openstack/python-novaclient
Code Issues Proposed changes
aa30c13fc5
python-novaclient/novaclient/client.py

766 lines
29 KiB
Python
Raw Normal View History

Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
# Copyright 2010 Jacob Kaplan-Moss
Fix Copyright Headers from LLC to Foundation follow the lead from nova and oslo projects Change-Id: I270c5f1e4eefa4b72e292bfb4a4c60de0c3f6e4a
2013-03-13 18:09:17 -04:00
# Copyright 2011 OpenStack Foundation
Fixes copyright notice and adds script to gen AUTHORS
2011-08-08 13:41:29 -07:00
# Copyright 2011 Piston Cloud Computing, Inc.
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
new service catalog implementation.
2011-09-26 12:28:43 -07:00
# All Rights Reserved.
Enable hacking check for Apache 2.0 license Removes H102 (license header not found) check from flake8 ignore list. Adds missing apache license headers. Change-Id: I109f23c6d8b2e3efb1dac7f764bd77e0d9d335f0
2013-12-06 10:47:41 +10:30
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
"""
OpenStack Client interface. Handles the REST calls and responses.
"""
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
import copy
Overhaul bash-completion to support non-UUID based IDs There are a few things currently wrong with bash-completion as it stands now: 1) IDs are currently required to be UUIDs. This is an arbitrary limitation and doesn't make sense for certain kinds of objects, like `Flavors` where a valid ID could be `performance-16gb`. 2) The code is spread out between Oslo's `Resource` and Novaclient's `Manager` class. This makes it difficult to improve the code because it requires changes to two separate projects. We should centralize the code in Novaclient until the API is stable, then import the code into Oslo in its entirety, not partially like it is now. 3) The completion code is handled by the `Manager` of which there is one per Resource-type. In the interest of centralizing this functionality, we should create a `CompletionCache` class and hang it off of `Client` of which there is one-per-session. 4) The completion-code currently runs by default even in headless mode (e.g. novaclient without the shell). It'd be much more efficient to only write to the completion cache if we're accessing the `Client` from the novaclient shell. We can make this an option to support third-party CLI clients that want to use the completion-cache as well. NOTE: * The corresponding Oslo patch is here: https://review.openstack.org/#/c/101376/ * This patch was tested in multithreaded mode to prevent any regression from: https://bugs.launchpad.net/python-novaclient/+bug/1213958. Change-Id: Idada83de103358974b739f81d4f392574f9e1237 Closes-Bug: 1332270
2014-06-19 18:34:17 -05:00
import errno
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
import functools
Overhaul bash-completion to support non-UUID based IDs There are a few things currently wrong with bash-completion as it stands now: 1) IDs are currently required to be UUIDs. This is an arbitrary limitation and doesn't make sense for certain kinds of objects, like `Flavors` where a valid ID could be `performance-16gb`. 2) The code is spread out between Oslo's `Resource` and Novaclient's `Manager` class. This makes it difficult to improve the code because it requires changes to two separate projects. We should centralize the code in Novaclient until the API is stable, then import the code into Oslo in its entirety, not partially like it is now. 3) The completion code is handled by the `Manager` of which there is one per Resource-type. In the interest of centralizing this functionality, we should create a `CompletionCache` class and hang it off of `Client` of which there is one-per-session. 4) The completion-code currently runs by default even in headless mode (e.g. novaclient without the shell). It'd be much more efficient to only write to the completion cache if we're accessing the `Client` from the novaclient shell. We can make this an option to support third-party CLI clients that want to use the completion-cache as well. NOTE: * The corresponding Oslo patch is here: https://review.openstack.org/#/c/101376/ * This patch was tested in multithreaded mode to prevent any regression from: https://bugs.launchpad.net/python-novaclient/+bug/1213958. Change-Id: Idada83de103358974b739f81d4f392574f9e1237 Closes-Bug: 1332270
2014-06-19 18:34:17 -05:00
import glob
mask keystone token in debug output replaying the keystone token in debug output is both completely burdensome to read (given it's unbounded size), but it's also potentially a security issue given that it could be used in replay attacks. Instead, filter the headers to sha1 sensitive things, with X-Auth-Token being the only one listed so far. The sha1 will at least give us the understanding of tokens being the same or different (and an administrator could use that to figure out if they were valid later). This also removes some extra '\n' that were being injected into the debug logs, because they were not helping with readability. Lastly, actually test logging. This introduces the first tests of the logging path using the logging fixture. It's pretty basic, but does verify that requests are logged at debug, that the SHA1 format works, and that headers which are not listed get shown straight through. DocImpact because this changes the curl dumped strings which people may have been using. They can still do that as long as they generate their own keystone token. Change-Id: I1edb94785705c3b6a05f118b77d3aeb07461cd44
2014-06-09 10:20:31 -04:00
import hashlib
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
import logging
Overhaul bash-completion to support non-UUID based IDs There are a few things currently wrong with bash-completion as it stands now: 1) IDs are currently required to be UUIDs. This is an arbitrary limitation and doesn't make sense for certain kinds of objects, like `Flavors` where a valid ID could be `performance-16gb`. 2) The code is spread out between Oslo's `Resource` and Novaclient's `Manager` class. This makes it difficult to improve the code because it requires changes to two separate projects. We should centralize the code in Novaclient until the API is stable, then import the code into Oslo in its entirety, not partially like it is now. 3) The completion code is handled by the `Manager` of which there is one per Resource-type. In the interest of centralizing this functionality, we should create a `CompletionCache` class and hang it off of `Client` of which there is one-per-session. 4) The completion-code currently runs by default even in headless mode (e.g. novaclient without the shell). It'd be much more efficient to only write to the completion cache if we're accessing the `Client` from the novaclient shell. We can make this an option to support third-party CLI clients that want to use the completion-cache as well. NOTE: * The corresponding Oslo patch is here: https://review.openstack.org/#/c/101376/ * This patch was tested in multithreaded mode to prevent any regression from: https://bugs.launchpad.net/python-novaclient/+bug/1213958. Change-Id: Idada83de103358974b739f81d4f392574f9e1237 Closes-Bug: 1332270
2014-06-19 18:34:17 -05:00
import os
Add "version-list" for listing REST API versions Nova provides REST API versions. This patch adds a subcommand "version-list" for outputting the versions. Change-Id: I1b40ad57912aa740c0b1d9221018aba9b13a5436
2014-07-08 10:56:36 +09:00
import re
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
import time
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Use adapter from keystoneclient SessionClient is mostly common code that wasn't yet released in keystoneclient. Now that 0.10 is released we should use the adapter from there as much as possible. Change-Id: Ief6cd7e752fd8c9e9157364f99e270da7faff074
2014-08-07 20:18:58 +10:00
from keystoneclient import adapter
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
import requests
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
from requests import adapters
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
try:
import json
except ImportError:
import simplejson as json
Remove usage of module py3kcompat Module py3kcompat was removed from oslo-incubator. We need remove its usage in client side firstly. This make us move smoothly when sync oslo-incubator code. Change-Id: I8b07c32c9852e747579a23685f3c8a07ac13ec01 Partial-Bug: #1280033
2014-02-14 08:43:12 +08:00
from six.moves.urllib import parse
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
from novaclient import exceptions
Fix i18n messages in novaclient, part I This change make all the text visible by the user i18n. The messages changes are in prints, logs, exceptions, helps, etc Pep8 errors about "Multiple positional placeholders" also fixed Change-Id: I731afea790baddbc34d059b93a35e3d275fc1df8
2013-12-12 23:17:28 -05:00
from novaclient.openstack.common.gettextutils import _
Fix for invalid literal ValueError parsing ipv6 url(s) Switch to using network_utils for splitting the URL. The code in oslo-incubator supports ipv6 urls HEAD of oslo-incubator is bb52a3fc49f033b9f36238231ca56e754a78cf4b Updated openstack-common.conf to pick up the new dependency from oslo-incubator Change-Id: Ifa3dec384e85942a191260d17e8141030d31ff84 Closes-Bug: #1298137
2014-03-27 20:14:48 +00:00
from novaclient.openstack.common import network_utils
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
from novaclient import service_catalog
from novaclient import utils
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
class _ClientConnectionPool(object):
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
def __init__(self):
self._adapters = {}
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
def get(self, url):
"""
Store and reuse HTTP adapters per Service URL.
"""
if url not in self._adapters:
self._adapters[url] = adapters.HTTPAdapter()
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
return self._adapters[url]
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Overhaul bash-completion to support non-UUID based IDs There are a few things currently wrong with bash-completion as it stands now: 1) IDs are currently required to be UUIDs. This is an arbitrary limitation and doesn't make sense for certain kinds of objects, like `Flavors` where a valid ID could be `performance-16gb`. 2) The code is spread out between Oslo's `Resource` and Novaclient's `Manager` class. This makes it difficult to improve the code because it requires changes to two separate projects. We should centralize the code in Novaclient until the API is stable, then import the code into Oslo in its entirety, not partially like it is now. 3) The completion code is handled by the `Manager` of which there is one per Resource-type. In the interest of centralizing this functionality, we should create a `CompletionCache` class and hang it off of `Client` of which there is one-per-session. 4) The completion-code currently runs by default even in headless mode (e.g. novaclient without the shell). It'd be much more efficient to only write to the completion cache if we're accessing the `Client` from the novaclient shell. We can make this an option to support third-party CLI clients that want to use the completion-cache as well. NOTE: * The corresponding Oslo patch is here: https://review.openstack.org/#/c/101376/ * This patch was tested in multithreaded mode to prevent any regression from: https://bugs.launchpad.net/python-novaclient/+bug/1213958. Change-Id: Idada83de103358974b739f81d4f392574f9e1237 Closes-Bug: 1332270
2014-06-19 18:34:17 -05:00
class CompletionCache(object):
"""The completion cache is how we support tab-completion with novaclient.
The `Manager` writes object IDs and Human-IDs to the completion-cache on
object-show, object-list, and object-create calls.
The `nova.bash_completion` script then uses these files to provide the
actual tab-completion.
The cache directory layout is:
~/.novaclient/
<hash-of-endpoint-and-username>/
<resource>-id-cache
<resource>-human-id-cache
"""
def __init__(self, username, auth_url, attributes=('id', 'human_id')):
self.directory = self._make_directory_name(username, auth_url)
self.attributes = attributes
def _make_directory_name(self, username, auth_url):
"""Creates a unique directory name based on the auth_url and username
of the current user.
