The fake session object is to prevent a cyclical dependency between
HTTPClient and the session from leaving hanging session objects around.
This is still necessary if you construct a client the old way however if
you are using the session properly then there is no cyclical dependency
and so we shouldn't prevent people using the connection pooling
advantages of the session.
Related-Bug: #1282089
Change-Id: Ifca2c7ddd95a81af01ee43246ecc8e74abf95602
There are certain requests that will always want to be sent to the
auth_url.
Add a new interface type to the get_endpoint command of the base
identity plugin such that if you ask for the 'auth' interface it will
give you the auth_url.
Implements: blueprint session-auth-endpoint
Change-Id: If653970354b919fdd6e80c061611c3aad129c574
keyring is conditionally imported if available on your platform,
however not all versions of keyring actually work. Specifically
we have global-requirements of >=2.1,!=3.3, so we know those are
the only versions we believe work.
If you are on an older platform, using system installed
python-keyring, python-keystoneclient won't install a new version,
because it's optional, but then will use a terriblely old verison,
which explodes with dbus errors.
The fix is to be more explicit on import.
Change-Id: I040f7b2311d7d5a450b8b12642752ac519b206fa
Closes-Bug: #1242992
If you pass a version number to the endpoint_filter then an identity
plugin will make a request to the URL in the service catalog and find an
appropriate URL for the requested version.
It caches the response to each of the discovery queries so that it
should only query once per URL.
This will only work for applications that create session objects
directly as the legacy model does not use the get_endpoint features of
an identity plugin.
This change showed an inconsistency in the docstrings between discovery
and the usage of discovery so the docstring was fixed.
Blueprint: endpoint-version-query
Change-Id: I277f2f6ad6c8cd44f1a9c06cf07d62bc8f8b383b
Fixed most of the errors reported back from hacking 0.9.2.
Specifically:
- E128 continuation line under-indented for visual indent
- E251 unexpected spaces around keyword / parameter equals
- E265 block comment should start with '# '
- H305 imports not grouped correctly
- H307 like imports should be grouped together
- H402 one line docstring needs punctuation
- H904 Wrap long lines in parentheses instead of a backslash
But opted to ignore the following for now:
- E122: continuation line missing indentation or outdented
- H405: multi line docstring summary not separated with an empty line
Change-Id: Ib8e698d85fd598fa91435538657361a1f695ce89
There are files containing string format arguments inside
logging messages. Using logging function parameters should
be preferred.
Change-Id: Ibd9def4cf111d5dcf15dff64f85a723214a3c14e
Closes-Bug: #1320930
In the future clients will simply pass the service they expect to talk
to and the path. This will prevent every service trying to get their own
base urls from the service catalog individually.
This can later be extended to have the auth plugin actually contact the
URL from the service catalog which will let us have unversioned
endpoints in the catalog handled from a single location.
Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5
blueprint: auth-plugin-endpoints
Apply the positional decorator to functions. It has been added as I
think best practice would dictate, though in some places it has been
added in a way that doesn't break existing tests.
Closes-Bug: #1295881
Change-Id: I4f7ddbede4cba4ab79d144ad1f9dc83ea76f204a
We don't need vim modelines in each source file, it can be set in
user's vimrc.
Change-Id: Ic7a61430a0a320ce6b0c4518d9f5d988e35f8aae
Closes-Bug: #1229324
Provides the framework for creating authentication plugins and using
them from a session object.
To allow this system to co-exist with the original client there is a bit
of a hack. The client object itself is now also an authentication
plugin, that supports the original client pattern. If a client is
created without a session object then that session object uses the
client as it's authentication plugin.
Change-Id: I682c8dcd3705148aaa804a91f4ed48a5b74bdc12
blueprint: auth-plugins
Session.construct will create a session based upon the kwargs that used
to be passed to a client __init__ function. This will allow clients an
easy path to providing compatibility with deprecated arguments.
Make use of the function throughout discovery. Discovery was initially
released prior to the session object being completed and was therefore
handled with the same arguments as a client. Instead we should use a
session object so use the conversion function to convert those kwargs
into a session object if one is not provided.
Change-Id: I8dc1e0810ea6ebc6ea648ec37d7881825c566676
When deprecating the use of management_url from service_catalog we
updated the management_url setter for the project scoped token, however
we missed the domain scoped token case.
There is actually nothing we can do here to test this scenario as the
backwards compatibility code that was installed handles this for us and
there is no problem, however we should not be internally relying on
deprecated code.
Change-Id: I59bac4d9d74f2eb8bc6edd40518c7cd5a4fe1343
This patch adjust import items and add missing blank lines acording
to http://docs.openstack.org/developer/hacking/#imports
{{stdlib imports in human alphabetical order}}
\n
{{third-party lib imports in human alphabetical order}}
\n
{{project imports in human alphabetical order}}
\n
\n
{{begin your code}}
hacking project also enforce some checks for import group.
Let make the change in keytoneclient
Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02
Previously the client assumed that if a user passed a token then this
token should be used for everything. This assumption is correct for the
endpoint/token case but not in the auth_url/token case where you will
want to fetch a new token. This is needed in the case where you want to
use an existing token to fetch a token that is re-scoped or activate a
trust.
