OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

452 lines
19 KiB

# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import datetime
from oslo_db import api as oslo_db_api
import sqlalchemy
from keystone.common import driver_hints
from keystone.common import password_hashing
from keystone.common import resource_options
from keystone.common import sql
import keystone.conf
from keystone import exception
from keystone.i18n import _
from keystone.identity.backends import base
from keystone.identity.backends import resource_options as options
from keystone.identity.backends import sql_model as model
CONF = keystone.conf.CONF
def _stale_data_exception_checker(exc):
return isinstance(exc, sqlalchemy.orm.exc.StaleDataError)
class Identity(base.IdentityDriverBase):
# NOTE(henry-nash): Override the __init__() method so as to take a
# config parameter to enable sql to be used as a domain-specific driver.
def __init__(self, conf=None):
self.conf = conf
super(Identity, self).__init__()
@property
def is_sql(self):
return True
def _check_password(self, password, user_ref):
"""Check the specified password against the data store.
Note that we'll pass in the entire user_ref in case the subclass
needs things like user_ref.get('name')
For further justification, please see the follow up suggestion at
https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam
"""
return password_hashing.check_password(password, user_ref.password)
# Identity interface
def authenticate(self, user_id, password):
with sql.session_for_read() as session:
try:
user_ref = self._get_user(session, user_id)
user_dict = base.filter_user(user_ref.to_dict())
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if self._is_account_locked(user_id, user_ref):
raise exception.AccountLocked(user_id=user_id)
elif not self._check_password(password, user_ref):
self._record_failed_auth(user_id)
raise AssertionError(_('Invalid user / password'))
elif not user_ref.enabled:
raise exception.UserDisabled(user_id=user_id)
elif user_ref.password_is_expired:
raise exception.PasswordExpired(user_id=user_id)
# successful auth, reset failed count if present
if user_ref.local_user.failed_auth_count:
self._reset_failed_auth(user_id)
return user_dict
def _is_account_locked(self, user_id, user_ref):
"""Check if the user account is locked.
Checks if the user account is locked based on the number of failed
authentication attempts.
:param user_id: The user ID
:param user_ref: Reference to the user object
:returns Boolean: True if the account is locked; False otherwise
"""
ignore_option = user_ref.get_resource_option(
options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_id)
if ignore_option and ignore_option.option_value is True:
return False
attempts = user_ref.local_user.failed_auth_count or 0
max_attempts = CONF.security_compliance.lockout_failure_attempts
lockout_duration = CONF.security_compliance.lockout_duration
if max_attempts and (attempts >= max_attempts):
if not lockout_duration:
return True
else:
delta = datetime.timedelta(seconds=lockout_duration)
last_failure = user_ref.local_user.failed_auth_at
if (last_failure + delta) > datetime.datetime.utcnow():
return True
else:
self._reset_failed_auth(user_id)
return False
def _record_failed_auth(self, user_id):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
if not user_ref.local_user.failed_auth_count:
user_ref.local_user.failed_auth_count = 0
user_ref.local_user.failed_auth_count += 1
user_ref.local_user.failed_auth_at = datetime.datetime.utcnow()
def _reset_failed_auth(self, user_id):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
user_ref.local_user.failed_auth_count = 0
user_ref.local_user.failed_auth_at = None
# user crud
@sql.handle_conflicts(conflict_type='user')
def create_user(self, user_id, user):
with sql.session_for_write() as session:
user_ref = model.User.from_dict(user)
if self._change_password_required(user_ref):
user_ref.password_ref.expires_at = datetime.datetime.utcnow()
user_ref.created_at = datetime.datetime.utcnow()
session.add(user_ref)
# Set resource options passed on creation
resource_options.resource_options_ref_to_mapper(
user_ref, model.UserOption)
return base.filter_user(user_ref.to_dict())
def _change_password_required(self, user):
if not CONF.security_compliance.change_password_upon_first_use:
return False
ignore_option = user.get_resource_option(
options.IGNORE_CHANGE_PASSWORD_OPT.option_id)
return not (ignore_option and ignore_option.option_value is True)
def _create_password_expires_query(self, session, query, hints):
for filter_ in hints.filters:
if 'password_expires_at' == filter_['name']:
# Filter on users who's password expires based on the operator
# specified in `filter_['comparator']`
query = query.filter(sqlalchemy.and_(
model.LocalUser.id == model.Password.local_user_id,
filter_['comparator'](model.Password.expires_at,
filter_['value'])))