"""
uniqifier = hashlib.md5(username.encode('utf-8') +
auth_url.encode('utf-8')).hexdigest()
base_dir = utils.env('NOVACLIENT_UUID_CACHE_DIR',
default="~/.novaclient")
return os.path.expanduser(os.path.join(base_dir, uniqifier))
def _prepare_directory(self):
try:
os.makedirs(self.directory, 0o755)
except OSError:
# NOTE(kiall): This is typically either permission denied while
# attempting to create the directory, or the
# directory already exists. Either way, don't
# fail.
pass
def clear_class(self, obj_class):
self._prepare_directory()
resource = obj_class.__name__.lower()
resource_glob = os.path.join(self.directory, "%s-*-cache" % resource)
for filename in glob.iglob(resource_glob):
try:
os.unlink(filename)
except OSError as e:
if e.errno != errno.ENOENT:
raise
def _write_attribute(self, resource, attribute, value):
self._prepare_directory()
filename = "%s-%s-cache" % (resource, attribute.replace('_', '-'))
path = os.path.join(self.directory, filename)
with open(path, 'a') as f:
f.write("%s\n" % value)
def write_object(self, obj):
resource = obj.__class__.__name__.lower()
for attribute in self.attributes:
value = getattr(obj, attribute, None)
if value:
self._write_attribute(resource, attribute, value)
Use adapter from keystoneclient SessionClient is mostly common code that wasn't yet released in keystoneclient. Now that 0.10 is released we should use the adapter from there as much as possible. Change-Id: Ief6cd7e752fd8c9e9157364f99e270da7faff074
2014-08-07 20:18:58 +10:00
class SessionClient(adapter.LegacyJsonAdapter):
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
def request(self, url, method, **kwargs):
Use adapter from keystoneclient SessionClient is mostly common code that wasn't yet released in keystoneclient. Now that 0.10 is released we should use the adapter from there as much as possible. Change-Id: Ief6cd7e752fd8c9e9157364f99e270da7faff074
2014-08-07 20:18:58 +10:00
# NOTE(jamielennox): The standard call raises errors from
# keystoneclient, where we need to raise the novaclient errors.
raise_exc = kwargs.pop('raise_exc', True)
resp, body = super(SessionClient, self).request(url,
method,
raise_exc=False,
**kwargs)
if raise_exc and resp.status_code >= 400:
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
raise exceptions.from_response(resp, body, url, method)
return resp, body
def _original_only(f):
"""Indicates and enforces that this function can only be used if we are
using the original HTTPClient object.
We use this to specify that if you use the newer Session HTTP client then
you are aware that the way you use your client has been updated and certain
functions are no longer allowed to be used.
"""
@functools.wraps(f)
def wrapper(self, *args, **kwargs):
if isinstance(self.client, SessionClient):
msg = ('This call is no longer available. The operation should '
'be performed on the session object instead.')
raise exceptions.InvalidUsage(msg)
return f(self, *args, **kwargs)
return wrapper
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
class HTTPClient(object):
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
USER_AGENT = 'python-novaclient'
Allow tenant ID for authentication Tenant names are not necessarily unique for a User, so the client should also allow authentication by tenant_id If both ID and Name are specificed then use the ID Fixes bug 1195454 Change-Id: Ib62aabc3702db88f02259cd721f9efb31404bcb7
2013-06-27 22:57:10 +01:00
def __init__(self, user, password, projectid=None, auth_url=None,
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
insecure=False, timeout=None, proxy_tenant_id=None,
Fixes lp#948685 proxy_token and proxy_tenant_id behavior * renamed token to proxy_token because of its usage * added a proxy_tenant_id for new keystone tokens/id/?belongsTo Change-Id: Ic7e65612620e5a54f04eddb79bffed7e2df6fba2
2012-03-06 22:40:28 -06:00
proxy_token=None, region_name=None,
Makes novaclient use the volumes endpoint * Depends on https://review.openstack.org/#change,4479 * Adds support to change service type including tests * Adds decorator for methods that need to use another service type * Changes volume and snapshots to use the volume endpoint * These extensions will move into the volume client once it exists * Fixes bug 940017 Change-Id: I683e4ca6c67e278d8aa8a9acec3dc0f1872f43f2
2012-02-24 02:30:48 +00:00
endpoint_type='publicURL', service_type=None,
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
service_name=None, volume_service_name=None,
Adds --os-cache to replace old --no-cache. Deprecates the old --no-cache option in favor of --os-cache. The old CLI args (--no_cache and --no-cache) and ENV option (OS_NO_CACHE) are still supported but no longer show up in help. The new option for --os-cache can also be set via the OS_CACHE ENV variable... which now defaults to False. This should be much more user friendly. Fixes LP Bug #1087776. Change-Id: I3cea089c7e11ce75f22c2d7f3242b02b80441323
2012-12-07 11:47:49 -05:00
timings=False, bypass_url=None,
os_cache=False, no_cache=True,
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
http_log_debug=False, auth_system='keystone',
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
auth_plugin=None, auth_token=None,
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
cacert=None, tenant_id=None, user_id=None,
connection_pool=False):
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
self.user = user
Allow user ID for authentication In Keystone V3 user names are no longer necessarily unique accross domains. A user can still authenticate a user in the non default domain via the V2 API providng they use IDs instead of names. Tenant_ID is already supported, this change adds support for user ID Change-Id: I36ba75f3e67c8cdb959e31923d5e557414ab6f9b
2014-03-06 12:37:12 +00:00
self.user_id = user_id
tests working
2011-11-09 07:10:46 -08:00
self.password = password
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
self.projectid = projectid
Allow tenant ID for authentication Tenant names are not necessarily unique for a User, so the client should also allow authentication by tenant_id If both ID and Name are specificed then use the ID Fixes bug 1195454 Change-Id: Ib62aabc3702db88f02259cd721f9efb31404bcb7
2013-06-27 22:57:10 +01:00
self.tenant_id = tenant_id
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
self._connection_pool = (_ClientConnectionPool()
if connection_pool else None)
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
# This will be called by #_get_password if self.password is None.
# EG if a password can only be obtained by prompting the user, but a
# token is available, you don't want to prompt until the token has
# been proven invalid
self.password_func = None
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
if auth_system and auth_system != 'keystone' and not auth_plugin:
raise exceptions.AuthSystemNotFound(auth_system)
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
if not auth_url and auth_system and auth_system != 'keystone':
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
auth_url = auth_plugin.get_auth_url()
Raises Exception on improper Auth Configuration Addresses bug 1061848. Basically, this bug comes about from not properly setting up the auth_system for novaclient. In this case, an exception of EndPointNotFound is flung. Change-Id: I12533aefd9d0425dd83e2e4c63f4dd5ff6faae71
2012-10-04 16:20:23 -04:00
if not auth_url:
raise exceptions.EndpointNotFound()
Do auth_url.rstrip('/') only if auth_url is set auth_url can be None, for example, when we use bypass_url. Also, add rstrip('/') for bypass_url (and management_url), which is done when management_url is gotten from service catalog. Change-Id: I4f59cc405386a15f8a266d279b27f279eacdb7f1
2014-03-18 00:21:21 +09:00
self.auth_url = auth_url.rstrip('/') if auth_url else auth_url
Removed v1.0 support. Change-Id: I6850075a2ac0e1558aa94539e73f4fb939dfb318
2011-12-15 23:10:59 +00:00
self.version = 'v1.1'
service catalog with multiple endpoints per service
2011-09-07 13:02:50 -07:00
self.region_name = region_name
Handle Ambiguous Endpoints Correctly - Added --service_name argument to allow selecting endpoints by service name - Renamed endpoint_name argument to endpoint_type (this breaks compatibility) - Return AmbiguousEndpoints error if more than one endpoint matches filter - Also addresses bug 924052 Use case: $ nova --projectid xxx --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ image-list Found more than one valid endpoint. Use a more restrictive filter AmbiguousEndpoints: [ {'serviceName': 'New Cloud', 'region': 'Test', 'publicURL': 'https://test.openstackcloud.com/v1.1/tttt', 'tenantId': 'tttt'}, {'serviceName': 'Old Cloud', 'publicURL': 'https://servers.openstackcloud.com/v1.0/tttt', 'tenantId': 'tttt'}] $ nova --projectid tttt --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ --service_name 'New Cloud' image-list +--------------------------------------+-----------------------------+--------+--------+ | ID | Name | Status | Server | +--------------------------------------+-----------------------------+--------+--------+ | 346f4039-a81e-4444-9223-4a3d13592a07 | Debian Squeeze (6.0) | ACTIVE | | | ac8985ea-c09e-4544-82af-eb459a02a6b2 | Fedora 15 | ACTIVE | | | ddddc02e-92fa-4f44-b36f-55b39bf66a67 | CentOS 5.6 | ACTIVE | | +--------------------------------------+-----------------------------+--------+--------+ Change-Id: I9a10b9ad5e5b9cf6e762659013496a93a79774db
2012-01-31 18:08:22 -06:00
self.endpoint_type = endpoint_type
Makes novaclient use the volumes endpoint * Depends on https://review.openstack.org/#change,4479 * Adds support to change service type including tests * Adds decorator for methods that need to use another service type * Changes volume and snapshots to use the volume endpoint * These extensions will move into the volume client once it exists * Fixes bug 940017 Change-Id: I683e4ca6c67e278d8aa8a9acec3dc0f1872f43f2
2012-02-24 02:30:48 +00:00
self.service_type = service_type
Handle Ambiguous Endpoints Correctly - Added --service_name argument to allow selecting endpoints by service name - Renamed endpoint_name argument to endpoint_type (this breaks compatibility) - Return AmbiguousEndpoints error if more than one endpoint matches filter - Also addresses bug 924052 Use case: $ nova --projectid xxx --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ image-list Found more than one valid endpoint. Use a more restrictive filter AmbiguousEndpoints: [ {'serviceName': 'New Cloud', 'region': 'Test', 'publicURL': 'https://test.openstackcloud.com/v1.1/tttt', 'tenantId': 'tttt'}, {'serviceName': 'Old Cloud', 'publicURL': 'https://servers.openstackcloud.com/v1.0/tttt', 'tenantId': 'tttt'}] $ nova --projectid tttt --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ --service_name 'New Cloud' image-list +--------------------------------------+-----------------------------+--------+--------+ | ID | Name | Status | Server | +--------------------------------------+-----------------------------+--------+--------+ | 346f4039-a81e-4444-9223-4a3d13592a07 | Debian Squeeze (6.0) | ACTIVE | | | ac8985ea-c09e-4544-82af-eb459a02a6b2 | Fedora 15 | ACTIVE | | | ddddc02e-92fa-4f44-b36f-55b39bf66a67 | CentOS 5.6 | ACTIVE | | +--------------------------------------+-----------------------------+--------+--------+ Change-Id: I9a10b9ad5e5b9cf6e762659013496a93a79774db
2012-01-31 18:08:22 -06:00
self.service_name = service_name
refactored --service_name to only work with compute calls and added --volume_service_name for volume calls Change-Id: I2b1188fb57f9576daebfaceaddc6eea44a47b4ee
2012-04-12 15:41:35 -05:00
self.volume_service_name = volume_service_name
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
self.timings = timings
Do auth_url.rstrip('/') only if auth_url is set auth_url can be None, for example, when we use bypass_url. Also, add rstrip('/') for bypass_url (and management_url), which is done when management_url is gotten from service catalog. Change-Id: I4f59cc405386a15f8a266d279b27f279eacdb7f1
2014-03-18 00:21:21 +09:00
self.bypass_url = bypass_url.rstrip('/') if bypass_url else bypass_url
Adds --os-cache to replace old --no-cache. Deprecates the old --no-cache option in favor of --os-cache. The old CLI args (--no_cache and --no-cache) and ENV option (OS_NO_CACHE) are still supported but no longer show up in help. The new option for --os-cache can also be set via the OS_CACHE ENV variable... which now defaults to False. This should be much more user friendly. Fixes LP Bug #1087776. Change-Id: I3cea089c7e11ce75f22c2d7f3242b02b80441323
2012-12-07 11:47:49 -05:00
self.os_cache = os_cache or not no_cache
Bring back the output from client.http_log() Change-Id: If7c583751abe9ae60f299515a5f7778db72fa70c
2012-07-02 15:22:59 -05:00
self.http_log_debug = http_log_debug
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I716ac15fe08f42c9464ee43010bc8fd2667bcbde
2013-01-11 21:44:56 -08:00
if timeout is not None:
self.timeout = float(timeout)
else:
self.timeout = None
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
self.times = [] # [("item", starttime, endtime), ...]
