python-openstackclient/openstackclient/identity/client.py

#   Copyright 2012-2013 OpenStack Foundation
#
#   Licensed under the Apache License, Version 2.0 (the "License"); you may
#   not use this file except in compliance with the License. You may obtain
#   a copy of the License at
#
#        http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#   License for the specific language governing permissions and limitations
#   under the License.
#

import logging

from keystoneclient.v2_0 import client as identity_client_v2_0
from openstackclient.common import utils


LOG = logging.getLogger(__name__)

DEFAULT_IDENTITY_API_VERSION = '2.0'
API_VERSION_OPTION = 'os_identity_api_version'
API_NAME = 'identity'
API_VERSIONS = {
    '2.0': 'openstackclient.identity.client.IdentityClientv2_0',
    '3': 'keystoneclient.v3.client.Client',
}

# Translate our API version to auth plugin version prefix
AUTH_VERSIONS = {
    '2.0': 'v2',
    '3': 'v3',
}


def make_client(instance):
    """Returns an identity service client."""
    identity_client = utils.get_client_class(
        API_NAME,
        instance._api_version[API_NAME],
        API_VERSIONS)
    LOG.debug('Instantiating identity client: %s', identity_client)

    # TODO(dtroyer): Something doesn't like the session.auth when using
    #                token auth, chase that down.
    if instance._url:
        LOG.debug('Using token auth')
        client = identity_client(
            endpoint=instance._url,
            token=instance._token,
            cacert=instance._cacert,
            insecure=instance._insecure,
            trust_id=instance._trust_id,
        )
    else:
        LOG.debug('Using password auth')
        client = identity_client(
            session=instance.session,
            cacert=instance._cacert,
        )

    # TODO(dtroyer): the identity v2 role commands use this yet, fix that
    #                so we can remove it
    if not instance._url:
        instance.auth_ref = instance.auth.get_auth_ref(instance.session)

    return client


def build_option_parser(parser):
    """Hook to add global options"""
    parser.add_argument(
        '--os-identity-api-version',
        metavar='<identity-api-version>',
        default=utils.env(
            'OS_IDENTITY_API_VERSION',
            default=DEFAULT_IDENTITY_API_VERSION),
        help='Identity API version, default=' +
             DEFAULT_IDENTITY_API_VERSION +
             ' (Env: OS_IDENTITY_API_VERSION)')
    parser.add_argument(
        '--os-trust-id',
        metavar='<trust-id>',
        default=utils.env('OS_TRUST_ID'),
        help='Trust ID to use when authenticating. '
             'This can only be used with Keystone v3 API '
             '(Env: OS_TRUST_ID)')
    return parser


class IdentityClientv2_0(identity_client_v2_0.Client):
    """Tweak the earlier client class to deal with some changes"""
    def __getattr__(self, name):
        # Map v3 'projects' back to v2 'tenants'
        if name == "projects":
            return self.tenants
        else:
            raise AttributeError(name)
Add Identity v2 role and service tests * Add current auth info (auth_ref) to ClientManager * Fix identity.v2_0.role.ListUserRole to get default user/project from ClientManager.auth_ref * Fix identity.v2_0.role.AddRole call to roles.add_user_role() Change-Id: Ie8bf41c491d97b0292a2b86bdc9b7580989a7f97 2013-08-27 16:57:30 -05:00			`# Copyright 2012-2013 OpenStack Foundation`
Add copyright notices and update dates Change-Id: I54a7d99328143205ab97ea930aeeeb69fe92c76c 2012-05-10 14:58:16 -05:00			`#`
Standardize on a copyright header and ensure all files have them. Change-Id: I64812bca01ca655c9cf9239a0daea84907082a29 2013-01-24 12:00:30 -06:00			`# Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`# not use this file except in compliance with the License. You may obtain`
			`# a copy of the License at`
Add copyright notices and update dates Change-Id: I54a7d99328143205ab97ea930aeeeb69fe92c76c 2012-05-10 14:58:16 -05:00			`#`
Standardize on a copyright header and ensure all files have them. Change-Id: I64812bca01ca655c9cf9239a0daea84907082a29 2013-01-24 12:00:30 -06:00			`# http://www.apache.org/licenses/LICENSE-2.0`
Add copyright notices and update dates Change-Id: I54a7d99328143205ab97ea930aeeeb69fe92c76c 2012-05-10 14:58:16 -05:00			`#`
Standardize on a copyright header and ensure all files have them. Change-Id: I64812bca01ca655c9cf9239a0daea84907082a29 2013-01-24 12:00:30 -06:00			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the`
			`# License for the specific language governing permissions and limitations`
			`# under the License.`
Add copyright notices and update dates Change-Id: I54a7d99328143205ab97ea930aeeeb69fe92c76c 2012-05-10 14:58:16 -05:00			`#`

