From 1c51140028592618334bed49a83913ba0f4dbbd3 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 5 Jul 2016 19:53:11 +0000 Subject: [PATCH] Initial commit of REST/notification services This is based heavily on the WSGI code in cinder. There are two services: a REST service and a notification listener. Currently both log only to stdout. The configuration file join.conf controls the REST service. nova configuration should look like this (assuming the REST service is running on the nova compute host). vendordata_providers = StaticJSON, DynamicJSON vendordata_dynamic_targets = 'join@http://127.0.0.1:9999/v1/' vendordata_driver = nova.api.metadata.vendordata_http.HTTPFileVendorData vendordata_dynamic_connect_timeout = 5 vendordata_dynamic_read_timeout = 30 vendordata_jsonfile_path = /etc/nova/cloud-config.json For the notification service like this: notification_driver = messaging notification_topic = notifications notify_on_state_change = vm_state Authentication is disabled in api-paste.ini for now. --- README.md | 25 +- files/api-paste.ini | 29 ++ files/cloud-config.json | 2 +- files/freeipa.json | 3 +- files/join.conf | 24 ++ novajoin/__init__.py | 13 + novajoin/base.py | 747 ++++++++++++++++++++++++++++++++++++++ novajoin/cache.py | 45 +++ novajoin/config.py | 62 ++++ novajoin/exception.py | 130 +++++++ novajoin/ipa.py | 315 ++++++++++++++++ novajoin/join.py | 153 ++++++++ novajoin/middleware.py | 39 ++ novajoin/notifications.py | 109 ++++++ novajoin/wsgi.py | 113 ++++++ scripts/join-notify.py | 22 ++ scripts/join-server.py | 22 ++ 17 files changed, 1846 insertions(+), 7 deletions(-) create mode 100644 files/api-paste.ini create mode 100644 files/join.conf create mode 100644 novajoin/__init__.py create mode 100644 novajoin/base.py create mode 100644 novajoin/cache.py create mode 100644 novajoin/config.py create mode 100644 novajoin/exception.py create mode 100644 novajoin/ipa.py create mode 100644 novajoin/join.py create mode 100644 novajoin/middleware.py create mode 100644 novajoin/notifications.py create mode 100644 novajoin/wsgi.py create mode 100644 scripts/join-notify.py create mode 100644 scripts/join-server.py diff --git a/README.md b/README.md index f99ca65..6e43cb0 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,24 @@ +==== WARNING ==== + +These instructions are incomplete and DO NOT WORK + novajoin Package ================== -This Python package provides a hook in the OpenStack nova compute -service to manage host instantiation in an IPA server. +This Python package provides a vendordata plugin for the OpenStack nova +metadata service to manage host instantiation in an IPA server. +It consists of two services: + + - REST service + - notification listener + + +The REST service will respond to dynamic requests from the nova metadata +server. This is used to add hosts into IPA. + +The notification listener will handle instance delete requests and remove +the appropriate host from IPA. Build ===== @@ -24,7 +39,7 @@ In this directory, run: Configuration ============= -Run novajoin-install to install and configure the hooks on a +Run novajoin-install to install and configure the plugin on a pre-installed nova server. Pre-requisites @@ -58,10 +73,10 @@ The installer takes the following options: password is obtained interactively --password-file: the file containing the password for the principal. -Hook Configuration +Metadata REST Service Configuration ================== -The hook is configured in /etc/nova/ipaclient.conf in the DEFAULT +The REST service is configured in /etc/nova/ipaclient.conf in the DEFAULT section. It provides the following options: url: The JSON RPC URL to an IPA server, e.g. https://ipa.host.domain/ipa/json diff --git a/files/api-paste.ini b/files/api-paste.ini new file mode 100644 index 0000000..31311c6 --- /dev/null +++ b/files/api-paste.ini @@ -0,0 +1,29 @@ +[composite:join] +use = call:novajoin.base:root_app_factory +/v1: join_v1 + +[pipeline:join_v1] +pipeline = cors joinv1app + +#[composite:join_v1] +#use = call:middleware:pipeline_factory_auth +##keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2 +#keystone = cors authtoken join_v1 + +[app:joinv1app] +paste.app_factory = novajoin.join:Join.factory + +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = join +latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID, X-Trace-Info, X-Trace-HMAC, OpenStack-Volume-microversion +latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID, OpenStack-Volume-microversion +latent_allow_methods = GET, PUT, POST, DELETE, PATCH + +[filter:authtoken] +paste.filter_factory = keystonemiddleware.auth_token:filter_factory +oslo_config_project = join +auth_url = http://192.168.0.253:35357 +auth_protocol=http +auth_host=192.168.0.253 +auth_port=35357 diff --git a/files/cloud-config.json b/files/cloud-config.json index 17a8c29..f7f845c 100644 --- a/files/cloud-config.json +++ b/files/cloud-config.json @@ -1 +1 @@ -{"cloud-init": "#cloud-config\nsystem_info:\n default_user:\n name: cloud-user\n plain_text_passwd: password\n lock_passwd: False\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\nruncmd:\n - sh -x /tmp/setup-ipa-client.sh > /var/log/setup-ipa-client.sh.log 2>&1"} +{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\nwrite_files:\n - content: |\n #!/bin/sh\n \n # Get the instance hostname out of the metadata\n #data=`curl http://169.254.169.254/openstack/latest/meta_data.json 2>/dev/null`\n data=`curl http://169.254.169.254/openstack/2016-04-30/vendor_data2.json 2>/dev/null`\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata\"\n exit 1\n fi\n \n # Hacky, need to get the join value specifically\n fqdn=`echo $data | python -m json.tool | grep '\"hostname\"' | awk '{ print $2 }' | sed 's/,//' | sed 's/\"//g'`\n \n if [ -z \"$fqdn\" ]; then\n echo \"Unable to determine hostname\"\n exit 1\n fi\n \n # Hacky, also need to fetch join here\n otp=`echo $data | python -m json.tool | grep '\"ipaotp\"' | awk '{ print $2 }' | sed 's/,//' | sed 's/\"//g'`\n\n # run ipa-client-install\n ipa-client-install -U -w $otp --hostname $fqdn\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"} diff --git a/files/freeipa.json b/files/freeipa.json index 588d63a..c270d6e 100644 --- a/files/freeipa.json +++ b/files/freeipa.json @@ -7,7 +7,8 @@ "name": "OS::Glance::Image" }, { - "name": "OS::Nova::Instance" + "name": "OS::Nova::Server", + "properties_target": "metadata" } ], "objects": [ diff --git a/files/join.conf b/files/join.conf new file mode 100644 index 0000000..b0444ef --- /dev/null +++ b/files/join.conf @@ -0,0 +1,24 @@ +[DEFAULT] +join_listen_port = 9999 +api_paste_config = /path/to/api-paste.ini +debug = True +auth_strategy=keystone + +keytab = /path/to/krb5.keytab +url = https://ipa.example.com/ipa/json +service_name = HTTP@ipa.example.com +cacert = /etc/ipa/ca.crt +connect_retries = 1 + +[keystone_authtoken] +memcache_servers = 192.168.0.253:11211 +signing_dir = /var/cache/nova +cafile = /path/to/ca-bundle.pem +auth_uri = http://192.168.0.253:5000 +project_domain_id = default +project_name = service +user_domain_id = default +password = password +username = nova +auth_url = http://192.168.0.253:35357 +auth_type = password diff --git a/novajoin/__init__.py b/novajoin/__init__.py new file mode 100644 index 0000000..46ae15d --- /dev/null +++ b/novajoin/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. diff --git a/novajoin/base.py b/novajoin/base.py new file mode 100644 index 0000000..d5dffcd --- /dev/null +++ b/novajoin/base.py @@ -0,0 +1,747 @@ +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +import paste.urlmap +import routes +import webob.dec +from oslo_utils import excutils +from oslo_log import log +from oslo_serialization import jsonutils +from oslo_config import cfg +import six +import six.moves.urllib.parse as urlparse +import webob.exc +from novajoin import exception +from oslo_service import wsgi +from oslo_utils import strutils + +CONF = cfg.CONF +LOG = log.getLogger(__name__) + + +# Drop all this extra kruft +SUPPORTED_CONTENT_TYPES = ( + 'application/json', +) + +_MEDIA_TYPE_MAP = { + 'application/json': 'json', +} + + +class Request(webob.Request): + + def get_content_type(self): + """Determine content type of the request body. + + Does not do any body introspection, only checks header + """ + if "Content-Type" not in self.headers: + return None + + allowed_types = SUPPORTED_CONTENT_TYPES + content_type = self.content_type + + if content_type not in allowed_types: + raise exception.InvalidContentType(content_type=content_type) + + return content_type + + +class Application(object): + @classmethod + def factory(cls, global_config, **local_config): + """Used for paste app factories in paste.deploy config files. + + Any local configuration (that is, values under the [app:APPNAME] + section of the paste config) will be passed into the `__init__` method + as kwargs. + + A hypothetical configuration would look like: + + [app:wadl] + latest_version = 1.3 + paste.app_factory = cinder.api.fancy_api:Wadl.factory + + which would result in a call to the `Wadl` class as + + import cinder.api.fancy_api + fancy_api.Wadl(latest_version='1.3') + + You could of course re-implement the `factory` method in subclasses, + but using the kwarg passing it shouldn't be necessary. + + """ + return cls(**local_config) + + def __call__(self, environ, start_response): + r"""Subclasses will probably want to implement __call__ like this: + + @webob.dec.wsgify(RequestClass=Request) + def __call__(self, req): + # Any of the following objects work as responses: + + # Option 1: simple string + res = 'message\n' + + # Option 2: a nicely formatted HTTP exception page + res = exc.HTTPForbidden(explanation='Nice try') + + # Option 3: a webob Response object (in case you need to play with + # headers, or you want to be treated like an iterable) + res = Response(); + res.app_iter = open('somefile') + + # Option 4: any wsgi app to be run next + res = self.application + + # Option 5: you can get a Response object for a wsgi app, too, to + # play with headers etc + res = req.get_response(self.application) + + # You can then just return your response... + return res + # ... or set req.response and return None. + req.response = res + + See the end of http://pythonpaste.org/webob/modules/dec.html + for more info. + + """ + raise NotImplementedError('You must implement __call__') + + +def root_app_factory(loader, global_conf, **local_conf): + return paste.urlmap.urlmap_factory(loader, global_conf, **local_conf) + + +class APIMapper(routes.Mapper): + def routematch(self, url=None, environ=None): + if url is "": + result = self._match("", environ) + return result[0], result[1] + return routes.Mapper.routematch(self, url, environ) + + def connect(self, *args, **kwargs): + kwargs.setdefault('requirements', {}) + if not kwargs['requirements'].get('format'): + kwargs['requirements']['format'] = 'json' + return routes.Mapper.connect(self, *args, **kwargs) + + +class ProjectMapper(APIMapper): + def resource(self, member_name, collection_name, **kwargs): + if 'parent_resource' not in kwargs: + kwargs['path_prefix'] = '{project_id}/' + else: + parent_resource = kwargs['parent_resource'] + p_collection = parent_resource['collection_name'] + p_member = parent_resource['member_name'] + kwargs['path_prefix'] = '{project_id}/%s/:%s_id' % (p_collection, + p_member) + routes.Mapper.resource(self, + member_name, + collection_name, + **kwargs) + + +class APIRouter(wsgi.Router): + """Routes requests on the API to the appropriate controller and method.""" + ExtensionManager = None # override in subclasses + + @classmethod + def factory(cls, global_config, **local_config): + """Simple paste factory, :class:`cinder.wsgi.Router` doesn't have.""" + return cls() + + def __init__(self, ext_mgr=None): + mapper = ProjectMapper() + self.resources = {} + self._setup_routes(mapper, ext_mgr) + super(APIRouter, self).__init__(mapper) + + def _setup_routes(self, mapper, ext_mgr): + raise NotImplementedError + + +class ActionDispatcher(object): + """Maps method name to local methods through action name.""" + + def dispatch(self, *args, **kwargs): + """Find and call local method.""" + action = kwargs.pop('action', 'default') + action_method = getattr(self, six.text_type(action), self.default) + return action_method(*args, **kwargs) + + def default(self, data): + raise NotImplementedError() + +class TextDeserializer(ActionDispatcher): + """Default request body deserialization.""" + + def deserialize(self, datastring, action='default'): + return self.dispatch(datastring, action=action) + + def default(self, datastring): + return {} + +class JSONDeserializer(TextDeserializer): + + def _from_json(self, datastring): + try: + return jsonutils.loads(datastring) + except ValueError: + msg = "cannot understand JSON" + raise exception.MalformedRequestBody(reason=msg) + + def default(self, datastring): + return {'body': self._from_json(datastring)} + +class DictSerializer(ActionDispatcher): + """Default request body serialization.""" + + def serialize(self, data, action='default'): + return self.dispatch(data, action=action) + + def default(self, data): + return "" + + +class JSONDictSerializer(DictSerializer): + """Default JSON request body serialization.""" + + def default(self, data): + return jsonutils.dump_as_bytes(data) + +def