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
self.management_url = self.bypass_url or None
self.auth_token = auth_token
Fixes lp#948685 proxy_token and proxy_tenant_id behavior * renamed token to proxy_token because of its usage * added a proxy_tenant_id for new keystone tokens/id/?belongsTo Change-Id: Ic7e65612620e5a54f04eddb79bffed7e2df6fba2
2012-03-06 22:40:28 -06:00
self.proxy_token = proxy_token
self.proxy_tenant_id = proxy_tenant_id
Fix the usage of password, keyrings, and tokens. Fix how you keep on getting prompted for the password all over the place and at the wrong time (the keyring code should be used before a auth request, and not during). Fix this by trying to use the token first (which comes from the keyring module), then falling back to using the password (which will get a token, and then store said token so that it isn't fetched again). Change-Id: I58e69f3b3fbcc7a467797f25695b7ca59178a1d7
2013-01-30 12:53:35 -08:00
self.keyring_saver = None
self.keyring_saved = False
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
if insecure:
self.verify_cert = False
else:
if cacert:
self.verify_cert = cacert
else:
self.verify_cert = True
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
self.auth_system = auth_system
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
self.auth_plugin = auth_plugin
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
self._session = None
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
self._current_url = None
Bring back the output from client.http_log() Change-Id: If7c583751abe9ae60f299515a5f7778db72fa70c
2012-07-02 15:22:59 -05:00
self._logger = logging.getLogger(__name__)
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Only add logging handlers if there currently aren't any This corrects an odd problem where Horizon would stand up multiple client objects, which would cause duplicate/triplicate/dozens of repeated log lines in its log files, due to multiple identical handlers being added to the logging object Fixes Bug 1182678 Change-Id: I1f3bae0a39f28412c99e5d04f4364611f2a5facb
2013-05-21 16:23:50 -07:00
if self.http_log_debug and not self._logger.handlers:
Set up debug level on root logger. If we set up the debug level on the root logger, this can be used by the submodules that might need to print some debug output. Change-Id: I2a00b40d4748cc62e6081df7d6a44622f5ad4467
2013-03-13 16:47:16 +01:00
# Logging level is already set on the root logger
Bring back the output from client.http_log() Change-Id: If7c583751abe9ae60f299515a5f7778db72fa70c
2012-07-02 15:22:59 -05:00
ch = logging.StreamHandler()
self._logger.addHandler(ch)
Set up debug level on root logger. If we set up the debug level on the root logger, this can be used by the submodules that might need to print some debug output. Change-Id: I2a00b40d4748cc62e6081df7d6a44622f5ad4467
2013-03-13 16:47:16 +01:00
self._logger.propagate = False
Corrects 2nd argument type for logging Fixes a regression introduced in commit c73afa9fd1df14bff9186c1e73ac8f3593ef81db. This completely breaks Horizon in last DevStack version. Change-Id: Ib754c6ea325534399a34ff76a290475ac652fea9 Fixes: bug #1122958
2013-02-12 11:46:02 -03:00
if hasattr(requests, 'logging'):
Set up debug level on root logger. If we set up the debug level on the root logger, this can be used by the submodules that might need to print some debug output. Change-Id: I2a00b40d4748cc62e6081df7d6a44622f5ad4467
2013-03-13 16:47:16 +01:00
rql = requests.logging.getLogger(requests.__name__)
rql.addHandler(ch)
# Since we have already setup the root logger on debug, we
# have to set it up here on WARNING (its original level)
Fix typo in novaclient sapshot --> snapshot messanges --> messages Change-Id: I21d9f3bd02c435f92f8ba20e85898d7a11e6a0af
2014-02-25 14:17:35 +08:00
# otherwise we will get all the requests logging messages
Set up debug level on root logger. If we set up the debug level on the root logger, this can be used by the submodules that might need to print some debug output. Change-Id: I2a00b40d4748cc62e6081df7d6a44622f5ad4467
2013-03-13 16:47:16 +01:00
rql.setLevel(logging.WARNING)
Bring back the output from client.http_log() Change-Id: If7c583751abe9ae60f299515a5f7778db72fa70c
2012-07-02 15:22:59 -05:00
'endpoints' and 'credentials' work with token caching. The recently introduced token caching busted these two commands since there was no longer a ServiceCatalog to access. This patch disables token caching for these commands. LP1020669 Change-Id: I198acea44fca99b4c907c11198813412df5559bd
2012-07-05 09:45:46 -03:00
def use_token_cache(self, use_it):
Adds --os-cache to replace old --no-cache. Deprecates the old --no-cache option in favor of --os-cache. The old CLI args (--no_cache and --no-cache) and ENV option (OS_NO_CACHE) are still supported but no longer show up in help. The new option for --os-cache can also be set via the OS_CACHE ENV variable... which now defaults to False. This should be much more user friendly. Fixes LP Bug #1087776. Change-Id: I3cea089c7e11ce75f22c2d7f3242b02b80441323
2012-12-07 11:47:49 -05:00
self.os_cache = use_it
'endpoints' and 'credentials' work with token caching. The recently introduced token caching busted these two commands since there was no longer a ServiceCatalog to access. This patch disables token caching for these commands. LP1020669 Change-Id: I198acea44fca99b4c907c11198813412df5559bd
2012-07-05 09:45:46 -03:00
def unauthenticate(self):
"""Forget all of our authentication information."""
self.management_url = None
self.auth_token = None
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
def set_management_url(self, url):
self.management_url = url
def get_timings(self):
return self.times
More friendly keyring support when token caching is off. The token caching would always try to save the token even if --no_cache was specified. The downside of this is environments where there is no keyring agent it would prompt for a password. Now, if --no_cache is specified it won't try to save the token. Also ability to reset timings (--timings) which is handy for client-driven profiling efforts. Yes, this should be a separate branch, but it's so tiny it's hardly worth the effort. I'd also like to take this time to express my admiration for Brian Waldon. A stalwart young fellow and a fine coder. Change-Id: I97c2c5f6864fe156a3e204927b2831b74fb1c893
2012-06-28 17:00:47 -03:00
def reset_timings(self):
self.times = []
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
def _redact(self, target, path, text=None):
"""Replace the value of a key in `target`.
The key can be at the top level by specifying a list with a single
key as the path. Nested dictionaries are also supported by passing a
list of keys to be navigated to find the one that should be replaced.
In this case the last one is the one that will be replaced.