# Removes the `password_expired_at` filters so there are no errors
# if the call is filtered further. This is because the
# `password_expires_at` value is not stored in the `User` table but
# derived from the `Password` table's value `expires_at`.
hints.filters = [x for x in hints.filters if x['name'] !=
'password_expires_at']
return query, hints
@staticmethod
def _apply_limits_to_list(collection, hints):
if not hints.limit:
return collection
return collection[:hints.limit['limit']]
@driver_hints.truncated
def list_users(self, hints):
with sql.session_for_read() as session:
query = session.query(model.User).outerjoin(model.LocalUser)
query, hints = self._create_password_expires_query(session, query,
hints)
user_refs = sql.filter_limit_query(model.User, query, hints)
return [base.filter_user(x.to_dict()) for x in user_refs]
def unset_default_project_id(self, project_id):
with sql.session_for_write() as session:
query = session.query(model.User)
query = query.filter(model.User.default_project_id == project_id)
for user in query:
user.default_project_id = None
def _get_user(self, session, user_id):
user_ref = session.query(model.User).get(user_id)
if not user_ref:
raise exception.UserNotFound(user_id=user_id)
return user_ref
def get_user(self, user_id):
with sql.session_for_read() as session:
return base.filter_user(
self._get_user(session, user_id).to_dict())
def get_user_by_name(self, user_name, domain_id):
with sql.session_for_read() as session:
query = session.query(model.User).join(model.LocalUser)
query = query.filter(sqlalchemy.and_(
model.LocalUser.name == user_name,
model.LocalUser.domain_id == domain_id))
try:
user_ref = query.one()
except sql.NotFound:
raise exception.UserNotFound(user_id=user_name)
return base.filter_user(user_ref.to_dict())
@sql.handle_conflicts(conflict_type='user')
# Explicitly retry on StaleDataErrors, which can happen if two clients
# update the same user's password and the second client has stale password
# information.
@oslo_db_api.wrap_db_retry(exception_checker=_stale_data_exception_checker)
def update_user(self, user_id, user):
with sql.session_for_write() as session:
user_ref = self._get_user(session, user_id)
old_user_dict = user_ref.to_dict()
for k in user:
old_user_dict[k] = user[k]
new_user = model.User.from_dict(old_user_dict)
for attr in model.User.attributes:
if attr not in model.User.readonly_attributes:
setattr(user_ref, attr, getattr(new_user, attr))
# Move the "_resource_options" attribute over to the real user_ref
# so that resource_options.resource_options_ref_to_mapper can
# handle the work.
setattr(user_ref, '_resource_options',
getattr(new_user, '_resource_options', {}))
# Move options into the proper attribute mapper construct
resource_options.resource_options_ref_to_mapper(
user_ref, model.UserOption)
if 'password' in user:
user_ref.password = user['password']
if self._change_password_required(user_ref):
expires_now = datetime.datetime.utcnow()
user_ref.password_ref.expires_at = expires_now
user_ref.extra = new_user.extra
return base.filter_user(
user_ref.to_dict(include_extra_dict=True))
def _validate_password_history(self, password, user_ref):
unique_cnt = CONF.security_compliance.unique_last_password_count
# Validate the new password against the remaining passwords.
if unique_cnt > 0:
for password_ref in user_ref.local_user.passwords[-unique_cnt:]:
if password_hashing.check_password(
password, password_ref.password_hash):
raise exception.PasswordHistoryValidationError(
unique_count=unique_cnt)
def change_password(self, user_id, new_password):
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_id)
lock_pw_opt = user_ref.get_resource_option(
options.LOCK_PASSWORD_OPT.option_id)
if lock_pw_opt is not None and lock_pw_opt.option_value is True:
raise exception.PasswordSelfServiceDisabled()
if user_ref.password_ref and user_ref.password_ref.self_service:
self._validate_minimum_password_age(user_ref)
self._validate_password_history(new_password, user_ref)
user_ref.password = new_password
user_ref.password_ref.self_service = True
def _validate_minimum_password_age(self, user_ref):
min_age_days = CONF.security_compliance.minimum_password_age
min_age = (user_ref.password_created_at +
datetime.timedelta(days=min_age_days))
if datetime.datetime.utcnow() < min_age:
days_left = (min_age - datetime.datetime.utcnow()).days
raise exception.PasswordAgeValidationError(
min_age_days=min_age_days, days_left=days_left)
def add_user_to_group(self, user_id, group_id):
with sql.session_for_write() as session:
self.get_group(group_id)
self.get_user(user_id)
query = session.query(model.UserGroupMembership)
query = query.filter_by(user_id=user_id)
query = query.filter_by(group_id=group_id)
rv = query.first()
if rv:
return
session.add(model.UserGroupMembership(user_id=user_id,
group_id=group_id))
def check_user_in_group(self, user_id, group_id):
with sql.session_for_read() as session:
self.get_group(group_id)
self.get_user(user_id)
# Note(knikolla): Check for normal group membership
query = session.query(model.UserGroupMembership)
query = query.filter_by(user_id=user_id)
query = query.filter_by(group_id=group_id)
if query.first():
return
# Note(knikolla): Check for expiring group membership
query = session.query(model.ExpiringUserGroupMembership)
query = query.filter(
model.ExpiringUserGroupMembership.user_id == user_id)
query = query.filter(
model.ExpiringUserGroupMembership.group_id == group_id)
active = [q for q in query.all() if not q.expired]
if active:
return
raise exception.NotFound(_("User '%(user_id)s' not found in"
" group '%(group_id)s'") %
{'user_id': user_id,
'group_id': group_id})
def remove_user_from_group(self, user_id, group_id):
# We don't check if user or group are still valid and let the remove
# be tried anyway - in case this is some kind of clean-up operation
with sql.session_for_write() as session:
query = session.query(model.UserGroupMembership)
query = query.filter_by(user_id=user_id)
query = query.filter_by(group_id=group_id)
membership_ref = query.first()
if membership_ref is None:
