2012-09-11 11:20:16 -05:00
|
|
|
# Copyright 2011 Nebula, Inc.
|
|
|
|
|
# All Rights Reserved.
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
# not use this file except in compliance with the License. You may obtain
|
|
|
|
|
# a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
|
# License for the specific language governing permissions and limitations
|
|
|
|
|
# under the License.
|
2014-01-17 20:13:24 +08:00
|
|
|
|
2012-09-11 11:20:16 -05:00
|
|
|
import logging
|
|
|
|
|
|
2014-01-21 11:40:28 +10:00
|
|
|
from keystoneclient.auth.identity import v3 as v3_auth
|
2013-08-01 17:09:55 -05:00
|
|
|
from keystoneclient import exceptions
|
2013-07-31 16:13:13 +10:00
|
|
|
from keystoneclient import httpclient
|
2013-08-16 11:45:44 +10:00
|
|
|
from keystoneclient.openstack.common import jsonutils
|
2014-03-26 17:44:08 +01:00
|
|
|
from keystoneclient.v3.contrib import federation
|
2013-08-02 11:45:38 +01:00
|
|
|
from keystoneclient.v3.contrib import trusts
|
2012-09-11 15:42:38 -05:00
|
|
|
from keystoneclient.v3 import credentials
|
2012-09-11 12:32:01 -05:00
|
|
|
from keystoneclient.v3 import domains
|
2013-02-13 22:52:05 -06:00
|
|
|
from keystoneclient.v3 import endpoints
|
2012-12-07 16:47:56 +00:00
|
|
|
from keystoneclient.v3 import groups
|
2012-09-11 11:44:05 -05:00
|
|
|
from keystoneclient.v3 import policies
|
2012-09-11 15:38:22 -05:00
|
|
|
from keystoneclient.v3 import projects
|
2012-09-11 15:34:56 -05:00
|
|
|
from keystoneclient.v3 import roles
|
2012-09-11 11:22:30 -05:00
|
|
|
from keystoneclient.v3 import services
|
2012-09-11 15:40:37 -05:00
|
|
|
from keystoneclient.v3 import users
|
2012-09-11 11:20:16 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
_logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
|
|
2013-07-31 16:13:13 +10:00
|
|
|
class Client(httpclient.HTTPClient):
|
2012-09-11 11:20:16 -05:00
|
|
|
"""Client for the OpenStack Identity API v3.
|
|
|
|
|
|
2013-02-13 22:52:05 -06:00
|
|
|
:param string user_id: User ID for authentication. (optional)
|
2012-09-11 11:20:16 -05:00
|
|
|
:param string username: Username for authentication. (optional)
|
2013-02-13 22:52:05 -06:00
|
|
|
:param string user_domain_id: User's domain ID for authentication.
|
|
|
|
|
(optional)
|
|
|
|
|
:param string user_domain_name: User's domain name for authentication.
|
|
|
|
|
(optional)
|
2012-09-11 11:20:16 -05:00
|
|
|
:param string password: Password for authentication. (optional)
|
|
|
|
|
:param string token: Token for authentication. (optional)
|
2013-02-13 22:52:05 -06:00
|
|
|
:param string domain_id: Domain ID for domain scoping. (optional)
|
|
|
|
|
:param string domain_name: Domain name for domain scoping. (optional)
|
|
|
|
|
:param string project_id: Project ID for project scoping. (optional)
|
|
|
|
|
:param string project_name: Project name for project scoping. (optional)
|
|
|
|
|
:param string project_domain_id: Project's domain ID for project
|
|
|
|
|
scoping. (optional)
|
|
|
|
|
:param string project_domain_name: Project's domain name for project
|
|
|
|
|
scoping. (optional)
|
|
|
|
|
:param string tenant_name: Tenant name. (optional)
|
|
|
|
|
The tenant_name keyword argument is deprecated,
|
|
|
|
|
use project_name instead.
|
|
|
|
|
:param string tenant_id: Tenant id. (optional)
|
|
|
|
|
The tenant_id keyword argument is deprecated,
|
|
|
|
|
use project_id instead.
|
|
|
|
|
:param string auth_url: Identity service endpoint for authorization.
