openstack/python-keystoneclient
Code Issues Proposed changes
c9ae9d1fa2
python-keystoneclient/keystoneclient/session.py

626 lines
25 KiB
Python
Raw Normal View History

Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Session loading from CLI options We will want this to standardize session loading amongst the various CLIs. Implements: blueprint standard-client-params Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
2014-05-27 18:22:38 +10:00
import argparse
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
import logging
Session loading from CLI options We will want this to standardize session loading amongst the various CLIs. Implements: blueprint standard-client-params Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
2014-05-27 18:22:38 +10:00
import os
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Session loading from conf Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-05-21 08:45:54 +10:00
from oslo.config import cfg
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
import requests
import six
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
from six.moves import urllib
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
from keystoneclient import exceptions
Add profiling support to keystoneclient To be able to create profiling traces for Keystone, client should be able to send special HTTP header that contains trace info. This patch is as well important to be able to make cross project traces. (Typical case nova calls keystone via python client, if profiler is initialized in nova, keystone client will add extra header, that will be parsed by special osprofiler middleware in keystone api) Don't worry no security issue here, trace information is signed by HMAC key that is setted in api-paste.ini. So only person that knows HMAC key is able to send proper header. Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
2014-06-28 23:37:05 +04:00
from keystoneclient.openstack.common import importutils
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
from keystoneclient.openstack.common import jsonutils
Start using positional decorator Apply the positional decorator to functions. It has been added as I think best practice would dictate, though in some places it has been added in a way that doesn't break existing tests. Closes-Bug: #1295881 Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
2014-02-28 13:31:00 +10:00
from keystoneclient import utils
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Add profiling support to keystoneclient To be able to create profiling traces for Keystone, client should be able to send special HTTP header that contains trace info. This patch is as well important to be able to make cross project traces. (Typical case nova calls keystone via python client, if profiler is initialized in nova, keystone client will add extra header, that will be parsed by special osprofiler middleware in keystone api) Don't worry no security issue here, trace information is signed by HMAC key that is setted in api-paste.ini. So only person that knows HMAC key is able to send proper header. Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
2014-06-28 23:37:05 +04:00
osprofiler_web = importutils.try_import("osprofiler.web")
Adjust import items according to hacking import rule This patch adjust import items and add missing blank lines acording to http://docs.openstack.org/developer/hacking/#imports {{stdlib imports in human alphabetical order}} \n {{third-party lib imports in human alphabetical order}} \n {{project imports in human alphabetical order}} \n \n {{begin your code}} hacking project also enforce some checks for import group. Let make the change in keytoneclient Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02
2014-01-17 20:13:24 +08:00
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
USER_AGENT = 'python-keystoneclient'
_logger = logging.getLogger(__name__)
Session loading from CLI options We will want this to standardize session loading amongst the various CLIs. Implements: blueprint standard-client-params Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
2014-05-27 18:22:38 +10:00
def _positive_non_zero_float(argument_value):
if argument_value is None:
return None
try:
value = float(argument_value)
except ValueError:
msg = "%s must be a float" % argument_value
raise argparse.ArgumentTypeError(msg)
if value <= 0:
msg = "%s must be greater than 0" % argument_value
raise argparse.ArgumentTypeError(msg)
return value
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
def request(url, method='GET', **kwargs):
return Session().request(url, method=method, **kwargs)
Don't use a connection pool unless provided To prevent left over TCP connections from keystoneclient not correctly cleaning up we shouldn't use a connection pool. This is not ideal but it was a relatively new addition so shouldn't affect performance. When we are able to find a long term solution to keystoneclient's other problems we can move back to using a connection pool. Change-Id: I45678ef89b88eea90ea04de1e3170f584b51fd8f Closes-Bug: #1282089
2014-03-21 16:59:09 +10:00
class _FakeRequestSession(object):
"""This object is a temporary hack that should be removed later.
Keystoneclient has a cyclical dependency with its managers which is
preventing it from being cleaned up correctly. This is always bad but when
we switched to doing connection pooling this object wasn't getting cleaned
either and so we had left over TCP connections hanging around.
Until we can fix the client cleanup we rollback the use of a requests
session and do individual connections like we used to.
