ironic-lib/ironic_lib/json_rpc/__init__.py

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_config import cfg

from ironic_lib.common import config
from ironic_lib.common.i18n import _
from ironic_lib import keystone


CONF = cfg.CONF

opts = [
    cfg.StrOpt('auth_strategy',
               choices=[('noauth', _('no authentication')),
                        ('keystone', _('use the Identity service for '
                                       'authentication')),
                        ('http_basic', _('HTTP basic authentication'))],
               help=_('Authentication strategy used by JSON RPC. Defaults to '
                      'the global auth_strategy setting.')),
    cfg.StrOpt('http_basic_auth_user_file',
               default='/etc/ironic/htpasswd-json-rpc',
               help=_('Path to Apache format user authentication file used '
                      'when auth_strategy=http_basic')),
    cfg.HostAddressOpt('host_ip',
                       default='::',
                       help=_('The IP address or hostname on which JSON RPC '
                              'will listen.')),
    cfg.PortOpt('port',
                default=8089,
                help=_('The port to use for JSON RPC')),
    cfg.BoolOpt('use_ssl',
                default=False,
                help=_('Whether to use TLS for JSON RPC')),
    cfg.StrOpt('http_basic_username',
               deprecated_for_removal=True,
               deprecated_reason=_("Use username instead"),
               help=_("Name of the user to use for HTTP Basic authentication "
                      "client requests.")),
    cfg.StrOpt('http_basic_password',
               deprecated_for_removal=True,
               deprecated_reason=_("Use password instead"),
               secret=True,
               help=_("Password to use for HTTP Basic authentication "
                      "client requests.")),
    cfg.ListOpt('allowed_roles',
                default=['admin'],
                help=_("List of roles allowed to use JSON RPC")),
    cfg.StrOpt('unix_socket',
               help=_('Unix socket to listen on. Disables host_ip and port.')),
    cfg.Opt('unix_socket_mode', type=config.Octal(),
            help=_('File mode (an octal number) of the unix socket to '
                   'listen on. Ignored if unix_socket is not set.')),
]


def register_opts(conf):
    conf.register_opts(opts, group='json_rpc')
    keystone.register_auth_opts(conf, 'json_rpc')
    conf.set_default('timeout', 120, group='json_rpc')


register_opts(CONF)


def list_opts():
    return [('json_rpc', opts + keystone.add_auth_opts([]))]


def auth_strategy():
    # NOTE(dtantsur): this expects [DEFAULT]auth_strategy to be provided by the
    # service configuration.
    return CONF.json_rpc.auth_strategy or CONF.auth_strategy