openstack/python-keystoneclient
Code Issues Proposed changes
abe6781913
python-keystoneclient/keystoneclient/client.py

434 lines
15 KiB
Python
Raw Normal View History

Initial commit.
2011-10-25 16:50:08 -07:00
# Copyright 2010 Jacob Kaplan-Moss
# Copyright 2011 OpenStack LLC.
# Copyright 2011 Piston Cloud Computing, Inc.
# Copyright 2011 Nebula, Inc.
# All Rights Reserved.
"""
OpenStack Client interface. Handles the REST calls and responses.
"""
import copy
import logging
import urlparse
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
import requests
Initial commit.
2011-10-25 16:50:08 -07:00
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
try:
import keyring
import pickle
except ImportError:
keyring = None
pickle = None
Initial commit.
2011-10-25 16:50:08 -07:00
try:
import json
except ImportError:
import simplejson as json
# Python 2.5 compat fix
if not hasattr(urlparse, 'parse_qsl'):
import cgi
urlparse.parse_qsl = cgi.parse_qsl
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
from keystoneclient import access
Initial commit.
2011-10-25 16:50:08 -07:00
from keystoneclient import exceptions
_logger = logging.getLogger(__name__)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
class HTTPClient(object):
Initial commit.
2011-10-25 16:50:08 -07:00
USER_AGENT = 'python-keystoneclient'
more work on standardization of cliauth
2011-12-17 22:36:59 -08:00
def __init__(self, username=None, tenant_id=None, tenant_name=None,
finish removing project_id
2011-12-19 10:00:39 -08:00
password=None, auth_url=None, region_name=None, timeout=None,
Support 2-way SSL with Keystone server if it is configured to enforce 2-way SSL. See also https://review.openstack.org/#/c/7706/ for the corresponding review for the 2-way SSL addition to Keystone. Change-Id: If0cb46a43d663687396d93604a7139d85a4e7114
2012-05-23 18:16:50 +00:00
endpoint=None, token=None, cacert=None, key=None,
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
cert=None, insecure=False, original_ip=None, debug=False,
Make use_keyring False by default. Updates the use_keyring option for the Keystone Client class to default to False by default. This provides for a much easier upgrade path the the most recent keystone-client code and is backwards compatible with the previous release. This does not change the default of the no_cache keystone CLI which will still enable use_keyring by default. Fixes LP Bug #1087434. Change-Id: Iaafadde660b0542a9c0a9c1bb742cb369b523a68
2012-12-06 15:26:46 -05:00
auth_ref=None, use_keyring=False, force_new_token=False,
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
stale_duration=None):
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
"""Construct a new http client
@param: timeout the request libary timeout in seconds (default None)
"""
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.version = 'v2.0'
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
# set baseline defaults
self.username = None
self.tenant_id = None
self.tenant_name = None
self.auth_url = None
self.management_url = None
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
if timeout is not None:
self.timeout = float(timeout)
else:
self.timeout = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
# if loading from a dictionary passed in via auth_ref,
# load values from AccessInfo parsing that dictionary
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.auth_ref = access.AccessInfo(**auth_ref) if auth_ref else None
if self.auth_ref:
self.username = self.auth_ref.username
self.tenant_id = self.auth_ref.tenant_id
self.tenant_name = self.auth_ref.tenant_name
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
self.auth_url = self.auth_ref.auth_url[0]
self.management_url = self.auth_ref.management_url[0]
# allow override of the auth_ref defaults from explicit
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
# values provided to the client
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if username:
self.username = username
if tenant_id:
self.tenant_id = tenant_id
if tenant_name:
self.tenant_name = tenant_name
if auth_url:
self.auth_url = auth_url.rstrip('/')
if token:
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
self.auth_token_from_user = token
else:
self.auth_token_from_user = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if endpoint:
self.management_url = endpoint.rstrip('/')
Initial commit.