"""
def request(self, *args, **kwargs):
return requests.request(*args, **kwargs)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
class Session(object):
user_agent = None
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
REDIRECT_STATUSES = (301, 302, 303, 305, 307)
DEFAULT_REDIRECT_LIMIT = 30
Start using positional decorator Apply the positional decorator to functions. It has been added as I think best practice would dictate, though in some places it has been added in a way that doesn't break existing tests. Closes-Bug: #1295881 Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
2014-02-28 13:31:00 +10:00
@utils.positional(2, enforcement=utils.positional.WARN)
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
def __init__(self, auth=None, session=None, original_ip=None, verify=True,
cert=None, timeout=None, user_agent=None,
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
redirect=DEFAULT_REDIRECT_LIMIT):
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
"""Maintains client communication state and common functionality.
As much as possible the parameters to this class reflect and are passed
directly to the requests library.
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
:param auth: An authentication plugin to authenticate the session with.
(optional, defaults to None)
:param requests.Session session: A requests session object that can be
used for issuing requests. (optional)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
:param string original_ip: The original IP of the requesting user
which will be sent to identity service in a
'Forwarded' header. (optional)
:param verify: The verification arguments to pass to requests. These
are of the same form as requests expects, so True or
False to verify (or not) against system certificates or
Add back --insecure option to CURL debug This was added in review: https://review.openstack.org/#/c/53500 but lost in the conversion to using session. Add it back again. Change-Id: Ia063eb018d3a7da706a02d60df63bfa1be21d147 Related-Bug: #1249891
2014-02-03 10:40:06 +10:00
a path to a bundle or CA certs to check against or None
for requests to attempt to locate and use certificates.
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
(optional, defaults to True)
:param cert: A client certificate to pass to requests. These are of the
same form as requests expects. Either a single filename
containing both the certificate and key or a tuple
containing the path to the certificate then a path to the
key. (optional)
:param float timeout: A timeout to pass to requests. This should be a
numerical value indicating some amount
(or fraction) of seconds or 0 for no timeout.
(optional, defaults to 0)
:param string user_agent: A User-Agent header string to use for the
request. If not provided a default is used.
(optional, defaults to
'python-keystoneclient')
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
:param int/bool redirect: Controls the maximum number of redirections
that can be followed by a request. Either an
integer for a specific count or True/False
for forever/never. (optional, default to 30)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
"""
if not session:
Don't use a connection pool unless provided To prevent left over TCP connections from keystoneclient not correctly cleaning up we shouldn't use a connection pool. This is not ideal but it was a relatively new addition so shouldn't affect performance. When we are able to find a long term solution to keystoneclient's other problems we can move back to using a connection pool. Change-Id: I45678ef89b88eea90ea04de1e3170f584b51fd8f Closes-Bug: #1282089
2014-03-21 16:59:09 +10:00
session = _FakeRequestSession()
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
self.auth = auth
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
self.session = session
self.original_ip = original_ip
self.verify = verify
self.cert = cert
self.timeout = None
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
self.redirect = redirect
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
if timeout is not None:
self.timeout = float(timeout)
# don't override the class variable if none provided
if user_agent is not None:
self.user_agent = user_agent
Start using positional decorator Apply the positional decorator to functions. It has been added as I think best practice would dictate, though in some places it has been added in a way that doesn't break existing tests. Closes-Bug: #1295881 Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
2014-02-28 13:31:00 +10:00
@utils.positional(enforcement=utils.positional.WARN)
Remove debug specific handling I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
2013-12-17 15:30:51 +10:00
def request(self, url, method, json=None, original_ip=None,
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
user_agent=None, redirect=None, authenticated=None,
Allow session to return an error response object Typically we want to have exceptions thrown when dealing with requests that return an HTTP error. However when looking at integrating the session object with other clients it becomes apparent that the exception handling is sufficiently different that it is best for now to let the existing error handling work. Add an option to return the failed request rather than raise an exception so existing clients can do there own error handling. Blueprint: session-propagation DocImpact: New session parameter. Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
2014-03-28 10:15:11 +10:00
endpoint_filter=None, auth=None, requests_auth=None,
Auth Plugin invalidation To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called. Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177 blueprint: keystoneclient-auth-token
2014-05-21 13:55:27 +10:00
raise_exc=True, allow_reauth=True, **kwargs):
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
"""Send an HTTP request with the specified characteristics.
Wrapper around `requests.Session.request` to handle tasks such as
setting headers, JSON encoding/decoding, and error handling.
Arguments that are not handled are passed through to the requests
library.
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
:param string url: Path or fully qualified URL of HTTP request. If only
a path is provided then endpoint_filter must also be
provided such that the base URL can be determined.
