OpenStack Orchestration (Heat)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

271 lines
10 KiB

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import hashlib
from oslo_config import cfg
from oslo_log import log as logging
from oslo_serialization import jsonutils as json
from oslo_utils import importutils
import requests
import webob
from import exception
from heat.common.i18n import _
from heat.common.i18n import _LE
from heat.common.i18n import _LI
from heat.common import wsgi
LOG = logging.getLogger(__name__)
opts = [
help=_("Authentication Endpoint URI.")),
help=_('Allow orchestration of multiple clouds.')),
help=_('Allowed keystone endpoints for auth_uri when '
'multi_cloud is enabled. At least one endpoint needs '
'to be specified.')),
help=_('Optional PEM-formatted certificate chain file.')),
help=_('Optional PEM-formatted file that contains the '
'private key.')),
help=_('Optional CA cert file to use in SSL connections.')),
help=_('If set, then the server\'s certificate will not '
'be verified.')),
cfg.CONF.register_opts(opts, group='ec2authtoken')
class EC2Token(wsgi.Middleware):
"""Authenticate an EC2 request with keystone and convert to token."""
def __init__(self, app, conf):
self.conf = conf
self.application = app
self._ssl_options = None
def _conf_get(self, name):
# try config from paste-deploy first
if name in self.conf:
return self.conf[name]
return cfg.CONF.ec2authtoken[name]
def _conf_get_auth_uri(self):
auth_uri = self._conf_get('auth_uri')
if auth_uri:
return auth_uri
# Import auth_token to have keystone_authtoken settings setup.
# We can use the auth_uri from the keystone_authtoken section
return cfg.CONF.keystone_authtoken['auth_uri']
def _conf_get_keystone_ec2_uri(auth_uri):
if auth_uri.endswith('ec2tokens'):
return auth_uri
if auth_uri.endswith('/'):
return '%sec2tokens' % auth_uri
return '%s/ec2tokens' % auth_uri
def _get_signature(self, req):
Extract the signature from the request, this can be a get/post
variable or for v4 also in a header called 'Authorization'
- params['Signature'] == version 0,1,2,3
- params['X-Amz-Signature'] == version 4
- header 'Authorization' == version 4
sig = req.params.get('Signature') or req.params.get('X-Amz-Signature')
if sig is None and 'Authorization' in req.headers:
auth_str = req.headers['Authorization']
sig = auth_str.partition("Signature=")[2].split(',')[0]
return sig
def _get_access(self, req):
Extract the access key identifier, for v 0/1/2/3 this is passed
as the AccessKeyId parameter, for version4 it is either and
X-Amz-Credential parameter or a Credential= field in the
'Authorization' header string
access = req.params.get('AWSAccessKeyId')
if access is None:
cred_param = req.params.get('X-Amz-Credential')
if cred_param:
access = cred_param.split("/")[0]
if access is None and 'Authorization' in req.headers:
auth_str = req.headers['Authorization']
cred_str = auth_str.partition("Credential=")[2].split(',')[0]
access = cred_str.split("/")[0]
return access
def __call__(self, req):
if not self._conf_get('multi_cloud'):
return self._authorize(req, self._conf_get_auth_uri())
# attempt to authorize for each configured allowed_auth_uris
# until one is successful.
# This is safe for the following reasons:
# 1. AWSAccessKeyId is a randomly generated sequence
# 2. No secret is transferred to validate a request
last_failure = None
for auth_uri in self._conf_get('allowed_auth_uris'):
LOG.debug("Attempt authorize on %s" % auth_uri)
return self._authorize(req, auth_uri)
except exception.HeatAPIException as e:
LOG.debug("Authorize failed: %s" % e.__class__)
last_failure = e
raise last_failure or exception.HeatAccessDeniedError()
def ssl_options(self):
if not self._ssl_options:
cacert = self._conf_get('ca_file')
insecure = self._conf_get('insecure')
cert = self._conf_get('cert_file')
key = self._conf_get('key_file')
self._ssl_options = {
'verify': cacert if cacert else not insecure,
'cert': (cert, key) if cert else None
return self._ssl_options
def _authorize(self, req, auth_uri):
# Read request signature and access id.
# If we find X-Auth-User in the headers we ignore a key error
# here so that we can use both authentication methods.
# Returning here just means the user didn't supply AWS
# authentication and we'll let the app try native keystone next."Checking AWS credentials.."))
signature = self._get_signature(req)
if not signature:
if 'X-Auth-User' in req.headers:
return self.application
else:"No AWS Signature found."))
raise exception.HeatIncompleteSignatureError()
access = self._get_access(req)
if not access:
if 'X-Auth-User' in req.headers:
return self.application
else:"No AWSAccessKeyId/Authorization Credential"))
raise exception.HeatMissingAuthenticationTokenError()"AWS credentials found, checking against keystone."))
if not auth_uri:
LOG.error(_LE("Ec2Token authorization failed, no auth_uri "
"specified in config file"))
raise exception.HeatInternalFailureError(_('Service '
# Make a copy of args for authentication and signature verification.
auth_params = dict(req.params)
# 'Signature' param Not part of authentication args
auth_params.pop('Signature', None)
# Authenticate the request.
# AWS v4 authentication requires a hash of the body
body_hash = hashlib.sha256(req.body).hexdigest()
creds = {'ec2Credentials': {'access': access,
'signature': signature,
'verb': req.method,
'path': req.path,
'params': auth_params,
'headers': req.headers,
'body_hash': body_hash
creds_json = json.dumps(creds)
headers = {'Content-Type': 'application/json'}
keystone_ec2_uri = self._conf_get_keystone_ec2_uri(auth_uri)'Authenticating with %s'), keystone_ec2_uri)
response =, data=creds_json,
result = response.json()
token_id = result['access']['token']['id']
tenant = result['access']['token']['tenant']['name']
tenant_id = result['access']['token']['tenant']['id']"AWS authentication successful."))
except (AttributeError, KeyError):"AWS authentication failure."))
# Try to extract the reason for failure so we can return the
# appropriate AWS error via raising an exception
reason = result['error']['message']
except KeyError:
reason = None
if reason == "EC2 access key not found.":
raise exception.HeatInvalidClientTokenIdError()
elif reason == "EC2 signature not supplied.":
raise exception.HeatSignatureError()
raise exception.HeatAccessDeniedError()
# Authenticated!
ec2_creds = {'ec2Credentials': {'access': access,
'signature': signature}}
req.headers['X-Auth-EC2-Creds'] = json.dumps(ec2_creds)
req.headers['X-Auth-Token'] = token_id
req.headers['X-Tenant-Name'] = tenant
req.headers['X-Tenant-Id'] = tenant_id
req.headers['X-Auth-URL'] = auth_uri
metadata = result['access'].get('metadata', {})
roles = metadata.get('roles', [])
req.headers['X-Roles'] = ','.join(roles)
return self.application
def EC2Token_filter_factory(global_conf, **local_conf):
Factory method for paste.deploy
conf = global_conf.copy()
def filter(app):
return EC2Token(app, conf)
return filter
def list_opts():
yield 'ec2authtoken', opts