openstack/python-keystoneclient
Code Issues Proposed changes
b7c6f604e7
python-keystoneclient/keystoneclient/httpclient.py

624 lines
25 KiB
Python
Raw Normal View History

Initial commit.
2011-10-25 16:50:08 -07:00
# Copyright 2010 Jacob Kaplan-Moss
# Copyright 2011 OpenStack LLC.
# Copyright 2011 Piston Cloud Computing, Inc.
# Copyright 2011 Nebula, Inc.
# All Rights Reserved.
"""
OpenStack Client interface. Handles the REST calls and responses.
"""
import copy
import logging
import urlparse
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
import requests
Initial commit.
2011-10-25 16:50:08 -07:00
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
try:
import keyring
import pickle
except ImportError:
keyring = None
pickle = None
Initial commit.
2011-10-25 16:50:08 -07:00
try:
import json
except ImportError:
import simplejson as json
# Python 2.5 compat fix
if not hasattr(urlparse, 'parse_qsl'):
import cgi
urlparse.parse_qsl = cgi.parse_qsl
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
from keystoneclient import access
Initial commit.
2011-10-25 16:50:08 -07:00
from keystoneclient import exceptions
_logger = logging.getLogger(__name__)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
class HTTPClient(object):
Initial commit.
2011-10-25 16:50:08 -07:00
USER_AGENT = 'python-keystoneclient'
more work on standardization of cliauth
2011-12-17 22:36:59 -08:00
def __init__(self, username=None, tenant_id=None, tenant_name=None,
finish removing project_id
2011-12-19 10:00:39 -08:00
password=None, auth_url=None, region_name=None, timeout=None,
Support 2-way SSL with Keystone server if it is configured to enforce 2-way SSL. See also https://review.openstack.org/#/c/7706/ for the corresponding review for the 2-way SSL addition to Keystone. Change-Id: If0cb46a43d663687396d93604a7139d85a4e7114
2012-05-23 18:16:50 +00:00
endpoint=None, token=None, cacert=None, key=None,
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
cert=None, insecure=False, original_ip=None, debug=False,
Make use_keyring False by default. Updates the use_keyring option for the Keystone Client class to default to False by default. This provides for a much easier upgrade path the the most recent keystone-client code and is backwards compatible with the previous release. This does not change the default of the no_cache keystone CLI which will still enable use_keyring by default. Fixes LP Bug #1087434. Change-Id: Iaafadde660b0542a9c0a9c1bb742cb369b523a68
2012-12-06 15:26:46 -05:00
auth_ref=None, use_keyring=False, force_new_token=False,
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
stale_duration=None, user_id=None, user_domain_id=None,
user_domain_name=None, domain_id=None, domain_name=None,
project_id=None, project_name=None, project_domain_id=None,
project_domain_name=None):
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
"""Construct a new http client
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string user_id: User ID for authentication. (optional)
:param string username: Username for authentication. (optional)
:param string user_domain_id: User's domain ID for authentication.
(optional)
:param string user_domain_name: User's domain name for authentication.
(optional)
:param string password: Password for authentication. (optional)
:param string domain_id: Domain ID for domain scoping. (optional)
:param string domain_name: Domain name for domain scoping. (optional)
:param string project_id: Project ID for project scoping. (optional)
:param string project_name: Project name for project scoping.
(optional)
:param string project_domain_id: Project's domain ID for project
scoping. (optional)
:param string project_domain_name: Project's domain name for project
scoping. (optional)
:param string auth_url: Identity service endpoint for authorization.
:param string region_name: Name of a region to select when choosing an
endpoint from the service catalog.
