openstack/python-mistralclient
Code Issues Proposed changes

Merge "Add KeyCloak OpenID Connect authentication"

Browse Source
This commit is contained in:
Jenkins
2016-07-14 13:33:23 +00:00
committed by Gerrit Code Review
parent 63ad284124 f7c04df5ec
commit d2f9938c60
7 changed files with 325 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
mistralclient/api/client.py
View File

@@ -15,13 +15,15 @@
import six
from mistralclient.api.v2 import client as client_v2
from mistralclient.auth import auth_types
def client(mistral_url=None, username=None, api_key=None,
project_name=None, auth_url=None, project_id=None,
endpoint_type='publicURL', service_type='workflow',
auth_token=None, user_id=None, cacert=None, insecure=False,
profile=None):
profile=None, auth_type=auth_types.KEYSTONE, client_id=None,
client_secret=None):
if mistral_url and not isinstance(mistral_url, six.string_types):
raise RuntimeError('Mistral url should be a string.')
@@ -39,7 +41,10 @@ def client(mistral_url=None, username=None, api_key=None,
user_id=user_id,
cacert=cacert,
insecure=insecure,
profile=profile
profile=profile,
auth_type=auth_type,
client_id=client_id,
client_secret=client_secret
)

115
mistralclient/api/v2/client.py
View File

@@ -28,6 +28,12 @@ from mistralclient.api.v2 import services
from mistralclient.api.v2 import tasks
from mistralclient.api.v2 import workbooks
from mistralclient.api.v2 import workflows
from mistralclient.auth import auth_types
from mistralclient.auth import keycloak
from mistralclient.auth import keystone
_DEFAULT_MISTRAL_URL = "http://localhost:8989/v2"
class Client(object):
@@ -35,31 +41,57 @@ class Client(object):
project_name=None, auth_url=None, project_id=None,
endpoint_type='publicURL', service_type='workflowv2',
auth_token=None, user_id=None, cacert=None, insecure=False,
profile=None):
profile=None, auth_type=auth_types.KEYSTONE, client_id=None,
client_secret=None):
if mistral_url and not isinstance(mistral_url, six.string_types):
raise RuntimeError('Mistral url should be string')
raise RuntimeError('Mistral url should be a string.')
if auth_url:
(mistral_url, auth_token, project_id, user_id) = (
self.authenticate(
mistral_url,
if auth_type == auth_types.KEYSTONE:
(mistral_url, auth_token, project_id, user_id) = (
keystone.authenticate(
mistral_url,
username,
api_key,
project_name,
auth_url,
project_id,
endpoint_type,
service_type,
auth_token,
user_id,
cacert,
insecure
)
)
elif auth_type == auth_types.KEYCLOAK_OIDC:
auth_token = keycloak.authenticate(
auth_url,
client_id,
client_secret,
project_name,
username,
api_key,
project_name,
auth_url,
project_id,
endpoint_type,
service_type,
auth_token,
user_id,
cacert,
insecure
)
)
# In case of KeyCloak OpenID Connect we can treat project
# name and id in the same way because KeyCloak realm is
# essentially a different OpenID Connect Issuer which in
# KeyCloak is represented just as a URL path component
# (see http://openid.net/specs/openid-connect-core-1_0.html).
project_id = project_name
else:
raise RuntimeError(
'Invalid authentication type [value=%s, valid_values=%s]'
% (auth_type, auth_types.ALL)
)
if not mistral_url:
mistral_url = "http://localhost:8989/v2"
mistral_url = _DEFAULT_MISTRAL_URL
if profile:
osprofiler.profiler.init(profile)
@@ -84,60 +116,3 @@ class Client(object):
self.action_executions = action_executions.ActionExecutionManager(self)
self.services = services.ServiceManager(self)
self.members = members.MemberManager(self)
def authenticate(self, mistral_url=None, username=None, api_key=None,
project_name=None, auth_url=None, project_id=None,
endpoint_type='publicURL', service_type='workflowv2',
auth_token=None, user_id=None, cacert=None,
insecure=False):
if project_name and project_id:
raise RuntimeError(
'Only project name or project id should be set'
)
if username and user_id:
raise RuntimeError(
'Only user name or user id should be set'
)
keystone_client = _get_keystone_client(auth_url)
keystone = keystone_client.Client(
username=username,
user_id=user_id,
password=api_key,
token=auth_token,
tenant_id=project_id,
tenant_name=project_name,
auth_url=auth_url,
endpoint=auth_url,
cacert=cacert,
insecure=insecure
)
keystone.authenticate()
token = keystone.auth_token
user_id = keystone.user_id
project_id = keystone.project_id
if not mistral_url:
catalog = keystone.service_catalog.get_endpoints(
service_type=service_type,
endpoint_type=endpoint_type
)
if service_type in catalog:
service = catalog.get(service_type)
mistral_url = service[0].get(
endpoint_type) if service else None
return mistral_url, token, project_id, user_id
def _get_keystone_client(auth_url):
if "v2.0" in auth_url:
from keystoneclient.v2_0 import client
else:
from keystoneclient.v3 import client
return client