If a fully qualified URL is provided then
endpoint_filter will be ignored.
fixed typos found by RETF rules rules are avaialble at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
2014-05-02 16:12:20 +02:00
:param string method: The http method to use. (e.g. 'GET', 'POST')
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
:param string original_ip: Mark this request as forwarded for this ip.
(optional)
:param dict headers: Headers to be included in the request. (optional)
:param json: Some data to be represented as JSON. (optional)
:param string user_agent: A user_agent to use for the request. If
present will override one present in headers.
(optional)
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
:param int/bool redirect: the maximum number of redirections that
can be followed by a request. Either an
integer for a specific count or True/False
for forever/never. (optional)
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
:param bool authenticated: True if a token should be attached to this
request, False if not or None for attach if
an auth_plugin is available.
(optional, defaults to None)
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
:param dict endpoint_filter: Data to be provided to an auth plugin with
which it should be able to determine an
endpoint to use for this request. If not
provided then URL is expected to be a
fully qualified URL. (optional)
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
:param auth: The auth plugin to use when authenticating this request.
This will override the plugin that is attached to the
session (if any). (optional)
:type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin`
:param requests_auth: A requests library auth plugin that cannot be
passed via kwarg because the `auth` kwarg
collides with our own auth plugins. (optional)
:type requests_auth: :class:`requests.auth.AuthBase`
Allow session to return an error response object Typically we want to have exceptions thrown when dealing with requests that return an HTTP error. However when looking at integrating the session object with other clients it becomes apparent that the exception handling is sufficiently different that it is best for now to let the existing error handling work. Add an option to return the failed request rather than raise an exception so existing clients can do there own error handling. Blueprint: session-propagation DocImpact: New session parameter. Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
2014-03-28 10:15:11 +10:00
:param bool raise_exc: If True then raise an appropriate exception for
failed HTTP requests. If False then return the
request object. (optional, default True)
Auth Plugin invalidation To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called. Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177 blueprint: keystoneclient-auth-token
2014-05-21 13:55:27 +10:00
:param bool allow_reauth: Allow fetching a new token and retrying the
request on receiving a 401 Unauthorized
response. (optional, default True)
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
:param kwargs: any other parameter that can be passed to
requests.Session.request (such as `headers`). Except:
'data' will be overwritten by the data in 'json' param.
'allow_redirects' is ignored as redirects are handled
by the session.
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
:raises exceptions.ClientException: For connection failure, or to
indicate an error response code.
:returns: The response to the request.
"""
headers = kwargs.setdefault('headers', dict())
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
if authenticated is None:
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
authenticated = bool(auth or self.auth)
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
if authenticated:
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
token = self.get_token(auth)
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
if not token:
raise exceptions.AuthorizationFailure("No token Available")
headers['X-Auth-Token'] = token
Add profiling support to keystoneclient To be able to create profiling traces for Keystone, client should be able to send special HTTP header that contains trace info. This patch is as well important to be able to make cross project traces. (Typical case nova calls keystone via python client, if profiler is initialized in nova, keystone client will add extra header, that will be parsed by special osprofiler middleware in keystone api) Don't worry no security issue here, trace information is signed by HMAC key that is setted in api-paste.ini. So only person that knows HMAC key is able to send proper header. Change-Id: Ide6fe268613bb0cc9d9ec6fae2957cc570e9f851
2014-06-28 23:37:05 +04:00
if osprofiler_web:
headers.update(osprofiler_web.get_trace_id_headers())
fixed typos found by RETF rules rules are avaialble at https://en.wikipedia.org/wiki/Wikipedia:AutoWikiBrowser/Typos Change-Id: I67fb3e0d02c931cb7e605ac74ea8272956afa8e1