:param integer timeout: Allows customization of the timeout for client
http requests. (optional)
:param string endpoint: A user-supplied endpoint URL for the identity
service. Lazy-authentication is possible for
API service calls if endpoint is set at
instantiation. (optional)
:param string token: Token for authentication. (optional)
:param string cacert: Path to the Privacy Enhanced Mail (PEM) file
which contains the trusted authority X.509
certificates needed to established SSL connection
with the identity service. (optional)
:param string key: Path to the Privacy Enhanced Mail (PEM) file which
contains the unencrypted client private key needed
to established two-way SSL connection with the
identity service. (optional)
:param string cert: Path to the Privacy Enhanced Mail (PEM) file which
contains the corresponding X.509 client certificate
needed to established two-way SSL connection with
the identity service. (optional)
:param boolean insecure: Does not perform X.509 certificate validation
when establishing SSL connection with identity
service. default: False (optional)
:param string original_ip: The original IP of the requesting user
which will be sent to identity service in a
'Forwarded' header. (optional)
:param boolean debug: Enables debug logging of all request and
responses to identity service.
default False (optional)
:param dict auth_ref: To allow for consumers of the client to manage
their own caching strategy, you may initialize a
client with a previously captured auth_reference
(token). If there are keyword arguments passed
that also exist in auth_ref, the value from the
argument will take precedence.
:param boolean use_keyring: Enables caching auth_ref into keyring.
default: False (optional)
:param boolean force_new_token: Keyring related parameter, forces
request for new token.
default: False (optional)
:param integer stale_duration: Gap in seconds to determine if token
from keyring is about to expire.
default: 30 (optional)
:param string tenant_name: Tenant name. (optional)
The tenant_name keyword argument is
deprecated, use project_name instead.
:param string tenant_id: Tenant id. (optional)
The tenant_id keyword argument is
deprecated, use project_id instead.
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
"""
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
# set baseline defaults
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.user_id = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
self.username = None
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.user_domain_id = None
self.user_domain_name = None
self.domain_id = None
self.domain_name = None
self.project_id = None
self.project_name = None
self.project_domain_id = None
self.project_domain_name = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
self.auth_url = None
self.management_url = None
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.timeout = float(timeout) if timeout is not None else None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
# if loading from a dictionary passed in via auth_ref,
# load values from AccessInfo parsing that dictionary
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
if auth_ref:
self.auth_ref = access.AccessInfo.factory(**auth_ref)
self.version = self.auth_ref.version
self.user_id = self.auth_ref.user_id
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.username = self.auth_ref.username
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.user_domain_id = self.auth_ref.user_domain_id
self.domain_id = self.auth_ref.domain_id
self.domain_name = self.auth_ref.domain_name
self.project_id = self.auth_ref.project_id
self.project_name = self.auth_ref.project_name
self.project_domain_id = self.auth_ref.project_domain_id
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
self.auth_url = self.auth_ref.auth_url[0]
self.management_url = self.auth_ref.management_url[0]
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.auth_token = self.auth_ref.auth_token
else:
self.auth_ref = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
# allow override of the auth_ref defaults from explicit
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
# values provided to the client
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
# apply deprecated variables first, so modern variables override them
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if tenant_id:
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.project_id = tenant_id
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if tenant_name:
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.project_name = tenant_name
# user-related attributes
self.password = password
if user_id:
self.user_id = user_id
if username:
self.username = username
if user_domain_id:
self.user_domain_id = user_domain_id
elif not (user_id or user_domain_name):
self.user_domain_id = 'default'
if user_domain_name:
self.user_domain_name = user_domain_name
# domain-related attributes
if domain_id:
self.domain_id = domain_id
if domain_name:
self.domain_name = domain_name
# project-related attributes
if project_id:
self.project_id = project_id
if project_name:
self.project_name = project_name
if project_domain_id:
self.project_domain_id = project_domain_id