There are still problems such as if you use auth_url/token
authentication then when the token expires it will try to refresh it,
but authenticating with a token will not extend the token expiry.
Closes-Bug: #1257541
Change-Id: I1c35600ca5437da44071dcea5361bfb42f6b72a3
Particularly 305 is expected to be handled by the tests so we need to
handle this centrally if we want to have session and non-session clients
to work the same way.
Change-Id: Id4ec35ddd8b8304d24df9e6cd2ab995d123ef125
I think debug handling was initially done this way for CLI handling
where we wanted to make sure only the correct information was printed to
the console. However as logging.basicConfig sets up a stream handler on
the root logging object I can't see any purpose to the debug handling in
the actual HTTPClient. Further than this it is completely wrong that a
client library is messing with it's logging level, this should be handled
by an application.
The debug flag is maintained and deprecated in HTTPClient and removed
from the session object. There has been no release since the addition of
session so there is no problem with compatibility.
Change-Id: Ib00f3d93d099ed1a9dd25f17121610a7289f0061
Region name is taken as a parameter but is ignored in all communication
with the service catalog. Currently region can be stored in the token
data and then requests to url functions will return the appropriate
region. This is the wrong approach because there is nothing specific to
the token (or auth_data) that is region specific. Instead region
information should be held by the client.
Closes-Bug: 1147530
Closes-Bug: 1255992
Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
A wrapper around a number of connection variables. This will be extended
later with principals such as Kerberos authentication and http sessions.
The intent is that this session object will become the basis for all
other client library communications in OpenStack (as keystone wants to
control things like authentication for everybody).
Change-Id: I8ee728c49d554659d7057ebf17d0f8ceea4d7d8e
Part of: blueprint auth-plugins
management_url was originally set once and never changed so that when
specifying an endpoint it wasn't later overridden by the service
catalog. This behaviour would prevent the management_url from being
updated when the client was reauthenticated.
Change-Id: I2fa41e2ae1b853bbb254698cf94b9314eb0f0903
Closes-bug: 1252927
Use six to make it work. While we're not yet able to gate
keystoneclient on py33, we still need keystoneclient to work when
keystoneclient is included in other libraries' test suites. This was
discovered while working on python3 for python-tuskarclient.
Note that together with I65c28896d1551fd537dd7774e87bc479a477a7ab
keystoneclient can be used safely in python-tuskarclient's py33 tests.
Closes-bug: #1239802
Change-Id: Ie6d31dc5fae7e63bb31a5192fa6765fe35dd026a
Copy and pasting the generated curl output into a shell doesn't
work when the URL includes an ampersand, as the URL isn't quoted.
Closes-Bug: #1249891
Change-Id: Ic3d7682a2c034e89c3367c858ea33510f8cbc7d4
Rather than output the request body as a separate line, make it part of
the example curl command using the -d option.
Partial-Bug: #1249891
Change-Id: Ie3fe4535f554333c67244a13c5698c025f000e7e
When the --insecure option is given, the curl command did not have
certificate verification turned off.
Partial-Bug: #1249891
Change-Id: Ia4f21d03f060bac0db51a79b89b0246b2ee3d041
Some files still use trademark OpenStack LLC in header, which
should be changed to OpenStack Foundation.
NOTE: tools/install_venv.py is not touched, should sync with oslo
Change-Id: I01d4f6b64cf1a152c4e190407799ce7d53de845f
Fixes-Bug: #1214176
Use six.iteritems to replace dictionary.iteritems() on python2 or
dictionary.items() on python3.
Change-Id: I972f065414e22d287bd7e00ab2c6e754f17afb75
Signed-off-by: Chuck Short <chuck.short@canonical.com>
For most things there is very little difference, but as we have a
jsonutils module we should probably be using it.
Change-Id: I406ea81bb56ad90cc9ff9b8b58b0d35b694dc802
Implements client support for the basic trusts API operations,
note this does not include support for the roles subpath operations,
support for those can be added in a subsequent patch.
Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece
blueprint: delegation-impersonation-support
The new apiclient.exceptions hierarchy is more comprehensive
and it covers almost all HTTP error status codes. These
exceptions can be used in novaclient, keystoneclient,
glanceclient, and other client projects thus providing a
single inteface.
Users can have benefit from OpenStack clients raising exceptions
of known classes while now every client has its own classes making
difficult to catch, e.g., NotFound for every client.
Change-Id: Ia7b25880e0ffca3526525a0f0e77c7e77c4f0076
Create a function out of the standard request call that handles common
headers like user agent and logging.
This makes future changes easier to digest.
Change-Id: Ia25f997df64efdce27c8fb815e544922940145c3
The discoverable entry point is to be client.Client however adding this
functionality to the current client.py is impossible as we end up with
circular dependencies.
This patch simply renames the current client.py to httpclient.py to make
future patches that will modify client.py more readable.
Required for: blueprint api-version-discovery
Change-Id: Ibcea03f6e1df0ae05329297166a8b8117fc3ce7b
