,
project=project_id)
LOG.debug('Created trust {0}'.format(six.text_type(trust.id)))
return trust.id
except Exception as e:
LOG.exception(_LE('Unable to create trust (reason: %s)'), e)
raise ex.CreationFailed(_('Failed to create trust'))
def create_trust_for_cluster(cluster):
'''Create a trust for a cluster
This delegates a trust from the current user to the Sahara admin user
based on the current context roles, and then adds the trust identifier
to the cluster object.
'''
trustor = keystone.client()
ctx = context.current()
trustee = keystone.client_for_admin()
trustee_id = keystone.client_for_admin().user_id
trust_id = create_trust(trustor=trustor,
trustee=trustee,
role_names=ctx.roles)
trust = client.trusts.create(trustor_user=client.user_id,
trustee_user=trustee_id,
impersonation=True,
role_names=ctx.roles,
project=client.tenant_id)
conductor.cluster_update(ctx,
cluster,
{'trust_id': trust.id})
{'trust_id': trust_id})
def delete_trust(trustee, trust_id):
'''Delete a trust from a trustee
:param trustee: The Keystone client to delete the trust from.
:param trust_id: The identifier of the trust to delete.
:raises DeletionFailed: If the trust cannot be deleted.
'''
try:
trustee.trusts.delete(trust_id)
LOG.debug('Deleted trust {0}'.format(six.text_type(trust_id)))
except Exception as e:
LOG.exception(_LE('Unable to delete trust (reason: %s)'), e)
raise ex.DeletionFailed(
_('Failed to delete trust {0}').format(trust_id))
def delete_trust_from_cluster(cluster):
'''Delete a trust from a cluster
If the cluster has a trust delegated to it, then delete it and set
the trust id to None.
:param cluster: The cluster to delete the trust from.
'''
if cluster.trust_id:
keystone_client = keystone.client_for_trusts(cluster.trust_id)
delete_trust(keystone_client, cluster.trust_id)
ctx = context.current()
conductor.cluster_update(ctx,
cluster,
{'trust_id': None})
def use_os_admin_auth_token(cluster):
'''Set the current context to the admin user's trust scoped token
This will configure the current context to the admin user's identity
with the cluster's tenant. It will also generate an authentication token
based on the admin user and a delegated trust associated with the
cluster.
:param cluster: The cluster to use for tenant and trust identification.
'''
if cluster.trust_id:
ctx = context.current()
ctx.username = CONF.keystone_authtoken.admin_user
@ -52,9 +140,3 @@ def use_os_admin_auth_token(cluster):
ctx.token = client.auth_token
ctx.service_catalog = json.dumps(
client.service_catalog.catalog['catalog'])
def delete_trust(cluster):
if cluster.trust_id:
keystone_client = keystone.client_for_trusts(cluster.trust_id)
keystone_client.trusts.delete(cluster.trust_id)