2011-10-25 16:50:08 -07:00
self.password = password
add a new HTTPClient attr for setting the original IP The original IP is useful in cases where keystoneclient is used by a different openstack component and we need to know who made the original request. Otherwise it gets overwritten by e.g. Dashboard's host's IP. bug 1046837 Change-Id: Ic22c565e92010afd89c8573c375919215b70d73d
2012-09-13 15:45:40 +02:00
self.original_ip = original_ip
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.region_name = region_name
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
if cacert:
self.verify_cert = cacert
else:
self.verify_cert = True
if insecure:
self.verify_cert = False
self.cert = cert
if cert and key:
self.cert = (cert, key,)
self.domain = ''
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
# logging setup
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.debug_log = debug
Only add logging handlers if there currently aren't any This corrects an odd problem where Horizon would stand up multiple client objects, which would cause duplicate/triplicate/dozens of repeated log lines in its log files, due to multiple identical handlers being added to the logging object Fixes Bug 1182678 Change-Id: I020b3999c9008b996286ccb74a7801c96c43e71c
2013-05-21 16:25:11 -07:00
if self.debug_log and not _logger.handlers:
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
ch = logging.StreamHandler()
_logger.setLevel(logging.DEBUG)
_logger.addHandler(ch)
Fix debug with requests. - From http://docs.python.org/2/library/functions.html#hasattr : hasattr(object, name) -- The arguments are an object and a string. - Fixes bug 1124084. Change-Id: I47283abff440abdf827598c2497519f3de510baf
2013-02-09 03:22:00 +01:00
if hasattr(requests, 'logging'):
Allow requests up to 0.8 and greater The requests module dropped all configuration with the 1.0.0 release. There's no danger_mode and no 'verbose'' mode. The former shouldn't be necessary anymore and the latter can be done by setting a different log handler for the request.logging root logger. Change-Id: I41bfaf2574f6d7fc21f86e0124ceae7df6481eee Signed-off-by: Chuck Short <chuck.short@canonical.com>
2013-02-06 09:36:51 -06:00
requests.logging.getLogger(requests.__name__).addHandler(ch)
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
# keyring setup
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
if use_keyring and keyring is None:
_logger.warning('Failed to load keyring modules.')
self.use_keyring = use_keyring and keyring is not None
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
self.force_new_token = force_new_token
self.stale_duration = stale_duration or access.STALE_TOKEN_DURATION
self.stale_duration = int(self.stale_duration)
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
@property
def auth_token(self):
if self.auth_token_from_user:
return self.auth_token_from_user
if self.auth_ref:
if self.auth_ref.will_expire_soon(self.stale_duration):
self.authenticate()
return self.auth_ref.auth_token
@auth_token.setter
def auth_token(self, value):
self.auth_token_from_user = value
@auth_token.deleter
Fix selef to self in class. Change-Id: I1fec9908fb1aa915158996d57fdd82cfdf483535
2013-02-20 08:48:14 +01:00
def auth_token(self):
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
del self.auth_token_from_user
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
def authenticate(self, username=None, password=None, tenant_name=None,
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
tenant_id=None, auth_url=None, token=None):
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
""" Authenticate user.
Uses the data provided at instantiation to authenticate against
the Keystone server. This may use either a username and password
or token for authentication. If a tenant name or id was provided
then the resulting authenticated client will be scoped to that
tenant and contain a service catalog of available endpoints.
With the v2.0 API, if a tenant name or ID is not provided, the
authenication token returned will be 'unscoped' and limited in
capabilities until a fully-scoped token is acquired.
If successful, sets the self.auth_ref and self.auth_token with
the returned token. If not already set, will also set
self.management_url from the details provided in the token.
:returns: ``True`` if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
:raises: ValueError if insufficient parameters are used.
If keyring is used, token is retrieved from keyring instead.
Authentication will only be necessary if any of the following
conditions are met:
* keyring is not used
* if token is not found in keyring
* if token retrieved from keyring is expired or about to
expired (as determined by stale_duration)
* if force_new_token is true
"""
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
auth_url = auth_url or self.auth_url
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
username = username or self.username
password = password or self.password
tenant_name = tenant_name or self.tenant_name
tenant_id = tenant_id or self.tenant_id
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
if not token:
token = self.auth_token_from_user
Fix line continuations (flake8 E125, E126) - E125: continuation line does not distinguish itself from next logical line - E126: continuation line over-indented for hanging indent Change-Id: I626a6d5d57db927e8b239f90569b5601c772f28b
2013-05-28 08:48:44 -05:00
if (not token and self.auth_ref and not
self.auth_ref.will_expire_soon(self.stale_duration)):
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
token = self.auth_ref.auth_token
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
(keyring_key, auth_ref) = self.get_auth_ref_from_keyring(auth_url,
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
username,
tenant_name,
tenant_id,
token)
new_token_needed = False
if auth_ref is None or self.force_new_token:
new_token_needed = True
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
raw_token = self.get_raw_token_from_identity_service(auth_url,
username,
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
password,
tenant_name,
tenant_id,
token)
self.auth_ref = access.AccessInfo(**raw_token)
else:
self.auth_ref = auth_ref
self.process_token()
if new_token_needed:
self.store_auth_ref_into_keyring(keyring_key)
return True
def _build_keyring_key(self, auth_url, username, tenant_name,
tenant_id, token):
""" Create a unique key for keyring.
