# Copyright 2017 Catalyst IT Limited
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from keystoneauth1.identity import generic
from keystoneauth1 import session
from keystoneclient.v3 import client as ks_client
from oslo_config import cfg
from oslo_log import log as logging
import swiftclient
from qinling import context
from qinling.utils import common
# Module-level logger, named after this module.
LOG = logging.getLogger(__name__)
# Global oslo.config object; the functions below read the
# keystone_authtoken and pecan option groups from it.
CONF = cfg.CONF
def _get_user_keystone_session():
    """Build a Keystone session authenticated with the caller's token.

    The token comes from the current request context and the Keystone
    endpoint from ``CONF.keystone_authtoken.auth_uri``.
    """
    request_ctx = context.get_ctx()
    token_plugin = generic.Token(
        auth_url=CONF.keystone_authtoken.auth_uri,
        token=request_ctx.auth_token,
    )

    # NOTE(review): verify=False turns off TLS certificate validation for
    # every request made through this session, so the user's token is sent
    # to an endpoint whose identity is never checked. The value is
    # hard-coded here; a CA bundle path or a config-driven setting would
    # let deployments keep verification on.
    return session.Session(auth=token_plugin, verify=False)
@common.disable_ssl_warnings
def get_swiftclient():
    """Return a Swift connection that acts as the current user.

    The connection is backed by the session from
    ``_get_user_keystone_session()``, so it carries the request's token.
    """
    # NOTE(review): that session is created with verify=False, so Swift
    # traffic through this connection is not certificate-verified either.
    user_session = _get_user_keystone_session()
    return swiftclient.Connection(session=user_session)
@common.disable_ssl_warnings
def get_keystone_client(use_session=True):
    """Return a Keystone v3 client acting as the current user.

    :param use_session: when true (the default) the client is built on the
        session from ``_get_user_keystone_session()``; otherwise it is
        built directly from the user id, token and project id found in the
        current request context.
    :returns: a ``keystoneclient.v3`` client.
    """
    if not use_session:
        request_ctx = context.get_ctx()
        endpoint = CONF.keystone_authtoken.auth_uri
        direct_client = ks_client.Client(
            user_id=request_ctx.user,
            token=request_ctx.auth_token,
            tenant_id=request_ctx.projectid,
            auth_url=endpoint
        )
        # Point management calls at the configured auth endpoint.
        direct_client.management_url = endpoint
        return direct_client

    # NOTE(review): the shared session is created with verify=False, so
    # this path talks to Keystone without certificate validation.
    return ks_client.Client(session=_get_user_keystone_session())
@common.disable_ssl_warnings
def _get_admin_user_id():
    """Return the Keystone user id of the configured service account.

    Authenticates with the username, password and project name from the
    ``[keystone_authtoken]`` options and reads ``user_id`` off the
    resulting client.
    """
    endpoint = CONF.keystone_authtoken.auth_uri
    admin_client = ks_client.Client(
        username=CONF.keystone_authtoken.username,
        password=CONF.keystone_authtoken.password,
        project_name=CONF.keystone_authtoken.project_name,
        auth_url=endpoint,
    )
    return admin_client.user_id
@common.disable_ssl_warnings
def _get_trust_client(trust_id):
    """Get a project Keystone client using the admin credential.

    The client logs in with the ``[keystone_authtoken]`` username and
    password and passes ``trust_id``, so the token it obtains is the one
    Keystone issues for that trust.

    :param trust_id: id of the trust to authenticate against.
    :returns: a ``keystoneclient.v3`` client.
    """
    trust_client = ks_client.Client(
        username=CONF.keystone_authtoken.username,
        password=CONF.keystone_authtoken.password,
        auth_url=CONF.keystone_authtoken.auth_uri,
        trust_id=trust_id
    )
    # Point management calls at the configured auth endpoint.
    trust_client.management_url = CONF.keystone_authtoken.auth_uri
    return trust_client
@common.disable_ssl_warnings
def create_trust():
    """Create a Keystone trust from the current user to the service user.

    The trustor is the user in the current request context; the trustee is
    the account configured in ``[keystone_authtoken]``.

    :returns: whatever ``trusts.create`` returns for the new trust.
    """
    keystone = get_keystone_client()
    request_ctx = context.get_ctx()
    admin_user_id = _get_admin_user_id()
    create = keystone.trusts.create

    # NOTE(review): this delegates every role in the request context with
    # impersonation enabled, and passes neither expires_at nor
    # remaining_uses, so the delegation is not limited in time or use count
    # here. Anyone holding the service credentials can act as the user in
    # this project until the trust is deleted; narrowing role_names or
    # setting an expiry would reduce that exposure.
    trust_args = dict(
        trustor_user=request_ctx.user,
        trustee_user=admin_user_id,
        impersonation=True,
        role_names=request_ctx.roles,
        project=request_ctx.tenant
    )
    return create(**trust_args)
@common.disable_ssl_warnings
def delete_trust(trust_id):
    """Delete a trust from Keystone on a best-effort basis.

    The trust can only be deleted by the original user (the trustor), so
    the call is made with the current user's Keystone client.

    :param trust_id: id of the trust; a falsy value makes this a no-op.
    """
    if trust_id:
        try:
            get_keystone_client().trusts.delete(trust_id)
            LOG.debug('Trust %s deleted.', trust_id)
        except Exception:
            # NOTE(review): the failure is only logged and the caller gets
            # None either way, so a trust that could not be deleted stays
            # usable in Keystone without the caller knowing.
            LOG.exception("Failed to delete trust [id=%s]", trust_id)
def create_trust_context(trust_id, project_id):
    """Create a Qinling context on behalf of the project.

    :param trust_id: trust used to obtain a token when auth is enabled.
    :param project_id: project the returned context is bound to when auth
        is enabled.
    :returns: a ``context.Context``.
    """
    if not CONF.pecan.auth_enable:
        # NOTE(review): with auth disabled every caller gets an admin
        # context on the default project and both arguments are ignored.
        return context.Context(
            user=None,
            tenant=context.DEFAULT_PROJECT_ID,
            auth_token=None,
            is_admin=True
        )

    trust_client = _get_trust_client(trust_id)
    return context.Context(
        user=trust_client.user_id,
        tenant=project_id,
        auth_token=trust_client.auth_token,
        is_trust_scoped=True,
        trust_id=trust_id,
    )