Factor out authenticate method for engine.

This patch factors out an authenticate() function for use by both
the heat service authentication and the resource authentication.
This fixes the AWS auth method for creating resources - issue #153.

Change-Id: I134e993263ae6ba4890f56bfbe6a6a3205b7f921
Signed-off-by: Ian Main <imain@redhat.com>
This commit is contained in:
Ian Main 2012-06-22 08:48:23 -07:00
parent 38d382ad07
commit e0c3141253
5 changed files with 113 additions and 86 deletions

81
heat/engine/auth.py Normal file

@ -0,0 +1,81 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import json
import httplib
import urlparse
from novaclient.v1_1 import client
from novaclient.exceptions import BadRequest
from novaclient.exceptions import NotFound
from novaclient.exceptions import AuthorizationFailure
from heat.common import context
logger = logging.getLogger('heat.engine.auth')
def authenticate(con, service_type='heat', service_name='heat'):
""" Authenticate a user context. This authenticates either an
EC2 style key context or a keystone user/pass context.
In the case of EC2 style authentication this will also set the
username in the context so we can use it to key in the database.
"""
if con.password is not None:
nova = client.Client(con.username, con.password,
con.tenant, con.auth_url,
service_type=service_type,
service_name=service_name)
nova.authenticate()
return nova
else:
# We'll have to do AWS style auth which is more complex.
# First step is to get a token from the AWS creds.
headers = {'Content-Type': 'application/json'}
o = urlparse.urlparse(con.aws_auth_uri)
if o.scheme == 'http':
conn = httplib.HTTPConnection(o.netloc)
else:
conn = httplib.HTTPSConnection(o.netloc)
conn.request('POST', o.path, body=con.aws_creds, headers=headers)
response = conn.getresponse().read()
conn.close()
result = json.loads(response)
try:
token_id = result['access']['token']['id']
# We grab the username here because with token auth and EC2
# we never get it normally. We could pass it in but then We
# are relying on user input to give us the correct username.
# This one is the result of the authentication and is verified.
username = result['access']['user']['username']
con.username = username
logger.info("AWS authentication successful.")
except (AttributeError, KeyError):
# FIXME: Should be 404 I think.
logger.info("AWS authentication failure.")
raise exception.AuthorizationFailure()
nova = client.Client(con.service_user, con.service_password,
con.tenant, con.auth_url,
proxy_token=token_id,
proxy_tenant_id=con.tenant_id,
service_type=service_type,
service_name=service_name)
nova.authenticate()
return nova