Used to store and retrieve auth_ref from keyring.
"""
keys = [auth_url, username, tenant_name, tenant_id, token]
for index, key in enumerate(keys):
if key is None:
keys[index] = '?'
keyring_key = '/'.join(keys)
return keyring_key
def get_auth_ref_from_keyring(self, auth_url, username, tenant_name,
tenant_id, token):
""" Retrieve auth_ref from keyring.
If auth_ref is found in keyring, (keyring_key, auth_ref) is returned.
Otherwise, (keyring_key, None) is returned.
:returns: (keyring_key, auth_ref) or (keyring_key, None)
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
:returns: or (None, None) if use_keyring is not set in the object
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
"""
keyring_key = None
auth_ref = None
if self.use_keyring:
keyring_key = self._build_keyring_key(auth_url, username,
tenant_name, tenant_id,
token)
try:
auth_ref = keyring.get_password("keystoneclient_auth",
keyring_key)
if auth_ref:
auth_ref = pickle.loads(auth_ref)
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
if auth_ref.will_expire_soon(self.stale_duration):
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
# token has expired, don't use it
auth_ref = None
except Exception as e:
auth_ref = None
_logger.warning('Unable to retrieve token from keyring %s' % (
e))
return (keyring_key, auth_ref)
def store_auth_ref_into_keyring(self, keyring_key):
""" Store auth_ref into keyring.
"""
if self.use_keyring:
try:
keyring.set_password("keystoneclient_auth",
keyring_key,
pickle.dumps(self.auth_ref))
except Exception as e:
_logger.warning("Failed to store token into keyring %s" % (e))
def process_token(self):
""" Extract and process information from the new auth_ref.
"""
raise NotImplementedError
def get_raw_token_from_identity_service(self, auth_url, username=None,
password=None, tenant_name=None,
tenant_id=None, token=None):
""" Authenticate against the Identity API and get a token.
Initial commit.
2011-10-25 16:50:08 -07:00
Not implemented here because auth protocols should be API
version-specific.
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
Expected to authenticate or validate an existing authentication
reference already associated with the client. Invoking this call
*always* makes a call to the Keystone.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
:returns: ``raw token``
Initial commit.
2011-10-25 16:50:08 -07:00
"""
raise NotImplementedError
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data.
Not implemented here because data returned may be API
version-specific.
"""
raise NotImplementedError
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
def http_log_req(self, args, kwargs):
if not self.debug_log:
Initial commit.
2011-10-25 16:50:08 -07:00
return
string_parts = ['curl -i']
for element in args:
if element in ('GET', 'POST'):
string_parts.append(' -X %s' % element)
else:
string_parts.append(' %s' % element)
for element in kwargs['headers']:
header = ' -H "%s: %s"' % (element, kwargs['headers'][element])
string_parts.append(header)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
_logger.debug("REQ: %s" % "".join(string_parts))
If you specify the --debug argument, it doesn't show the body of a POST request. The body (string rep) is at 'data' in the kwargs dict. 'body' was deleted prior to this call. Change-Id: Ieea3d11f5246ee785e41df3bc54ac61200808354 Fixes: bug #1104313
2013-01-24 21:42:14 +00:00
if 'data' in kwargs:
_logger.debug("REQ BODY: %s\n" % (kwargs['data']))
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
def http_log_resp(self, resp):
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
if self.debug_log:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
_logger.debug(
"RESP: [%s] %s\nRESP BODY: %s\n",
resp.status_code,
resp.headers,
resp.text)
Initial commit.
2011-10-25 16:50:08 -07:00
Allow serialization impl to be overridden Change-Id: I0f955c78897d4212f06942e59a7018dbe5d28540
2012-09-11 11:10:40 -05:00
def serialize(self, entity):
return json.dumps(entity)
Use AuthRef for some client fields This tackles some TODO items left over. Change-Id: Ib062744acbf56f05d09857d244b78b35c0ef4d39 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-24 17:46:29 +01:00
@property
def service_catalog(self):
"""Returns this client's service catalog."""
return self.auth_ref.service_catalog
def has_service_catalog(self):
"""Returns True if this client provides a service catalog."""
return self.auth_ref.has_service_catalog()
Initial commit.