2014-05-02 16:12:20 +02:00
# if we are passed a fully qualified URL and an endpoint_filter we
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
# should ignore the filter. This will make it easier for clients who
# want to overrule the default endpoint_filter data added to all client
# requests. We check fully qualified here by the presence of a host.
url_data = urllib.parse.urlparse(url)
if endpoint_filter and not url_data.netloc:
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
base_url = self.get_endpoint(auth, **endpoint_filter)
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
if not base_url:
raise exceptions.EndpointNotFound()
url = '%s/%s' % (base_url.rstrip('/'), url.lstrip('/'))
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
if self.cert:
kwargs.setdefault('cert', self.cert)
if self.timeout is not None:
kwargs.setdefault('timeout', self.timeout)
if user_agent:
headers['User-Agent'] = user_agent
elif self.user_agent:
user_agent = headers.setdefault('User-Agent', self.user_agent)
else:
user_agent = headers.setdefault('User-Agent', USER_AGENT)
if self.original_ip:
headers.setdefault('Forwarded',
'for=%s;by=%s' % (self.original_ip, user_agent))
if json is not None:
headers['Content-Type'] = 'application/json'
kwargs['data'] = jsonutils.dumps(json)
kwargs.setdefault('verify', self.verify)
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
if requests_auth:
kwargs['auth'] = requests_auth
Remove debug specific handling I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
2013-12-17 15:30:51 +10:00
string_parts = ['curl -i']
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Add back --insecure option to CURL debug This was added in review: https://review.openstack.org/#/c/53500 but lost in the conversion to using session. Add it back again. Change-Id: Ia063eb018d3a7da706a02d60df63bfa1be21d147 Related-Bug: #1249891
2014-02-03 10:40:06 +10:00
# NOTE(jamielennox): None means let requests do its default validation
# so we need to actually check that this is False.
if self.verify is False:
string_parts.append('--insecure')
Remove debug specific handling I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
2013-12-17 15:30:51 +10:00
if method:
Saner debug log message generation For some reason building the debug log would include spaces in the message elements and join on the empty string. It makes much more sense to just build the list and join on the space. Change-Id: Idd82787b87518c56122d0b13551f84529306337c
2013-12-17 15:34:57 +10:00
string_parts.extend(['-X', method])
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Saner debug log message generation For some reason building the debug log would include spaces in the message elements and join on the empty string. It makes much more sense to just build the list and join on the space. Change-Id: Idd82787b87518c56122d0b13551f84529306337c
2013-12-17 15:34:57 +10:00
string_parts.append(url)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Remove debug specific handling I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
2013-12-17 15:30:51 +10:00
if headers:
for header in six.iteritems(headers):
Saner debug log message generation For some reason building the debug log would include spaces in the message elements and join on the empty string. It makes much more sense to just build the list and join on the space. Change-Id: Idd82787b87518c56122d0b13551f84529306337c
2013-12-17 15:34:57 +10:00
string_parts.append('-H "%s: %s"' % header)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Fix debug curl commands for included data Include the submitted data in the curl debug statement. Initially fixed in: https://review.openstack.org/#/c/53501 Change-Id: I4e3e9e4799a508666fb37fafe864eea25b676836 Closes-Bug: #1249891
2014-02-03 11:12:00 +10:00
try:
string_parts.append("-d '%s'" % kwargs['data'])
except KeyError:
pass
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Fix debug curl commands for included data Include the submitted data in the curl debug statement. Initially fixed in: https://review.openstack.org/#/c/53501 Change-Id: I4e3e9e4799a508666fb37fafe864eea25b676836 Closes-Bug: #1249891
2014-02-03 11:12:00 +10:00
_logger.debug('REQ: %s', ' '.join(string_parts))
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
# Force disable requests redirect handling. We will manage this below.
kwargs['allow_redirects'] = False
if redirect is None:
redirect = self.redirect
resp = self._send_request(url, method, redirect, **kwargs)
Auth Plugin invalidation To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called. Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177 blueprint: keystoneclient-auth-token