0
mistralclient/auth/__init__.py Normal file
View File

26
mistralclient/auth/auth_types.py Normal file
View File

@@ -0,0 +1,26 @@
# Copyright 2016 - Nokia Networks
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Valid authentication types.
# Standard Keystone authentication.
KEYSTONE = 'keystone'
# Authentication using OpenID Connect protocol but specific to KeyCloak
# server regarding multi-tenancy support. KeyCloak has a notion of realm
# used as an analog of Keystone project/tenant.
KEYCLOAK_OIDC = 'keycloak-oidc'
ALL = [KEYSTONE, KEYCLOAK_OIDC]

141
mistralclient/auth/keycloak.py Normal file
View File

@@ -0,0 +1,141 @@
# Copyright 2016 - Nokia Networks
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import pprint
import requests
LOG = logging.getLogger(__name__)
def authenticate(auth_url, client_id, client_secret, realm_name,
username=None, password=None, access_token=None,
cacert=None, insecure=False):
"""Performs authentication using Keycloak OpenID Protocol.
:param auth_url: Base authentication url of KeyCloak server (e.g.
"https://my.keycloak:8443/auth"
:param client_id: Client ID (according to OpenID Connect protocol).
:param client_secret: Client secret (according to OpenID Connect protocol).
:param realm_name: KeyCloak realm name.
:param username: User name (Optional, if None then access_token must be
provided).
:param password: Password (Optional).
:param access_token: Access token. If passed, username and password are
not used and this method just validates the token and refreshes it,
if needed. (Optional, if None then username must be provided)
:param cacert: SSL certificate file (Optional).
:param insecure: If True, SSL certificate is not verified (Optional).
"""
if not auth_url:
raise ValueError('Base authentication url is not provided.')
if not client_id:
raise ValueError('Client ID is not provided.')
if not client_secret:
raise ValueError('Client secret is not provided.')
if not realm_name:
raise ValueError('Project(realm) name is not provided.')
if username and access_token:
raise ValueError(
"User name and access token can't be provided at the same time."
)
if access_token:
return _authenticate_with_token(
auth_url,
client_id,
client_secret,
access_token,
cacert,
insecure
)
if not username:
raise ValueError('Either user name or access token must be provided.')
return _authenticate_with_password(
auth_url,
client_id,
client_secret,
realm_name,
username,
password,
cacert,
insecure
)
def _authenticate_with_token(auth_url, client_id, client_secret, auth_token,
cacert=None, insecure=None):
# TODO(rakhmerov): Implement.
raise NotImplementedError
def _authenticate_with_password(auth_url, client_id, client_secret,
realm_name, username, password,
cacert=None, insecure=None):
access_token_endpoint = (
"%s/realms/%s/protocol/openid-connect/token" % (auth_url, realm_name)
)
client_auth = (client_id, client_secret)
body = {
'grant_type': 'password',
'username': username,
'password': password,
'scope': 'profile'
}
resp = requests.post(
access_token_endpoint,
auth=client_auth,
data=body,
verify=not insecure
)
try:
resp.raise_for_status()
except Exception as e:
raise Exception("Failed to get access token:\n %s" % str(e))
LOG.debug(
"HTTP response from OIDC provider: %s" % pprint.pformat(resp.json())
)
return resp.json()['access_token']
# An example of using KeyCloak OpenID authentication.
if __name__ == '__main__':
print("Using username/password to get access token from KeyCloak...")
a_token = authenticate(
"https://my.keycloak:8443/auth",
client_id="mistral_client",
client_secret="4a080907-921b-409a-b793-c431609c3a47",
realm_name="mistral",
username="user",
password="secret",
insecure=True
)
print("Access token: %s" % a_token)

