OpenStack Identity Authentication Library


  1. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  2. # not use this file except in compliance with the License. You may obtain
  3. # a copy of the License at
  4. #
  5. # http://www.apache.org/licenses/LICENSE-2.0
  6. #
  7. # Unless required by applicable law or agreed to in writing, software
  8. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  9. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  10. # License for the specific language governing permissions and limitations
  11. # under the License.
  12. """Kerberos authentication plugins.
  13. .. warning::
  14. This module requires installation of an extra package (`requests_kerberos`)
  15. not installed by default. Without the extra package an import error will
  16. occur. The extra package can be installed using::
  17. $ pip install keystoneauth1[kerberos]
  18. """
  19. try:
  20. import requests_kerberos
  21. except ImportError:
  22. requests_kerberos = None
  23. from keystoneauth1 import access
  24. from keystoneauth1.identity import v3
  25. from keystoneauth1.identity.v3 import federation
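  def _mutual_auth(value):
      """Translate a mutual-authentication setting into a requests_kerberos constant.

      :param value: ``'required'``, ``'optional'`` or ``'disabled'`` (matched
                    case-insensitively), or ``None`` to take the default.
      :returns: the matching ``requests_kerberos`` constant. ``OPTIONAL`` is
                returned when *value* is ``None`` or is not one of the three
                recognised names; the latter case also emits a warning.
      """
      import warnings

      if value is None:
          return requests_kerberos.OPTIONAL

      levels = {
          'required': requests_kerberos.REQUIRED,
          'optional': requests_kerberos.OPTIONAL,
          'disabled': requests_kerberos.DISABLED,
      }
      key = value.lower()
      if key not in levels:
          # A mistyped 'required' would otherwise be downgraded to OPTIONAL
          # without any trace, leaving the operator believing that the
          # server's identity is being enforced. The fallback is kept for
          # backward compatibility, but it is no longer silent.
          warnings.warn(
              "Unrecognised mutual_auth value %r; falling back to 'optional'. "
              "Expected one of: required, optional, disabled." % (value,))
          return requests_kerberos.OPTIONAL
      return levels[key]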
  def _requests_auth(mutual_authentication):
      """Build the requests auth handler used for Kerberos-negotiated calls.

      :param mutual_authentication: setting name accepted by ``_mutual_auth``
                                    (or ``None`` for its default).
      :returns: a ``requests_kerberos.HTTPKerberosAuth`` instance configured
                with the resolved mutual-authentication level.
      """
      level = _mutual_auth(mutual_authentication)
      return requests_kerberos.HTTPKerberosAuth(mutual_authentication=level)
  def _dependency_check():
      """Raise ``ImportError`` if ``requests_kerberos`` failed to import.

      The module-level import stores ``None`` when the optional package is
      missing, so the plugin classes call this before doing any work.
      """
      if requests_kerberos is not None:
          return

      # The message text is unchanged; only its spelling in source differs.
      install_hint = (
          "\n"
          "Using the kerberos authentication plugin requires installation of additional\n"
          "packages. These can be installed with::\n"
          "$ pip install keystoneauth1[kerberos]\n"
      )
      raise ImportError(install_hint)
  class KerberosMethod(v3.AuthMethod):
      """Identity v3 auth method that lets Kerberos authenticate the request.

      The request body carries no credentials; a Kerberos handler is attached
      to the outgoing request instead.
      """

      # The single option of this method, read back below as
      # ``self.mutual_auth`` (presumably populated by the base class from
      # this list; confirm against v3.AuthMethod).
      _method_parameters = ['mutual_auth']

      def __init__(self, *args, **kwargs):
          # Fail early with the install hint when requests_kerberos is absent.
          _dependency_check()
          super(KerberosMethod, self).__init__(*args, **kwargs)

      def get_auth_data(self, session, auth, headers, request_kwargs, **kwargs):
          """Attach the Kerberos handler to the request and name the method.

          :param request_kwargs: keyword arguments for the outgoing request;
                                 mutated in place to add ``requests_auth``.
          :returns: the tuple ``('kerberos', {})``: the method name and an
                    empty payload.
          """
          # NOTE(jamielennox): request_kwargs is passed as a kwarg however it is
          # required and always present when called from keystoneclient.
          kerberos_handler = _requests_auth(self.mutual_auth)
          request_kwargs['requests_auth'] = kerberos_handler
          return 'kerberos', {}
  class Kerberos(v3.AuthConstructor):
      """Identity v3 auth plugin built around :class:`KerberosMethod`."""

      _auth_method_class = KerberosMethod
  class MappedKerberos(federation.FederationBaseAuth):
      """Kerberos authentication routed through keystone federation.

      An unscoped token is obtained via the OS-FEDERATION extension; the
      standard keystone auth process then scopes it to any given project.
      """

      def __init__(self, auth_url, identity_provider, protocol,
                   mutual_auth=None, **kwargs):
          """Store the mutual-authentication setting and initialise the base.

          :param mutual_auth: ``'required'``, ``'optional'``, ``'disabled'``
                              or ``None``; resolved by ``_mutual_auth`` when
                              the token request is made.
          """
          # Fail early with the install hint when requests_kerberos is absent.
          _dependency_check()
          self.mutual_auth = mutual_auth
          super(MappedKerberos, self).__init__(
              auth_url, identity_provider, protocol, **kwargs)

      def get_unscoped_auth_ref(self, session, **kwargs):
          """Fetch an unscoped token from the federated token URL.

          :param session: session object used to issue the GET request.
          :returns: the result of ``access.create`` built from the JSON body
                    and the response.
          """
          token_url = self.federated_token_url
          kerberos_handler = _requests_auth(self.mutual_auth)
          # authenticated=False is passed because this call is what obtains
          # the token; the Kerberos handler authenticates the request.
          resp = session.get(token_url,
                             requests_auth=kerberos_handler,
                             authenticated=False)
          return access.create(body=resp.json(), resp=resp)