2014-05-21 13:55:27 +10:00
# handle getting a 401 Unauthorized response by invalidating the plugin
# and then retrying the request. This is only tried once.
if resp.status_code == 401 and authenticated and allow_reauth:
if self.invalidate(auth):
token = self.get_token(auth)
if token:
headers['X-Auth-Token'] = token
resp = self._send_request(url, method, redirect, **kwargs)
Allow session to return an error response object Typically we want to have exceptions thrown when dealing with requests that return an HTTP error. However when looking at integrating the session object with other clients it becomes apparent that the exception handling is sufficiently different that it is best for now to let the existing error handling work. Add an option to return the failed request rather than raise an exception so existing clients can do there own error handling. Blueprint: session-propagation DocImpact: New session parameter. Change-Id: I63ea034e7c6eaaf42d4329526a902677a8dd709d
2014-03-28 10:15:11 +10:00
if raise_exc and resp.status_code >= 400:
Move redirect handling to session Particularly 305 is expected to be handled by the tests so we need to handle this centrally if we want to have session and non-session clients to work the same way. Change-Id: Id4ec35ddd8b8304d24df9e6cd2ab995d123ef125
2013-12-17 14:19:18 +10:00
_logger.debug('Request returned failure status: %s',
resp.status_code)
raise exceptions.from_response(resp, method, url)
return resp
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
def _send_request(self, url, method, redirect, **kwargs):
# NOTE(jamielennox): We handle redirection manually because the
# requests lib follows some browser patterns where it will redirect
# POSTs as GETs for certain statuses which is not want we want for an
# API. See: https://en.wikipedia.org/wiki/Post/Redirect/Get
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
try:
resp = self.session.request(method, url, **kwargs)
except requests.exceptions.SSLError:
msg = 'SSL exception connecting to %s' % url
raise exceptions.SSLError(msg)
except requests.exceptions.Timeout:
msg = 'Request to %s timed out' % url
Reuse module `exceptions` from Oslo The exception module in oslo common code and in keystoneclient are similar. In case of unification openstack clients, we should use modules from Oslo. Changes of this patch: - imported exceptions from common code instead of `apiclient.exception` - added aliases for exceptions which was renamed (reason: backwards compatibility) - moved exceptions `EmptyCatalog` from `apiclient.exception` to `exceptions` - cleaned `apiclient.exception` from duplicated exceptions - `apiclient.__init__` and `apiclient.exceptions` are kept and labeled as 'deprecated'(reason: backwards compatibility) bp common-client-library-2 Change-Id: Iedf4e5d753d4278d81751ba0f55fdef3566b56de
2014-02-17 12:06:36 +02:00
raise exceptions.RequestTimeout(msg)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
except requests.exceptions.ConnectionError:
msg = 'Unable to establish connection to %s' % url
Reuse module `exceptions` from Oslo The exception module in oslo common code and in keystoneclient are similar. In case of unification openstack clients, we should use modules from Oslo. Changes of this patch: - imported exceptions from common code instead of `apiclient.exception` - added aliases for exceptions which was renamed (reason: backwards compatibility) - moved exceptions `EmptyCatalog` from `apiclient.exception` to `exceptions` - cleaned `apiclient.exception` from duplicated exceptions - `apiclient.__init__` and `apiclient.exceptions` are kept and labeled as 'deprecated'(reason: backwards compatibility) bp common-client-library-2 Change-Id: Iedf4e5d753d4278d81751ba0f55fdef3566b56de
2014-02-17 12:06:36 +02:00
raise exceptions.ConnectionRefused(msg)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Remove debug specific handling I think debug handling was initially done this way for CLI handling where we wanted to make sure only the correct information was printed to the console. However as logging.basicConfig sets up a stream handler on the root logging object I can't see any purpose to the debug handling in the actual HTTPClient. Further than this it is completely wrong that a client library is messing with it's logging level, this should be handled by an application. The debug flag is maintained and deprecated in HTTPClient and removed from the session object. There has been no release since the addition of session so there is no problem with compatibility. Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
2013-12-17 15:30:51 +10:00
_logger.debug('RESP: [%s] %s\nRESP BODY: %s\n',
resp.status_code, resp.headers, resp.text)
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
Controllable redirect handling The requests library handles redirects as a browser would, which has the problem that forwarding a POST will convert it to a GET. This is not necessarily intuitive for an API. Handle all redirection manually and provide some control over how far redirection can go. Closes-Bug: 1267286 Change-Id: I24596a9c39cc29db28a66c3053ef3954b33abf90
2013-12-05 18:11:39 +10:00
if resp.status_code in self.REDIRECT_STATUSES:
# be careful here in python True == 1 and False == 0
if isinstance(redirect, bool):
redirect_allowed = redirect
else:
redirect -= 1
redirect_allowed = redirect >= 0
if not redirect_allowed:
return resp
try:
location = resp.headers['location']
except KeyError:
_logger.warn("Failed to redirect request to %s as new "
"location was not provided.", resp.url)
else:
new_resp = self._send_request(location, method, redirect,
**kwargs)
if not isinstance(new_resp.history, list):
new_resp.history = list(new_resp.history)
new_resp.history.insert(0, resp)
resp = new_resp
Extract a base Session object A wrapper around a number of connection variables. This will be extended later with principals such as Kerberos authentication and http sessions. The intent is that this session object will become the basis for all other client library communications in OpenStack (as keystone wants to control things like authentication for everybody). Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e Part of: blueprint auth-plugins
2013-09-30 10:35:55 +10:00
return resp
def head(self, url, **kwargs):
return self.request(url, 'HEAD', **kwargs)
def get(self, url, **kwargs):
return self.request(url, 'GET', **kwargs)
def post(self, url, **kwargs):
return self.request(url, 'POST', **kwargs)
def put(self, url, **kwargs):
return self.request(url, 'PUT', **kwargs)
def delete(self, url, **kwargs):
return self.request(url, 'DELETE', **kwargs)
def patch(self, url, **kwargs):
return self.request(url, 'PATCH', **kwargs)
Provide a conversion function for creating session Session.construct will create a session based upon the kwargs that used to be passed to a client __init__ function. This will allow clients an easy path to providing compatibility with deprecated arguments. Make use of the function throughout discovery. Discovery was initially released prior to the session object being completed and was therefore handled with the same arguments as a client. Instead we should use a session object so use the conversion function to convert those kwargs into a session object if one is not provided. Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
2013-12-11 07:38:46 +10:00
@classmethod
def construct(cls, kwargs):
"""Handles constructing a session from the older HTTPClient args as
well as the new request style arguments.
