def test_legacy_loading_v3(self, load_auth_mock, load_mock):
self.config(auth_version='v3.0', group=ironic_auth.LEGACY_SECTION)
self.expected.update(
dict(project_domain_id='default', user_domain_id='default'))
keystone.get_session(self.test_group)
load_mock.assert_called_once_with(**self.expected)
self.assertEqual(2, load_auth_mock.call_count)
def test_legacy_loading_v3(self, load_auth_mock, load_mock):
self.config(
auth_version='v3.0',
group=ironic_auth.LEGACY_SECTION)
self.expected.update(dict(
project_domain_id='default',
user_domain_id='default'))
keystone.get_session(self.test_group)
load_mock.assert_called_once_with(**self.expected)
self.assertEqual(2, load_auth_mock.call_count)
def _get_api_server_iterator():
"""Return iterator over shuffled API servers.
Shuffle a list of CONF.glance.glance_api_servers and return an iterator
that will cycle through the list, looping around to the beginning if
necessary.
If CONF.glance.glance_api_servers isn't set, we fall back to using this
as the server: CONF.glance.glance_host:CONF.glance.glance_port.
If CONF.glance.glance_host is also not set, fetch the endpoint from the
service catalog.
:returns: iterator that cycles (indefinitely) over shuffled glance API
servers.
"""
api_servers = []
if not CONF.glance.glance_api_servers and not CONF.glance.glance_host:
session = keystone.get_session('glance',
auth=keystone.get_auth('glance'))
api_servers = [keystone.get_service_url(session, service_type='image',
endpoint_type='public')]
else:
configured_servers = (CONF.glance.glance_api_servers or
['%s:%s' % (CONF.glance.glance_host,
CONF.glance.glance_port)])
for api_server in configured_servers:
if '//' not in api_server:
api_server = '%s://%s' % (CONF.glance.glance_protocol,
api_server)
api_servers.append(api_server)
random.shuffle(api_servers)
return itertools.cycle(api_servers)
def _get_api_server_iterator():
"""Return iterator over shuffled API servers.
Shuffle a list of CONF.glance.glance_api_servers and return an iterator
that will cycle through the list, looping around to the beginning if
necessary.
If CONF.glance.glance_api_servers isn't set, fetch the endpoint from the
service catalog.
:returns: iterator that cycles (indefinitely) over shuffled glance API
servers.
"""
api_servers = []
if not CONF.glance.glance_api_servers:
session = keystone.get_session('glance',
auth=keystone.get_auth('glance'))
api_servers = [
keystone.get_service_url(session,
service_type='image',
endpoint_type='public')
]
else:
api_servers = random.sample(CONF.glance.glance_api_servers,
len(CONF.glance.glance_api_servers))
return itertools.cycle(api_servers)
def _get_session():
global _SESSION
if _SESSION is None:
kwargs = {}
auth_strategy = json_rpc.auth_strategy()
if auth_strategy != 'keystone':
auth_type = 'none' if auth_strategy == 'noauth' else auth_strategy
CONF.set_default('auth_type', auth_type, group='json_rpc')
# Deprecated, remove in W
if auth_strategy == 'http_basic':
if CONF.json_rpc.http_basic_username:
kwargs['username'] = CONF.json_rpc.http_basic_username
if CONF.json_rpc.http_basic_password:
kwargs['password'] = CONF.json_rpc.http_basic_password
auth = keystone.get_auth('json_rpc', **kwargs)
session = keystone.get_session('json_rpc', auth=auth)
headers = {'Content-Type': 'application/json'}
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc',
session=session,
additional_headers=headers)
return _SESSION
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
_NEUTRON_SESSION = keystone.get_session(
'neutron',
timeout=CONF.neutron.timeout)
return _NEUTRON_SESSION
def wrapper(self, *args, **kwargs):
"""Wrapper around methods calls.
:param image_href: href that describes the location of an image
"""
if self.client:
return func(self, *args, **kwargs)
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session('glance')
# NOTE(pas-ha) glanceclient uses Adapter-based SessionClient,
# so we can pass session and auth separately, makes things easier
service_auth = keystone.get_auth('glance')
self.endpoint = keystone.get_endpoint('glance',
session=_GLANCE_SESSION,
auth=service_auth)
user_auth = None
# NOTE(pas-ha) our ContextHook removes context.auth_token in noauth
# case, so when ironic is in noauth but glance is not, we will not
# enter the next if-block and use auth from [glance] config section
if self.context.auth_token:
user_auth = keystone.get_service_auth(self.context, self.endpoint,
service_auth)
self.client = client.Client(2,
session=_GLANCE_SESSION,
auth=user_auth or service_auth,
endpoint_override=self.endpoint,
global_request_id=self.context.global_id)
return func(self, *args, **kwargs)
def _get_session():
global _SESSION
if _SESSION is None:
auth_strategy = json_rpc.auth_strategy()
if auth_strategy == 'keystone':
auth = keystone.get_auth('json_rpc')
else:
auth = None
session = keystone.get_session('json_rpc', auth=auth)
headers = {'Content-Type': 'application/json'}
if auth_strategy == 'http_basic':
token = '{}:{}'.format(
CONF.json_rpc.http_basic_username,
CONF.json_rpc.http_basic_password).encode('utf-8')
encoded = base64.b64encode(token).decode('utf-8')
headers['Authorization'] = 'Basic {}'.format(encoded)
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc',
session=session,
additional_headers=headers)
return _SESSION
def get_client(token=None, context=None, auth_from_config=False):
"""Retrieve a neutron client connection.