Add Identity to ClientManager * Make the Identity client in identity.client.make_client() * Auth via ClientManager.identity * Skip extra auth roundtrip in compute client Change-Id: I0190639e38f83997c233195f6cc27ff3afdfba10 2012-05-04 12:28:35 -05:00			`import logging`

Add security group commands * Add security group: create, delete, list, set, show * Add server: add secgroup, remove secgroup * Add security group rule: create, delete, list * Add Oslo's strutils and gettextutils * Adds parseractions.RangeAction() to handle option arguments of either a single number or a range of numbers: '--port 25' or '--port 1024:65535' Blueprint: nova-client Change-Id: Iad2de1b273ba29197709fc4c6a1036b4ae99725f 2013-07-12 15:49:03 -05:00			`from keystoneclient.v2_0 import client as identity_client_v2_0`
Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00			`from openstackclient.common import utils`
Add Identity to ClientManager * Make the Identity client in identity.client.make_client() * Auth via ClientManager.identity * Skip extra auth roundtrip in compute client Change-Id: I0190639e38f83997c233195f6cc27ff3afdfba10 2012-05-04 12:28:35 -05:00
Upgraded to PEP8 1.3.3 to stay aligned with Nova, etc. Made all the necessary changes to pass new PEP8 standards. Also cleaned up docstrings to conform to the HACKING stanards. Change-Id: Ib8df3030da7a7885655689ab5da0717748c9edbe 2013-01-31 13:31:41 -06:00
Add Identity to ClientManager * Make the Identity client in identity.client.make_client() * Auth via ClientManager.identity * Skip extra auth roundtrip in compute client Change-Id: I0190639e38f83997c233195f6cc27ff3afdfba10 2012-05-04 12:28:35 -05:00			`LOG = logging.getLogger(__name__)`

Expand support for command extensions Allows client libraries to have complete access to the rest of the OSC ClientManager. In addition, extension libraries can define global options (for API version options/env vars) and define versioned API entry points similar to the in-repo commands. The changes to ClientManager exposed some issues in the existing object api tests that needed to be cleaned up. Change-Id: Ic9662edf34c5dd130a2f1a69d2454adefc1f8a95 2013-11-20 18:02:09 -06:00			`DEFAULT_IDENTITY_API_VERSION = '2.0'`
			`API_VERSION_OPTION = 'os_identity_api_version'`
Move get_client_class() to common.utils * add constants for API_NAME Change-Id: I8ccf72f032227e0a452d96303181549b1b11a5d1 2012-05-10 16:25:31 -05:00			`API_NAME = 'identity'`
Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00			`API_VERSIONS = {`
Add security group commands * Add security group: create, delete, list, set, show * Add server: add secgroup, remove secgroup * Add security group rule: create, delete, list * Add Oslo's strutils and gettextutils * Adds parseractions.RangeAction() to handle option arguments of either a single number or a range of numbers: '--port 25' or '--port 1024:65535' Blueprint: nova-client Change-Id: Iad2de1b273ba29197709fc4c6a1036b4ae99725f 2013-07-12 15:49:03 -05:00			`'2.0': 'openstackclient.identity.client.IdentityClientv2_0',`
v3 identity - group and project api updated with latest comments modified entry points in setup.py added group.py (v3) added project.py (v3) fixed indentation updated to include new headers Change-Id: Ice68b6c5bacb68d2e95321d903043056a9b8e810 2013-01-17 22:11:05 -05:00			`'3': 'keystoneclient.v3.client.Client',`
Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00			`}`