*DEPRECATED*: This function is purely for bridging the gap between
older client arguments and the session arguments that they relate to.
It is not intended to be used as a generic Session Factory.
This function purposefully modifies the input kwargs dictionary so that
the remaining kwargs dict can be reused and passed on to other
functionswithout session arguments.
"""
Session loading from conf Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-05-21 08:45:54 +10:00
params = {}
Provide a conversion function for creating session Session.construct will create a session based upon the kwargs that used to be passed to a client __init__ function. This will allow clients an easy path to providing compatibility with deprecated arguments. Make use of the function throughout discovery. Discovery was initially released prior to the session object being completed and was therefore handled with the same arguments as a client. Instead we should use a session object so use the conversion function to convert those kwargs into a session object if one is not provided. Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
2013-12-11 07:38:46 +10:00
Session loading from conf Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-05-21 08:45:54 +10:00
for attr in ('verify', 'cacert', 'cert', 'key', 'insecure',
'timeout', 'session', 'original_ip', 'user_agent'):
try:
params[attr] = kwargs.pop(attr)
except KeyError:
pass
return cls._make(**params)
@classmethod
def _make(cls, insecure=False, verify=None, cacert=None, cert=None,
key=None, **kwargs):
"""Create a session with individual certificate parameters.
Some parameters used to create a session don't lend themselves to be
loaded from config/CLI etc. Create a session by converting those
parameters into session __init__ parameters.
"""
Provide a conversion function for creating session Session.construct will create a session based upon the kwargs that used to be passed to a client __init__ function. This will allow clients an easy path to providing compatibility with deprecated arguments. Make use of the function throughout discovery. Discovery was initially released prior to the session object being completed and was therefore handled with the same arguments as a client. Instead we should use a session object so use the conversion function to convert those kwargs into a session object if one is not provided. Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
2013-12-11 07:38:46 +10:00
if verify is None:
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
# passing cert and key together is deprecated in favour of the
# requests lib form of having the cert and key as a tuple
cert = (cert, key)
Session loading from conf Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-05-21 08:45:54 +10:00
return cls(verify=verify, cert=cert, **kwargs)
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
def get_token(self, auth=None):
Create V2 Auth Plugins Extract the authentication code from a v2 client and move it to a series of auth plugins. Auth plugins each represent one method of authenticating with a server and there is a factory method on the base class to select the appropriate plugin from a group of arguments. When a v2 client wants to do authentication it will create a new v2 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c blueprint: auth-plugins
2014-01-21 11:40:16 +10:00
"""Return a token as provided by the auth plugin.
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
:param auth: The auth plugin to use for token. Overrides the plugin
on the session. (optional)
:type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin`
Create V2 Auth Plugins Extract the authentication code from a v2 client and move it to a series of auth plugins. Auth plugins each represent one method of authenticating with a server and there is a factory method on the base class to select the appropriate plugin from a group of arguments. When a v2 client wants to do authentication it will create a new v2 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c blueprint: auth-plugins
2014-01-21 11:40:16 +10:00
:raises AuthorizationFailure: if a new token fetch fails.
:returns string: A valid token.