action_peek_json(body): + """Determine action to invoke.""" + + try: + decoded = jsonutils.loads(body) + except ValueError: + msg = "cannot understand JSON" + raise exception.MalformedRequestBody(reason=msg) + + # Make sure there's exactly one key... + if len(decoded) != 1: + msg = "too many body keys" + raise exception.MalformedRequestBody(reason=msg) + + # Return the action and the decoded body... + return list(decoded.keys())[0] + +class ResponseObject(object): + """Bundles a response object with appropriate serializers. + + Object that app methods may return in order to bind alternate + serializers with a response object to be serialized. Its use is + optional. + """ + + def __init__(self, obj, code=None, headers=None, **serializers): + """Binds serializers with an object. + + Takes keyword arguments akin to the @serializer() decorator + for specifying serializers. Serializers specified will be + given preference over default serializers or method-specific + serializers on return. + """ + + self.obj = obj + self.serializers = serializers + self._default_code = 200 + self._code = code + self._headers = headers or {} + self.serializer = None + self.media_type = None + + def __getitem__(self, key): + """Retrieves a header with the given name.""" + + return self._headers[key.lower()] + + def __setitem__(self, key, value): + """Sets a header with the given name to the given value.""" + + self._headers[key.lower()] = value + + def __delitem__(self, key): + """Deletes the header with the given name.""" + + del self._headers[key.lower()] + def _bind_method_serializers(self, meth_serializers): + """Binds method serializers with the response object. + + Binds the method serializers with the response object. + Serializers specified to the constructor will take precedence + over serializers specified to this method. + + :param meth_serializers: A dictionary with keys mapping to + response types and values containing + serializer objects. + """ + + # We can't use update because that would be the wrong + # precedence + for mtype, serializer in meth_serializers.items(): + self.serializers.setdefault(mtype, serializer) + + def get_serializer(self, content_type, default_serializers=None): + """Returns the serializer for the wrapped object. + + Returns the serializer for the wrapped object subject to the + indicated content type. If no serializer matching the content + type is attached, an appropriate serializer drawn from the + default serializers will be used. If no appropriate + serializer is available, raises InvalidContentType. + """ + + default_serializers = default_serializers or {} + + try: + mtype = _MEDIA_TYPE_MAP.get(content_type, content_type) + if mtype in self.serializers: + return mtype, self.serializers[mtype] + else: + return mtype, default_serializers[mtype] + except (KeyError, TypeError): + raise exception.InvalidContentType(content_type=content_type) + + def preserialize(self, content_type, default_serializers=None): + """Prepares the serializer that will be used to serialize. + + Determines the serializer that will be used and prepares an + instance of it for later call. This allows the serializer to + be accessed by extensions for, e.g., template extension. + """ + + mtype, serializer = self.get_serializer(content_type, + default_serializers) + self.media_type = mtype + self.serializer = serializer() + + def attach(self, **kwargs): + """Attach slave templates to serializers.""" + + if self.media_type in kwargs: + self.serializer.attach(kwargs[self.media_type]) + + def serialize(self, request, content_type, default_serializers=None): + """Serializes the wrapped object. + + Utility method for serializing the wrapped object. Returns a + webob.Response object. + """ + + if self.serializer: + serializer = self.serializer + else: + _mtype, _serializer = self.get_serializer(content_type, + default_serializers) + serializer = _serializer() + + response = webob.Response() + response.status_int = self.code + for hdr, value in self._headers.items(): + response.headers[hdr] = six.text_type(value) + response.headers['Content-Type'] = six.text_type(content_type) + if self.obj is not None: + body = serializer.serialize(self.obj) + if isinstance(body, six.text_type): + body = body.encode('utf-8') + response.body = body + + return response + + @property + def code(self): + """Retrieve the response status.""" + + return self._code or self._default_code + + @property + def headers(self): + """Retrieve the headers.""" + + return self._headers.copy() + + +class ResourceExceptionHandler(object): + """Context manager to handle Resource exceptions. + + Used when processing exceptions generated by API implementation + methods (or their extensions). Converts most exceptions to Fault + exceptions, with the appropriate logging. + """ + + def __enter__(self): + return None + + def __exit__(self, ex_type, ex_value, ex_traceback): + if not ex_value: + return True + if isinstance(ex_value, exception.NotAuthorized): + msg = six.text_type(ex_value) + raise Fault(webob.exc.HTTPForbidden(explanation=msg)) + elif isinstance(ex_value, exception.Invalid): + raise Fault(exception.ConvertedException( + code=ex_value.code, explanation=six.text_type(ex_value))) + elif isinstance(ex_value, TypeError): + exc_info = (ex_type, ex_value, ex_traceback) + LOG.error( + 'Exception handling resource: %s', + ex_value, exc_info=exc_info) + raise Fault(webob.exc.HTTPBadRequest()) + elif isinstance(ex_value, Fault): + LOG.info("Fault thrown: %s", six.text_type(ex_value)) + raise ex_value + elif isinstance(ex_value, webob.exc.HTTPException): + LOG.info("HTTP exception thrown: %s", six.text_type(ex_value)) + raise Fault(ex_value) + LOG.info("HTTP exception thrown: %s", six.text_type(ex_value)) + #raise Fault("something bad happened") + + # We didn't handle the exception + return False + + +class Resource(Application): + support_api_request_version = False + + def __init__(self, controller, action_peek=None, **deserializers): + """Initialize Resource. + + :param controller: object that implement methods created by routes lib + :param action_peek: dictionary of routines for peeking into an action + request body to determine the desired action + """ + + self.controller = controller + + default_deserializers = dict(json=JSONDeserializer) + default_deserializers.update(deserializers) + + self.default_deserializers = default_deserializers + self.default_serializers = dict(json=JSONDictSerializer) + + self.action_peek = dict(json=action_peek_json) + self.action_peek.update(action_peek or {}) + + # Copy over the actions dictionary + self.wsgi_actions = {} + if controller: + self.register_actions(controller) + + # Save a mapping of extensions + self.wsgi_extensions = {} + self.wsgi_action_extensions = {} + + def register_actions(self, controller): + """Registers controller actions with this resource.""" + + actions = getattr(controller, 'wsgi_actions', {}) + for key, method_name in actions.items(): + self.wsgi_actions[key] = getattr(controller, method_name) + + def register_extensions(self, controller): + """Registers controller extensions with this resource.""" + + extensions = getattr(controller, 'wsgi_extensions', []) + for method_name, action_name in extensions: + # Look up the extending method + extension = getattr(controller, method_name) + if action_name: + # Extending an action... + if action_name not in self.wsgi_action_extensions: + self.wsgi_action_extensions[action_name] = [] + self.wsgi_action_extensions[action_name].append(extension) + else: + # Extending a regular method + if method_name not in self.wsgi_extensions: + self.wsgi_extensions[method_name] = [] + self.wsgi_extensions[method_name].append(extension) + + def get_action_args(self, request_environment): + """Parse dictionary created by routes library.""" + + # NOTE(Vek): Check for get_action_args() override in the + # controller + if hasattr(self.controller, 'get_action_args'): + return self.controller.get_action_args(request_environment) + + try: + args = request_environment['wsgiorg.routing_args'][1].copy() + except (KeyError, IndexError, AttributeError): + return {} + + try: + del args['controller'] + except KeyError: + pass + + try: + del args['format'] + except KeyError: + pass + + return args + + def get_body(self, request): + + params = urlparse.parse_qs(request.query_string) + if len(request.body) == 0: + LOG.debug("Empty body provided in request") + return None, params + + try: + content_type = request.get_content_type() + except exception.InvalidContentType: + LOG.debug("Unrecognized Content-Type provided in request") + return None, '' + + if not content_type: + LOG.debug("No Content-Type provided in request") + return None, '' + + return content_type, request.body + + def deserialize(self, meth, content_type, body): + meth_deserializers = getattr(meth, 'wsgi_deserializers', {}) + try: + mtype = _MEDIA_TYPE_MAP.get(content_type, content_type) + if mtype in meth_deserializers: + deserializer = meth_deserializers[mtype] + else: + deserializer = self.default_deserializers[mtype] + except (KeyError, TypeError): + raise exception.InvalidContentType(content_type=content_type) + + return deserializer().deserialize(body) + + @webob.dec.wsgify(RequestClass=Request) + def __call__(self, request): + """WSGI method that controls (de)serialization and method dispatch.""" + + LOG.info("%(method)s %(url)s", + {"method": request.method, + "url": request.url}) + + # Identify the action, its arguments, and the requested + # content type + action_args = self.get_action_args(request.environ) + action = action_args.pop('action', None) + content_type, body = self.get_body(request) + accept = 'application/json' + + # NOTE(Vek): Splitting the function up this way allows for + # auditing by external tools that wrap the existing + # function. If we try to audit __call__(), we can + # run into troubles due to the @webob.dec.wsgify() + # decorator. + return self._process_stack(request, action, action_args, + content_type, body, accept) + + def _process_stack(self, request, action, action_args, + content_type, body, accept): + """Implement the processing stack.""" + + # Get the implementing method + try: + meth, extensions = self.get_method(request, action, + content_type, body) + except (AttributeError, TypeError): + return Fault(webob.exc.HTTPNotFound()) + except KeyError as ex: + msg = "There is no such action: %s" % ex.args[0] + return Fault(webob.exc.HTTPBadRequest(explanation=msg)) + except exception.MalformedRequestBody: + msg = "Malformed request body" + return Fault(webob.exc.HTTPBadRequest(explanation=msg)) + + if body: + msg = ("Action: '%(action)s', calling method: %(meth)s, body: " + "%(body)s") % {'action': action, + 'body': six.text_type(body), + 'meth': six.text_type(meth)} + LOG.debug(strutils.mask_password(msg)) + else: + LOG.debug("Calling method '%(meth)s'", + {'meth': six.text_type(meth)}) + + # Now, deserialize the request body... + try: + if content_type: + contents = self.deserialize(meth, content_type, body) + else: + contents = body + except exception.InvalidContentType: + msg = "Unsupported Content-Type" + return Fault(webob.exc.HTTPBadRequest(explanation=msg)) + except exception.MalformedRequestBody: + msg = "Malformed request body" + return Fault(webob.exc.HTTPBadRequest(explanation=msg)) + + # Update the action args + action_args.update(contents) + + project_id = action_args.pop("project_id", None) + context = request.environ.get('cinder.context') + if context and project_id and (project_id != context.project_id): + msg = "Malformed request url" + return Fault(webob.exc.HTTPBadRequest(explanation=msg)) + + response = None + try: + with ResourceExceptionHandler(): + action_result = self.dispatch(meth, request, action_args) + except Fault as ex: + response = ex + + if not response: + # No exceptions; convert action_result into a + # ResponseObject + resp_obj = None + if isinstance(action_result, dict) or action_result is None: + resp_obj = ResponseObject(action_result) + elif isinstance(action_result, ResponseObject): + resp_obj = action_result + else: + response = action_result + + # Run post-processing extensions + if resp_obj: + # Do a preserialize to set up the response object + serializers = getattr(meth, 'wsgi_serializers', {}) + resp_obj._bind_method_serializers(serializers) + if hasattr(meth, 'wsgi_code'): + resp_obj._default_code = meth.wsgi_code + resp_obj.preserialize(accept, self.default_serializers) + + if resp_obj: + response = resp_obj.serialize(request, accept, + self.default_serializers) + + try: + msg_dict = dict(url=request.url, status=response.status_int) + msg = "%(url)s returned with HTTP %(status)d" + except AttributeError as e: + msg_dict = dict(url=request.url, e=e) + msg = "%(url)s returned a fault: %(e)s" + + LOG.info(msg, msg_dict) + + if hasattr(response, 'headers'): + for hdr, val in response.headers.items(): + # Headers must be utf-8 strings + try: + # python 2.x + response.headers[hdr] = val.encode('utf-8') + except Exception: + # python 3.x + response.headers[hdr] = six.text_type(val) + + return response + + def get_method(self, request, action, content_type, body): + """Look up the action-specific method and its extensions.""" + + # Look up the method + try: + if not self.controller: + meth = getattr(self, action) + else: + meth = getattr(self.controller, action) + except AttributeError as e: + with excutils.save_and_reraise_exception(e) as ctxt: + if (not self.wsgi_actions or action not in ['action', + 'create', + 'delete', + 'update']): + LOG.exception('Get method error.') + else: + ctxt.reraise = False + else: + return meth, self.wsgi_extensions.get(action, []) + + if action == 'action': + # OK, it's an action; figure out which action... + mtype = _MEDIA_TYPE_MAP.get(content_type) + action_name = self.action_peek[mtype](body) + LOG.debug("Action body: %s", body) + else: + action_name = action + + # Look up the action method + return (self.wsgi_actions[action_name], + self.wsgi_action_extensions.get(action_name, [])) + + def dispatch(self, method, request, action_args): + """Dispatch a call to the action-specific method.""" + + return method(req=request, **action_args) + + +class Fault(webob.exc.HTTPException): + """Wrap webob.exc.HTTPException to provide API friendly response.""" + + _fault_names = {400: "badRequest", + 401: "unauthorized", + 403: "forbidden", + 404: "itemNotFound", + 405: "badMethod", + 409: "conflictingRequest", + 413: "overLimit", + 415: "badMediaType", + 501: "notImplemented", + 503: "serviceUnavailable"} + + def __init__(self, exc): + """Create a Fault for the given webob.exc.exception.""" + self.wrapped_exc = exc + self.status_int = exc.status_int + + @webob.dec.wsgify(RequestClass=Request) + def __call__(self, req): + """Generate a WSGI response based on the exception passed to ctor.""" + # Replace the body with fault details. + code = self.wrapped_exc.status_int + fault_name = self._fault_names.get(code, "computeFault") + explanation = self.wrapped_exc.explanation + fault_data = { + fault_name: { + 'code': code, + 'message': explanation}} + if code == 413: + retry = self.wrapped_exc.headers.get('Retry-After', None) + if retry: + fault_data[fault_name]['retryAfter'] = retry + + content_type = 'application/json' + serializer = { + 'application/json': JSONDictSerializer(), + }[content_type] + + body = serializer.serialize(fault_data) + if isinstance(body, six.text_type): + body = body.encode('utf-8') + self.wrapped_exc.body = body + self.wrapped_exc.content_type = content_type + + return self.wrapped_exc + + def __str__(self): + return self.wrapped_exc.__str__() diff --git a/novajoin/cache.py b/novajoin/cache.py new file mode 100644 index 0000000..48a15c8 --- /dev/null +++ b/novajoin/cache.py @@ -0,0 +1,45 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sqlite3 + + +class Cache(object): + + def __init__(self): + self.conn = self._getconn() + + self.conn.execute('''CREATE TABLE IF NOT EXISTS cache + (id TEXT PRIMARY KEY NOT NULL, + data TEXT NOT NULL);''') + self.conn.close() + + def _getconn(self): + self.conn = sqlite3.connect('test.db') + + def add(self, id, data): + self._getconn() + s = ("INSERT INTO cache (id, data) VALUES (\'{id}\', \'{data}\')".format(id=id, data=data)); + self.conn.execute(s) + self.conn.commit() + self.conn.close() + + def get(self, id): + data = None + self._getconn() + cursor = self.conn.execute("SELECT id, data from cache where id=\'%s\'" % id) + for row in cursor: + data = row[1] + self.conn.close() + return data diff --git a/novajoin/config.py b/novajoin/config.py new file mode 100644 index 0000000..d5ede85 --- /dev/null +++ b/novajoin/config.py @@ -0,0 +1,62 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_config import cfg +from oslo_log import log + + +service_opts = [ + cfg.StrOpt('join_listen', + default="0.0.0.0", + help='IP address to listen on'), + cfg.PortOpt('join_listen_port', + default=9090, + help='Port to listen on'), + cfg.StrOpt('url', default=None, + help='IPA JSON RPC URL (e.g. ' + 'https://ipa.host.domain/ipa/json)'), + cfg.StrOpt('keytab', default='/etc/krb5.keytab', + help='Kerberos client keytab file'), + cfg.StrOpt('service_name', default=None, + help='HTTP IPA Kerberos service name ' + '(e.g. HTTP@ipa.host.domain)'), + cfg.StrOpt('domain', default='test', + help='Domain for new hosts'), + cfg.IntOpt('connect_retries', default=1, + help='How many times to attempt to retry ' + 'the connection to IPA before giving up'), + cfg.BoolOpt('project_subdomain', default=False, + help='Treat the project as a DNS subdomain ' + 'so a hostname would take the form: ' + 'instance.project.domain'), + cfg.BoolOpt('normalize_project', default=True, + help='Normalize the project name to be a valid DNS label'), +] + + +#CONF = cfg.ConfigOpts() +CONF = cfg.CONF +CONF.register_opts(service_opts) +log.register_options(CONF) + +# CONF(sys.argv[1:], project='join', version='1.0.0') +# log.setup(CONF, 'join') +# launcher = process_launcher() +# server = WSGIService('join') +# launcher.launch_service(server, workers=server.workers) +# launcher.wait() +# +# +#if __name__ == '__main__': +# main() diff --git a/novajoin/exception.py b/novajoin/exception.py new file mode 100644 index 0000000..fdc3cad --- /dev/null +++ b/novajoin/exception.py @@ -0,0 +1,130 @@ +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +"""Join base exception handling. Based on exception.py from cinder project + +""" + +import sys + +from oslo_log import log as logging +import six +import webob.exc +from webob.util import status_generic_reasons +from webob.util import status_reasons + + + +LOG = logging.getLogger(__name__) + + +class ConvertedException(webob.exc.WSGIHTTPException): + def __init__(self, code=500, title="", explanation=""): + self.code = code + # There is a strict rule about constructing status line for HTTP: + # '...Status-Line, consisting of the protocol version followed by a + # numeric status code and its associated textual phrase, with each + # element separated by SP characters' + # (http://www.faqs.org/rfcs/rfc2616.html) + # 'code' and 'title' can not be empty because they correspond + # to numeric status code and its associated text + if title: + self.title = title + else: + try: + self.title = status_reasons[self.code] + except KeyError: + generic_code = self.code // 100 + self.title = status_generic_reasons[generic_code] + self.explanation = explanation + super(ConvertedException, self).