elif not (project_id or project_domain_name):
self.project_domain_id = 'default'
if project_domain_name:
self.project_domain_name = project_domain_name
# endpoint selection
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if auth_url:
self.auth_url = auth_url.rstrip('/')
if token:
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
self.auth_token_from_user = token
else:
self.auth_token_from_user = None
fixes auth_ref initialization error bug 1078589 * allow client values to be overridden, but use auth_ref if none available * added tests to match this flow * refactored tokens into test_fixtures.py file Change-Id: I771a2dee6dedf31d883417d9b4e6e64bbb620f14
2012-11-14 05:38:16 +00:00
if endpoint:
self.management_url = endpoint.rstrip('/')
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.region_name = region_name
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.original_ip = original_ip
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
if cacert:
self.verify_cert = cacert
else:
self.verify_cert = True
if insecure:
self.verify_cert = False
self.cert = cert
if cert and key:
self.cert = (cert, key,)
self.domain = ''
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
# logging setup
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.debug_log = debug
Only add logging handlers if there currently aren't any This corrects an odd problem where Horizon would stand up multiple client objects, which would cause duplicate/triplicate/dozens of repeated log lines in its log files, due to multiple identical handlers being added to the logging object Fixes Bug 1182678 Change-Id: I020b3999c9008b996286ccb74a7801c96c43e71c
2013-05-21 16:25:11 -07:00
if self.debug_log and not _logger.handlers:
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
ch = logging.StreamHandler()
_logger.setLevel(logging.DEBUG)
_logger.addHandler(ch)
Fix debug with requests. - From http://docs.python.org/2/library/functions.html#hasattr : hasattr(object, name) -- The arguments are an object and a string. - Fixes bug 1124084. Change-Id: I47283abff440abdf827598c2497519f3de510baf
2013-02-09 03:22:00 +01:00
if hasattr(requests, 'logging'):
Allow requests up to 0.8 and greater The requests module dropped all configuration with the 1.0.0 release. There's no danger_mode and no 'verbose'' mode. The former shouldn't be necessary anymore and the latter can be done by setting a different log handler for the request.logging root logger. Change-Id: I41bfaf2574f6d7fc21f86e0124ceae7df6481eee Signed-off-by: Chuck Short <chuck.short@canonical.com>
2013-02-06 09:36:51 -06:00
requests.logging.getLogger(requests.__name__).addHandler(ch)
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
# keyring setup
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
if use_keyring and keyring is None:
_logger.warning('Failed to load keyring modules.')
self.use_keyring = use_keyring and keyring is not None
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
self.force_new_token = force_new_token
self.stale_duration = stale_duration or access.STALE_TOKEN_DURATION
self.stale_duration = int(self.stale_duration)
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
@property
def auth_token(self):
if self.auth_token_from_user:
return self.auth_token_from_user
if self.auth_ref:
if self.auth_ref.will_expire_soon(self.stale_duration):
self.authenticate()
return self.auth_ref.auth_token
@auth_token.setter
def auth_token(self, value):
self.auth_token_from_user = value
@auth_token.deleter
Fix selef to self in class. Change-Id: I1fec9908fb1aa915158996d57fdd82cfdf483535
2013-02-20 08:48:14 +01:00
def auth_token(self):
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
del self.auth_token_from_user
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
@property
def service_catalog(self):
"""Returns this client's service catalog."""
return self.auth_ref.service_catalog
def has_service_catalog(self):
"""Returns True if this client provides a service catalog."""
return self.auth_ref.has_service_catalog()
@property
def tenant_id(self):
"""Provide read-only backwards compatibility for tenant_id.
This is deprecated, use project_id instead.
"""
return self.project_id
@property
def tenant_name(self):
"""Provide read-only backwards compatibility for tenant_name.
This is deprecated, use project_name instead.
"""
return self.project_name
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
def authenticate(self, username=None, password=None, tenant_name=None,
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
tenant_id=None, auth_url=None, token=None,
user_id=None, domain_name=None, domain_id=None,
project_name=None, project_id=None, user_domain_id=None,
user_domain_name=None, project_domain_id=None,
project_domain_name=None):
"""Authenticate user.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Uses the data provided at instantiation to authenticate against
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
the Identity server. This may use either a username and password
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
or token for authentication. If a tenant name or id was provided
then the resulting authenticated client will be scoped to that
tenant and contain a service catalog of available endpoints.
