openstack/python-keystoneclient
Code Issues Proposed changes
e39351ec65
python-keystoneclient/keystoneclient/client.py

203 lines
7.0 KiB
Python
Raw Normal View History

Initial commit.
2011-10-25 16:50:08 -07:00
# Copyright 2010 Jacob Kaplan-Moss
# Copyright 2011 OpenStack LLC.
# Copyright 2011 Piston Cloud Computing, Inc.
# Copyright 2011 Nebula, Inc.
# All Rights Reserved.
"""
OpenStack Client interface. Handles the REST calls and responses.
"""
import copy
import logging
import urlparse
import httplib2
try:
import json
except ImportError:
import simplejson as json
# Python 2.5 compat fix
if not hasattr(urlparse, 'parse_qsl'):
import cgi
urlparse.parse_qsl = cgi.parse_qsl
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
from keystoneclient import access
Initial commit.
2011-10-25 16:50:08 -07:00
from keystoneclient import exceptions
_logger = logging.getLogger(__name__)
class HTTPClient(httplib2.Http):
USER_AGENT = 'python-keystoneclient'
more work on standardization of cliauth
2011-12-17 22:36:59 -08:00
def __init__(self, username=None, tenant_id=None, tenant_name=None,
finish removing project_id
2011-12-19 10:00:39 -08:00
password=None, auth_url=None, region_name=None, timeout=None,
Support 2-way SSL with Keystone server if it is configured to enforce 2-way SSL. See also https://review.openstack.org/#/c/7706/ for the corresponding review for the 2-way SSL addition to Keystone. Change-Id: If0cb46a43d663687396d93604a7139d85a4e7114
2012-05-23 18:16:50 +00:00
endpoint=None, token=None, cacert=None, key=None,
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
cert=None, insecure=False, original_ip=None, debug=False,
auth_ref=None):
Support 2-way SSL with Keystone server if it is configured to enforce 2-way SSL. See also https://review.openstack.org/#/c/7706/ for the corresponding review for the 2-way SSL addition to Keystone. Change-Id: If0cb46a43d663687396d93604a7139d85a4e7114
2012-05-23 18:16:50 +00:00
super(HTTPClient, self).__init__(timeout=timeout, ca_certs=cacert)
if cert:
if key:
self.add_certificate(key=key, cert=cert, domain='')
else:
self.add_certificate(key=cert, cert=cert, domain='')
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.version = 'v2.0'
self.auth_ref = access.AccessInfo(**auth_ref) if auth_ref else None
if self.auth_ref:
self.username = self.auth_ref.username
self.tenant_id = self.auth_ref.tenant_id
self.tenant_name = self.auth_ref.tenant_name
self.auth_url = self.auth_ref.auth_url
self.management_url = self.auth_ref.management_url
self.auth_token = self.auth_ref.auth_token
#NOTE(heckj): allow override of the auth_ref defaults from explicit
# values provided to the client
more work on standardization of cliauth
2011-12-17 22:36:59 -08:00
self.username = username
initial pass to cliauth blueprint
2011-12-17 22:07:13 -08:00
self.tenant_id = tenant_id
self.tenant_name = tenant_name
Initial commit.
2011-10-25 16:50:08 -07:00
self.password = password
Blueprint cli-auth: common cli args Remove os_ from internal variable names corresponding to OS_ env variables. Strip trailing '/' from --auth_url since server doesn't seem to tolerate '//' in the URL path. Fixes lp923920 Change-Id: I3e48441d63b6504fd088aa07241f66d63590d935
2012-01-30 14:13:57 -06:00
self.auth_url = auth_url.rstrip('/') if auth_url else None
initial pass to cliauth blueprint
2011-12-17 22:07:13 -08:00
self.auth_token = token
add a new HTTPClient attr for setting the original IP The original IP is useful in cases where keystoneclient is used by a different openstack component and we need to know who made the original request. Otherwise it gets overwritten by e.g. Dashboard's host's IP. bug 1046837 Change-Id: Ic22c565e92010afd89c8573c375919215b70d73d
2012-09-13 15:45:40 +02:00
self.original_ip = original_ip
Initial commit.
2011-10-25 16:50:08 -07:00
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.management_url = endpoint.rstrip('/') if endpoint else None
self.region_name = region_name
Initial commit.