:param dict target: the dictionary that may have a key to be redacted;
modified in place
:param list path: a list representing the nested structure in `target`
that should be redacted; modified in place
:param string text: optional text to use as a replacement for the
redacted key. if text is not specified, the
default text will be sha1 hash of the value being
redacted
"""
key = path.pop()
# move to the most nested dict
for p in path:
try:
target = target[p]
except KeyError:
return
if key in target:
if text:
target[key] = text
else:
# because in python3 byte string handling is ... ug
value = target[key].encode('utf-8')
sha1sum = hashlib.sha1(value)
target[key] = "{SHA1}%s" % sha1sum.hexdigest()
mask keystone token in debug output replaying the keystone token in debug output is both completely burdensome to read (given it's unbounded size), but it's also potentially a security issue given that it could be used in replay attacks. Instead, filter the headers to sha1 sensitive things, with X-Auth-Token being the only one listed so far. The sha1 will at least give us the understanding of tokens being the same or different (and an administrator could use that to figure out if they were valid later). This also removes some extra '\n' that were being injected into the debug logs, because they were not helping with readability. Lastly, actually test logging. This introduces the first tests of the logging path using the logging fixture. It's pretty basic, but does verify that requests are logged at debug, that the SHA1 format works, and that headers which are not listed get shown straight through. DocImpact because this changes the curl dumped strings which people may have been using. They can still do that as long as they generate their own keystone token. Change-Id: I1edb94785705c3b6a05f118b77d3aeb07461cd44
2014-06-09 10:20:31 -04:00
Quote URL in curl output to handle query params Copy and pasting the generated curl output into a shell doesn't work when the URL includes an ampersand, as the URL isn't quoted. This simplifies the logic in client.http_log_req to be able to output the URL and method separately and quote the URL. Change-Id: I1e497886ea9334771ab91e657e7c1121d89f7f33
2013-10-24 14:56:20 +11:00
def http_log_req(self, method, url, kwargs):
Bring back the output from client.http_log() Change-Id: If7c583751abe9ae60f299515a5f7778db72fa70c
2012-07-02 15:22:59 -05:00
if not self.http_log_debug:
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
return
string_parts = ['curl -i']
Add --insecure to curl output if required Change-Id: I5762f6659a6687b86c94a6e371ccc7509d1e26f9
2013-10-24 14:52:34 +11:00
if not kwargs.get('verify', True):
string_parts.append(' --insecure')
Quote URL in curl output to handle query params Copy and pasting the generated curl output into a shell doesn't work when the URL includes an ampersand, as the URL isn't quoted. This simplifies the logic in client.http_log_req to be able to output the URL and method separately and quote the URL. Change-Id: I1e497886ea9334771ab91e657e7c1121d89f7f33
2013-10-24 14:56:20 +11:00
string_parts.append(" '%s'" % url)
string_parts.append(' -X %s' % method)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
headers = copy.deepcopy(kwargs['headers'])
self._redact(headers, ['X-Auth-Token'])
mask keystone token in debug output replaying the keystone token in debug output is both completely burdensome to read (given it's unbounded size), but it's also potentially a security issue given that it could be used in replay attacks. Instead, filter the headers to sha1 sensitive things, with X-Auth-Token being the only one listed so far. The sha1 will at least give us the understanding of tokens being the same or different (and an administrator could use that to figure out if they were valid later). This also removes some extra '\n' that were being injected into the debug logs, because they were not helping with readability. Lastly, actually test logging. This introduces the first tests of the logging path using the logging fixture. It's pretty basic, but does verify that requests are logged at debug, that the SHA1 format works, and that headers which are not listed get shown straight through. DocImpact because this changes the curl dumped strings which people may have been using. They can still do that as long as they generate their own keystone token. Change-Id: I1edb94785705c3b6a05f118b77d3aeb07461cd44
2014-06-09 10:20:31 -04:00
# because dict ordering changes from 2 to 3
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
keys = sorted(headers.keys())
mask keystone token in debug output replaying the keystone token in debug output is both completely burdensome to read (given it's unbounded size), but it's also potentially a security issue given that it could be used in replay attacks. Instead, filter the headers to sha1 sensitive things, with X-Auth-Token being the only one listed so far. The sha1 will at least give us the understanding of tokens being the same or different (and an administrator could use that to figure out if they were valid later). This also removes some extra '\n' that were being injected into the debug logs, because they were not helping with readability. Lastly, actually test logging. This introduces the first tests of the logging path using the logging fixture. It's pretty basic, but does verify that requests are logged at debug, that the SHA1 format works, and that headers which are not listed get shown straight through. DocImpact because this changes the curl dumped strings which people may have been using. They can still do that as long as they generate their own keystone token. Change-Id: I1edb94785705c3b6a05f118b77d3aeb07461cd44
2014-06-09 10:20:31 -04:00
for name in keys:
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
value = headers[name]
header = ' -H "%s: %s"' % (name, value)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
string_parts.append(header)
When logging request include request data When the --debug flag is used it should print out the body of a POST request. It did that previously but the kwargs dict used for the request stopped using 'body' which is what the logging relied on. This changes it to use 'data' which is a string representation of what was in 'body'. Bug 1098241 Change-Id: I82f36e59b459706d9d5a3a38563a45c80e84c6e2
2013-01-10 11:20:07 -05:00
if 'data' in kwargs:
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
data = json.loads(kwargs['data'])
self._redact(data, ['auth', 'passwordCredentials', 'password'])
string_parts.append(" -d '%s'" % json.dumps(data))
mask keystone token in debug output replaying the keystone token in debug output is both completely burdensome to read (given it's unbounded size), but it's also potentially a security issue given that it could be used in replay attacks. Instead, filter the headers to sha1 sensitive things, with X-Auth-Token being the only one listed so far. The sha1 will at least give us the understanding of tokens being the same or different (and an administrator could use that to figure out if they were valid later). This also removes some extra '\n' that were being injected into the debug logs, because they were not helping with readability. Lastly, actually test logging. This introduces the first tests of the logging path using the logging fixture. It's pretty basic, but does verify that requests are logged at debug, that the SHA1 format works, and that headers which are not listed get shown straight through. DocImpact because this changes the curl dumped strings which people may have been using. They can still do that as long as they generate their own keystone token. Change-Id: I1edb94785705c3b6a05f118b77d3aeb07461cd44
2014-06-09 10:20:31 -04:00
self._logger.debug("REQ: %s" % "".join(string_parts))
split req and response logging this allows capture of timestamps prior to and after request for timing also did some pep8 1.3 cleanup while I was in there Change-Id: I7fdc3f812d22c9e903279541219c53b35f510706
2012-08-16 17:57:09 -07:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
def http_log_resp(self, resp):
split req and response logging this allows capture of timestamps prior to and after request for timing also did some pep8 1.3 cleanup while I was in there Change-Id: I7fdc3f812d22c9e903279541219c53b35f510706
2012-08-16 17:57:09 -07:00
if not self.http_log_debug:
return
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
if resp.text and resp.status_code != 400:
try:
body = json.loads(resp.text)
self._redact(body, ['access', 'token', 'id'])
except ValueError:
body = None
else:
body = None
debug level logs should not be translated According to the OpenStack translation policy available at https://wiki.openstack.org/wiki/LoggingStandards debug messages should not be translated. Like mentioned in several changes in Nova by garyk this is to help prioritize log translation. Change-Id: I43c5d4ecd2286f1a622b6822603ba62881a317a2
2014-05-12 19:09:50 +02:00
self._logger.debug("RESP: [%(status)s] %(headers)s\nRESP BODY: "
"%(text)s\n", {'status': resp.status_code,
'headers': resp.headers,
Don't log sensitive auth data This code change redacts the password in keystone request, and also redact the token text in keystone response. The code still makes REST call by itelf, instead of calling keystone client. Closes-Bug: 1327019 Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125
2014-07-15 18:25:57 +08:00
'text': json.dumps(body)})
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
def open_session(self):
if not self._connection_pool:
self._session = requests.Session()
def close_session(self):
if self._session and not self._connection_pool:
self._session.close()
self._session = None
def _get_session(self, url):
if self._connection_pool:
magic_tuple = parse.urlsplit(url)
scheme, netloc, path, query, frag = magic_tuple
service_url = '%s://%s' % (scheme, netloc)
if self._current_url != service_url:
# Invalidate Session object in case the url is somehow changed
if self._session:
self._session.close()
self._current_url = service_url
self._logger.debug(
"New session created for: (%s)" % service_url)
self._session = requests.Session()
self._session.mount(service_url,
self._connection_pool.get(service_url))
return self._session
elif self._session:
return self._session
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
def request(self, url, method, **kwargs):
proxy token support - no tests
2011-09-09 06:33:38 -07:00
kwargs.setdefault('headers', kwargs.get('headers', {}))
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
kwargs['headers']['User-Agent'] = self.USER_AGENT
Add Accept: applicaton/json header to all service requests. Fixes bug 904436 Change-Id: I5f7c78f0ea516a7a96c32b1f745686e130c2b9af
2012-02-02 16:37:55 -08:00
kwargs['headers']['Accept'] = 'application/json'
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
if 'body' in kwargs:
kwargs['headers']['Content-Type'] = 'application/json'
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
kwargs['data'] = json.dumps(kwargs['body'])
del kwargs['body']
Allow request timeout to be specified. Add a new cli argument (--timeout) which is by default 600 seconds which will be set in the requests library so that timeouts can occur correctly. Change-Id: I716ac15fe08f42c9464ee43010bc8fd2667bcbde
2013-01-11 21:44:56 -08:00
if self.timeout is not None:
kwargs.setdefault('timeout', self.timeout)
Add --insecure to curl output if required Change-Id: I5762f6659a6687b86c94a6e371ccc7509d1e26f9
2013-10-24 14:52:34 +11:00
kwargs['verify'] = self.verify_cert
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
Quote URL in curl output to handle query params Copy and pasting the generated curl output into a shell doesn't work when the URL includes an ampersand, as the URL isn't quoted. This simplifies the logic in client.http_log_req to be able to output the URL and method separately and quote the URL. Change-Id: I1e497886ea9334771ab91e657e7c1121d89f7f33
2013-10-24 14:56:20 +11:00
self.http_log_req(method, url, kwargs)
Fix session handling in novaclient Prior to this patch, novaclient was handling sessions in an inconsistent manner. Every time we created a client instance, it would use a global connection pool, which made it difficult to use in a process that is meant to be forked. Obviously sessions like the ones provided by the requests library that will automatically cause connections to be kept alive should not be implicit. This patch moves the novaclient back to the age of a single session-less request call by default, but also adds two more resource-reuse friendly options that a user needs to be explicit about. The first one is that both v1_1 and v3 clients can now be used as context managers,. where the session will be kept open (and thus the connection kept-alive) for the duration of the with block. This is far more ideal for a web worker use-case as the session can be made request-long. The second one is the per-instance session. This is very similar to what we had up until now, except it is not a global object so forking is possible as long as each child instantiates it's own client. The session once created will be kept open for the duration of the client object lifetime. Please note: client instances are not thread safe. As can be seen from above forking example - if you wish to use threading/multiprocessing, you *must not* share client instances. DocImpact Related-bug: #1247056 Closes-Bug: #1297796 Co-authored-by: Nikola Dipanov <ndipanov@redhat.com> Change-Id: Id59e48f61bb3f3c6223302355c849e1e99673410
2014-03-26 15:22:03 +04:00
request_func = requests.request
session = self._get_session(url)
if session:
request_func = session.request
resp = request_func(
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
method,
url,
**kwargs)
Fix in in novaclient, to avoid excessive conns The current client creates new .Session() on each request, but since Horizon is a stateless app, each Session creates new HttpAdapter, which itself has its own connection pool, and each connection there is used (almost) once and then is being kept in the pool(with Keep-Alive) for a certain amount of time(waiting for inactivity timeout). The problem is that the connection cannot be used anymore from next Django calls - they create new connection pool with new connections, etc. This keeps lots of open connections on the server. Now the client will store an HTTPAdapter for each URL into a singleton object, and will reuse its connections between Django calls, but still taking advantage of Sessions during a single page load(although we do not fully use this). Note: the default pool behavior is non-blocking, which means that if the max_pool_size is reached, a new connection will still be opened, and when released - will be discarded. It could be useful to add max_pool_size param into settings, for performance fine-tuning. The default max_pool_size is 10. Since python-novaclient is also used from non-Django projects, I'd expect feedback from more people on the impact this change could have over other projects. Patch Set 3: Removed explicit connection closing, leaving connections open in the pool. Change-Id: Icc9dc2fa2863d0e0e26a86c8180f2e0fbcd1fcff Closes-Bug: #1247056
2014-02-20 23:11:34 +02:00
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
self.http_log_resp(resp)
if resp.text:
# TODO(dtroyer): verify the note below in a requests context
Add ConnectionRefused exception. When novaclient gets a Connection Refused it now presents that as a ConnectionRefused exception with appropriate information rather than as an HTTP exception. Addresses bug 1047078. vagrant@precise64:/opt/stack/python-novaclient$ nova image-list ERROR: ConnectionRefused: '[Errno 111] Connection refused' Change-Id: Iebf4d78a524004d5e79d2219b35f90fbd38ee690