__init__() + + +class JoinException(Exception): + """Base Join Exception + + To correctly use this class, inherit from it and define + a 'message' property. That message will get printf'd + with the keyword arguments provided to the constructor. + + """ + message = "An unknown exception occurred." + code = 500 + headers = {} + safe = False + + def __init__(self, message=None, **kwargs): + self.kwargs = kwargs + self.kwargs['message'] = message + + if 'code' not in self.kwargs: + try: + self.kwargs['code'] = self.code + except AttributeError: + pass + + for k, v in self.kwargs.items(): + if isinstance(v, Exception): + self.kwargs[k] = six.text_type(v) + + if self._should_format(): + try: + message = self.message % kwargs + + except Exception: + exc_info = sys.exc_info() + # kwargs doesn't match a variable in the message + # log the issue and the kwargs + LOG.exception('Exception in string format operation') + for name, value in kwargs.items(): + LOG.error("%(name)s: %(value)s", + {'name': name, 'value': value}) + message = self.message + elif isinstance(message, Exception): + message = six.text_type(message) + + # NOTE(luisg): We put the actual message in 'msg' so that we can access + # it, because if we try to access the message via 'message' it will be + # overshadowed by the class' message attribute + self.msg = message + super(JoinException, self).__init__(message) + + def _should_format(self): + return self.kwargs['message'] is None or '%(message)' in self.message + + def __unicode__(self): + return six.text_type(self.msg) + + +class NotAuthorized(JoinException): + message = "Not authorized." + code = 403 + +class Invalid(JoinException): + message = "Unacceptable parameters." + code = 400 + + +class InvalidInput(Invalid): + message = "Invalid input received: %(reason)s" + + +class InvalidContentType(Invalid): + message = "Invalid content type %(content_type)s." + + +class MalformedRequestBody(JoinException): + message = "Malformed message body: %(reason)s" diff --git a/novajoin/ipa.py b/novajoin/ipa.py new file mode 100644 index 0000000..6469c35 --- /dev/null +++ b/novajoin/ipa.py @@ -0,0 +1,315 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import os +import time +import pprint +import requests +import uuid +import kerberos +import six +import re + +from oslo_config import cfg +from oslo_log import log as logging +from oslo_serialization import jsonutils as json + + +CONF = cfg.CONF + +LOG = logging.getLogger(__name__) + +dns_regex = re.compile('[^0-9a-zA-Z]+') + + +class IPABaseError(Exception): + error_code = 500 + error_type = 'unknown_ipa_error' + error_message = None + errors = None + + def __init__(self, *args, **kwargs): + self.errors = kwargs.pop('errors', None) + self.object = kwargs.pop('object', None) + + super(IPABaseError, self).__init__(*args, **kwargs) + + if len(args) > 0 and isinstance(args[0], six.string_types): + self.error_message = args[0] + + +class IPAAuthError(IPABaseError): + error_type = 'authentication_error' + + +IPA_INVALID_DATA = 3009 +IPA_NOT_FOUND = 4001 +IPA_DUPLICATE = 4002 +IPA_NO_DNS_RECORD = 4019 +IPA_NO_CHANGES = 4202 + + +class IPAUnknownError(IPABaseError): + pass + + +class IPACommunicationFailure(IPABaseError): + error_type = 'communication_failure' + + +class IPAInvalidData(IPABaseError): + error_type = 'invalid_data' + + +class IPADuplicateEntry(IPABaseError): + error_type = 'duplicate_entry' + + +ipaerror2exception = { + IPA_INVALID_DATA: { + 'host': IPAInvalidData, + 'dnsrecord': IPAInvalidData + }, + IPA_NO_CHANGES: { + 'host': None, + 'dnsrecord': None + }, + IPA_NO_DNS_RECORD: { + 'host': None, # ignore - means already added + }, + IPA_DUPLICATE: { + 'host': IPADuplicateEntry, + 'dnsrecord': IPADuplicateEntry + }, + IPA_NOT_FOUND: { + 'host': None, # ignore - means tried to delete non-existent host + } +} + + +class IPAAuth(requests.auth.AuthBase): + def __init__(self, keytab, service): + # store the kerberos credentials in memory rather than on disk + os.environ['KRB5CCNAME'] = "MEMORY:" + str(uuid.uuid4()) + self.token = None + self.keytab = keytab + self.service = service + if self.keytab: + os.environ['KRB5_CLIENT_KTNAME'] = self.keytab + else: + LOG.warn('No IPA client kerberos keytab file given') + + def __call__(self, request): + if not self.token: + self.refresh_auth() + request.headers['Authorization'] = 'negotiate ' + self.token + return request + + def refresh_auth(self): + flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG + try: + (unused, vc) = kerberos.authGSSClientInit(self.service, + gssflags=flags) + except kerberos.GSSError as e: + LOG.error("caught kerberos exception %r" % e) + raise IPAAuthError(str(e)) + try: + kerberos.authGSSClientStep(vc, "") + except kerberos.GSSError as e: + LOG.error("caught kerberos exception %r" % e) + raise IPAAuthError(str(e)) + self.token = kerberos.authGSSClientResponse(vc) + + +class IPANovaJoinBase(object): + + session = None + inject_files = [] + + @classmethod + def start(cls): + if not cls.session: + # set up session to share among all instances + cls.session = requests.Session() + cls.session.auth = IPAAuth(CONF.keytab, CONF.service_name) + xtra_hdrs = {'Content-Type': 'application/json', + 'Referer': CONF.url} + cls.session.headers.update(xtra_hdrs) + cls.session.verify = True + + def __init__(self): + IPANovaJoinBase.start() + self.session = IPANovaJoinBase.session + self.ntries = CONF.connect_retries + self.inject_files = IPANovaJoinBase.inject_files + + def _ipa_error_to_exception(self, resp, ipareq): + exc = None + if resp['error'] is None: + return exc + errcode = resp['error']['code'] + method = ipareq['method'] + methtype = method.split('_')[0] + exclass = ipaerror2exception.get(errcode, {}).get(methtype, + IPAUnknownError) + if exclass: + LOG.debug("Error: ipa command [%s] returned error [%s]" % + (pprint.pformat(ipareq), pprint.pformat(resp))) + elif errcode: # not mapped + LOG.debug("Ignoring IPA error code %d for command %s: %s" % + (errcode, method, pprint.pformat(resp))) + return exclass + + def _call_and_handle_error(self, ipareq): + need_reauth = False + while True: + status_code = 200 + try: + if need_reauth: + self.session.auth.refresh_auth() + rawresp = self.session.post(CONF.url, + data=json.dumps(ipareq)) + status_code = rawresp.status_code + except IPAAuthError: + status_code = 401 + if status_code == 401: + if self.ntries == 0: + # persistent inability to auth + LOG.error("Error: could not authenticate to IPA - " + "please check for correct keytab file") + # reset for next time + self.ntries = CONF.connect_retries + raise IPACommunicationFailure() + else: + LOG.debug("Refresh authentication") + need_reauth = True + self.ntries -= 1 + time.sleep(1) + else: + # successful - reset + self.ntries = CONF.connect_retries + break + try: + resp = json.loads(rawresp.text) + except ValueError: + # response was not json - some sort of error response + LOG.debug("Error: unknown error from IPA [%s]" % rawresp.text) + raise IPAUnknownError("unable to process response from IPA") + # raise the appropriate exception, if error + exclass = self._ipa_error_to_exception(resp, ipareq) + if exclass: + # could add additional info/message to exception