With the v2.0 API, if a tenant name or ID is not provided, the
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
authentication token returned will be 'unscoped' and limited in
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
capabilities until a fully-scoped token is acquired.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
With the v3 API, if a domain name or id was provided then the resulting
authenticated client will be scoped to that domain. If a project name
or ID is not provided, and the authenticating user has a default
project configured, the authentication token returned will be 'scoped'
to the default project. Otherwise, the authentication token returned
will be 'unscoped' and limited in capabilities until a fully-scoped
token is acquired.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
If successful, sets the self.auth_ref and self.auth_token with
the returned token. If not already set, will also set
self.management_url from the details provided in the token.
:returns: ``True`` if authentication was successful.
:raises: AuthorizationFailure if unable to authenticate or validate
the existing authorization token
:raises: ValueError if insufficient parameters are used.
If keyring is used, token is retrieved from keyring instead.
Authentication will only be necessary if any of the following
conditions are met:
* keyring is not used
* if token is not found in keyring
* if token retrieved from keyring is expired or about to
expired (as determined by stale_duration)
* if force_new_token is true
"""
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
auth_url = auth_url or self.auth_url
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
user_id = user_id or self.user_id
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
username = username or self.username
password = password or self.password
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
user_domain_id = user_domain_id or self.user_domain_id
user_domain_name = user_domain_name or self.user_domain_name
domain_id = domain_id or self.domain_id
domain_name = domain_name or self.domain_name
project_id = project_id or tenant_id or self.project_id
project_name = project_name or tenant_name or self.project_name
project_domain_id = project_domain_id or self.project_domain_id
project_domain_name = project_domain_name or self.project_domain_name
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
if not token:
token = self.auth_token_from_user
Fix line continuations (flake8 E125, E126) - E125: continuation line does not distinguish itself from next logical line - E126: continuation line over-indented for hanging indent Change-Id: I626a6d5d57db927e8b239f90569b5601c772f28b
2013-05-28 08:48:44 -05:00
if (not token and self.auth_ref and not
self.auth_ref.will_expire_soon(self.stale_duration)):
Implements token expiration handling This implements handling of token expiration. Once the token is expired, this will request automatically for a new one. A special case is introduced if the user specified a token when the client is initialized: this is the auth_token_from_user. In this case, we can't know the expiration date, so we just assume it will never expire and don't handle it ourself. Change-Id: I3771ff5d669da015d4aa259de422c5d81aed3eb4 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-30 18:07:29 +01:00
token = self.auth_ref.auth_token
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
kwargs = {
'auth_url': auth_url,
'user_id': user_id,
'username': username,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_id': project_domain_id,
'project_domain_name': project_domain_name,
'token': token
}
(keyring_key, auth_ref) = self.get_auth_ref_from_keyring(**kwargs)
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
new_token_needed = False
if auth_ref is None or self.force_new_token:
new_token_needed = True
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
kwargs['password'] = password
resp, body = self.get_raw_token_from_identity_service(**kwargs)
self.auth_ref = access.AccessInfo.factory(resp, body)
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
else:
self.auth_ref = auth_ref
self.process_token()
if new_token_needed:
self.store_auth_ref_into_keyring(keyring_key)
return True
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
def _build_keyring_key(self, **kwargs):
"""Create a unique key for keyring.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Used to store and retrieve auth_ref from keyring.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
Returns a slash-separated string of values ordered by key name.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
"""
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
return '/'.join([kwargs[k] or '?' for k in sorted(kwargs.keys())])
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
def get_auth_ref_from_keyring(self, **kwargs):
"""Retrieve auth_ref from keyring.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
If auth_ref is found in keyring, (keyring_key, auth_ref) is returned.
Otherwise, (keyring_key, None) is returned.
