067647b6a4
These were removed prematurely from osc-lib (by me) but the real fix in https://review.openstack.org/329189 is having racy functional test issues that may be related to osc-lib, so let's clear this up while we fix that... Change-Id: I8f67466967751fdf6fd24ae1b16ccee2aec52323
418 lines
16 KiB
Python
418 lines
16 KiB
Python
# Copyright 2012-2013 OpenStack Foundation
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""Manage access to the clients, including authenticating when needed."""
|
|
|
|
import copy
|
|
import logging
|
|
import pkg_resources
|
|
import sys
|
|
|
|
from keystoneauth1.loading import base
|
|
from osc_lib.api import auth
|
|
from osc_lib import exceptions
|
|
from oslo_utils import strutils
|
|
import requests
|
|
import six
|
|
|
|
from openstackclient.common import session as osc_session
|
|
from openstackclient.identity import client as identity_client
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
PLUGIN_MODULES = []
|
|
|
|
USER_AGENT = 'python-openstackclient'
|
|
|
|
|
|
# NOTE(dtroyer): Bringing back select_auth_plugin() and build_auth_params()
|
|
# temporarily because osc-lib 0.3.0 removed it a wee bit early
|
|
def select_auth_plugin(options):
|
|
"""Pick an auth plugin based on --os-auth-type or other options"""
|
|
|
|
auth_plugin_name = None
|
|
|
|
# Do the token/url check first as this must override the default
|
|
# 'password' set by os-client-config
|
|
# Also, url and token are not copied into o-c-c's auth dict (yet?)
|
|
if options.auth.get('url') and options.auth.get('token'):
|
|
# service token authentication
|
|
auth_plugin_name = 'token_endpoint'
|
|
elif options.auth_type in auth.PLUGIN_LIST:
|
|
# A direct plugin name was given, use it
|
|
auth_plugin_name = options.auth_type
|
|
elif options.auth.get('username'):
|
|
if options.identity_api_version == '3':
|
|
auth_plugin_name = 'v3password'
|
|
elif options.identity_api_version.startswith('2'):
|
|
auth_plugin_name = 'v2password'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
auth_plugin_name = 'password'
|
|
elif options.auth.get('token'):
|
|
if options.identity_api_version == '3':
|
|
auth_plugin_name = 'v3token'
|
|
elif options.identity_api_version.startswith('2'):
|
|
auth_plugin_name = 'v2token'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
auth_plugin_name = 'token'
|
|
else:
|
|
# The ultimate default is similar to the original behaviour,
|
|
# but this time with version discovery
|
|
auth_plugin_name = 'password'
|
|
LOG.debug("Auth plugin %s selected", auth_plugin_name)
|
|
return auth_plugin_name
|
|
|
|
|
|
def build_auth_params(auth_plugin_name, cmd_options):
|
|
if auth_plugin_name:
|
|
LOG.debug('auth_type: %s', auth_plugin_name)
|
|
auth_plugin_loader = base.get_plugin_loader(auth_plugin_name)
|
|
auth_params = {
|
|
opt.dest: opt.default
|
|
for opt in base.get_plugin_options(auth_plugin_name)
|
|
}
|
|
auth_params.update(dict(cmd_options.auth))
|
|
# grab tenant from project for v2.0 API compatibility
|
|
if auth_plugin_name.startswith("v2"):
|
|
if 'project_id' in auth_params:
|
|
auth_params['tenant_id'] = auth_params['project_id']
|
|
del auth_params['project_id']
|
|
if 'project_name' in auth_params:
|
|
auth_params['tenant_name'] = auth_params['project_name']
|
|
del auth_params['project_name']
|
|
else:
|
|
LOG.debug('no auth_type')
|
|
# delay the plugin choice, grab every option
|
|
auth_plugin_loader = None
|
|
auth_params = dict(cmd_options.auth)
|
|
plugin_options = set(
|
|
[o.replace('-', '_') for o in auth.get_options_list()]
|
|
)
|
|
for option in plugin_options:
|
|
LOG.debug('fetching option %s', option)
|
|
auth_params[option] = getattr(cmd_options.auth, option, None)
|
|
return (auth_plugin_loader, auth_params)
|
|
|
|
|
|
class ClientCache(object):
|
|
"""Descriptor class for caching created client handles."""