here + raise exclass() + return resp + + def _ipa_client_configured(self): + """ + Return boolean indicating whether this machine is enrolled + in IPA. This is a rather weak detection method but better + than nothing. + """ + return os.path.exists('/etc/ipa/default.conf') + + +class IPAClient(IPANovaJoinBase): + + def add_host(self, hostname, ipaotp, metadata={}, system_metadata={}): + """ + If requested in the metadata, add a host to IPA. The assumption + is that hostname is already fully-qualified. + """ + LOG.debug('In IPABuildInstance') + + if not self._ipa_client_configured(): + LOG.debug('IPA is not configured') + return + + enroll = metadata.get('ipa_enroll', '') + if enroll.lower() != 'true': + LOG.debug('IPA enrollment not requested') + return + + ipareq = {'method': 'host_add', 'id': 0} + + params = [hostname] + hostclass = metadata.get('ipa_hostclass', '') + location = metadata.get('ipa_host_location', '') + osdistro = system_metadata.get('image_os_distro', None) + osver = system_metadata.get('image_os_version', None) +# 'description': 'IPA host for %s' % inst.display_description, + hostargs = { + 'description': 'IPA host for OpenStack', + 'userpassword': ipaotp, + 'force': True # we don't have an ip addr yet so + # use force to add anyway + } + if hostclass: + hostargs['userclass'] = hostclass + if osdistro or osver: + hostargs['nsosversion'] = '%s %s' % (osdistro, osver) + hostargs['nsosversion'] = hostargs['nsosversion'].strip() + if location: + hostargs['nshostlocation'] = location + ipareq['params'] = [params, hostargs] + self._call_and_handle_error(ipareq) + + def delete_host(self, hostname, metadata={}): + """ + Delete a host from IPA and remove all related DNS entries. + """ + LOG.debug('In IPADeleteInstance') + + if not self._ipa_client_configured(): + LOG.debug('IPA is not configured') + return + + # TODO: lookup instance in nova to get metadata to see if + # the host was enrolled. For now assume yes. + + ipareq = {'method': 'host_del', 'id': 0} + params = [hostname] + args = { + 'updatedns': True, + } + ipareq['params'] = [params, args] + self._call_and_handle_error(ipareq) + + def add_ip(self, hostname, floating_ip): + """ + Add a floating IP to a given hostname. + """ + LOG.debug('In add_ip') + + if not self._ipa_client_configured(): + LOG.debug('IPA is not configured') + return + + ipareq = {'method': 'dnsrecord_add', 'id': 0} + params = [{"__dns_name__": CONF.domain + "."}, + {"__dns_name__": hostname}] + args = {'a_part_ip_address': floating_ip} + ipareq['params'] = [params, args] + self._call_and_handle_error(ipareq) + + def remove_ip(self, hostname, floating_ip): + """ + Remove a floating IP from a given hostname. + """ + LOG.debug('In remove_ip') + + if not self._ipa_client_configured(): + LOG.debug('IPA is not configured') + return + + LOG.debug('Current a no-op') diff --git a/novajoin/join.py b/novajoin/join.py new file mode 100644 index 0000000..08d97e2 --- /dev/null +++ b/novajoin/join.py @@ -0,0 +1,153 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid +import logging +import webob.exc +from oslo_serialization import jsonutils +from oslo_config import cfg +from novajoin.ipa import IPAClient +from novajoin import base +from novajoin import cache + +CONF = cfg.CONF + +LOG = logging.getLogger(__name__) + + +def create_version_resource(): + return base.Resource(VersionsController()) + + +def create_join_resource(): + return base.Resource(JoinController()) + + +def response(code): + """Attaches response code to a method. + + This decorator associates a response code with a method. Note + that the function attributes are directly manipulated; the method + is not wrapped. + """ + + def decorator(func): + func.wsgi_code = code + return func + return decorator + + +class Versions(base.APIRouter): + """Route versions requests.""" + + def _setup_routes(self, mapper, ext_mgr): + self.resources['versions'] = create_version_resource() + mapper.connect('versions', '/', + controller=self.resources['versions'], + action='all') + mapper.redirect('', '/') + + +class Join(base.APIRouter): + """Route join requests.""" + + def _setup_routes(self, mapper, ext_mgr): + self.resources['join'] = create_join_resource() + mapper.connect('join', '/', + controller=self.resources['join'], + action='create') + mapper.redirect('', '/') + + +class Controller(object): + """Default controller.""" + + _view_builder_class = None + + def __init__(self, view_builder=None): + """Initialize controller with a view builder instance.""" + if view_builder: + self._view_builder = view_builder + else: + self._view_builder = None + + +class VersionsController(Controller): + + def __init__(self): + super(VersionsController, self).__init__(None) + + @response(300) + def all(self, req, body=None): + """Return all known versions.""" + if body: + return {'views': '%s' % body.get('foo', '')} + + return {'views': 'foo'} + + +class JoinController(Controller): + + def __init__(self): + super(JoinController, self).__init__(None) + self.uuidcache = cache.Cache() + + @response(200) + def create(self, req, body=None): + """Generate the OTP, register it with IPA""" + if not body: + raise base.Fault(webob.exc.HTTPBadRequest()) + + project_id = body.get('project-id') + instance_id = body.get('instance-id') + image_id = body.get('image-id') + user_data = body.get('user-data') + hostname = body.get('hostname') + metadata = body.get('metadata') + system_metadata = body.get('system_metadata') + + enroll = metadata.get('ipa_enroll', '') + + if enroll.lower() != 'true': + LOG.debug('IPA enrollment not requested') + return {} + + if instance_id: + data = self.uuidcache.get(instance_id) + if data: + return jsonutils.loads(data) + + data = {} + + ipaotp = uuid.uuid4().hex + + data['ipaotp'] = ipaotp + if hostname: + if CONF.project_subdomain: + hostname = '%s.%s.%s' % (hostname, project, CONF.domain) + else: + hostname = '%s.