@ -32,6 +32,7 @@ from heat.common import context as ctxtlib
from heat.engine import parser from heat.engine import parser
from heat.engine import resources from heat.engine import resources
from heat.engine import watchrule from heat.engine import watchrule
from heat.engine import auth
from heat.openstack.common import timeutils from heat.openstack.common import timeutils
from novaclient.v1_1 import client from novaclient.v1_1 import client
@ -77,60 +78,6 @@ class EngineManager(manager.Manager):
"""Load configuration options and connect to the hypervisor.""" """Load configuration options and connect to the hypervisor."""
pass pass
def _authenticate(self, con):
""" Authenticate against the 'heat' service. This should be
the first call made in an endpoint call. I like to see this
done explicitly so that it is clear there is an authentication
request at the entry to the call.
In the case of EC2 style authentication this will also set the
username in the context so we can use it to key in the database.
"""
if con.password is not None:
nova = client.Client(con.username, con.password,
con.tenant, con.auth_url,
service_type='heat',
service_name='heat')
nova.authenticate()
else:
# We'll have to do AWS style auth which is more complex.
# First step is to get a token from the AWS creds.
headers = {'Content-Type': 'application/json'}
o = urlparse.urlparse(con.aws_auth_uri)
if o.scheme == 'http':
conn = httplib.HTTPConnection(o.netloc)
else:
conn = httplib.HTTPSConnection(o.netloc)
conn.request('POST', o.path, body=con.aws_creds, headers=headers)
response = conn.getresponse().read()
conn.close()
result = json.loads(response)
try:
token_id = result['access']['token']['id']
# We grab the username here because with token auth and EC2
# we never get it normally. We could pass it in but then We
# are relying on user input to give us the correct username.
# This one is the result of the authentication and is verified.
username = result['access']['user']['username']
con.username = username
logger.info("AWS authentication successful.")
except (AttributeError, KeyError):
# FIXME: Should be 404 I think.
logger.info("AWS authentication failure.")
raise exception.AuthorizationFailure()
nova = client.Client(con.service_user, con.service_password,
con.tenant, con.auth_url,
proxy_token=token_id,
proxy_tenant_id=con.tenant_id,
service_type='heat',
service_name='heat')
nova.authenticate()
def list_stacks(self, context, params): def list_stacks(self, context, params):
""" """
The list_stacks method is the end point that actually implements The list_stacks method is the end point that actually implements
@ -139,7 +86,7 @@ class EngineManager(manager.Manager):
arg2 -> Dict of http request parameters passed in from API side. arg2 -> Dict of http request parameters passed in from API side.
""" """
self._authenticate(context) auth.authenticate(context)
res = {'stacks': []} res = {'stacks': []}
stacks = db_api.stack_get_by_user(context) stacks = db_api.stack_get_by_user(context)
@ -167,7 +114,7 @@ class EngineManager(manager.Manager):
arg2 -> Name of the stack you want to see. arg2 -> Name of the stack you want to see.
arg3 -> Dict of http request parameters passed in from API side. arg3 -> Dict of http request parameters passed in from API side.
""" """
self._authenticate(context) auth.authenticate(context)
res = {'stacks': []} res = {'stacks': []}
s = db_api.stack_get_by_name(context, stack_name) s = db_api.stack_get_by_name(context, stack_name)
@ -209,7 +156,7 @@ class EngineManager(manager.Manager):
""" """
logger.info('template is %s' % template) logger.info('template is %s' % template)
self._authenticate(context) auth.authenticate(context)
if db_api.stack_get_by_name(None, stack_name): if db_api.stack_get_by_name(None, stack_name):
return {'Error': 'Stack already exists with that name.'} return {'Error': 'Stack already exists with that name.'}
@ -267,7 +214,7 @@ class EngineManager(manager.Manager):
arg4 -> Params passed from API. arg4 -> Params passed from API.
""" """
self._authenticate(context) auth.authenticate(context)
logger.info('validate_template') logger.info('validate_template')
if template is None: if template is None:
@ -297,7 +244,7 @@ class EngineManager(manager.Manager):
arg2 -> Name of the stack you want to see. arg2 -> Name of the stack you want to see.
arg3 -> Dict of http request parameters passed in from API side. arg3 -> Dict of http request parameters passed in from API side.
""" """
self._authenticate(context) auth.authenticate(context)
s = db_api.stack_get_by_name(context, stack_name) s = db_api.stack_get_by_name(context, stack_name)
if s: if s:
return s.raw_template.template return s.raw_template.template
@ -311,7 +258,7 @@ class EngineManager(manager.Manager):
arg3 -> Params passed from API. arg3 -> Params passed from API.
""" """
self._authenticate(context) auth.authenticate(context)
st = db_api.stack_get_by_name(context, stack_name) st = db_api.stack_get_by_name(context, stack_name)
if not st: if not st:
@ -347,7 +294,7 @@ class EngineManager(manager.Manager):
arg3 -> Params passed from API. arg3 -> Params passed from API.
""" """
self._authenticate(context) auth.authenticate(context)
if stack_name is not None: if stack_name is not None:
st = db_api.stack_get_by_name(context, stack_name) st = db_api.stack_get_by_name(context, stack_name)
@ -362,7 +309,7 @@ class EngineManager(manager.Manager):
def event_create(self, context, event): def event_create(self, context, event):
self._authenticate(context) auth.authenticate(context)
stack_name = event['stack'] stack_name = event['stack']
resource_name = event['resource'] resource_name = event['resource']
@ -391,7 +338,7 @@ class EngineManager(manager.Manager):
return [msg, None] return [msg, None]
def describe_stack_resource(self, context, stack_name, resource_name): def describe_stack_resource(self, context, stack_name, resource_name):
self._authenticate(context) auth.authenticate(context)
stack = db_api.stack_get_by_name(context, stack_name) stack = db_api.stack_get_by_name(context, stack_name)
if not stack: if not stack:
@ -405,7 +352,7 @@ class EngineManager(manager.Manager):
def describe_stack_resources(self, context, stack_name, def describe_stack_resources(self, context, stack_name,
physical_resource_id, logical_resource_id): physical_resource_id, logical_resource_id):
self._authenticate(context) auth.authenticate(context)
if stack_name: if stack_name:
stack = db_api.stack_get_by_name(context, stack_name) stack = db_api.stack_get_by_name(context, stack_name)
@ -433,7 +380,7 @@ class EngineManager(manager.Manager):
return resources return resources
def list_stack_resources(self, context, stack_name): def list_stack_resources(self, context, stack_name):
self._authenticate(context) auth.authenticate(context)
stack = db_api.stack_get_by_name(context, stack_name) stack = db_api.stack_get_by_name(context, stack_name)
if not stack: if not stack:

@ -24,6 +24,7 @@ from heat.common import exception
from heat.common.config import HeatEngineConfigOpts from heat.common.config import HeatEngineConfigOpts
from heat.db import api as db_api from heat.db import api as db_api
from heat.engine import checkeddict from heat.engine import checkeddict
from heat.engine import auth
logger = logging.getLogger('heat.engine.resources') logger = logging.getLogger('heat.engine.resources')
@ -121,13 +122,9 @@ class Resource(object):
return self._nova[service_type] return self._nova[service_type]
con = self.stack.context con = self.stack.context
self._nova[service_type] = nc.Client(con.username, self._nova[service_type] = auth.authenticate(con,
con.password, service_type=service_type,
con.tenant, service_name=None)
con.auth_url,
proxy_token=con.auth_token,
proxy_tenant_id=con.tenant_id,
service_type=service_type)
return self._nova[service_type] return self._nova[service_type]
def calculate_properties(self): def calculate_properties(self):