2012-09-07 15:59:42 -04:00
# NOTE(alaski): Because force_exceptions_to_status_code=True
# httplib2 returns a connection refused event as a 400 response.
# To determine if it is a bad request or refused connection we need
# to check the body. httplib2 tests check for 'Connection refused'
# or 'actively refused' in the body, so that's what we'll do.
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
if resp.status_code == 400:
if ('Connection refused' in resp.text or
'actively refused' in resp.text):
raise exceptions.ConnectionRefused(resp.text)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
try:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
body = json.loads(resp.text)
Miscellaneous code cleanup. Change-Id: I6028247466378327f03b71dc2063dd2777b9382a
2012-04-02 12:27:30 -05:00
except ValueError:
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
body = None
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
else:
body = None
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
if resp.status_code >= 400:
ClientExceptions should include url and method Fixes Bug 1103557. novaclient abstracts out http request from user/client making it unknown to user what root cause behind nova client exceptions being raised. By including url and method in exception handling, this allows user to handle accordingly. Change-Id: I1a509bb932b3fd029bd0870ab699a39e21da19bb
2013-01-23 11:14:41 -06:00
raise exceptions.from_response(resp, body, url, method)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
return resp, body
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
def _time_request(self, url, method, **kwargs):
start_time = time.time()
resp, body = self.request(url, method, **kwargs)
self.times.append(("%s %s" % (method, url),
start_time, time.time()))
return resp, body
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
def _cs_request(self, url, method, **kwargs):
if not self.management_url:
self.authenticate()
Add "version-list" for listing REST API versions Nova provides REST API versions. This patch adds a subcommand "version-list" for outputting the versions. Change-Id: I1b40ad57912aa740c0b1d9221018aba9b13a5436
2014-07-08 10:56:36 +09:00
if url is None:
# To get API version information, it is necessary to GET
# a nova endpoint directly without "v2/<tenant-id>".
magic_tuple = parse.urlsplit(self.management_url)
scheme, netloc, path, query, frag = magic_tuple
path = re.sub(r'v[1-9]/[a-z0-9]+$', '', path)
url = parse.urlunsplit((scheme, netloc, path, None, None))
else:
url = self.management_url + url
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
# Perform the request once. If we get a 401 back then it
# might be because the auth token expired, so try to
# re-authenticate and try again. If it still fails, bail.
try:
kwargs.setdefault('headers', {})['X-Auth-Token'] = self.auth_token
if self.projectid:
kwargs['headers']['X-Auth-Project-Id'] = self.projectid
Add "version-list" for listing REST API versions Nova provides REST API versions. This patch adds a subcommand "version-list" for outputting the versions. Change-Id: I1b40ad57912aa740c0b1d9221018aba9b13a5436
2014-07-08 10:56:36 +09:00
resp, body = self._time_request(url, method, **kwargs)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
return resp, body
A minimum of Python3 fixes so that installation works without errors/warnings. Fixes bug: 1130937 Change-Id: I740652fcd5804fc1c120fc409afdf4693c8e5781
2013-02-20 09:46:57 +01:00
except exceptions.Unauthorized as e:
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
try:
Make os-cache retry on an invalid token client.authenticate doesn't actually do any rest calls if a token is present, it just assumes the token is valid. Instead re-authentication is done if the request raises an Unauthorized exception, at which point we want to unauthenticate (delete the token from in-memory) and overwrite the old token in the keyring. Also if a password is present allways pass it into the client so re-authentication is possible during _cs_request. Change-Id: I86d0356d5685ffa802f1bdc97e33727ff2dd075e
2013-10-10 08:21:48 +00:00
# first discard auth token, to avoid the possibly expired
Discard possibly expired token before re-authenticating Fixes bug 1192656 Previously, the attempt to re-authenticate on possible token expiry actually re-used the expired token, which was clearly bound to fail in the expired case. Now the old authentication state is discarded before attempting re-authentication. Change-Id: I3fd125702061f7ac84eb501d2a488aab5b2385b9
2013-06-19 18:27:24 +00:00
# token being re-used in the re-authentication attempt
self.unauthenticate()
Make os-cache retry on an invalid token client.authenticate doesn't actually do any rest calls if a token is present, it just assumes the token is valid. Instead re-authentication is done if the request raises an Unauthorized exception, at which point we want to unauthenticate (delete the token from in-memory) and overwrite the old token in the keyring. Also if a password is present allways pass it into the client so re-authentication is possible during _cs_request. Change-Id: I86d0356d5685ffa802f1bdc97e33727ff2dd075e
2013-10-10 08:21:48 +00:00
# overwrite bad token
self.keyring_saved = False
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
self.authenticate()
Better handling of stale tokens (no more 401's) There was a problem with stale tokens generating 401's. The headers for the request where not replacing the stale token with the freshly obtained one. This patch remedies that. Change-Id: I8e7c7e01fddeec17ad9ff4254b1223820bb8e2b7
2012-08-01 13:23:07 -05:00
kwargs['headers']['X-Auth-Token'] = self.auth_token
Add "version-list" for listing REST API versions Nova provides REST API versions. This patch adds a subcommand "version-list" for outputting the versions. Change-Id: I1b40ad57912aa740c0b1d9221018aba9b13a5436
2014-07-08 10:56:36 +09:00
resp, body = self._time_request(url, method, **kwargs)
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
return resp, body
except exceptions.Unauthorized:
A minimum of Python3 fixes so that installation works without errors/warnings. Fixes bug: 1130937 Change-Id: I740652fcd5804fc1c120fc409afdf4693c8e5781
2013-02-20 09:46:57 +01:00
raise e
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
def _get_password(self):
if not self.password and self.password_func:
self.password = self.password_func()
return self.password
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
def get(self, url, **kwargs):
return self._cs_request(url, 'GET', **kwargs)
def post(self, url, **kwargs):
return self._cs_request(url, 'POST', **kwargs)
def put(self, url, **kwargs):
return self._cs_request(url, 'PUT', **kwargs)
def delete(self, url, **kwargs):
return self._cs_request(url, 'DELETE', **kwargs)
new service catalog semantics
2011-10-25 06:28:30 -07:00
def _extract_service_catalog(self, url, resp, body, extract_token=True):
proxy token support - no tests
2011-09-09 06:33:38 -07:00
"""See what the auth service told us and process the response.
We may get redirected to another site, fail or actually get
Enables H403 pep8 rules Updates tox.ini to reduce ignored rules. Updates code for H403 violation. Change-Id: Iee7b34a27c62ce8cb0f26166b3c16e3386e2fecd
2013-12-12 03:55:50 +00:00
back a service catalog with a token and our endpoints.
"""
proxy token support - no tests
2011-09-09 06:33:38 -07:00
Accept 201 status code on POST On POST requests, keystone should return '201 Created' according to api docs. Related to but not dependent on: https://bugs.launchpad.net/keystone/+bug/1131119 Change-Id: I04c398ad7946f5ddcfd2059e4f8d97608e5d0ed3
2013-02-22 13:33:40 -05:00
# content must always present
if resp.status_code == 200 or resp.status_code == 201:
proxy token support - no tests
2011-09-09 06:33:38 -07:00
try:
self.auth_url = url
self.service_catalog = \
service_catalog.ServiceCatalog(body)
new service catalog semantics
2011-10-25 06:28:30 -07:00
if extract_token:
self.auth_token = self.service_catalog.get_token()
Store tenant_id from keystone and use for quotas Some calls in nova require a tenant_id when it could be interpreted from the current authentication data, so save the tenant id and use it in the quotas command if tenant_id is not specified. Change-Id: I89647cfe9da73bc474ef80a61a5678db42a5571c
2013-01-31 11:51:29 -08:00
self.tenant_id = self.service_catalog.get_tenant_id()
Fix bug 904364: Consistiently handle trailing '/' on URLs novaclient used to require a trailing '/' on --auth-url and would mysteriously break if it was not present. This is mostly due to urlparse.urljoin()'s behaviour; it was only used here for concatenation so it was eliminated and trailing '/' chars consistiently stripped. All url concatenation now requires the second element to begin with '/'. Change-Id: I99e95ea92682d917348201bc3190a1e77bbcbff0
2012-02-03 14:48:51 -06:00
management_url = self.service_catalog.url_for(
split req and response logging this allows capture of timestamps prior to and after request for timing also did some pep8 1.3 cleanup while I was in there Change-Id: I7fdc3f812d22c9e903279541219c53b35f510706
2012-08-16 17:57:09 -07:00
attr='region',
filter_value=self.region_name,
endpoint_type=self.endpoint_type,
service_type=self.service_type,
service_name=self.service_name,
volume_service_name=self.volume_service_name,)
Fix bug 904364: Consistiently handle trailing '/' on URLs novaclient used to require a trailing '/' on --auth-url and would mysteriously break if it was not present. This is mostly due to urlparse.urljoin()'s behaviour; it was only used here for concatenation so it was eliminated and trailing '/' chars consistiently stripped. All url concatenation now requires the second element to begin with '/'. Change-Id: I99e95ea92682d917348201bc3190a1e77bbcbff0
2012-02-03 14:48:51 -06:00
self.management_url = management_url.rstrip('/')
proxy token support - no tests
2011-09-09 06:33:38 -07:00
return None
Miscellaneous code cleanup. Change-Id: I6028247466378327f03b71dc2063dd2777b9382a
2012-04-02 12:27:30 -05:00
except exceptions.AmbiguousEndpoints:
Fix i18n messages in novaclient, part I This change make all the text visible by the user i18n. The messages changes are in prints, logs, exceptions, helps, etc Pep8 errors about "Multiple positional placeholders" also fixed Change-Id: I731afea790baddbc34d059b93a35e3d275fc1df8
2013-12-12 23:17:28 -05:00
print(_("Found more than one valid endpoint. Use a more "
"restrictive filter"))
Handle Ambiguous Endpoints Correctly - Added --service_name argument to allow selecting endpoints by service name - Renamed endpoint_name argument to endpoint_type (this breaks compatibility) - Return AmbiguousEndpoints error if more than one endpoint matches filter - Also addresses bug 924052 Use case: $ nova --projectid xxx --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ image-list Found more than one valid endpoint. Use a more restrictive filter AmbiguousEndpoints: [ {'serviceName': 'New Cloud', 'region': 'Test', 'publicURL': 'https://test.openstackcloud.com/v1.1/tttt', 'tenantId': 'tttt'}, {'serviceName': 'Old Cloud', 'publicURL': 'https://servers.openstackcloud.com/v1.0/tttt', 'tenantId': 'tttt'}] $ nova --projectid tttt --version 1.1 --password xxx --username xxx --url https://identity.openstackcloud.com/ --service_name 'New Cloud' image-list +--------------------------------------+-----------------------------+--------+--------+ | ID | Name | Status | Server | +--------------------------------------+-----------------------------+--------+--------+ | 346f4039-a81e-4444-9223-4a3d13592a07 | Debian Squeeze (6.0) | ACTIVE | | | ac8985ea-c09e-4544-82af-eb459a02a6b2 | Fedora 15 | ACTIVE | | | ddddc02e-92fa-4f44-b36f-55b39bf66a67 | CentOS 5.6 | ACTIVE | | +--------------------------------------+-----------------------------+--------+--------+ Change-Id: I9a10b9ad5e5b9cf6e762659013496a93a79774db
2012-01-31 18:08:22 -06:00
raise
removed unicode casts
2011-09-26 12:58:03 -07:00
except KeyError:
proxy token support - no tests
2011-09-09 06:33:38 -07:00
raise exceptions.AuthorizationFailure()
cleaned up exception handling
2011-09-26 12:53:29 -07:00
except exceptions.EndpointNotFound:
Fix i18n messages in novaclient, part I This change make all the text visible by the user i18n. The messages changes are in prints, logs, exceptions, helps, etc Pep8 errors about "Multiple positional placeholders" also fixed Change-Id: I731afea790baddbc34d059b93a35e3d275fc1df8
2013-12-12 23:17:28 -05:00
print(_("Could not find any suitable endpoint. Correct "
"region?"))