Use Keystone client session.Session This replaces the restapi requests wrapper with the one from Keystone client so we can take advantage of the auth plugins. As a first step only the v2 and v3 token and password plugins are supported. This maintainis no changes to the command options or environment variables. The next steps will include reworking the other API client interfaces to fully utilize the single auth session. Blueprint: ksc-session-auth Change-Id: I47ec63291e4c3cf36c8061299a4764f60b36ab89 2014-08-22 17:26:07 -05:00			`# Translate our API version to auth plugin version prefix`
			`AUTH_VERSIONS = {`
			`'2.0': 'v2',`
			`'3': 'v3',`
			`}`

Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00
Add Identity to ClientManager * Make the Identity client in identity.client.make_client() * Auth via ClientManager.identity * Skip extra auth roundtrip in compute client Change-Id: I0190639e38f83997c233195f6cc27ff3afdfba10 2012-05-04 12:28:35 -05:00			`def make_client(instance):`
Upgraded to PEP8 1.3.3 to stay aligned with Nova, etc. Made all the necessary changes to pass new PEP8 standards. Also cleaned up docstrings to conform to the HACKING stanards. Change-Id: Ib8df3030da7a7885655689ab5da0717748c9edbe 2013-01-31 13:31:41 -06:00			`"""Returns an identity service client."""`
Move get_client_class() to common.utils * add constants for API_NAME Change-Id: I8ccf72f032227e0a452d96303181549b1b11a5d1 2012-05-10 16:25:31 -05:00			`identity_client = utils.get_client_class(`
			`API_NAME,`
			`instance._api_version[API_NAME],`
Upgraded to PEP8 1.3.3 to stay aligned with Nova, etc. Made all the necessary changes to pass new PEP8 standards. Also cleaned up docstrings to conform to the HACKING stanards. Change-Id: Ib8df3030da7a7885655689ab5da0717748c9edbe 2013-01-31 13:31:41 -06:00			`API_VERSIONS)`
More make_client() logging cleanup Change-Id: I5af4b9c52c69d6e31e6ca5f90d5880c097880a71 2014-07-08 01:44:55 -05:00			`LOG.debug('Instantiating identity client: %s', identity_client)`
Clean up make_client() logging Change-Id: I0b6760a6401b50e3dfb891af75424ae89df42ebc 2014-07-08 01:44:55 -05:00
Use Keystone client session.Session This replaces the restapi requests wrapper with the one from Keystone client so we can take advantage of the auth plugins. As a first step only the v2 and v3 token and password plugins are supported. This maintainis no changes to the command options or environment variables. The next steps will include reworking the other API client interfaces to fully utilize the single auth session. Blueprint: ksc-session-auth Change-Id: I47ec63291e4c3cf36c8061299a4764f60b36ab89 2014-08-22 17:26:07 -05:00			`# TODO(dtroyer): Something doesn't like the session.auth when using`
			`# token auth, chase that down.`
More identity client config * move auth option checking back to OpenStackShell() to keep the shell-level interaction at that level; add checking for token flow options * make identity.client.make_client() configure keystoneclient.v2_0.Client() properly for both password flow and token flow auth * eliminated ClientManager.init_token(), set _service_catalog in __init__() * compute client handles token flow Change-Id: I42481b5424489387798c4ec6d3e2a723ab1e6067 2012-05-09 17:15:43 -05:00			`if instance._url:`
Clean up make_client() logging Change-Id: I0b6760a6401b50e3dfb891af75424ae89df42ebc 2014-07-08 01:44:55 -05:00			`LOG.debug('Using token auth')`
Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00			`client = identity_client(`
More identity client config * move auth option checking back to OpenStackShell() to keep the shell-level interaction at that level; add checking for token flow options * make identity.client.make_client() configure keystoneclient.v2_0.Client() properly for both password flow and token flow auth * eliminated ClientManager.init_token(), set _service_catalog in __init__() * compute client handles token flow Change-Id: I42481b5424489387798c4ec6d3e2a723ab1e6067 2012-05-09 17:15:43 -05:00			`endpoint=instance._url,`
Use cacert values when creating identity client These were ignored when the client was created with a username and password. Change-Id: Id7557a5b07a41c7f79ab1a05ede385da31889940 Closes-Bug: #1284957 2014-02-26 13:26:45 +10:00			`token=instance._token,`
			`cacert=instance._cacert,`
			`insecure=instance._insecure,`
trust authentication This patch enables authenticating by using a trust. The trust ID must be set with the parameter --os-trust-id or the env variable OS_TRUST_ID. Trusts are available for the identity v3 API. Co-Authored-By: Florent Flament <florent.flament@cloudwatt.com> Change-Id: Iacc389b203bbadda53ca31a7f5a9b8b6e1a1f522 2014-06-30 19:12:27 +02:00			`trust_id=instance._trust_id,`