@ -15,6 +15,7 @@ from heat.engine import instance as instances
import heat.db as db_api import heat.db as db_api
from heat.engine import parser from heat.engine import parser
from heat.engine import manager from heat.engine import manager
from heat.engine import auth
@attr(tag=['unit', 'resource']) @attr(tag=['unit', 'resource'])
@ -149,8 +150,8 @@ class stacksTest(unittest.TestCase):
ctx = context.get_admin_context() ctx = context.get_admin_context()
self.m.StubOutWithMock(ctx, 'username') self.m.StubOutWithMock(ctx, 'username')
ctx.username = 'fred' ctx.username = 'fred'
self.m.StubOutWithMock(manager.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
manager.EngineManager._authenticate(ctx).AndReturn(True) auth.authenticate(ctx).AndReturn(True)
s = {} s = {}
s['name'] = stack.name s['name'] = stack.name

@ -16,6 +16,7 @@ from heat.engine import volume as volumes
from heat.engine import manager as managers from heat.engine import manager as managers
import heat.db as db_api import heat.db as db_api
from heat.engine import parser from heat.engine import parser
from heat.engine import auth
test_template_volumeattach = ''' test_template_volumeattach = '''
{ {
@ -212,8 +213,8 @@ class validateTest(unittest.TestCase):
def test_validate_volumeattach_valid(self): def test_validate_volumeattach_valid(self):
t = json.loads(test_template_volumeattach % 'vdq') t = json.loads(test_template_volumeattach % 'vdq')
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
params = {} params = {}
stack = parser.Stack(None, 'test_stack', t, 0, params) stack = parser.Stack(None, 'test_stack', t, 0, params)
@ -227,8 +228,8 @@ class validateTest(unittest.TestCase):
def test_validate_volumeattach_invalid(self): def test_validate_volumeattach_invalid(self):
t = json.loads(test_template_volumeattach % 'sda') t = json.loads(test_template_volumeattach % 'sda')
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
params = {} params = {}
stack = parser.Stack(None, 'test_stack', t, 0, params) stack = parser.Stack(None, 'test_stack', t, 0, params)
@ -244,8 +245,8 @@ class validateTest(unittest.TestCase):
t = json.loads(test_template_ref % 'WikiDatabase') t = json.loads(test_template_ref % 'WikiDatabase')
t['Parameters']['KeyName']['Value'] = 'test' t['Parameters']['KeyName']['Value'] = 'test'
params = {} params = {}
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
self.m.StubOutWithMock(instances.Instance, 'nova') self.m.StubOutWithMock(instances.Instance, 'nova')
instances.Instance.nova().AndReturn(self.fc) instances.Instance.nova().AndReturn(self.fc)
@ -261,8 +262,8 @@ class validateTest(unittest.TestCase):
t = json.loads(test_template_ref % 'WikiDatabasez') t = json.loads(test_template_ref % 'WikiDatabasez')
t['Parameters']['KeyName']['Value'] = 'test' t['Parameters']['KeyName']['Value'] = 'test'
params = {} params = {}
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
self.m.StubOutWithMock(instances.Instance, 'nova') self.m.StubOutWithMock(instances.Instance, 'nova')
instances.Instance.nova().AndReturn(self.fc) instances.Instance.nova().AndReturn(self.fc)
@ -277,8 +278,8 @@ class validateTest(unittest.TestCase):
t = json.loads(test_template_findinmap_valid) t = json.loads(test_template_findinmap_valid)
t['Parameters']['KeyName']['Value'] = 'test' t['Parameters']['KeyName']['Value'] = 'test'
params = {} params = {}
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
self.m.StubOutWithMock(instances.Instance, 'nova') self.m.StubOutWithMock(instances.Instance, 'nova')
instances.Instance.nova().AndReturn(self.fc) instances.Instance.nova().AndReturn(self.fc)
@ -293,8 +294,8 @@ class validateTest(unittest.TestCase):
t = json.loads(test_template_findinmap_invalid) t = json.loads(test_template_findinmap_invalid)
t['Parameters']['KeyName']['Value'] = 'test' t['Parameters']['KeyName']['Value'] = 'test'
params = {} params = {}
self.m.StubOutWithMock(managers.EngineManager, '_authenticate') self.m.StubOutWithMock(auth, 'authenticate')
managers.EngineManager._authenticate(None).AndReturn(True) auth.authenticate(None).AndReturn(True)
self.m.StubOutWithMock(instances.Instance, 'nova') self.m.StubOutWithMock(instances.Instance, 'nova')
instances.Instance.nova().AndReturn(self.fc) instances.Instance.nova().AndReturn(self.fc)