2011-10-25 16:50:08 -07:00
# httplib2 overrides
self.force_exception_to_status_code = True
Add '--insecure' commandline argument Allows to ignore validation errors that typically occur with self-signed SSL certificates. Making this explicit is important as one would typically only use this in development or in-house deployments. This should also fix bug 1012591. Change-Id: I1210fafc9257648c902176fbcfae9d47e47fc557
2012-07-09 17:07:41 +02:00
self.disable_ssl_certificate_validation = insecure
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
# logging setup
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
self.debug_log = debug
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
if self.debug_log:
ch = logging.StreamHandler()
_logger.setLevel(logging.DEBUG)
_logger.addHandler(ch)
Initial commit.
2011-10-25 16:50:08 -07:00
def authenticate(self):
Replace refs to 'Keystone API' with 'Identity API' Formally, OpenStack Keystone implements the OpenStack Identity API, and this is a client to the API, not to Keystone itself. Change-Id: If568866221a29ba041f0f2cd56dc81deeb9ebc00
2012-10-24 07:12:30 -05:00
""" Authenticate against the Identity API.
Initial commit.
2011-10-25 16:50:08 -07:00
Not implemented here because auth protocols should be API
version-specific.
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
Expected to authenticate or validate an existing authentication
reference already associated with the client. Invoking this call
*always* makes a call to the Keystone.
Initial commit.
2011-10-25 16:50:08 -07:00
"""
raise NotImplementedError
def _extract_service_catalog(self, url, body):
""" Set the client's service catalog from the response data.
Not implemented here because data returned may be API
version-specific.
"""
raise NotImplementedError
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
def http_log_req(self, args, kwargs):
if not self.debug_log:
Initial commit.
2011-10-25 16:50:08 -07:00
return
string_parts = ['curl -i']
for element in args:
if element in ('GET', 'POST'):
string_parts.append(' -X %s' % element)
else:
string_parts.append(' %s' % element)
for element in kwargs['headers']:
header = ' -H "%s: %s"' % (element, kwargs['headers'][element])
string_parts.append(header)
_logger.debug("REQ: %s\n" % "".join(string_parts))
if 'body' in kwargs:
_logger.debug("REQ BODY: %s\n" % (kwargs['body']))
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
def http_log_resp(self, resp, body):
if self.debug_log:
_logger.debug("RESP: %s\nRESP BODY: %s\n", resp, body)
Initial commit.
2011-10-25 16:50:08 -07:00
Allow serialization impl to be overridden Change-Id: I0f955c78897d4212f06942e59a7018dbe5d28540
2012-09-11 11:10:40 -05:00
def serialize(self, entity):
return json.dumps(entity)
Initial commit.
2011-10-25 16:50:08 -07:00
def request(self, url, method, **kwargs):
""" Send an http request with the specified characteristics.
Wrapper around httplib2.Http.request to handle tasks such as
setting headers, JSON encoding/decoding, and error handling.
"""
# Copy the kwargs so we can reuse the original in case of redirects
request_kwargs = copy.copy(kwargs)
request_kwargs.setdefault('headers', kwargs.get('headers', {}))
request_kwargs['headers']['User-Agent'] = self.USER_AGENT
add a new HTTPClient attr for setting the original IP The original IP is useful in cases where keystoneclient is used by a different openstack component and we need to know who made the original request. Otherwise it gets overwritten by e.g. Dashboard's host's IP. bug 1046837 Change-Id: Ic22c565e92010afd89c8573c375919215b70d73d
2012-09-13 15:45:40 +02:00
if self.original_ip:
request_kwargs['headers']['Forwarded'] = "for=%s;by=%s" % (
self.original_ip, self.USER_AGENT)
Initial commit.
2011-10-25 16:50:08 -07:00
if 'body' in kwargs:
request_kwargs['headers']['Content-Type'] = 'application/json'
Allow serialization impl to be overridden Change-Id: I0f955c78897d4212f06942e59a7018dbe5d28540
2012-09-11 11:10:40 -05:00
request_kwargs['body'] = self.serialize(kwargs['body'])
Initial commit.
2011-10-25 16:50:08 -07:00
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
self.http_log_req((url, method,), request_kwargs)
more pep8 cleanup
2011-11-10 17:23:48 -08:00
resp, body = super(HTTPClient, self).request(url,
method,
**request_kwargs)
splitting http req and resp logging also some pep8 cleanup in shell.py Change-Id: I71aa2586a0196c0a6ba64b892b56c9d221bdcc1d
2012-08-16 18:18:22 -07:00
self.http_log_resp(resp, body)
Initial commit.