Use cacert values when creating identity client These were ignored when the client was created with a username and password. Change-Id: Id7557a5b07a41c7f79ab1a05ede385da31889940 Closes-Bug: #1284957 2014-02-26 13:26:45 +10:00			`)`
More identity client config * move auth option checking back to OpenStackShell() to keep the shell-level interaction at that level; add checking for token flow options * make identity.client.make_client() configure keystoneclient.v2_0.Client() properly for both password flow and token flow auth * eliminated ClientManager.init_token(), set _service_catalog in __init__() * compute client handles token flow Change-Id: I42481b5424489387798c4ec6d3e2a723ab1e6067 2012-05-09 17:15:43 -05:00			`else:`
Clean up make_client() logging Change-Id: I0b6760a6401b50e3dfb891af75424ae89df42ebc 2014-07-08 01:44:55 -05:00			`LOG.debug('Using password auth')`
Add API versioning support * Specific versions supported are managed in XXXXXX.client.py with a mapping from version to client class. This is based on the scheme that is included in novaclient; none of the other client libs have that capability. Change-Id: I930b197f1189e7f52c3b0096e73e0773cf925542 2012-05-10 15:47:59 -05:00			`client = identity_client(`
Use Keystone client session.Session This replaces the restapi requests wrapper with the one from Keystone client so we can take advantage of the auth plugins. As a first step only the v2 and v3 token and password plugins are supported. This maintainis no changes to the command options or environment variables. The next steps will include reworking the other API client interfaces to fully utilize the single auth session. Blueprint: ksc-session-auth Change-Id: I47ec63291e4c3cf36c8061299a4764f60b36ab89 2014-08-22 17:26:07 -05:00			`session=instance.session,`
Add options to support TLS certificate verification Add --os-cacert and --verify\|--insecure options using the same sematics as the other project CLIs. --verify is included for completeness. Bug: 1236608 Change-Id: I8a116d790db5aa4cb17a2207efedce7cb229eba3 2013-10-07 12:23:00 -05:00			`cacert=instance._cacert,`
			`)`
Change app.restapi to app.client_manager.session This is step 1 toward using Keystone client's session.Session as the primary session/requests interface in OSC. * Move the session create into ClientManager and rename 'restapi' attribute to 'session' * Set up ClientManager and session loggers * Fix container and object command references to restapi/api Change-Id: I013d81520b336c7a6422cd22c05d1d65655e64f8 2014-08-08 17:38:44 -05:00
Use Keystone client session.Session This replaces the restapi requests wrapper with the one from Keystone client so we can take advantage of the auth plugins. As a first step only the v2 and v3 token and password plugins are supported. This maintainis no changes to the command options or environment variables. The next steps will include reworking the other API client interfaces to fully utilize the single auth session. Blueprint: ksc-session-auth Change-Id: I47ec63291e4c3cf36c8061299a4764f60b36ab89 2014-08-22 17:26:07 -05:00			`# TODO(dtroyer): the identity v2 role commands use this yet, fix that`
			`# so we can remove it`
			`if not instance._url:`
			`instance.auth_ref = instance.auth.get_auth_ref(instance.session)`
Change app.restapi to app.client_manager.session This is step 1 toward using Keystone client's session.Session as the primary session/requests interface in OSC. * Move the session create into ClientManager and rename 'restapi' attribute to 'session' * Set up ClientManager and session loggers * Fix container and object command references to restapi/api Change-Id: I013d81520b336c7a6422cd22c05d1d65655e64f8 2014-08-08 17:38:44 -05:00
Add Identity to ClientManager * Make the Identity client in identity.client.make_client() * Auth via ClientManager.identity * Skip extra auth roundtrip in compute client Change-Id: I0190639e38f83997c233195f6cc27ff3afdfba10 2012-05-04 12:28:35 -05:00			`return client`
Add security group commands * Add security group: create, delete, list, set, show * Add server: add secgroup, remove secgroup * Add security group rule: create, delete, list * Add Oslo's strutils and gettextutils * Adds parseractions.RangeAction() to handle option arguments of either a single number or a range of numbers: '--port 25' or '--port 1024:65535' Blueprint: nova-client Change-Id: Iad2de1b273ba29197709fc4c6a1036b4ae99725f 2013-07-12 15:49:03 -05:00