|
2012-09-11 11:20:16 -05:00
|
|
|
:param string region_name: Name of a region to select when choosing an
|
|
|
|
|
endpoint from the service catalog.
|
2013-02-13 22:52:05 -06:00
|
|
|
:param string endpoint: A user-supplied endpoint URL for the identity
|
2012-09-11 11:20:16 -05:00
|
|
|
service. Lazy-authentication is possible for API
|
|
|
|
|
service calls if endpoint is set at
|
2013-02-13 22:52:05 -06:00
|
|
|
instantiation. (optional)
|
2012-09-11 11:20:16 -05:00
|
|
|
:param integer timeout: Allows customization of the timeout for client
|
|
|
|
|
http requests. (optional)
|
|
|
|
|
|
|
|
|
|
Example::
|
|
|
|
|
|
|
|
|
|
>>> from keystoneclient.v3 import client
|
2013-02-13 22:52:05 -06:00
|
|
|
>>> keystone = client.Client(user_domain_name=DOMAIN_NAME,
|
|
|
|
|
... username=USER,
|
2013-05-28 09:22:03 -05:00
|
|
|
... password=PASS,
|
2013-02-13 22:52:05 -06:00
|
|
|
... project_domain_name=PROJECT_DOMAIN_NAME,
|
|
|
|
|
... project_name=PROJECT_NAME,
|
2013-05-28 09:22:03 -05:00
|
|
|
... auth_url=KEYSTONE_URL)
|
|
|
|
|
...
|
2013-02-13 22:52:05 -06:00
|
|
|
>>> keystone.projects.list()
|
2012-09-11 11:20:16 -05:00
|
|
|
...
|
|
|
|
|
>>> user = keystone.users.get(USER_ID)
|
|
|
|
|
>>> user.delete()
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
2013-09-23 11:50:57 +10:00
|
|
|
version = 'v3'
|
|
|
|
|
|
2013-02-13 22:52:05 -06:00
|
|
|
def __init__(self, **kwargs):
|
2013-06-21 19:04:50 +02:00
|
|
|
"""Initialize a new client for the Keystone v3 API."""
|
2013-02-13 22:52:05 -06:00
|
|
|
super(Client, self).__init__(**kwargs)
|
2012-09-11 11:20:16 -05:00
|
|
|
|
2012-09-11 15:42:38 -05:00
|
|
|
self.credentials = credentials.CredentialManager(self)
|
2012-09-11 11:40:25 -05:00
|
|
|
self.endpoints = endpoints.EndpointManager(self)
|
2012-09-11 12:32:01 -05:00
|
|
|
self.domains = domains.DomainManager(self)
|
2014-03-26 17:44:08 +01:00
|
|
|
self.federation = federation.FederationManager(self)
|
2012-12-07 16:47:56 +00:00
|
|
|
self.groups = groups.GroupManager(self)
|
2012-09-11 11:44:05 -05:00
|
|
|
self.policies = policies.PolicyManager(self)
|
2012-09-11 15:38:22 -05:00
|
|
|
self.projects = projects.ProjectManager(self)
|
2012-09-11 15:34:56 -05:00
|
|
|
self.roles = roles.RoleManager(self)
|
2012-09-11 11:22:30 -05:00
|
|
|
self.services = services.ServiceManager(self)
|
2012-09-11 15:40:37 -05:00
|
|
|
self.users = users.UserManager(self)
|
2013-08-02 11:45:38 +01:00
|
|
|
self.trusts = trusts.TrustManager(self)
|
2012-09-11 11:22:30 -05:00
|
|
|
|
2014-01-21 11:40:28 +10:00
|
|
|
# DEPRECATED: if session is passed then we go to the new behaviour of
|
|
|
|
|
# authenticating on the first required call.
|
|
|
|
|
if 'session' not in kwargs and self.management_url is None:
|
2013-07-18 15:54:41 +10:00
|
|
|
self.authenticate()
|
|
|
|
|
|
2012-09-11 11:20:16 -05:00
|
|
|
def serialize(self, entity):
|
2013-08-16 11:45:44 +10:00
|
|
|
return jsonutils.dumps(entity, sort_keys=True)
|
2013-02-13 22:52:05 -06:00
|
|
|
|
2013-10-22 09:41:00 +10:00
|
|
|
def process_token(self, **kwargs):
|
2013-06-21 19:04:50 +02:00
|
|
|
"""Extract and process information from the new auth_ref.