2011-10-25 16:50:08 -07:00
Ensure JSON isn't read on no HTTP response body This patch moves the json.loads(body) call in the HTTP response handling to after the check for non- 200-300 return codes. This gets rid of the ValueError exception raise when you hit, for instance, a 400 or 404. Also changes a number of logger.exception() calls to logger.debug() calls, since some exceptions are expected and should not be logged as exceptions per-se. fixes LP bug#1067512 Change-Id: If66fb1846ddc19da5bc2f15c6e0dd09019a56932
2012-10-17 14:52:48 -04:00
if resp.status in (400, 401, 403, 404, 408, 409, 413, 500, 501):
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
_logger.debug("Request returned failure status: %s", resp.status)
Ensure JSON isn't read on no HTTP response body This patch moves the json.loads(body) call in the HTTP response handling to after the check for non- 200-300 return codes. This gets rid of the ValueError exception raise when you hit, for instance, a 400 or 404. Also changes a number of logger.exception() calls to logger.debug() calls, since some exceptions are expected and should not be logged as exceptions per-se. fixes LP bug#1067512 Change-Id: If66fb1846ddc19da5bc2f15c6e0dd09019a56932
2012-10-17 14:52:48 -04:00
raise exceptions.from_response(resp, body)
elif resp.status in (301, 302, 305):
# Redirected. Reissue the request to the new location.
return self.request(resp['location'], method, **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
if body:
try:
body = json.loads(body)
Removed unused imports and variables. Also fixes AUTHORS file. Previous version was copied directly from python-novaclient. Change-Id: I33654b6fe7197efbff300ebaf4892a8b53d85c54
2012-04-05 17:25:37 -05:00
except ValueError:
Initial commit.
2011-10-25 16:50:08 -07:00
_logger.debug("Could not decode JSON from body: %s" % body)
else:
_logger.debug("No body was returned.")
body = None
return resp, body
def _cs_request(self, url, method, **kwargs):
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
""" Makes an authenticated request to keystone endpoint by
concatenating self.management_url and url and passing in method and
any associated kwargs. """
Initial commit.
2011-10-25 16:50:08 -07:00
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
if self.management_url is None:
raise exceptions.AuthorizationFailure(
'Current authorization does not have a known management url')
Initial commit.
2011-10-25 16:50:08 -07:00
kwargs.setdefault('headers', {})
Allow --token and --endpoint to bypass catalog * allows skipping of service catalog * removes odd logic about password equivalence * also removes extra call to authenticate Change-Id: I5c0979107da99593b4ce8eb16c9695ba530da095
2012-02-09 01:44:11 +00:00
if self.auth_token:
Initial commit.
2011-10-25 16:50:08 -07:00
kwargs['headers']['X-Auth-Token'] = self.auth_token
removing repeat attempt at authorization in client blueprint solidify-python-api * extended and updated documentation strings * updated README.rst with latest options * made debug a pass-through value, optionally set on client (instead of just being pulled from environment variable) * adding AccessInfo object and associated tests (access.AccessInfo meant to be a cacheable object external to client and ultimately to replace service_catalog and it's existing functionality) * extending authtoken to support lists of endpoints * maintaining a single entity for client.management_url with first from list of possible endpoints * create project_name and project_id synonyms to match tenant_name and tenant_id * replacing authenticate call to a pure method, not overloading the resource/manager path that confuses base URL concepts. * throw AuthorizationFailure if client attempts to access keystone resources before it has a management url * special case listing tenant using auth_url for unscoped tokens authorized through client * special case listing tokens.authenticate for Dashboard to allow unscoped tokens to hand back parity information to dashboard Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-10-13 00:15:39 +00:00
resp, body = self.request(self.management_url + url, method,
**kwargs)
return resp, body
Initial commit.
2011-10-25 16:50:08 -07:00
def get(self, url, **kwargs):
return self._cs_request(url, 'GET', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def head(self, url, **kwargs):
return self._cs_request(url, 'HEAD', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def post(self, url, **kwargs):
return self._cs_request(url, 'POST', **kwargs)
def put(self, url, **kwargs):
return self._cs_request(url, 'PUT', **kwargs)
Add support for HEAD and PATCH Change-Id: Ic874c49b791e9d2cb3d44b15511cbb467a551589
2012-09-11 11:06:54 -05:00
def patch(self, url, **kwargs):
return self._cs_request(url, 'PATCH', **kwargs)
Initial commit.
2011-10-25 16:50:08 -07:00
def delete(self, url, **kwargs):
return self._cs_request(url, 'DELETE', **kwargs)
Copy Permalink