2011-10-25 16:50:08 -07:00
def request(self, url, method, **kwargs):
""" Send an http request with the specified characteristics.
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
Wrapper around requests.request to handle tasks such as
Initial commit.
2011-10-25 16:50:08 -07:00
setting headers, JSON encoding/decoding, and error handling.
"""
# Copy the kwargs so we can reuse the original in case of redirects
request_kwargs = copy.copy(kwargs)
request_kwargs.setdefault('headers', kwargs.get('headers', {}))
request_kwargs['headers']['User-Agent'] = self.USER_AGENT
add a new HTTPClient attr for setting the original IP The original IP is useful in cases where keystoneclient is used by a different openstack component and we need to know who made the original request. Otherwise it gets overwritten by e.g. Dashboard's host's IP. bug 1046837 Change-Id: Ic22c565e92010afd89c8573c375919215b70d73d
2012-09-13 15:45:40 +02:00
if self.original_ip:
request_kwargs['headers']['Forwarded'] = "for=%s;by=%s" % (
self.original_ip, self.USER_AGENT)
Initial commit.
2011-10-25 16:50:08 -07:00
if 'body' in kwargs:
request_kwargs['headers']['Content-Type'] = 'application/json'
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
request_kwargs['data'] = self.serialize(kwargs['body'])
del request_kwargs['body']
if self.cert:
request_kwargs['cert'] = self.cert
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
if self.timeout is not None:
request_kwargs.setdefault('timeout', self.timeout)
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
self.http_log_req((url, method,), request_kwargs)
Convert requests.ConnectionError to ClientException Fixes bug 1163678 Change-Id: I16201eda29a56e3c1e6008989260425ddc124ea6
2013-04-02 21:25:30 -07:00
try:
resp = requests.request(
method,
url,
verify=self.verify_cert,
**request_kwargs)
except requests.ConnectionError:
msg = 'Unable to establish connection to %s' % url
raise exceptions.ClientException(msg)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
self.http_log_resp(resp)
if resp.text:
Initial commit.
2011-10-25 16:50:08 -07:00
try:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
body = json.loads(resp.text)
Pass json object when invoking exception handler. Fixes bug 1154753. Change-Id: I6ca7c758d42e8586c8adf2529ce5362108a57a56
2013-03-13 20:59:03 -07:00
except (ValueError, TypeError):
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
body = None
_logger.debug("Could not decode JSON from body: %s"
% resp.text)
Initial commit.
2011-10-25 16:50:08 -07:00
else:
_logger.debug("No body was returned.")
body = None
Pass json object when invoking exception handler. Fixes bug 1154753. Change-Id: I6ca7c758d42e8586c8adf2529ce5362108a57a56
2013-03-13 20:59:03 -07:00
if resp.status_code >= 400:
_logger.debug(
"Request returned failure status: %s",
resp.status_code)
raise exceptions.from_response(resp, body or resp.text)
elif resp.status_code in (301, 302, 305):
# Redirected. Reissue the request to the new location.
return self.request(resp.headers['location'], method, **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
return resp, body
def _cs_request(self, url, method, **kwargs):
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
""" Makes an authenticated request to keystone endpoint by
concatenating self.management_url and url and passing in method and
any associated kwargs. """
Initial commit.
2011-10-25 16:50:08 -07:00
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
is_management = kwargs.pop('management', True)
if is_management and self.management_url is None:
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
raise exceptions.AuthorizationFailure(
'Current authorization does not have a known management url')
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
url_to_use = self.auth_url
if is_management:
url_to_use = self.management_url
Initial commit.
2011-10-25 16:50:08 -07:00
kwargs.setdefault('headers', {})
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
if self.auth_token:
kwargs['headers']['X-Auth-Token'] = self.auth_token
Initial commit.
2011-10-25 16:50:08 -07:00
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
resp, body = self.request(url_to_use + url, method,
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
**kwargs)
return resp, body
Initial commit.
2011-10-25 16:50:08 -07:00
def get(self, url, **kwargs):
return self._cs_request(url, 'GET', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def head(self, url, **kwargs):
return self._cs_request(url, 'HEAD', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def post(self, url, **kwargs):
return self._cs_request(url, 'POST', **kwargs)
def put(self, url, **kwargs):
return self._cs_request(url, 'PUT', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def patch(self, url, **kwargs):
return self._cs_request(url, 'PATCH', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def delete(self, url, **kwargs):
return self._cs_request(url, 'DELETE', **kwargs)
Copy Permalink