:returns: (keyring_key, auth_ref) or (keyring_key, None)
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
:returns: or (None, None) if use_keyring is not set in the object
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
"""
keyring_key = None
auth_ref = None
if self.use_keyring:
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
keyring_key = self._build_keyring_key(**kwargs)
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
try:
auth_ref = keyring.get_password("keystoneclient_auth",
keyring_key)
if auth_ref:
auth_ref = pickle.loads(auth_ref)
Fix optional keyring support, add basic keyring tests Commit 06d9437e8388b369546d760607f17cb5022750e9 made using a keyring optional by adding a function to handle the imports. The problem is that import needs to be available at a global level for it to be usable in other parts of the code. The function is replaced by a top-level try/except. Fixing the imports isn't enough to get keyring support working because in get_auth_ref_from_keyring() the wrong token was being used when evaluating token expiration. It was using the token already in the HTTPClient object and not the one returned from the keyring. Some simple tests were added to prevent future regressions. These tests will be skipped if the keyring or pickle packages are not installed. Change-Id: I1fe2c9e5cdf275df2047018368da2e4b3d2d6de2 Fixes: bug #1183072
2013-05-22 17:00:53 -04:00
if auth_ref.will_expire_soon(self.stale_duration):
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
# token has expired, don't use it
auth_ref = None
except Exception as e:
auth_ref = None
_logger.warning('Unable to retrieve token from keyring %s' % (
e))
return (keyring_key, auth_ref)
def store_auth_ref_into_keyring(self, keyring_key):
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""Store auth_ref into keyring.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
"""
if self.use_keyring:
try:
keyring.set_password("keystoneclient_auth",
keyring_key,
pickle.dumps(self.auth_ref))
except Exception as e:
_logger.warning("Failed to store token into keyring %s" % (e))
def process_token(self):
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""Extract and process information from the new auth_ref.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Client V3 shouldn't inherit V2 Client V3 is a completely different implementation of the API, if we want to intermix the V2 and V3 APIs then we don't need to version our client at all. Change-Id: I80579cd41df73ccfc6c8feb76843772829afac4e
2013-07-18 15:54:41 +10:00
And set the relevant authentication information.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
"""
Client V3 shouldn't inherit V2 Client V3 is a completely different implementation of the API, if we want to intermix the V2 and V3 APIs then we don't need to version our client at all. Change-Id: I80579cd41df73ccfc6c8feb76843772829afac4e
2013-07-18 15:54:41 +10:00
# if we got a response without a service catalog, set the local
# list of tenants for introspection, and leave to client user
# to determine what to do. Otherwise, load up the service catalog
if self.auth_ref.project_scoped:
if not self.auth_ref.tenant_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide tenant_id")
if self.management_url is None and self.auth_ref.management_url:
self.management_url = self.auth_ref.management_url[0]
self.project_name = self.auth_ref.tenant_name
self.project_id = self.auth_ref.tenant_id
if not self.auth_ref.user_id:
raise exceptions.AuthorizationFailure(
"Token didn't provide user_id")
self.user_id = self.auth_ref.user_id
self.auth_domain_id = self.auth_ref.domain_id
self.auth_tenant_id = self.auth_ref.tenant_id
self.auth_user_id = self.auth_ref.user_id
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
def get_raw_token_from_identity_service(self, auth_url, username=None,
password=None, tenant_name=None,
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
tenant_id=None, token=None,
user_id=None, user_domain_id=None,
user_domain_name=None,
domain_id=None, domain_name=None,
project_id=None, project_name=None,
project_domain_id=None,
project_domain_name=None):
"""Authenticate against the Identity API and get a token.
Initial commit.
2011-10-25 16:50:08 -07:00
Not implemented here because auth protocols should be API
version-specific.
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
Expected to authenticate or validate an existing authentication
reference already associated with the client. Invoking this call
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
*always* makes a call to the Identity service.