"""
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
if not auth:
auth = self.auth
if not auth:
Create Authentication Plugins Provides the framework for creating authentication plugins and using them from a session object. To allow this system to co-exist with the original client there is a bit of a hack. The client object itself is now also an authentication plugin, that supports the original client pattern. If a client is created without a session object then that session object uses the client as it's authentication plugin. Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12 blueprint: auth-plugins
2013-12-09 16:46:09 +10:00
raise exceptions.MissingAuthPlugin("Token Required")
Create V2 Auth Plugins Extract the authentication code from a v2 client and move it to a series of auth plugins. Auth plugins each represent one method of authenticating with a server and there is a factory method on the base class to select the appropriate plugin from a group of arguments. When a v2 client wants to do authentication it will create a new v2 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c blueprint: auth-plugins
2014-01-21 11:40:16 +10:00
try:
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
return auth.get_token(self)
Rename HTTPError -> HttpError With the move to the apiclient exceptions from oslo the basic HTTP error class was renamed. This was not reflected in all places in the code. It was also not picked up by the tests because the apiclient tests weren't running due to a missing __init__.py file. Because this should be backwards compatible it was added to the list in exceptions, the check that this is available is in the (now running) apiclient tests. Blueprint: common-client-library-2 Change-Id: I307c1083f29e3207cc86aa938043270e5c32b4bb
2014-04-15 09:29:20 +10:00
except exceptions.HttpError as exc:
Create V2 Auth Plugins Extract the authentication code from a v2 client and move it to a series of auth plugins. Auth plugins each represent one method of authenticating with a server and there is a factory method on the base class to select the appropriate plugin from a group of arguments. When a v2 client wants to do authentication it will create a new v2 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I4dd7474643ed5c2a3204ea2ec56029f926010c2c blueprint: auth-plugins
2014-01-21 11:40:16 +10:00
raise exceptions.AuthorizationFailure("Authentication failure: "
"%s" % exc)
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
def get_endpoint(self, auth=None, **kwargs):
"""Get an endpoint as provided by the auth plugin.
:param auth: The auth plugin to use for token. Overrides the plugin on
the session. (optional)
:type auth: :class:`keystoneclient.auth.base.BaseAuthPlugin`
:raises MissingAuthPlugin: if a plugin is not available.
:returns string: An endpoint if available or None.
"""
if not auth:
auth = self.auth
if not auth:
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
raise exceptions.MissingAuthPlugin('An auth plugin is required to '
'determine the endpoint URL.')
Allow passing auth plugin as a parameter This further separates the concept of session and auth plugin so that the session can be a completely standalone transport layer. This is similar to how requests handles things. You can install an auth plugin on the session object and then everything that works through the session will be authenticated or you can specify the auth plugin per request and only authenticate that request. Change-Id: If4ed5af831cc35e259d9f963062261819f08a9d5
2014-03-28 16:16:41 +10:00
return auth.get_endpoint(self, **kwargs)
Auth Plugin invalidation To allow session to re-fetch a token on an Unauthorized call we add an invalidate method to auth plugins that is expected to flush all the current authentication data from the plugin such that it will be refreshed on next request. This is then used to reissue requests from session when an Unauthorized is called. Change-Id: I98fa76fd67e97dc0a8c1ec0bf734792c337b5177 blueprint: keystoneclient-auth-token
2014-05-21 13:55:27 +10:00
def invalidate(self, auth=None):
"""Invalidate an authentication plugin.
"""
if not auth:
auth = self.auth
if not auth:
msg = 'Auth plugin not available to invalidate'
raise exceptions.MissingAuthPlugin(msg)
return auth.invalidate()
Session loading from conf Allow loading session objects from oslo.config. We want a generic way to do this for auth_token middleware and for servers creating session objects for inter-service communication. DocImpact: This is the first step in standardizing all the config options across projects. There are no changes to the config options that keystoneclient actually consumes in this review. Implements: blueprint standard-client-params Change-Id: I1e83280b2f76f16041ed8d5ed598db70210112bd
2014-05-21 08:45:54 +10:00
@utils.positional.classmethod()
def get_conf_options(cls, deprecated_opts=None):
"""Get the oslo.config options that are needed for a session.
These may be useful without being registered for config file generation
or to manipulate the options before registering them yourself.
The options that are set are:
:cafile: The certificate authority filename.
:certfile: The client certificate file to present.
:keyfile: The key for the client certificate.
:insecure: Whether to ignore SSL verification.
:timeout: The max time to wait for HTTP connections.
:param dict deprecated_opts: Deprecated options that should be included
in the definition of new options. This should be a dictionary from
the name of the new option to a list of oslo.DeprecatedOpts that
correspond to the new option. (optional)
Example to support the 'ca_file' option pointing to the new
'cafile' option name::
old_opt = oslo.cfg.DeprecatedOpt('ca_file', 'old_group')
deprecated_opts={'cafile': [old_opt]}
:returns: A list of oslo.config options.
