def auth_uri(self):
if not self._auth_uri:
try:
self._auth_uri = utils.get_auth_uri()
except Exception:
msg = 'get keystone auth url failed'
raise exception.AuthorizationFailure(obj=msg)
return self._auth_uri
def _get_service_user(self, user_name, user_domain_id):
try:
users = self.client.users.list(name=user_name,
domain=user_domain_id)
return users[0].id if users else None
except Exception as e:
raise exception.AuthorizationFailure(obj=e)
def create_user_auth_plugin(self, context):
if not context.auth_token_info:
msg = ("user=%s, project=%s" %
(context.user_id, context.project_id))
raise exception.AuthorizationFailure(obj=msg)
auth_ref = access.create(body=context.auth_token_info,
auth_token=context.auth_token)
return access_plugin.AccessInfoPlugin(auth_url=self.auth_uri,
auth_ref=auth_ref)
def _get_service_user(self, user_name, user_domain_id):
try:
users = self._client.users.list(name=user_name,
domain=user_domain_id)
return users[0].id if users else None
except Exception:
msg = ("get service's user(%s) endpoint failed" % user_name)
raise exception.AuthorizationFailure(obj=msg)
def _get_keystone_client(self, auth_plugin):
cafile = cfg.CONF.keystone_authtoken.cafile
try:
l_session = keystone_session.Session(
auth=auth_plugin,
verify=False if CONF.keystone_authtoken.insecure else cafile)
return kc_v3.Client(version=KEYSTONECLIENT_VERSION,
session=l_session)
except Exception:
msg = ('create keystone client failed.cafile:(%s)' % cafile)
raise exception.AuthorizationFailure(obj=msg)
def _get_karbor_auth_plugin(self, trust_id=None):
auth_plugin = loading.load_auth_from_conf_options(CONF,
TRUSTEE_CONF_GROUP,
trust_id=trust_id)
if not auth_plugin:
LOG.warning(
'Please add the trustee credentials you need to the'
' %s section of your karbor.conf file.', TRUSTEE_CONF_GROUP)
raise exception.AuthorizationFailure(obj=TRUSTEE_CONF_GROUP)
return auth_plugin
def create_trust_to_karbor(self, context):
if not context.auth_token_info:
msg = ("user=%s, project=%s" %
(context.user_id, context.project_id))
raise exception.AuthorizationFailure(obj=msg)
auth_ref = access.create(body=context.auth_token_info,
auth_token=context.auth_token)
user_auth_plugin = access_plugin.AccessInfoPlugin(
auth_url=self._auth_uri, auth_ref=auth_ref)
l_kc_v3 = self._get_keystone_client(user_auth_plugin)
try:
trust = l_kc_v3.trusts.create(trustor_user=context.user_id,
trustee_user=self._karbor_user_id,
project=context.project_id,
impersonation=True,
role_names=context.roles)
return trust.id
except Exception as e:
raise exception.AuthorizationFailure(obj=str(e))
def create_trust_to_karbor(self, context):
l_kc_v3 = self._get_keystone_client(
self.create_user_auth_plugin(context))
keystone_trust_url = self.auth_uri + 'OS-TRUST'
try:
trust = l_kc_v3.trusts.create(trustor_user=context.user_id,
trustee_user=self.karbor_user_id,
project=context.project_id,
impersonation=True,
role_names=context.roles,
base_url=keystone_trust_url)
return trust.id
except Exception as e:
raise exception.AuthorizationFailure(obj=str(e))
def _do_init(self):
auth_plugin = self._get_karbor_auth_plugin()
# set the project which karbor belongs to
auth_plugin._project_name = "service"
auth_plugin._project_domain_id = "default"
self._client = self._get_keystone_client(auth_plugin)
lcfg = CONF[TRUSTEE_CONF_GROUP]
self._karbor_user_id = self._get_service_user(lcfg.username,
lcfg.user_domain_id)
try:
self._auth_uri = utils.get_auth_uri()
except Exception:
msg = 'get keystone auth url failed'
raise exception.AuthorizationFailure(obj=msg)
def get_service_endpoint(self,
service_name,
service_type,
region_id,
interface='public'):
try:
service = self.client.services.list(name=service_name,
service_type=service_type,
base_url=self.auth_uri)
endpoint = self.client.endpoints.list(service=service[0],
interface=interface,
region_id=region_id,
base_url=self.auth_uri)
return endpoint[0].url if endpoint else None
except Exception:
msg = ('get service(%s) endpoint failed' % service_name)
raise exception.AuthorizationFailure(obj=msg)