|
|
|
|
def __init__(self, factory):
|
|
self.factory = factory
|
|
self._handle = None
|
|
|
|
def __get__(self, instance, owner):
|
|
# Tell the ClientManager to login to keystone
|
|
if self._handle is None:
|
|
try:
|
|
self._handle = self.factory(instance)
|
|
except AttributeError as err:
|
|
# Make sure the failure propagates. Otherwise, the plugin just
|
|
# quietly isn't there.
|
|
new_err = exceptions.PluginAttributeError(err)
|
|
six.reraise(new_err.__class__, new_err, sys.exc_info()[2])
|
|
return self._handle
|
|
|
|
|
|
class ClientManager(object):
|
|
"""Manages access to API clients, including authentication."""
|
|
|
|
# A simple incrementing version for the plugin to know what is available
|
|
PLUGIN_INTERFACE_VERSION = "2"
|
|
|
|
identity = ClientCache(identity_client.make_client)
|
|
|
|
def __getattr__(self, name):
|
|
# this is for the auth-related parameters.
|
|
if name in ['_' + o.replace('-', '_')
|
|
for o in auth.OPTIONS_LIST]:
|
|
return self._auth_params[name[1:]]
|
|
|
|
raise AttributeError(name)
|
|
|
|
def __init__(
|
|
self,
|
|
cli_options=None,
|
|
api_version=None,
|
|
verify=True,
|
|
pw_func=None,
|
|
):
|
|
"""Set up a ClientManager
|
|
|
|
:param cli_options:
|
|
Options collected from the command-line, environment, or wherever
|
|
:param api_version:
|
|
Dict of API versions: key is API name, value is the version
|
|
:param verify:
|
|
TLS certificate verification; may be a boolean to enable or disable
|
|
server certificate verification, or a filename of a CA certificate
|
|
bundle to be used in verification (implies True)
|
|
:param pw_func:
|
|
Callback function for asking the user for a password. The function
|
|
takes an optional string for the prompt ('Password: ' on None) and
|
|
returns a string containing the password
|
|
"""
|
|
|
|
self._cli_options = cli_options
|
|
self._api_version = api_version
|
|
self._pw_callback = pw_func
|
|
self._url = self._cli_options.auth.get('url')
|
|
self._region_name = self._cli_options.region_name
|
|
self._interface = self._cli_options.interface
|
|
|
|
self.timing = self._cli_options.timing
|
|
|
|
self._auth_ref = None
|
|
self.session = None
|
|
|
|
# verify is the Requests-compatible form
|
|
self._verify = verify
|
|
# also store in the form used by the legacy client libs
|
|
self._cacert = None
|
|
if isinstance(verify, bool):
|
|
self._insecure = not verify
|
|
else:
|
|
self._cacert = verify
|
|
self._insecure = False
|
|
|
|
# Set up client certificate and key
|
|
# NOTE(cbrandily): This converts client certificate/key to requests
|
|
# cert argument: None (no client certificate), a path
|
|
# to client certificate or a tuple with client
|
|
# certificate/key paths.
|
|
self._cert = self._cli_options.cert
|
|
if self._cert and self._cli_options.key:
|
|
self._cert = self._cert, self._cli_options.key
|
|
|
|
# Get logging from root logger
|
|
root_logger = logging.getLogger('')
|
|
LOG.setLevel(root_logger.getEffectiveLevel())