:param context: request context,
instance of ironic.common.context.RequestContext
:param auth_from_config: (boolean) When True, use auth values from
conf parameters
:returns: A neutron client.
"""
if not context:
context = ironic_context.RequestContext(auth_token=token)
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
endpoint = keystone.get_endpoint('neutron',
session=session,
auth=service_auth)
user_auth = None
if (not auth_from_config and CONF.neutron.auth_type != 'none'
and context.auth_token):
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
sess = keystone.get_session('neutron',
timeout=CONF.neutron.timeout,
auth=user_auth or service_auth)
conn = openstack.connection.Connection(session=sess, oslo_conf=CONF)
return conn.global_request(context.global_id).network
def _get_inspector_session():
if CONF.auth_strategy != 'keystone':
return
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session('inspector')
return _INSPECTOR_SESSION
def test_get_adapter_from_config(self):
self.config(valid_interfaces=['internal', 'public'],
group=self.test_group)
session = keystone.get_session(self.test_group)
adapter = keystone.get_adapter(self.test_group, session=session,
interface='admin')
self.assertEqual('admin', adapter.interface)
self.assertEqual(session, adapter.session)
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
_NEUTRON_SESSION = keystone.get_session(
'neutron',
# TODO(pas-ha) remove in Rocky
timeout=CONF.neutron.timeout or CONF.neutron.url_timeout)
return _NEUTRON_SESSION
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
_NEUTRON_SESSION = keystone.get_session(
'neutron',
# TODO(pas-ha) remove in Rocky
timeout=CONF.neutron.timeout or CONF.neutron.url_timeout)
return _NEUTRON_SESSION
def _get_inspector_session():
if CONF.auth_strategy != 'keystone':
return
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session('inspector')
return _INSPECTOR_SESSION
def test_legacy_loading_new_in_legacy(self, load_auth_mock, load_mock):
# NOTE(pas-ha) this is due to auth_plugin options
# being dynamically registered on first load,
# but we need to set the config before
plugin = kaloading.get_plugin_loader('password')
opts = kaloading.get_auth_plugin_conf_options(plugin)
self.cfg_fixture.register_opts(opts, group=ironic_auth.LEGACY_SECTION)
self.config(group=ironic_auth.LEGACY_SECTION,
auth_uri='http://127.0.0.1:9898',
username='******',
password='******',
project_name='fake_tenant',
auth_url='http://127.0.0.1:9898',
auth_type='password')
load_auth_mock.side_effect = [None, mock.Mock()]
keystone.get_session(self.test_group)
self.assertFalse(load_mock.called)
self.assertEqual(2, load_auth_mock.call_count)
def _get_nova_adapter():
global _NOVA_ADAPTER
if not _NOVA_ADAPTER:
_NOVA_ADAPTER = keystone.get_adapter(
'nova',
session=keystone.get_session('nova'),
auth=keystone.get_auth('nova'),
version=NOVA_API_VERSION)
return _NOVA_ADAPTER
def test_legacy_loading_new_in_legacy(self, load_auth_mock, load_mock):
# NOTE(pas-ha) this is due to auth_plugin options
# being dynamically registered on first load,
# but we need to set the config before
plugin = kaloading.get_plugin_loader('password')
opts = kaloading.get_auth_plugin_conf_options(plugin)
self.cfg_fixture.register_opts(opts, group=ironic_auth.LEGACY_SECTION)
self.config(group=ironic_auth.LEGACY_SECTION,
auth_uri='http://127.0.0.1:9898',
username='******',
password='******',
project_name='fake_tenant',
auth_url='http://127.0.0.1:9898',
auth_type='password')
load_auth_mock.side_effect = [None, mock.Mock()]
keystone.get_session(self.test_group)
self.assertFalse(load_mock.called)
self.assertEqual(2, load_auth_mock.call_count)
def test_get_adapter_from_config(self):
self.config(valid_interfaces=['internal', 'public'],
group=self.test_group)
session = keystone.get_session(self.test_group)
adapter = keystone.get_adapter(self.test_group,
session=session,
interface='admin')
self.assertEqual('admin', adapter.interface)
self.assertEqual(session, adapter.session)
def _get_inspector_session(**kwargs):
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
if CONF.auth_strategy != 'keystone':
