def _generate_session(cls, context, service, privileged_user=False):
LOG.debug("Generate an auth session. privileged_user: %s",
privileged_user)
plugin = cls.get_keystone_plugin()
try:
if privileged_user is True:
auth_plugin = service_token.ServiceTokenAuthWrapper(
plugin.service_auth_plugin, plugin.service_auth_plugin)
else:
auth_plugin = service_token.ServiceTokenAuthWrapper(
plugin.create_user_auth_plugin(context),
plugin.service_auth_plugin)
except Exception:
return None
try:
client_conf = cfg.CONF['%s_client' % service]
auth_insecure = client_conf['%s_auth_insecure' % service]
ca_file = client_conf['%s_ca_cert_file' % service]
verify = False if auth_insecure else (ca_file or True)
except Exception:
verify = True
return keystone_session.Session(auth=auth_plugin, verify=verify)
def get_service_auth(endpoint, auth_token, service_auth):
"""Create auth plugin wrapping both user and service auth.
When properly configured and using auth_token middleware,
requests with valid service auth will not fail
if the user token is expired.
Ideally we would use the plugin provided by auth_token middleware
however this plugin isn't serialized yet.
"""
user_auth = token_endpoint.Token(endpoint, auth_token)
return service_token.ServiceTokenAuthWrapper(user_auth=user_auth,
service_auth=service_auth)
def get_auth_plugin(context):
user_auth = context.get_auth_plugin()
if CONF.service_user.send_service_user_token:
global _SERVICE_AUTH
if not _SERVICE_AUTH:
_SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
CONF,
group=
nova.conf.service_token.SERVICE_USER_GROUP)
return service_token.ServiceTokenAuthWrapper(
user_auth=user_auth,
service_auth=_SERVICE_AUTH)
return user_auth
def get_auth_plugin(context):
user_auth = context.get_auth_plugin()
if CONF.service_user.send_service_user_token:
global _SERVICE_AUTH
if not _SERVICE_AUTH:
_SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
CONF, group=nova.conf.service_token.SERVICE_USER_GROUP)
if _SERVICE_AUTH is None:
# This indicates a misconfiguration so log a warning and
# return the user_auth.
LOG.warning('Unable to load auth from [service_user] '
'configuration. Ensure "auth_type" is set.')
return user_auth
return service_token.ServiceTokenAuthWrapper(
user_auth=user_auth, service_auth=_SERVICE_AUTH)
return user_auth
def setUp(self):
super(ServiceTokenTests, self).setUp()
self.user_token_id = uuid.uuid4().hex
self.user_token = fixture.V3Token()
self.user_token.set_project_scope()
self.user_auth = identity.V3Password(auth_url=self.USER_URL,
user_id=uuid.uuid4().hex,
password=uuid.uuid4().hex,
project_id=uuid.uuid4().hex)
self.service_token_id = uuid.uuid4().hex
self.service_token = fixture.V3Token()
self.service_token.set_project_scope()
self.service_auth = identity.V3Password(auth_url=self.SERVICE_URL,
user_id=uuid.uuid4().hex,
password=uuid.uuid4().hex,
project_id=uuid.uuid4().hex)
for t in (self.user_token, self.service_token):
s = t.add_service('identity')
s.add_standard_endpoints(public='http://keystone.example.com',
admin='http://keystone.example.com',
internal='http://keystone.example.com')
self.test_data = {'data': uuid.uuid4().hex}
self.user_mock = self.requests_mock.post(
self.USER_URL + '/auth/tokens',
json=self.user_token,
headers={'X-Subject-Token': self.user_token_id})
self.service_mock = self.requests_mock.post(
self.SERVICE_URL + '/auth/tokens',
json=self.service_token,
headers={'X-Subject-Token': self.service_token_id})
self.requests_mock.get(self.TEST_URL, json=self.test_data)
self.combined_auth = service_token.ServiceTokenAuthWrapper(
self.user_auth,
self.service_auth)
self.session = session.Session(auth=self.combined_auth)
def get_auth_plugin(context, auth=None):
if auth:
user_auth = auth
else:
user_auth = context.get_auth_plugin()
if CONF.service_user.send_service_user_token:
global _SERVICE_AUTH
if not _SERVICE_AUTH:
_SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
CONF, group=SERVICE_USER_GROUP)
if _SERVICE_AUTH is None:
# This can happen if no auth_type is specified, which probably
# means there's no auth information in the [service_user] group
raise exception.ServiceUserTokenNoAuth()
return service_token.ServiceTokenAuthWrapper(
user_auth=user_auth, service_auth=_SERVICE_AUTH)
return user_auth
def get_ironic_client(context=None):
session = ks_loading.load_session_from_conf_options(CONF, 'ironic')
service_auth = ks_loading.load_auth_from_conf_options(CONF, 'ironic')
# use user context if provided
user_auth = None
if context:
endpoint = ks_loading.load_adapter_from_conf_options(
CONF, 'ironic', session=session, auth=service_auth).get_endpoint()
user_auth = service_token.ServiceTokenAuthWrapper(
user_auth=token_endpoint.Token(endpoint, context.auth_token),
service_auth=service_auth)
sess = ks_loading.load_session_from_conf_options(CONF,
'ironic',
auth=user_auth
or service_auth)
kwargs = {'os_ironic_api_version': '1.65'}
cli = ironic_client.get_client(1, session=sess, **kwargs)
return cli