|
|
|
|
# NOTE(gyee): use this flag to indicate whether auth setup has already
|
|
# been completed. If so, do not perform auth setup again. The reason
|
|
# we need this flag is that we want to be able to perform auth setup
|
|
# outside of auth_ref as auth_ref itself is a property. We can not
|
|
# retrofit auth_ref to optionally skip scope check. Some operations
|
|
# do not require a scoped token. In those cases, we call setup_auth
|
|
# prior to dereferrencing auth_ref.
|
|
self._auth_setup_completed = False
|
|
|
|
def _set_default_scope_options(self):
|
|
# TODO(mordred): This is a usability improvement that's broadly useful
|
|
# We should port it back up into os-client-config.
|
|
default_domain = self._cli_options.default_domain
|
|
|
|
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
|
|
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
|
|
# ignore all domain related configs.
|
|
if (self._api_version.get('identity') == '2.0' and
|
|
self.auth_plugin_name.endswith('password')):
|
|
domain_props = ['project_domain_name', 'project_domain_id',
|
|
'user_domain_name', 'user_domain_id']
|
|
for prop in domain_props:
|
|
if self._auth_params.pop(prop, None) is not None:
|
|
LOG.warning("Ignoring domain related configs " +
|
|
prop + " because identity API version is 2.0")
|
|
return
|
|
|
|
# NOTE(aloga): The scope parameters below only apply to v3 and v3
|
|
# related auth plugins, so we stop the parameter checking if v2 is
|
|
# being used.
|
|
if (self._api_version.get('identity') != '3' or
|
|
self.auth_plugin_name.startswith('v2')):
|
|
return
|
|
|
|
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
|
|
# present, then do not change the behaviour. Otherwise, set the
|
|
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
if ('project_domain_id' in self._auth_params and
|
|
not self._auth_params.get('project_domain_id') and
|
|
not self._auth_params.get('project_domain_name')):
|
|
self._auth_params['project_domain_id'] = default_domain
|
|
|
|
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
|
|
# then do not change the behaviour. Otherwise, set the
|
|
# USER_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
if ('user_domain_id' in self._auth_params and
|
|
not self._auth_params.get('user_domain_id') and
|
|
not self._auth_params.get('user_domain_name')):
|
|
self._auth_params['user_domain_id'] = default_domain
|
|
|
|
def setup_auth(self):
|
|
"""Set up authentication
|
|
|
|
This is deferred until authentication is actually attempted because
|
|
it gets in the way of things that do not require auth.
|
|
"""
|
|
|
|
if self._auth_setup_completed:
|
|
return
|
|
|
|
# If no auth type is named by the user, select one based on
|
|
# the supplied options
|
|
self.auth_plugin_name = select_auth_plugin(self._cli_options)
|
|
|
|
# Basic option checking to avoid unhelpful error messages
|
|
auth.check_valid_authentication_options(self._cli_options,
|
|
self.auth_plugin_name)
|
|
|
|
# Horrible hack alert...must handle prompt for null password if
|
|
# password auth is requested.
|
|
if (self.auth_plugin_name.endswith('password') and
|
|
not self._cli_options.auth.get('password')):
|
|
self._cli_options.auth['password'] = self._pw_callback()
|
|
|
|
(auth_plugin, self._auth_params) = build_auth_params(
|
|
self.auth_plugin_name,
|
|
self._cli_options,
|
|
)
|
|
|
|
self._set_default_scope_options()
|
|
|
|
# For compatibility until all clients can be updated
|
|
if 'project_name' in self._auth_params:
|
|
self._project_name = self._auth_params['project_name']
|
|
elif 'tenant_name' in self._auth_params:
|
|
self._project_name = self._auth_params['tenant_name']
|
|
|
|
LOG.info('Using auth plugin: %s', self.auth_plugin_name)
|
|
LOG.debug('Using parameters %s',
|
|
strutils.mask_password(self._auth_params))
|
|
self.auth = auth_plugin.load_from_options(**self._auth_params)
|
|
# needed by SAML authentication
|
|
request_session = requests.session()
|
|
self.session = osc_session.TimingSession(
|
|
auth=self.auth,
|
|
session=request_session,
|
|
verify=self._verify,
|
|
cert=self._cert,
|
|
user_agent=USER_AGENT,
|
|
)
|
|
|
|
self._auth_setup_completed = True
|
|
|
|
def validate_scope(self):
|
|
if self._auth_ref.project_id is not None:
|
|
# We already have a project scope.
|
|
return
|
|
if self._auth_ref.domain_id is not None:
|
|
# We already have a domain scope.
|
|
return
|
|
|
|
# We do not have a scoped token (and the user's default project scope
|
|
# was not implied), so the client needs to be explicitly configured
|
|
# with a scope.
|
|
auth.check_valid_authorization_options(self._cli_options,
|
|
self.auth_plugin_name)
|
|
|
|
@property
|
|
def auth_ref(self):
|
|
"""Dereference will trigger an auth if it hasn't already"""
|
|
if not self._auth_ref:
|
|
self.setup_auth()
|
|
LOG.debug("Get auth_ref")
|
|
self._auth_ref = self.auth.get_auth_ref(self.session)
|
|
return self._auth_ref
|
|
|
|
def is_network_endpoint_enabled(self):
|
|
"""Check if the network endpoint is enabled"""
|
|
# Trigger authentication necessary to determine if the network
|
|
# endpoint is enabled.
|
|
if self.auth_ref:
|
|
service_catalog = self.auth_ref.service_catalog
|
|
else:
|
|
service_catalog = None
|
|
# Assume that the network endpoint is enabled.
|
|
network_endpoint_enabled = True
|
|
if service_catalog:
|
|
if 'network' in service_catalog.get_endpoints():
|
|
LOG.debug("Network endpoint in service catalog")
|
|
else:
|
|
LOG.debug("No network endpoint in service catalog")
|
|
network_endpoint_enabled = False
|
|
else:
|
|
LOG.debug("No service catalog, assuming network endpoint enabled")
|
|
return network_endpoint_enabled
|
|
|
|
def get_endpoint_for_service_type(self, service_type, region_name=None,
|
|
interface='public'):
|
|
"""Return the endpoint URL for the service type."""
|
|
if not interface:
|
|
interface = 'public'
|
|
# See if we are using password flow auth, i.e. we have a
|
|
# service catalog to select endpoints from
|
|
if self.auth_ref:
|
|
endpoint = self.auth_ref.service_catalog.url_for(
|
|
service_type=service_type,
|
|
region_name=region_name,
|
|
interface=interface,
|
|
)
|
|
else:
|
|
# Get the passed endpoint directly from the auth plugin
|
|
endpoint = self.auth.get_endpoint(self.session,
|
|
interface=interface)
|
|
return endpoint
|
|
|
|
def get_configuration(self):
|
|
return copy.deepcopy(self._cli_options.config)
|
|
|
|
|
|
# Plugin Support
|
|
|
|
def get_plugin_modules(group):
|
|
"""Find plugin entry points"""
|
|
mod_list = []
|
|
for ep in pkg_resources.iter_entry_points(group):
|
|
LOG.debug('Found plugin %r', ep.name)
|
|
|
|
__import__(ep.module_name)
|
|
module = sys.modules[ep.module_name]
|
|
mod_list.append(module)
|
|
init_func = getattr(module, 'Initialize', None)
|
|
if init_func:
|
|
init_func('x')
|
|
|
|
# Add the plugin to the ClientManager
|
|
setattr(
|
|
ClientManager,
|
|
module.API_NAME,
|
|
ClientCache(
|
|
getattr(sys.modules[ep.module_name], 'make_client', None)
|
|
),
|
|
)
|
|
return mod_list
|
|
|
|
|
|
def build_plugin_option_parser(parser):
|
|
"""Add plugin options to the parser"""
|
|
|
|
# Loop through extensions to get parser additions
|
|
for mod in PLUGIN_MODULES:
|
|
parser = mod.build_option_parser(parser)
|
|
return parser
|
|
|
|
|
|
# Get list of base plugin modules
|
|
PLUGIN_MODULES = get_plugin_modules(
|
|
'openstack.cli.base',
|
|
)
|
|
# Append list of external plugin modules
|
|
PLUGIN_MODULES.extend(get_plugin_modules(
|
|
'openstack.cli.extension',
|
|
))
|