cleaned up exception handling
2011-09-26 12:53:29 -07:00
raise
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
elif resp.status_code == 305:
return resp.headers['location']
proxy token support - no tests
2011-09-09 06:33:38 -07:00
else:
ClientExceptions should include url and method Fixes Bug 1103557. novaclient abstracts out http request from user/client making it unknown to user what root cause behind nova client exceptions being raised. By including url and method in exception handling, this allows user to handle accordingly. Change-Id: I1a509bb932b3fd029bd0870ab699a39e21da19bb
2013-01-23 11:14:41 -06:00
raise exceptions.from_response(resp, body, url)
proxy token support - no tests
2011-09-09 06:33:38 -07:00
def _fetch_endpoints_from_auth(self, url):
"""We have a token, but don't know the final endpoint for
the region. We have to go back to the auth service and
ask again. This request requires an admin-level token
to work. The proxy token supplied could be from a low-level enduser.
properly uses keystone admin endpoint for token lookup
2011-09-12 06:39:11 -07:00
We can't get this from the keystone service endpoint, we have to use
the admin endpoint.
proxy token support - no tests
2011-09-09 06:33:38 -07:00
This will overwrite our admin token with the user token.
"""
properly uses keystone admin endpoint for token lookup
2011-09-12 06:39:11 -07:00
# GET ...:5001/v2.0/tokens/#####/endpoints
Fixes lp#948685 proxy_token and proxy_tenant_id behavior * renamed token to proxy_token because of its usage * added a proxy_tenant_id for new keystone tokens/id/?belongsTo Change-Id: Ic7e65612620e5a54f04eddb79bffed7e2df6fba2
2012-03-06 22:40:28 -06:00
url = '/'.join([url, 'tokens', '%s?belongsTo=%s'
% (self.proxy_token, self.proxy_tenant_id)])
debug level logs should not be translated According to the OpenStack translation policy available at https://wiki.openstack.org/wiki/LoggingStandards debug messages should not be translated. Like mentioned in several changes in Nova by garyk this is to help prioritize log translation. Change-Id: I43c5d4ecd2286f1a622b6822603ba62881a317a2
2014-05-12 19:09:50 +02:00
self._logger.debug("Using Endpoint URL: %s" % url)
split req and response logging this allows capture of timestamps prior to and after request for timing also did some pep8 1.3 cleanup while I was in there Change-Id: I7fdc3f812d22c9e903279541219c53b35f510706
2012-08-16 17:57:09 -07:00
resp, body = self._time_request(
Fix mispelt x-auth-token header Fixes bug 1163546 Change-Id: I4b40ee2be950ee2cd13217f954d72fe1e42a1d6c
2013-04-02 15:43:47 -04:00
url, "GET", headers={'X-Auth-Token': self.auth_token})
minor tweaks and long overdue pep8
2011-10-25 09:34:23 -07:00
return self._extract_service_catalog(url, resp, body,
extract_token=False)
proxy token support - no tests
2011-09-09 06:33:38 -07:00
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
def authenticate(self):
Fix for invalid literal ValueError parsing ipv6 url(s) Switch to using network_utils for splitting the URL. The code in oslo-incubator supports ipv6 urls HEAD of oslo-incubator is bb52a3fc49f033b9f36238231ca56e754a78cf4b Updated openstack-common.conf to pick up the new dependency from oslo-incubator Change-Id: Ifa3dec384e85942a191260d17e8141030d31ff84 Closes-Bug: #1298137
2014-03-27 20:14:48 +00:00
magic_tuple = network_utils.urlsplit(self.auth_url)
properly uses keystone admin endpoint for token lookup
2011-09-12 06:39:11 -07:00
scheme, netloc, path, query, frag = magic_tuple
port = magic_tuple.port
PEP8 python-novaclient cleanup Fixes bug #911552 The None, True, and False values are singletons. All variable *comparisons* to singletons should use 'is' or 'is not'. All variable *evaluations* to boolean should use 'if' or 'if not'. All Object type comparisons should use isinstance() instead of comparing types directly Change-Id: Ia5571e58e2662c652f0e996d8c1a1acb4531623d
2012-01-04 09:54:39 +08:00
if port is None:
properly uses keystone admin endpoint for token lookup
2011-09-12 06:39:11 -07:00
port = 80
Tests working again...merged in some work we did earlier.
2011-08-03 17:41:33 -04:00
path_parts = path.split('/')
for part in path_parts:
if len(part) > 0 and part[0] == 'v':
self.version = part
break
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
if self.auth_token and self.management_url:
self._save_keys()
return
new service catalog semantics
2011-10-25 06:28:30 -07:00
# TODO(sandy): Assume admin endpoint is 35357 for now.
# Ideally this is going to have to be provided by the service catalog.
minor tweaks and long overdue pep8
2011-10-25 09:34:23 -07:00
new_netloc = netloc.replace(':%d' % port, ':%d' % (35357,))
Remove usage of module py3kcompat Module py3kcompat was removed from oslo-incubator. We need remove its usage in client side firstly. This make us move smoothly when sync oslo-incubator code. Change-Id: I8b07c32c9852e747579a23685f3c8a07ac13ec01 Partial-Bug: #1280033
2014-02-14 08:43:12 +08:00
admin_url = parse.urlunsplit(
split req and response logging this allows capture of timestamps prior to and after request for timing also did some pep8 1.3 cleanup while I was in there Change-Id: I7fdc3f812d22c9e903279541219c53b35f510706
2012-08-16 17:57:09 -07:00
(scheme, new_netloc, path, query, frag))
properly uses keystone admin endpoint for token lookup
2011-09-12 06:39:11 -07:00
more cleanup
2011-08-24 05:32:40 -07:00
auth_url = self.auth_url
pep8, again
2011-08-09 01:44:01 +04:00
if self.version == "v2.0": # FIXME(chris): This should be better.
Recursion handling.
2011-08-09 01:41:51 +04:00
while auth_url:
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
if not self.auth_system or self.auth_system == 'keystone':
Add support for RAX authentication. Change-Id: Ia9180a3919373d3ec2e794d4dffe21838b23fc95
2011-12-13 15:54:09 -06:00
auth_url = self._v2_auth(auth_url)
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
else:
auth_url = self._plugin_auth(auth_url)
proxy token support - no tests
2011-09-09 06:33:38 -07:00
# Are we acting on behalf of another user via an
# existing token? If so, our actual endpoints may
# be different than that of the admin token.
if self.proxy_token:
Allow for bypass_url when using proxy_token Change-Id: I1cb76f79fbf2fe02ce012aaa278f50987c073831
2013-04-02 15:48:44 -04:00
if self.bypass_url:
self.set_management_url(self.bypass_url)
else:
self._fetch_endpoints_from_auth(admin_url)
minor fixes
2011-10-25 16:49:22 -07:00
# Since keystone no longer returns the user token
# with the endpoints any more, we need to replace
# our service account token with the user token.
self.auth_token = self.proxy_token
Redirection handling.
2011-08-09 00:06:55 +04:00
else:
Recursion handling.
2011-08-09 01:41:51 +04:00
try:
while auth_url:
auth_url = self._v1_auth(auth_url)
# In some configurations nova makes redirection to
# v2.0 keystone endpoint. Also, new location does not contain
# real endpoint, only hostname and port.
Merge with trunk
2011-08-15 10:36:55 +04:00
except exceptions.AuthorizationFailure:
Recursion handling.
2011-08-09 01:41:51 +04:00
if auth_url.find('v2.0') < 0:
Fix bug 904364: Consistiently handle trailing '/' on URLs novaclient used to require a trailing '/' on --auth-url and would mysteriously break if it was not present. This is mostly due to urlparse.urljoin()'s behaviour; it was only used here for concatenation so it was eliminated and trailing '/' chars consistiently stripped. All url concatenation now requires the second element to begin with '/'. Change-Id: I99e95ea92682d917348201bc3190a1e77bbcbff0
2012-02-03 14:48:51 -06:00
auth_url = auth_url + '/v2.0'
Recursion handling.