|
2013-02-13 22:52:05 -06:00
|
|
|
|
|
|
|
|
And set the relevant authentication information.
|
|
|
|
|
"""
|
2013-10-22 09:41:00 +10:00
|
|
|
super(Client, self).process_token(**kwargs)
|
2013-02-13 22:52:05 -06:00
|
|
|
if self.auth_ref.domain_scoped:
|
|
|
|
|
if not self.auth_ref.domain_id:
|
|
|
|
|
raise exceptions.AuthorizationFailure(
|
|
|
|
|
"Token didn't provide domain_id")
|
2014-01-10 16:38:55 +10:00
|
|
|
self._process_management_url(kwargs.get('region_name'))
|
2013-02-13 22:52:05 -06:00
|
|
|
self.domain_name = self.auth_ref.domain_name
|
|
|
|
|
self.domain_id = self.auth_ref.domain_id
|
2014-02-24 01:47:21 +01:00
|
|
|
if self._management_url:
|
|
|
|
|
self._management_url = self._management_url.replace('/v2.0', '/v3')
|
2013-02-13 22:52:05 -06:00
|
|
|
|
|
|
|
|
def get_raw_token_from_identity_service(self, auth_url, user_id=None,
|
|
|
|
|
username=None,
|
|
|
|
|
user_domain_id=None,
|
|
|
|
|
user_domain_name=None,
|
|
|
|
|
password=None,
|
|
|
|
|
domain_id=None, domain_name=None,
|
|
|
|
|
project_id=None, project_name=None,
|
|
|
|
|
project_domain_id=None,
|
|
|
|
|
project_domain_name=None,
|
2013-08-02 11:45:38 +01:00
|
|
|
token=None,
|
|
|
|
|
trust_id=None,
|
|
|
|
|
**kwargs):
|
2013-06-21 19:04:50 +02:00
|
|
|
"""Authenticate against the v3 Identity API.
|
2013-02-13 22:52:05 -06:00
|
|
|
|
2014-01-21 11:40:28 +10:00
|
|
|
:returns: access.AccessInfo if authentication was successful.
|
2013-02-13 22:52:05 -06:00
|
|
|
:raises: AuthorizationFailure if unable to authenticate or validate
|
|
|
|
|
the existing authorization token
|
|
|
|
|
:raises: Unauthorized if authentication fails due to invalid token
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
try:
|
2014-01-21 11:40:28 +10:00
|
|
|
if auth_url is None:
|
|
|
|
|
raise ValueError("Cannot authenticate without an auth_url")
|
|
|
|
|
|
2014-03-03 18:48:35 +10:00
|
|
|
a = v3_auth.Auth._factory(auth_url,
|
|
|
|
|
username=username,
|
|
|
|
|
password=password,
|
|
|
|
|
token=token,
|
|
|
|
|
trust_id=trust_id,
|
|
|
|
|
user_id=user_id,
|
|
|
|
|
domain_id=domain_id,
|
|
|
|
|
domain_name=domain_name,
|
|
|
|
|
user_domain_id=user_domain_id,
|
|
|
|
|
user_domain_name=user_domain_name,
|
|
|
|
|
project_id=project_id,
|
|
|
|
|
project_name=project_name,
|
|
|
|
|
project_domain_id=project_domain_id,
|
|
|
|
|
project_domain_name=project_domain_name)
|
2014-01-21 11:40:28 +10:00
|
|
|
|
|
|
|
|
return a.get_auth_ref(self.session)
|
2013-02-13 22:52:05 -06:00
|
|
|
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
|
|
|
|
|
_logger.debug('Authorization failed.')
|
|
|
|
|
raise
|
2013-12-05 16:32:56 +10:00
|
|
|
except exceptions.EndpointNotFound:
|
|
|
|
|
msg = 'There was no suitable authentication url for this request'
|
|
|
|
|
raise exceptions.AuthorizationFailure(msg)
|
2013-02-13 22:52:05 -06:00
|
|
|
except Exception as e:
|
|
|
|
|
raise exceptions.AuthorizationFailure('Authorization failed: '
|
|
|
|
|
'%s' % e)
|
