4ee754f359
With directly provide auth string(with contain a json formate with auth_type and auth info), we can release context to specific auth_type and give user the ability to provide other Keystone (or their own) authentication method (like using `v3applicationcredential` or others). The format for `auth` and `auth_type` follows exactly Keystone plugins like in clouds.yaml file [1]. [1] https://docs.openstack.org/keystoneauth/latest/ plugin-options.html#additional-loaders Change-Id: Ic4dc2292a82860b9bb54ecb9e3b1a4dc806dab2c Story: #2002126 Task: #26904
65 lines
2.4 KiB
Python
65 lines
2.4 KiB
Python
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import json
|
|
|
|
from keystoneauth1 import loading as ks_loading
|
|
from oslo_log import log as logging
|
|
|
|
from heat.common import exception
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
def parse_auth_credential_to_dict(cred):
|
|
"""Parse credential to dict"""
|
|
def validate(cred):
|
|
valid_keys = ['auth_type', 'auth']
|
|
for k in valid_keys:
|
|
if k not in cred:
|
|
raise ValueError('Missing key in auth information, the '
|
|
'correct format contains %s.' % valid_keys)
|
|
try:
|
|
_cred = json.loads(cred)
|
|
except ValueError as e:
|
|
LOG.error('Failed to parse credential with error: %s' % e)
|
|
raise ValueError('Failed to parse credential, please check your '
|
|
'Stack Credential format.')
|
|
validate(_cred)
|
|
return _cred
|
|
|
|
|
|
def validate_auth_plugin(auth_plugin, keystone_session):
|
|
"""Validate if this auth_plugin is valid to use."""
|
|
|
|
try:
|
|
auth_plugin.get_token(keystone_session)
|
|
except Exception as e:
|
|
# TODO(ricolin) Add heat document link for plugin information,
|
|
# once we generated one.
|
|
failure_reason = ("Failed to validate auth_plugin with error %s. "
|
|
"Please make sure the credential you provide is "
|
|
"correct. Also make sure the it is a valid Keystone "
|
|
"auth plugin type and contain in your "
|
|
"environment." % e)
|
|
raise exception.AuthorizationFailure(failure_reason=failure_reason)
|
|
|
|
|
|
def get_keystone_plugin_loader(auth, keystone_session):
|
|
cred = parse_auth_credential_to_dict(auth)
|
|
auth_plugin = ks_loading.get_plugin_loader(
|
|
cred.get('auth_type')).load_from_options(
|
|
**cred.get('auth'))
|
|
validate_auth_plugin(auth_plugin, keystone_session)
|
|
return auth_plugin
|