Make Identity client load like the others This does a couple of things: * Loads the Identity client module in the same manner as the other 'base' clients (where 'base' == 'included in the OSC repo') * Changes the entry point group name for the base clients to 'openstack.cli.base'. The extension group name remains the same. * Loads the base modules first followed by the extension modules. This load order ensures that the extension module commands are all loaded _after_ the base commands, allowing extensions to now override the base commands. Change-Id: I4b9ca7f1df6eb8bbe8e3f663f3065c2ed80ce20b 2014-08-27 23:25:44 -05:00			`def build_option_parser(parser):`
			`"""Hook to add global options"""`
			`parser.add_argument(`
			`'--os-identity-api-version',`
			`metavar='<identity-api-version>',`
			`default=utils.env(`
			`'OS_IDENTITY_API_VERSION',`
			`default=DEFAULT_IDENTITY_API_VERSION),`
			`help='Identity API version, default=' +`
			`DEFAULT_IDENTITY_API_VERSION +`
			`' (Env: OS_IDENTITY_API_VERSION)')`
			`parser.add_argument(`
			`'--os-trust-id',`
			`metavar='<trust-id>',`
			`default=utils.env('OS_TRUST_ID'),`
			`help='Trust ID to use when authenticating. '`
			`'This can only be used with Keystone v3 API '`
			`'(Env: OS_TRUST_ID)')`
			`return parser`


Add security group commands * Add security group: create, delete, list, set, show * Add server: add secgroup, remove secgroup * Add security group rule: create, delete, list * Add Oslo's strutils and gettextutils * Adds parseractions.RangeAction() to handle option arguments of either a single number or a range of numbers: '--port 25' or '--port 1024:65535' Blueprint: nova-client Change-Id: Iad2de1b273ba29197709fc4c6a1036b4ae99725f 2013-07-12 15:49:03 -05:00			`class IdentityClientv2_0(identity_client_v2_0.Client):`
			`"""Tweak the earlier client class to deal with some changes"""`
			`def __getattr__(self, name):`
			`# Map v3 'projects' back to v2 'tenants'`
			`if name == "projects":`
			`return self.tenants`
			`else:`
Python 3: fix a syntax error "raise AttributeError, name" is invalid in Python 3. Change-Id: Id61bd3747f49c2bd810cbfeae56506e7ed9d2bd0 2014-02-11 15:44:54 +01:00			`raise AttributeError(name)`