"""
if deprecated_opts is None:
deprecated_opts = {}
return [cfg.StrOpt('cafile',
deprecated_opts=deprecated_opts.get('cafile'),
help='PEM encoded Certificate Authority to use '
'when verifying HTTPs connections.'),
cfg.StrOpt('certfile',
deprecated_opts=deprecated_opts.get('certfile'),
help='PEM encoded client certificate cert file'),
cfg.StrOpt('keyfile',
deprecated_opts=deprecated_opts.get('keyfile'),
help='PEM encoded client certificate key file'),
cfg.BoolOpt('insecure',
default=False,
deprecated_opts=deprecated_opts.get('insecure'),
help='Verify HTTPS connections.'),
cfg.IntOpt('timeout',
deprecated_opts=deprecated_opts.get('timeout'),
help='Timeout value for http requests'),
]
@utils.positional.classmethod()
def register_conf_options(cls, conf, group, deprecated_opts=None):
"""Register the oslo.config options that are needed for a session.
The options that are set are:
:cafile: The certificate authority filename.
:certfile: The client certificate file to present.
:keyfile: The key for the client certificate.
:insecure: Whether to ignore SSL verification.
:timeout: The max time to wait for HTTP connections.
:param oslo.config.Cfg conf: config object to register with.
:param string group: The ini group to register options in.
:param dict deprecated_opts: Deprecated options that should be included
in the definition of new options. This should be a dictionary from
the name of the new option to a list of oslo.DeprecatedOpts that
correspond to the new option. (optional)
Example to support the 'ca_file' option pointing to the new
'cafile' option name::
old_opt = oslo.cfg.DeprecatedOpt('ca_file', 'old_group')
deprecated_opts={'cafile': [old_opt]}
:returns: The list of options that was registered.
"""
opts = cls.get_conf_options(deprecated_opts=deprecated_opts)
conf.register_group(cfg.OptGroup(group))
conf.register_opts(opts, group=group)
return opts
@classmethod
def load_from_conf_options(cls, conf, group, **kwargs):
"""Create a session object from an oslo.config object.
The options must have been previously registered with
register_conf_options.
:param oslo.config.Cfg conf: config object to register with.
:param string group: The ini group to register options in.
:param dict kwargs: Additional parameters to pass to session
construction.
:returns: A new session object.
"""
c = conf[group]
kwargs['insecure'] = c.insecure
kwargs['cacert'] = c.cafile
kwargs['cert'] = c.certfile
kwargs['key'] = c.keyfile
kwargs['timeout'] = c.timeout
return cls._make(**kwargs)
Session loading from CLI options We will want this to standardize session loading amongst the various CLIs. Implements: blueprint standard-client-params Change-Id: Icc740db6d471a0953b7946e00e6317802b6d2255
2014-05-27 18:22:38 +10:00
@staticmethod
def register_cli_options(parser):
"""Register the argparse arguments that are needed for a session.
:param argparse.ArgumentParser parser: parser to add to.
"""
parser.add_argument('--insecure',
default=False,
action='store_true',
help='Explicitly allow client to perform '
'"insecure" TLS (https) requests. The '
'server\'s certificate will not be verified '
'against any certificate authorities. This '
'option should be used with caution.')
parser.add_argument('--os-cacert',
metavar='<ca-certificate>',
default=os.environ.get('OS_CACERT'),
help='Specify a CA bundle file to use in '
'verifying a TLS (https) server certificate. '
'Defaults to env[OS_CACERT].')
parser.add_argument('--os-cert',
metavar='<certificate>',
default=os.environ.get('OS_CERT'),
help='Defaults to env[OS_CERT].')
parser.add_argument('--os-key',
metavar='<key>',
default=os.environ.get('OS_KEY'),
help='Defaults to env[OS_KEY].')
parser.add_argument('--timeout',
default=600,
type=_positive_non_zero_float,
metavar='<seconds>',
help='Set request timeout (in seconds).')
@classmethod
def load_from_cli_options(cls, args, **kwargs):
"""Create a session object from CLI arguments.
The CLI arguments must have been registered with register_cli_options.
:param Namespace args: result of parsed arguments.
:returns: A new session object.
"""
kwargs['insecure'] = args.insecure
kwargs['cacert'] = args.os_cacert
kwargs['cert'] = args.os_cert
kwargs['key'] = args.os_key
kwargs['timeout'] = args.timeout
return cls._make(**kwargs)
Copy Permalink