2011-08-09 01:41:51 +04:00
self._v2_auth(auth_url)
Auth token caching on by default. --no_cache to disable. Better bypass support too. Will use and/or store your Openstack Auth token in the operating system's keyring if available. Cuts about a 1/2 second off operations. Change-Id: Ibe2dc0c49baefd23afe3844a78c1df884a4fb7c7
2012-06-18 17:37:45 -03:00
if self.bypass_url:
self.set_management_url(self.bypass_url)
management_url not set by authenticate method Fixes Bug 1109243. If management_url not set, raise UnAuthorized exception, otherwise url chaining methods fail and cause NoneType exceptions. Change-Id: I19e87a5dcfcf93b4fa1d423bd99de352679fa16d
2013-02-08 14:54:36 -06:00
elif not self.management_url:
raise exceptions.Unauthorized('Nova Client')
Auth token caching on by default. --no_cache to disable. Better bypass support too. Will use and/or store your Openstack Auth token in the operating system's keyring if available. Cuts about a 1/2 second off operations. Change-Id: Ibe2dc0c49baefd23afe3844a78c1df884a4fb7c7
2012-06-18 17:37:45 -03:00
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
self._save_keys()
def _save_keys(self):
Auth token caching on by default. --no_cache to disable. Better bypass support too. Will use and/or store your Openstack Auth token in the operating system's keyring if available. Cuts about a 1/2 second off operations. Change-Id: Ibe2dc0c49baefd23afe3844a78c1df884a4fb7c7
2012-06-18 17:37:45 -03:00
# Store the token/mgmt url in the keyring for later requests.
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
if (self.keyring_saver and self.os_cache and not self.keyring_saved
and self.auth_token and self.management_url
and self.tenant_id):
Store tenant_id from keystone and use for quotas Some calls in nova require a tenant_id when it could be interpreted from the current authentication data, so save the tenant id and use it in the quotas command if tenant_id is not specified. Change-Id: I89647cfe9da73bc474ef80a61a5678db42a5571c
2013-01-31 11:51:29 -08:00
self.keyring_saver.save(self.auth_token,
self.management_url,
self.tenant_id)
Fix the usage of password, keyrings, and tokens. Fix how you keep on getting prompted for the password all over the place and at the wrong time (the keyring code should be used before a auth request, and not during). Fix this by trying to use the token first (which comes from the keyring module), then falling back to using the password (which will get a token, and then store said token so that it isn't fetched again). Change-Id: I58e69f3b3fbcc7a467797f25695b7ca59178a1d7
2013-01-30 12:53:35 -08:00
# Don't save it again
self.keyring_saved = True
Auth token caching on by default. --no_cache to disable. Better bypass support too. Will use and/or store your Openstack Auth token in the operating system's keyring if available. Cuts about a 1/2 second off operations. Change-Id: Ibe2dc0c49baefd23afe3844a78c1df884a4fb7c7
2012-06-18 17:37:45 -03:00
Recursion handling.
2011-08-09 01:41:51 +04:00
def _v1_auth(self, url):
proxy token support - no tests
2011-09-09 06:33:38 -07:00
if self.proxy_token:
Remove unused imports and fix NameError on exc Change-Id: Ie35ccd7abaada74acb298ace97ae88eb0e0cce1e
2011-12-29 11:10:04 -05:00
raise exceptions.NoTokenLookupException()
proxy token support - no tests
2011-09-09 06:33:38 -07:00
Redirection handling.
2011-08-09 00:06:55 +04:00
headers = {'X-Auth-User': self.user,
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
'X-Auth-Key': self._get_password()}
Redirection handling.
2011-08-09 00:06:55 +04:00
if self.projectid:
headers['X-Auth-Project-Id'] = self.projectid
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
option to bypass managment endpoint and timings support --timings = show timings for each call made to nova (including auth) --bypass_url = api node endpoint to use instead of one from service catalog For example: nova --timings --bypass_url=http://10.24.31.37:8774/v1.1/nova-staging boot --image f304d266-0a49-4877-b34c-63aea8360297 --flavor 3 delete_me_2 Change-Id: Ib2a258b7e969ad56ce4ee2bd64c61310278cb856
2012-06-15 15:12:23 -03:00
resp, body = self._time_request(url, 'GET', headers=headers)
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
if resp.status_code in (200, 204): # in some cases we get No Content
Added self.auth_url updating, WrongResponse exception.
2011-08-11 13:43:51 +04:00
try:
Fix bug 904364: Consistiently handle trailing '/' on URLs novaclient used to require a trailing '/' on --auth-url and would mysteriously break if it was not present. This is mostly due to urlparse.urljoin()'s behaviour; it was only used here for concatenation so it was eliminated and trailing '/' chars consistiently stripped. All url concatenation now requires the second element to begin with '/'. Change-Id: I99e95ea92682d917348201bc3190a1e77bbcbff0
2012-02-03 14:48:51 -06:00
mgmt_header = 'x-server-management-url'
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
self.management_url = resp.headers[mgmt_header].rstrip('/')
self.auth_token = resp.headers['x-auth-token']
Added self.auth_url updating, WrongResponse exception.
2011-08-11 13:43:51 +04:00
self.auth_url = url
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
except (KeyError, TypeError):
catching authorization failure (x-server-management-url KeyError)
2011-08-10 13:25:17 -04:00
raise exceptions.AuthorizationFailure()
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
elif resp.status_code == 305:
return resp.headers['location']
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
else:
ClientExceptions should include url and method Fixes Bug 1103557. novaclient abstracts out http request from user/client making it unknown to user what root cause behind nova client exceptions being raised. By including url and method in exception handling, this allows user to handle accordingly. Change-Id: I1a509bb932b3fd029bd0870ab699a39e21da19bb
2013-01-23 11:14:41 -06:00
raise exceptions.from_response(resp, body, url)
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
def _plugin_auth(self, auth_url):
make v2_auth and plugin_auth explictly return their results In cases where the respective authentication methods return non-NoneTypes, (e.g., HTTP 305 redirects) they would get dropped on the floor previously. This patch set splits the test_auth_redirect unit test into two nearly-identical unit tests to exercise the different code paths. Without the patch, the test_v2_auth_redirect unit test fails with an HTTP 401 error Change-Id: I2018bc5b73ce86d6d5383958375d5dbbde2e763c Fixes: Bug 1197191
2013-07-02 16:49:03 -07:00
return self.auth_plugin.authenticate(self, auth_url)
Allow different auth providers via plugin system. - Remove the NOVA_RAX_AUTH hack and provide (temporary) compatibility with the new system. - Example plugin for RAX and HP provided here : RAX - https://github.com/emonty/rackspace-auth-openstack HP - https://github.com/emonty/hpcloud-auth-openstack - Plugin are allowed to specify their own auth_url directly. - Thanks to mtaylor for helping on this. Change-Id: Ie96835be617c6a20d9c3fc3bd1536083aecfdc0b
2012-08-02 16:41:47 +02:00
Recursion handling.
2011-08-09 01:41:51 +04:00
def _v2_auth(self, url):
proxy token support - no tests
2011-09-09 06:33:38 -07:00
"""Authenticate against a v2.0 auth service."""
Fix the usage of password, keyrings, and tokens. Fix how you keep on getting prompted for the password all over the place and at the wrong time (the keyring code should be used before a auth request, and not during). Fix this by trying to use the token first (which comes from the keyring module), then falling back to using the password (which will get a token, and then store said token so that it isn't fetched again). Change-Id: I58e69f3b3fbcc7a467797f25695b7ca59178a1d7
2013-01-30 12:53:35 -08:00
if self.auth_token:
Revert "Add-in some re-auth logic when using os_cache" This patch didn't do what it was supposed to do, make os_cache work. Instead it just adds complexity, so just remove it. This reverts commit 8eed73ce20ff0808d350fc9af66d6ba55ebda017. Change-Id: I7c118cbf8d8e2218e198d603f1984a9de18266c4
2013-10-10 06:01:26 +00:00
body = {"auth": {
"token": {"id": self.auth_token}}}
Allow user ID for authentication In Keystone V3 user names are no longer necessarily unique accross domains. A user can still authenticate a user in the non default domain via the V2 API providng they use IDs instead of names. Tenant_ID is already supported, this change adds support for user ID Change-Id: I36ba75f3e67c8cdb959e31923d5e557414ab6f9b
2014-03-06 12:37:12 +00:00
elif self.user_id:
body = {"auth": {
"passwordCredentials": {"userId": self.user_id,
"password": self._get_password()}}}
Fix the usage of password, keyrings, and tokens. Fix how you keep on getting prompted for the password all over the place and at the wrong time (the keyring code should be used before a auth request, and not during). Fix this by trying to use the token first (which comes from the keyring module), then falling back to using the password (which will get a token, and then store said token so that it isn't fetched again). Change-Id: I58e69f3b3fbcc7a467797f25695b7ca59178a1d7
2013-01-30 12:53:35 -08:00
else:
Revert "Add-in some re-auth logic when using os_cache" This patch didn't do what it was supposed to do, make os_cache work. Instead it just adds complexity, so just remove it. This reverts commit 8eed73ce20ff0808d350fc9af66d6ba55ebda017. Change-Id: I7c118cbf8d8e2218e198d603f1984a9de18266c4
2013-10-10 06:01:26 +00:00
body = {"auth": {
"passwordCredentials": {"username": self.user,
Don't call CS if a token + URL are provided Adds --os-auth-token (matching Glance client at least) to accept a pre-obtained authentication token. CS will be called iff: One or both of token and URL are not provided; AND the cache is empty/disabled or we don't have a tenant-id. Removed some code altering the auth request to a GET if a token is supplied - did not work for me and I think the path was dead previously. Fixed test to account for this change. Completes blueprint token-endpoint-instantiation Change-Id: I67410b80e506bb80c152223cd113b7139a62a536
2013-12-19 19:26:06 +00:00
"password": self._get_password()}}}
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
Allow tenant ID for authentication Tenant names are not necessarily unique for a User, so the client should also allow authentication by tenant_id If both ID and Name are specificed then use the ID Fixes bug 1195454 Change-Id: Ib62aabc3702db88f02259cd721f9efb31404bcb7
2013-06-27 22:57:10 +01:00
if self.tenant_id:
body['auth']['tenantId'] = self.tenant_id
elif self.projectid:
now uses tenantName vs. tenantId to auth
2011-09-28 11:00:15 -07:00
body['auth']['tenantName'] = self.projectid
Make it possible to authenticate against keystone
2011-08-05 23:17:35 -07:00
Revert "Add-in some re-auth logic when using os_cache" This patch didn't do what it was supposed to do, make os_cache work. Instead it just adds complexity, so just remove it. This reverts commit 8eed73ce20ff0808d350fc9af66d6ba55ebda017. Change-Id: I7c118cbf8d8e2218e198d603f1984a9de18266c4
2013-10-10 06:01:26 +00:00
return self._authenticate(url, body)
Add support for RAX authentication. Change-Id: Ia9180a3919373d3ec2e794d4dffe21838b23fc95
2011-12-13 15:54:09 -06:00
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
def _authenticate(self, url, body, **kwargs):
Add support for RAX authentication. Change-Id: Ia9180a3919373d3ec2e794d4dffe21838b23fc95
2011-12-13 15:54:09 -06:00
"""Authenticate and extract the service catalog."""
if we have a valid auth token, use it instead of generating a new one If authenticating with a valid token (i.e., token auth, not username/password auth), novaclient would instruct keystone to issue a new token with an identical expiry to the one used, and pivot onto it. This makes it appear as though Nova is leaking Keystone tokens. Since there's zero benefit to issuing a new token that is ostensibly identical to the perfectly good token used to authenticate, make novaclient keep using the token it already has after successful validation, and not issue a new one. This patch set adds a new pair of tests to the AuthenticateAgainstKeystoneTests class, which parrot the current authentication pass/fail tests, but exercise the new code paths Also adds a fix by Joe Gordon to make os_cache work correctly. Change-Id: Ic4f0e6d506d8d81f0b1d46138e7e19d3b3392e1d Fixes: Bug 1197201 Related-Bug: 1214658
2013-07-03 11:08:41 -07:00
method = "POST"
Fix bug 904364: Consistiently handle trailing '/' on URLs novaclient used to require a trailing '/' on --auth-url and would mysteriously break if it was not present. This is mostly due to urlparse.urljoin()'s behaviour; it was only used here for concatenation so it was eliminated and trailing '/' chars consistiently stripped. All url concatenation now requires the second element to begin with '/'. Change-Id: I99e95ea92682d917348201bc3190a1e77bbcbff0
2012-02-03 14:48:51 -06:00
token_url = url + "/tokens"
Follow redirects when calling out to Keystone.