# Check if the group and user exist to return descriptive
# exceptions.
self.get_group(group_id)
self.get_user(user_id)
raise exception.NotFound(_("User '%(user_id)s' not found in"
" group '%(group_id)s'") %
{'user_id': user_id,
'group_id': group_id})
session.delete(membership_ref)
def list_groups_for_user(self, user_id, hints):
def row_to_group_dict(row):
group = row.group.to_dict()
group['membership_expires_at'] = row.expires
return group
with sql.session_for_read() as session:
self.get_user(user_id)
query = session.query(model.Group).join(model.UserGroupMembership)
query = query.filter(model.UserGroupMembership.user_id == user_id)
query = sql.filter_limit_query(model.Group, query, hints)
groups = [g.to_dict() for g in query]
# Note(knikolla): We must use the ExpiringGroupMembership model
# so that we can access the expired property.
query = session.query(model.ExpiringUserGroupMembership)
query = query.filter(
model.ExpiringUserGroupMembership.user_id == user_id)
query = sql.filter_limit_query(
model.UserGroupMembership, query, hints)
expiring_groups = [row_to_group_dict(r) for r in query.all()
if not r.expired]
# Note(knikolla): I would have loved to be able to merge the two
# queries together and use filter_limit_query on the union, but
# I haven't found a generic way to express expiration in a SQL
# query, therefore we have to apply the limits here again.
return self._apply_limits_to_list(groups + expiring_groups, hints)
def list_users_in_group(self, group_id, hints):
with sql.session_for_read() as session:
self.get_group(group_id)
query = session.query(model.User).outerjoin(model.LocalUser)
query = query.join(model.UserGroupMembership)
query = query.filter(
model.UserGroupMembership.group_id == group_id)
query, hints = self._create_password_expires_query(session, query,
hints)
query = sql.filter_limit_query(model.User, query, hints)
return [base.filter_user(u.to_dict()) for u in query]
@oslo_db_api.wrap_db_retry(retry_on_deadlock=True)
def delete_user(self, user_id):
with sql.session_for_write() as session:
ref = self._get_user(session, user_id)
q = session.query(model.UserGroupMembership)
q = q.filter_by(user_id=user_id)
q.delete(False)
session.delete(ref)
# group crud
@sql.handle_conflicts(conflict_type='group')
def create_group(self, group_id, group):
with sql.session_for_write() as session:
ref = model.Group.from_dict(group)
session.add(ref)
return ref.to_dict()
@driver_hints.truncated
def list_groups(self, hints):
with sql.session_for_read() as session:
query = session.query(model.Group)
refs = sql.filter_limit_query(model.Group, query, hints)
return [ref.to_dict() for ref in refs]
def _get_group(self, session, group_id):
ref = session.query(model.Group).get(group_id)
if not ref:
raise exception.GroupNotFound(group_id=group_id)
return ref
def get_group(self, group_id):
with sql.session_for_read() as session:
return self._get_group(session, group_id).to_dict()
def get_group_by_name(self, group_name, domain_id):
with sql.session_for_read() as session:
query = session.query(model.Group)
query = query.filter_by(name=group_name)
query = query.filter_by(domain_id=domain_id)
try:
group_ref = query.one()
except sql.NotFound:
raise exception.GroupNotFound(group_id=group_name)
return group_ref.to_dict()
@sql.handle_conflicts(conflict_type='group')
def update_group(self, group_id, group):
with sql.session_for_write() as session:
ref = self._get_group(session, group_id)
old_dict = ref.to_dict()
for k in group:
old_dict[k] = group[k]
new_group = model.Group.from_dict(old_dict)
for attr in model.Group.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_group, attr))
ref.extra = new_group.extra
return ref.to_dict()
def delete_group(self, group_id):
with sql.session_for_write() as session:
ref = self._get_group(session, group_id)
q = session.query(model.UserGroupMembership)
q = q.filter_by(group_id=group_id)
q.delete(False)
session.delete(ref)