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:returns: (``resp``, ``body``)
bug-1040361: use keyring to store tokens User can optionally turn off keyring by specifying the --no-cache option. It can also be disabled with environment variable OS-NO-CACHE. Change-Id: I8935260bf7fd6befa14798da9b4d02c81e65c417
2012-11-08 16:32:17 -08:00
Initial commit.
2011-10-25 16:50:08 -07:00
"""
raise NotImplementedError
def _extract_service_catalog(self, url, body):
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""Set the client's service catalog from the response data.
Initial commit.
2011-10-25 16:50:08 -07:00
Not implemented here because data returned may be API
version-specific.
"""
raise NotImplementedError
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
def http_log_req(self, args, kwargs):
if not self.debug_log:
Initial commit.
2011-10-25 16:50:08 -07:00
return
string_parts = ['curl -i']
for element in args:
if element in ('GET', 'POST'):
string_parts.append(' -X %s' % element)
else:
string_parts.append(' %s' % element)
for element in kwargs['headers']:
header = ' -H "%s: %s"' % (element, kwargs['headers'][element])
string_parts.append(header)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
_logger.debug("REQ: %s" % "".join(string_parts))
If you specify the --debug argument, it doesn't show the body of a POST request. The body (string rep) is at 'data' in the kwargs dict. 'body' was deleted prior to this call. Change-Id: Ieea3d11f5246ee785e41df3bc54ac61200808354 Fixes: bug #1104313
2013-01-24 21:42:14 +00:00
if 'data' in kwargs:
_logger.debug("REQ BODY: %s\n" % (kwargs['data']))
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
def http_log_resp(self, resp):
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
if self.debug_log:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
_logger.debug(
"RESP: [%s] %s\nRESP BODY: %s\n",
resp.status_code,
resp.headers,
resp.text)
Initial commit.
2011-10-25 16:50:08 -07:00
Allow serialization impl to be overridden Change-Id: I0f955c78897d4212f06942e59a7018dbe5d28540
2012-09-11 11:10:40 -05:00
def serialize(self, entity):
return json.dumps(entity)
Use AuthRef for some client fields This tackles some TODO items left over. Change-Id: Ib062744acbf56f05d09857d244b78b35c0ef4d39 Signed-off-by: Julien Danjou <julien@danjou.info>
2013-01-24 17:46:29 +01:00
@property
def service_catalog(self):
"""Returns this client's service catalog."""
return self.auth_ref.service_catalog
def has_service_catalog(self):
"""Returns True if this client provides a service catalog."""
return self.auth_ref.has_service_catalog()
Initial commit.
2011-10-25 16:50:08 -07:00
def request(self, url, method, **kwargs):
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""Send an http request with the specified characteristics.
Initial commit.
2011-10-25 16:50:08 -07:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
Wrapper around requests.request to handle tasks such as
Initial commit.
2011-10-25 16:50:08 -07:00
setting headers, JSON encoding/decoding, and error handling.
"""
# Copy the kwargs so we can reuse the original in case of redirects
request_kwargs = copy.copy(kwargs)
request_kwargs.setdefault('headers', kwargs.get('headers', {}))
request_kwargs['headers']['User-Agent'] = self.USER_AGENT
add a new HTTPClient attr for setting the original IP The original IP is useful in cases where keystoneclient is used by a different openstack component and we need to know who made the original request. Otherwise it gets overwritten by e.g. Dashboard's host's IP. bug 1046837 Change-Id: Ic22c565e92010afd89c8573c375919215b70d73d
2012-09-13 15:45:40 +02:00
if self.original_ip:
request_kwargs['headers']['Forwarded'] = "for=%s;by=%s" % (
self.original_ip, self.USER_AGENT)
Initial commit.
