neutron-lbaas/neutron_lbaas/common/keystone.py
chen, hao 56c7669dcf Allow setting "insecure" in neutron_lbaas.conf
Keystone deployments can be on self signed certs, which will fail
on verifying the cert on client side. This patch allows an user
to turn off cert verification.

Change-Id: I7db3c7f9dd5c2f8b0ff4da65eefaf6cd95a5c671
Partially-Closes: #1611509
2016-08-11 15:29:18 -07:00

126 lines
3.7 KiB
Python

# Copyright 2015 Rackspace
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1.identity import v2 as v2_client
from keystoneauth1.identity import v3 as v3_client
from keystoneauth1 import session
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import excutils
from neutron_lbaas._i18n import _, _LE
LOG = logging.getLogger(__name__)
_SESSION = None
OPTS = [
cfg.StrOpt(
'auth_url',
default='http://127.0.0.1:5000/v2.0',
help=_('Authentication endpoint'),
),
cfg.StrOpt(
'admin_user',
default='admin',
help=_('The service admin user name'),
),
cfg.StrOpt(
'admin_tenant_name',
default='admin',
help=_('The service admin tenant name'),
),
cfg.StrOpt(
'admin_password',
secret=True,
default='password',
help=_('The service admin password'),
),
cfg.StrOpt(
'admin_user_domain',
default='admin',
help=_('The admin user domain name'),
),
cfg.StrOpt(
'admin_project_domain',
default='admin',
help=_('The admin project domain name'),
),
cfg.StrOpt(
'region',
default='RegionOne',
help=_('The deployment region'),
),
cfg.StrOpt(
'service_name',
default='lbaas',
help=_('The name of the service'),
),
cfg.StrOpt(
'auth_version',
default='2',
help=_('The auth version used to authenticate'),
),
cfg.StrOpt(
'endpoint_type',
default='public',
help=_('The endpoint_type to be used')
),
cfg.BoolOpt(
'insecure',
default=False,
help=_('Disable server certificate verification')
)
]
cfg.CONF.register_opts(OPTS, 'service_auth')
def get_session():
"""Initializes a Keystone session.
:returns: a Keystone Session object
:raises Exception: if the session cannot be established
"""
global _SESSION
if not _SESSION:
auth_url = cfg.CONF.service_auth.auth_url
insecure = cfg.CONF.service_auth.insecure
kwargs = {'auth_url': auth_url,
'username': cfg.CONF.service_auth.admin_user,
'password': cfg.CONF.service_auth.admin_password}
if cfg.CONF.service_auth.auth_version == '2':
client = v2_client
kwargs['tenant_name'] = cfg.CONF.service_auth.admin_tenant_name
elif cfg.CONF.service_auth.auth_version == '3':
client = v3_client
kwargs['project_name'] = cfg.CONF.service_auth.admin_tenant_name
kwargs['user_domain_name'] = (cfg.CONF.service_auth.
admin_user_domain)
kwargs['project_domain_name'] = (cfg.CONF.service_auth.
admin_project_domain)
else:
raise Exception(_('Unknown keystone version!'))
try:
kc = client.Password(**kwargs)
_SESSION = session.Session(auth=kc, verify=not insecure)
except Exception:
with excutils.save_and_reraise_exception():
LOG.exception(_LE("Error creating Keystone session."))
return _SESSION