%s' % (hostname, CONF.domain) + + data['hostname'] = hostname + + if instance_id: + try: + self.uuidcache.add(instance_id, jsonutils.dumps(data)) + ipaclient = IPAClient() + ipaclient.add_host(data['hostname'], ipaotp, metadata, + system_metadata) + except Exception as e: + LOG.error('caching or adding host failed %s', e) + + return data diff --git a/novajoin/middleware.py b/novajoin/middleware.py new file mode 100644 index 0000000..07bf3ab --- /dev/null +++ b/novajoin/middleware.py @@ -0,0 +1,39 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +""" +Common Auth Middleware. + +""" + +from oslo_config import cfg +from oslo_log import log as logging + +CONF = cfg.CONF + +LOG = logging.getLogger(__name__) + + +def pipeline_factory(loader, global_conf, **local_conf): + """A paste pipeline replica that keys off of auth_strategy.""" + pipeline = local_conf[CONF.auth_strategy] + if not CONF.api_rate_limit: + limit_name = CONF.auth_strategy + '_nolimit' + pipeline = local_conf.get(limit_name, pipeline) + pipeline = pipeline.split() + filters = [loader.get_filter(n) for n in pipeline[:-1]] + app = loader.get_app(pipeline[-1]) + filters.reverse() + for filter in filters: + app = filter(app) + return app diff --git a/novajoin/notifications.py b/novajoin/notifications.py new file mode 100644 index 0000000..4f5147c --- /dev/null +++ b/novajoin/notifications.py @@ -0,0 +1,109 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# To enable in nova, put this into [DEFAULT] +# notification_driver = messaging +# notification_topic = notifications +# notify_on_state_change = vm_state + +import time +import json +import oslo_messaging +from oslo_serialization import jsonutils +from oslo_log import log as logging + +import config +import cache +from ipa import IPAClient + + +CONF = config.CONF + +LOG = logging.getLogger(__name__) + +class NotificationEndpoint(object): + + filter_rule = oslo_messaging.notify.filter.NotificationFilter( + publisher_id='^compute.*|^network.*', + event_type='^compute.instance.create.end|' \ + '^compute.instance.delete.end|' \ + '^network.floating_ip.(dis)?associate',) + + def __init__(self): + self.uuidcache = cache.Cache() + self.ipaclient = IPAClient() + + def info(self, ctxt, publisher_id, event_type, payload, metadata): + LOG.debug('notification:') + LOG.debug(json.dumps(payload, indent=4)) + + LOG.debug("publisher: %s, event: %s, metadata: %s", publisher_id, + event_type, metadata) + + if event_type == 'compute.instance.create.end': + LOG.info("Add new host") + elif event_type == 'compute.instance.delete.end': + LOG.info("Delete host") + hostname = payload.get('hostname') + # FIXME: Don't re-calculate the hostname, fetch it from somewhere + project = 'foo' + if CONF.project_subdomain: + hostname = '%s.%s.%s' % (hostname, project, CONF.domain) + else: + hostname = '%s.%s' % (hostname, CONF.domain) + + self.ipaclient.delete_host(hostname, {}) + elif event_type == 'network.floating_ip.associate': + floating_ip = payload.get('floating_ip') + LOG.info("Associate floating IP %s" % floating_ip) + entry = self.uuidcache.get(payload.get('instance_id')) + if entry: + data = jsonutils.loads(entry) + self.ipaclient.add_ip(data.get('hostname'), floating_ip) + else: + LOG.error("Could not resolve %s into a hostname", + payload.get('instance_id')) + elif event_type == 'network.floating_ip.disassociate': + floating_ip = payload.get('floating_ip') + LOG.info("Disassociate floating IP %s" % floating_ip) + entry = self.uuidcache.get(payload.get('instance_id')) + if entry: + data = jsonutils.loads(entry) + self.ipaclient.remove_ip(data.get('hostname'), floating_ip) + else: + LOG.error("Could not resolve %s into a hostname", + payload.get('instance_id')) + else: + LOG.error("Status update or unknown") + + +def main(): + + CONF(default_config_files=['join.conf']) + logging.setup(CONF, 'join') + + transport = oslo_messaging.get_transport(CONF) + targets = [ oslo_messaging.Target(topic='notifications') ] + endpoints = [ NotificationEndpoint() ] + + server = oslo_messaging.get_notification_listener(transport, targets, endpoints) + LOG.info("Starting") + server.start() + try: + while True: + time.sleep(1) + except KeyboardInterrupt: + LOG.info("Stopping, be patient") + server.stop() + server.wait() diff --git a/novajoin/wsgi.py b/novajoin/wsgi.py new file mode 100644 index 0000000..dab462a --- /dev/null +++ b/novajoin/wsgi.py @@ -0,0 +1,113 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sys +from oslo_concurrency import processutils +from oslo_config import cfg +from oslo_service import service +from oslo_service import wsgi +from oslo_log import log +from novajoin import config + +from novajoin import exception + + +CONF = config.CONF + +LOG = log.getLogger(__name__) + + +class WSGIService(service.ServiceBase): + """Provides ability to launch API from a 'paste' configuration.""" + + def __init__(self, name, loader=None): + """Initialize, but do not start the WSGI server. + + :param name: The name of the WSGI server given to the loader. + :param loader: Loads the WSGI application using the given name. + :returns: None + + """ + self.name = name + self.loader = loader or wsgi.Loader(CONF) + self.app = self.loader.load_app(name) + self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0") + self.port = getattr(CONF, '%s_listen_port' % name, 0) + self.workers = (getattr(CONF, '%s_workers' % name, None) or + processutils.get_worker_count()) + if self.workers and self.workers < 1: + worker_name = '%s_workers' % name + msg = ("%(worker_name)s value of %(workers)d is invalid, " + "must be greater than 0." % + {'worker_name': worker_name, + 'workers': self.workers}) + raise exception.InvalidInput(msg) + + self.server = wsgi.Server(CONF, + name, + self.app, + host=self.host, + port=self.port) + + def start(self): + """Start serving this service using loaded configuration. + + Also, retrieve updated port number in case '0' was passed in, which + indicates a random port should be used. + + :returns: None + + """ + self.server.start() + self.port = self.server.port + print "Starting on port %d" % self.port + + def stop(self): + """Stop serving this API. + + :returns: None + + """ + self.server.stop() + + def wait(self): + """Wait for the service to stop serving this API. + + :returns: None + + """ + self.server.wait() + + def reset(self): + """Reset server greenpool size to default. + + :returns: None + + """ + self.server.reset() + + +def process_launcher(): + return service.ProcessLauncher(CONF) + + +def main(): + +# CONF(sys.argv[1:], project='join', version='1.0.0') + CONF(default_config_files=['join.conf']) + log.setup(CONF, 'join') + launcher = process_launcher() + server = WSGIService('join') + launcher.launch_service(server, workers=server.workers) + launcher.wait() diff --git a/scripts/join-notify.py b/scripts/join-notify.py new file mode 100644 index 0000000..fbd6d3b --- /dev/null +++ b/scripts/join-notify.py @@ -0,0 +1,22 @@ +#!/usr/bin/python +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sys + +from novajoin.notifications import main + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/scripts/join-server.py b/scripts/join-server.py new file mode 100644 index 0000000..04155c1 --- /dev/null +++ b/scripts/join-server.py @@ -0,0 +1,22 @@ +#!/usr/bin/python +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sys + +from novajoin.wsgi import main + + +if __name__ == "__main__": + sys.exit(main())