73
mistralclient/auth/keystone.py Normal file
View File

@@ -0,0 +1,73 @@
# Copyright 2016 - Nokia Networks
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def authenticate(mistral_url=None, username=None,
api_key=None, project_name=None, auth_url=None,
project_id=None, endpoint_type='publicURL',
service_type='workflowv2', auth_token=None, user_id=None,
cacert=None, insecure=False):
if project_name and project_id:
raise RuntimeError(
'Only project name or project id should be set'
)
if username and user_id:
raise RuntimeError(
'Only user name or user id should be set'
)
keystone_client = _get_keystone_client(auth_url)
keystone = keystone_client.Client(
username=username,
user_id=user_id,
password=api_key,
token=auth_token,
tenant_id=project_id,
tenant_name=project_name,
auth_url=auth_url,
endpoint=auth_url,
cacert=cacert,
insecure=insecure
)
keystone.authenticate()
token = keystone.auth_token
user_id = keystone.user_id
project_id = keystone.project_id
if not mistral_url:
catalog = keystone.service_catalog.get_endpoints(
service_type=service_type,
endpoint_type=endpoint_type
)
if service_type in catalog:
service = catalog.get(service_type)
mistral_url = service[0].get(
endpoint_type) if service else None
return mistral_url, token, project_id, user_id
def _get_keystone_client(auth_url):
if "v2.0" in auth_url:
from keystoneclient.v2_0 import client
else:
from keystoneclient.v3 import client
return client

35
mistralclient/shell.py
View File

@@ -20,6 +20,7 @@ import logging
import sys
from mistralclient.api import client
from mistralclient.auth import auth_types
import mistralclient.commands.v2.action_executions
import mistralclient.commands.v2.actions
import mistralclient.commands.v2.cron_triggers
@@ -297,6 +298,33 @@ class MistralShell(app.App):
'(Env: MISTRALCLIENT_INSECURE)'
)
parser.add_argument(
'--auth-type',
action='store',
dest='auth_type',
default=c.env('MISTRAL_AUTH_TYPE', default=auth_types.KEYSTONE),
help='Authentication type. Valid options are: %s.'
' (Env: MISTRAL_AUTH_TYPE)' % auth_types.ALL
)
parser.add_argument(
'--openid-client-id',
action='store',
dest='client_id',
default=c.env('OPENID_CLIENT_ID'),
help='Client ID (according to OpenID Connect).'
' (Env: OPENID_CLIENT_ID)'
)
parser.add_argument(
'--openid-client-secret',
action='store',
dest='client_secret',
default=c.env('OPENID_CLIENT_SECRET'),
help='Client secret (according to OpenID Connect)'
' (Env: OPENID_CLIENT_SECRET)'
)
parser.add_argument(
'--profile',
dest='profile',
@@ -344,11 +372,14 @@ class MistralShell(app.App):
auth_token=self.options.token,
cacert=self.options.cacert,
insecure=self.options.insecure,
profile=self.options.profile
profile=self.options.profile,
auth_type=self.options.auth_type,
client_id=self.options.client_id,
client_secret=self.options.client_secret,
)
# Adding client_manager variable to make mistral client work with
# unified openstack client.
# unified OpenStack client.
ClientManager = type(
'ClientManager',
(object,),