
Abstract authentication function so plugins for other authentication backends can be implemented in cases where keystone is not used. Currently, mistral is hard coded to support keystone and keycloak. Change-Id: If6ff35e91c3d35c2741332c7e739bb92b1234c54 Implements: blueprint mistral-abstract-auth
# Copyright 2016 - Nokia Networks
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from mistralclient import auth
def _get_keystone_client(auth_url):
    """Return the keystoneclient ``client`` module matching ``auth_url``.

    The API version is chosen by a plain substring test: a URL that
    contains ``'v2.0'`` anywhere selects the Identity v2.0 client, any
    other URL selects the v3 client. The imports are deferred into the
    branches, so only the selected client module is imported.

    :param auth_url: Keystone endpoint URL (must be a string; callers in
        this module only pass truthy values).
    :returns: the imported ``client`` module, not a client instance.
    """
    if 'v2.0' not in auth_url:
        from keystoneclient.v3 import client as selected
        return selected

    from keystoneclient.v2_0 import client as selected
    return selected
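class KeystoneAuthHandler(auth.AuthHandler):
    """Auth handler that obtains tokens from Keystone."""

    def authenticate(self, req):
        """Performs authentication via Keystone.

        :param req: Request dict containing list of parameters required
            for Keystone authentication. Keys prefixed with ``target_``
            describe a second Keystone that is authenticated against
            separately when ``target_auth_url`` is set.
        :returns: dict with the keys ``mistral_url``, ``token``,
            ``project_id``, ``user_id``, ``target_auth_token`` and
            ``target_auth_url``. The token values are bearer credentials
            and should be handled as secrets by the caller.
        :raises TypeError: if ``req`` is not a dict.
        :raises RuntimeError: if both a name and an id are supplied for
            the project, or for the user.
        """
        if not isinstance(req, dict):
            raise TypeError('The input "req" is not typeof dict.')

        auth_url = req.get('auth_url')
        mistral_url = req.get('mistral_url')
        endpoint_type = req.get('endpoint_type', 'publicURL')
        service_type = req.get('service_type', 'workflow2')
        username = req.get('username')
        user_id = req.get('user_id')
        api_key = req.get('api_key')
        auth_token = req.get('auth_token')
        project_name = req.get('project_name')
        project_id = req.get('project_id')
        cacert = req.get('cacert')
        # NOTE(review): 'insecure' is handed straight to the Keystone
        # client, where it switches off TLS certificate verification; the
        # password/token is then sent to a peer that was never verified.
        # A private CA is better served by 'cacert'.
        insecure = req.get('insecure', False)
        target_username = req.get('target_username')
        target_api_key = req.get('target_api_key')
        target_project_name = req.get('target_project_name')
        target_auth_url = req.get('target_auth_url')
        target_project_id = req.get('target_project_id')
        target_auth_token = req.get('target_auth_token')
        target_user_id = req.get('target_user_id')
        target_cacert = req.get('target_cacert')
        # No default here (None), unlike 'insecure' above; presumably the
        # client treats None like False - confirm against keystoneclient.
        target_insecure = req.get('target_insecure')

        if project_name and project_id:
            raise RuntimeError(
                'Only project name or project id should be set'
            )

        if username and user_id:
            raise RuntimeError(
                'Only user name or user id should be set'
            )

        # Stays None when no auth_url is given, so the catalog lookup
        # below can test for it instead of relying on a swallowed
        # NameError.
        keystone = None

        if auth_url:
            keystone_client = _get_keystone_client(auth_url)

            keystone = keystone_client.Client(
                username=username,
                user_id=user_id,
                password=api_key,
                token=auth_token,
                tenant_id=project_id,
                tenant_name=project_name,
                auth_url=auth_url,
                endpoint=auth_url,
                cacert=cacert,
                insecure=insecure
            )

            keystone.authenticate()
            auth_token = keystone.auth_token
            user_id = keystone.user_id
            project_id = keystone.project_id

        if target_auth_url:
            target_keystone_client = _get_keystone_client(target_auth_url)

            target_keystone = target_keystone_client.Client(
                username=target_username,
                user_id=target_user_id,
                password=target_api_key,
                token=target_auth_token,
                tenant_id=target_project_id,
                tenant_name=target_project_name,
                auth_url=target_auth_url,
                endpoint=target_auth_url,
                cacert=target_cacert,
                insecure=target_insecure
            )

            target_keystone.authenticate()
            # Keep what the target Keystone issued, mirroring the primary
            # branch above. Without this a name/password login against
            # the target returned only the caller-supplied (possibly
            # empty) token and ids.
            target_auth_token = target_keystone.auth_token
            target_project_id = target_keystone.project_id
            target_user_id = target_keystone.user_id

        if not mistral_url:
            mistral_url = None

            if keystone is not None:
                try:
                    mistral_url = keystone.service_catalog.url_for(
                        service_type=service_type,
                        endpoint_type=endpoint_type
                    )
                except Exception:
                    # Deliberate best effort: a failed catalog lookup
                    # leaves the URL unset rather than failing the whole
                    # authentication.
                    mistral_url = None

        return {
            'mistral_url': mistral_url,
            'token': auth_token,
            'project_id': target_project_id if target_auth_url else project_id,
            'user_id': target_user_id if target_auth_url else user_id,
            'target_auth_token': target_auth_token,
            'target_auth_url': target_auth_url
        }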