2011-10-25 16:50:08 -07:00
if 'body' in kwargs:
request_kwargs['headers']['Content-Type'] = 'application/json'
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
request_kwargs['data'] = self.serialize(kwargs['body'])
del request_kwargs['body']
if self.cert:
request_kwargs['cert'] = self.cert
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I845c55dfb6f6b8345663ccdb5b150a2655f20026
2013-01-11 21:56:24 -08:00
if self.timeout is not None:
request_kwargs.setdefault('timeout', self.timeout)
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
self.http_log_req((url, method,), request_kwargs)
Convert requests.ConnectionError to ClientException Fixes bug 1163678 Change-Id: I16201eda29a56e3c1e6008989260425ddc124ea6
2013-04-02 21:25:30 -07:00
try:
resp = requests.request(
method,
url,
verify=self.verify_cert,
**request_kwargs)
except requests.ConnectionError:
msg = 'Unable to establish connection to %s' % url
raise exceptions.ClientException(msg)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
self.http_log_resp(resp)
if resp.text:
Initial commit.
2011-10-25 16:50:08 -07:00
try:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
body = json.loads(resp.text)
Pass json object when invoking exception handler. Fixes bug 1154753. Change-Id: I6ca7c758d42e8586c8adf2529ce5362108a57a56
2013-03-13 20:59:03 -07:00
except (ValueError, TypeError):
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80
2012-11-16 17:43:05 -06:00
body = None
_logger.debug("Could not decode JSON from body: %s"
% resp.text)
Initial commit.
2011-10-25 16:50:08 -07:00
else:
_logger.debug("No body was returned.")
body = None
Pass json object when invoking exception handler. Fixes bug 1154753. Change-Id: I6ca7c758d42e8586c8adf2529ce5362108a57a56
2013-03-13 20:59:03 -07:00
if resp.status_code >= 400:
_logger.debug(
"Request returned failure status: %s",
resp.status_code)
raise exceptions.from_response(resp, body or resp.text)
elif resp.status_code in (301, 302, 305):
# Redirected. Reissue the request to the new location.
return self.request(resp.headers['location'], method, **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
return resp, body
def _cs_request(self, url, method, **kwargs):
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""Makes an authenticated request to keystone endpoint by
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
concatenating self.management_url and url and passing in method and
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
any associated kwargs.
"""
Initial commit.
2011-10-25 16:50:08 -07:00
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
is_management = kwargs.pop('management', True)
if is_management and self.management_url is None:
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
raise exceptions.AuthorizationFailure(
'Current authorization does not have a known management url')
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
url_to_use = self.auth_url
if is_management:
url_to_use = self.management_url
Initial commit.
2011-10-25 16:50:08 -07:00
kwargs.setdefault('headers', {})
Revert "Use TokenManager to get token" This reverts commit 22228f526d6ea08b7006be1287afe959b93c23db which appears to be breaking the keystone gating
2013-04-30 17:34:14 +00:00
if self.auth_token:
kwargs['headers']['X-Auth-Token'] = self.auth_token
Initial commit.
2011-10-25 16:50:08 -07:00
Add command to allow users to change their own password Fixes Bug 1082539 The Equivalent of doing curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/<userid> \ -H "Content-type: application/json" \ -H "X_Auth_Token: <authtokenid>" \ -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}' Change-Id: Ia1a907c5fd138c4252196145b361f43671047a1a
2012-11-23 09:17:24 +00:00
resp, body = self.request(url_to_use + url, method,
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
**kwargs)
return resp, body
Initial commit.
2011-10-25 16:50:08 -07:00
def get(self, url, **kwargs):
return self._cs_request(url, 'GET', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def head(self, url, **kwargs):
return self._cs_request(url, 'HEAD', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def post(self, url, **kwargs):
return self._cs_request(url, 'POST', **kwargs)
def put(self, url, **kwargs):
return self._cs_request(url, 'PUT', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def patch(self, url, **kwargs):
return self._cs_request(url, 'PATCH', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def delete(self, url, **kwargs):
return self._cs_request(url, 'DELETE', **kwargs)
Copy Permalink