2011-11-09 16:54:58 -06:00
# Make sure we follow redirects when trying to reach Keystone
if we have a valid auth token, use it instead of generating a new one If authenticating with a valid token (i.e., token auth, not username/password auth), novaclient would instruct keystone to issue a new token with an identical expiry to the one used, and pivot onto it. This makes it appear as though Nova is leaking Keystone tokens. Since there's zero benefit to issuing a new token that is ostensibly identical to the perfectly good token used to authenticate, make novaclient keep using the token it already has after successful validation, and not issue a new one. This patch set adds a new pair of tests to the AuthenticateAgainstKeystoneTests class, which parrot the current authentication pass/fail tests, but exercise the new code paths Also adds a fix by Joe Gordon to make os_cache work correctly. Change-Id: Ic4f0e6d506d8d81f0b1d46138e7e19d3b3392e1d Fixes: Bug 1197201 Related-Bug: 1214658
2013-07-03 11:08:41 -07:00
resp, respbody = self._time_request(
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
token_url,
if we have a valid auth token, use it instead of generating a new one If authenticating with a valid token (i.e., token auth, not username/password auth), novaclient would instruct keystone to issue a new token with an identical expiry to the one used, and pivot onto it. This makes it appear as though Nova is leaking Keystone tokens. Since there's zero benefit to issuing a new token that is ostensibly identical to the perfectly good token used to authenticate, make novaclient keep using the token it already has after successful validation, and not issue a new one. This patch set adds a new pair of tests to the AuthenticateAgainstKeystoneTests class, which parrot the current authentication pass/fail tests, but exercise the new code paths Also adds a fix by Joe Gordon to make os_cache work correctly. Change-Id: Ic4f0e6d506d8d81f0b1d46138e7e19d3b3392e1d Fixes: Bug 1197201 Related-Bug: 1214658
2013-07-03 11:08:41 -07:00
method,
Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add --os-cacert * Rework tests for requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Blueprint: tls-verify Change-Id: I9a25a94c8dfcaf483c4c8328439809d65cf10b38
2012-12-18 14:05:29 -06:00
body=body,
Improve authentication plugins management. The current auth plugin system lacks some functionality to be used with other methods that might require additional configuration options or that do not require a user to pass some options that are now compulsory (for example, X.509 authentication needs to get a certificate file, and does not need either a username or a password). This commit extends the current system to handle these extra features, while remaining compatible with older plugins. DocImpact: We should documment how to implement additional authentication plugins, such as BasicAuth, X509, etc. Implements: blueprint authentication-plugins Change-Id: I7b0ef4981efba8160dea94bf852dba7e2e4068f5
2013-03-06 16:41:46 +01:00
allow_redirects=True,
**kwargs)
Follow redirects when calling out to Keystone.
2011-11-09 16:54:58 -06:00
if we have a valid auth token, use it instead of generating a new one If authenticating with a valid token (i.e., token auth, not username/password auth), novaclient would instruct keystone to issue a new token with an identical expiry to the one used, and pivot onto it. This makes it appear as though Nova is leaking Keystone tokens. Since there's zero benefit to issuing a new token that is ostensibly identical to the perfectly good token used to authenticate, make novaclient keep using the token it already has after successful validation, and not issue a new one. This patch set adds a new pair of tests to the AuthenticateAgainstKeystoneTests class, which parrot the current authentication pass/fail tests, but exercise the new code paths Also adds a fix by Joe Gordon to make os_cache work correctly. Change-Id: Ic4f0e6d506d8d81f0b1d46138e7e19d3b3392e1d Fixes: Bug 1197201 Related-Bug: 1214658
2013-07-03 11:08:41 -07:00
return self._extract_service_catalog(url, resp, respbody)
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
def _construct_http_client(username=None, password=None, project_id=None,
auth_url=None, insecure=False, timeout=None,
proxy_tenant_id=None, proxy_token=None,
region_name=None, endpoint_type='publicURL',
extensions=None, service_type='compute',
service_name=None, volume_service_name=None,
timings=False, bypass_url=None, os_cache=False,
no_cache=True, http_log_debug=False,
auth_system='keystone', auth_plugin=None,
auth_token=None, cacert=None, tenant_id=None,
user_id=None, connection_pool=False, session=None,
Use adapter from keystoneclient SessionClient is mostly common code that wasn't yet released in keystoneclient. Now that 0.10 is released we should use the adapter from there as much as possible. Change-Id: Ief6cd7e752fd8c9e9157364f99e270da7faff074
2014-08-07 20:18:58 +10:00
auth=None, user_agent='python-novaclient',
**kwargs):
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
if session:
return SessionClient(session=session,
auth=auth,
interface=endpoint_type,
service_type=service_type,
Use adapter from keystoneclient SessionClient is mostly common code that wasn't yet released in keystoneclient. Now that 0.10 is released we should use the adapter from there as much as possible. Change-Id: Ief6cd7e752fd8c9e9157364f99e270da7faff074
2014-08-07 20:18:58 +10:00
region_name=region_name,
service_name=service_name,
user_agent=user_agent,
**kwargs)
Allow us to use keystoneclient's session The session object is a cross-client means of standardizing the transport layer. Novaclient's HTTPClient object has diverged significantly from other clients. It is easier to simply replace it if a session is provided. If a session is provided then users of the library need to be aware that functions such as authenticate() will no longer have any effect/are in error because this is no longer managed by nova. Change-Id: I8f146b878908239d9b6c1c7d6cdc01c7e124f4e5
2014-04-08 11:40:41 +10:00
else:
# FIXME(jamielennox): username and password are now optional. Need
# to test that they were provided in this mode.
return HTTPClient(username,
password,
user_id=user_id,
projectid=project_id,
tenant_id=tenant_id,
auth_url=auth_url,
auth_token=auth_token,
insecure=insecure,
timeout=timeout,
auth_system=auth_system,
auth_plugin=auth_plugin,
proxy_token=proxy_token,
proxy_tenant_id=proxy_tenant_id,
region_name=region_name,
endpoint_type=endpoint_type,
service_type=service_type,
service_name=service_name,
volume_service_name=volume_service_name,
timings=timings,
bypass_url=bypass_url,
os_cache=os_cache,
http_log_debug=http_log_debug,
cacert=cacert,
connection_pool=connection_pool)
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
def get_client_class(version):
do not require NOVA_VERSION in env, default to 1.1 fixes bug 920474. the nova client was not defaulting to version 1.1 unless NOVA_VERSION was set. This makes version 1.1 the default if NOVA_VERSION is not set in the environment. It also makes shell.py usable from a git checkout as in: PYTHONPATH=$PWD python novaclient/shell.py image-list Change-Id: I02b7e060d1c0694639fcb146a7394b92014c140b
2012-01-23 13:10:03 -05:00
version_map = {
'1.1': 'novaclient.v1_1.client.Client',
'2': 'novaclient.v1_1.client.Client',
Enable v3 api code Add mappings to enable v3 code bp v3-api Change-Id: I035e5b9d65c06ce5691573832bb9b6c4c705b121
2013-08-06 12:48:24 -05:00
'3': 'novaclient.v3.client.Client',
do not require NOVA_VERSION in env, default to 1.1 fixes bug 920474. the nova client was not defaulting to version 1.1 unless NOVA_VERSION was set. This makes version 1.1 the default if NOVA_VERSION is not set in the environment. It also makes shell.py usable from a git checkout as in: PYTHONPATH=$PWD python novaclient/shell.py image-list Change-Id: I02b7e060d1c0694639fcb146a7394b92014c140b
2012-01-23 13:10:03 -05:00
}
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
try:
do not require NOVA_VERSION in env, default to 1.1 fixes bug 920474. the nova client was not defaulting to version 1.1 unless NOVA_VERSION was set. This makes version 1.1 the default if NOVA_VERSION is not set in the environment. It also makes shell.py usable from a git checkout as in: PYTHONPATH=$PWD python novaclient/shell.py image-list Change-Id: I02b7e060d1c0694639fcb146a7394b92014c140b
2012-01-23 13:10:03 -05:00
client_path = version_map[str(version)]
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
except (KeyError, ValueError):
Fix i18n messages in novaclient, part I This change make all the text visible by the user i18n. The messages changes are in prints, logs, exceptions, helps, etc Pep8 errors about "Multiple positional placeholders" also fixed Change-Id: I731afea790baddbc34d059b93a35e3d275fc1df8
2013-12-12 23:17:28 -05:00
msg = _("Invalid client version '%(version)s'. must be one of: "
"%(keys)s") % {'version': version,
Invalid client version message unclear The error message when using an invalid os-compute-api-version is created by joining all the available versions without space. This patch will add ', ' between versions. Ex: nova --os-compute-api-version v3 list ERROR: Invalid client version 'v3'. must be one of: 321.1 Now: nova --os-compute-api-version v3 list ERROR: Invalid client version 'v3'. must be one of: 3, 2, 1.1 Change-Id: I825df89d38adc9e4bd3fb900cd0199f159c04a6b
2014-02-19 13:20:36 -03:00
'keys': ', '.join(version_map.keys())}
do not require NOVA_VERSION in env, default to 1.1 fixes bug 920474. the nova client was not defaulting to version 1.1 unless NOVA_VERSION was set. This makes version 1.1 the default if NOVA_VERSION is not set in the environment. It also makes shell.py usable from a git checkout as in: PYTHONPATH=$PWD python novaclient/shell.py image-list Change-Id: I02b7e060d1c0694639fcb146a7394b92014c140b
2012-01-23 13:10:03 -05:00
raise exceptions.UnsupportedVersion(msg)
Abstract Client building into novaclient.client This prevents clients of the pythonic api from having to know the internal module structure. Change-Id: Idd5c522ac3ff6c2d7915f96ed327323ec83d54fc
2011-12-29 15:37:05 -05:00
return utils.import_class(client_path)
def Client(version, *args, **kwargs):
client_class = get_client_class(version)
return client_class(*args, **kwargs)
Copy Permalink