# NOTE(dtantsur): using set_default instead of set_override because
# the native keystoneauth option must have priority.
CONF.set_default('auth_type', 'none', group='inspector')
service_auth = keystone.get_auth('inspector')
_INSPECTOR_SESSION = keystone.get_session('inspector',
auth=service_auth,
**kwargs)
return _INSPECTOR_SESSION
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
_SESSION = keystone.get_session('json_rpc', auth=auth)
_SESSION.headers = {'Content-Type': 'application/json'}
return _SESSION
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
_SESSION = keystone.get_session('json_rpc', auth=auth)
_SESSION.headers = {
'Content-Type': 'application/json'
}
return _SESSION
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
session = keystone.get_session('json_rpc', auth=auth)
session.headers = {'Content-Type': 'application/json'}
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc', session=session)
return _SESSION
def test_get_session_failed_new_auth(self, legacy_get_mock, load_mock):
legacy_mock = mock.Mock()
legacy_get_mock.return_value = legacy_mock
load_mock.side_effect = [None, ksexception.MissingRequiredOptions]
self.assertEqual(legacy_mock,
keystone.get_session(self.test_group).auth)
def _get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
_SWIFT_SESSION = keystone.get_session('swift')
return _SWIFT_SESSION
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
auth = keystone.get_auth('cinder')
_CINDER_SESSION = keystone.get_session('cinder', auth=auth)
return _CINDER_SESSION
def _get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
auth = keystone.get_auth('swift')
_SWIFT_SESSION = keystone.get_session('swift', auth=auth)
return _SWIFT_SESSION
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
auth = keystone.get_auth('glance')
_GLANCE_SESSION = keystone.get_session('glance', auth=auth)
return _GLANCE_SESSION
def test_legacy_loading_v2(self, load_auth_mock, load_mock):
keystone.get_session(self.test_group)
load_mock.assert_called_once_with(**self.expected)
self.assertEqual(2, load_auth_mock.call_count)
def test_get_session(self, auth_get_mock):
auth_mock = mock.Mock()
auth_get_mock.return_value = auth_mock
session = keystone.get_session(self.test_group)
self.assertEqual(auth_mock, session.auth)
def _get_ironic_session():
global _IRONIC_SESSION
if not _IRONIC_SESSION:
_IRONIC_SESSION = keystone.get_session('service_catalog')
return _IRONIC_SESSION
def _get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
_SWIFT_SESSION = keystone.get_session('swift')
return _SWIFT_SESSION
def _get_inspector_session(**kwargs):
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session('inspector', **kwargs)
return _INSPECTOR_SESSION
def _get_glance_session(**session_kwargs):
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session('glance', **session_kwargs)
return _GLANCE_SESSION
def _get_ironic_session():
global _IRONIC_SESSION
if not _IRONIC_SESSION:
_IRONIC_SESSION = keystone.get_session('service_catalog')
return _IRONIC_SESSION
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
auth = keystone.get_auth('cinder')
_CINDER_SESSION = keystone.get_session('cinder', auth=auth)
return _CINDER_SESSION
def test_get_session(self, auth_get_mock):
auth_mock = mock.Mock()
auth_get_mock.return_value = auth_mock
session = keystone.get_session(self.test_group)
self.assertEqual(auth_mock, session.auth)
def test_legacy_loading_v2(self, load_auth_mock, load_mock):
keystone.get_session(self.test_group)
load_mock.assert_called_once_with(**self.expected)
self.assertEqual(2, load_auth_mock.call_count)
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
_CINDER_SESSION = keystone.get_session('cinder')
return _CINDER_SESSION
def test_get_session_failed_new_auth(self, legacy_get_mock, load_mock):
legacy_mock = mock.Mock()
legacy_get_mock.return_value = legacy_mock
load_mock.side_effect = [None, ksexception.MissingRequiredOptions]
self.assertEqual(legacy_mock,
keystone.get_session(self.test_group).auth)
def _get_glance_session(**session_kwargs):
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session('glance', **session_kwargs)
return _GLANCE_SESSION
def test_get_session(self):
self.config(timeout=10, group=self.test_group)
session = keystone.get_session(self.test_group, timeout=20)
self.assertEqual(20, session.timeout)
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
auth = keystone.get_auth('neutron')
_NEUTRON_SESSION = keystone.get_session('neutron', auth=auth)
return _NEUTRON_SESSION
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
_NEUTRON_SESSION = keystone.get_session('neutron')
return _NEUTRON_SESSION
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session('glance')
return _GLANCE_SESSION
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
_NEUTRON_SESSION = keystone.get_session('neutron')
return _NEUTRON_SESSION
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
_CINDER_SESSION = keystone.get_session('cinder')
return _CINDER_SESSION
def _get_inspector_session(**kwargs):
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session('inspector', **kwargs)
return _INSPECTOR_SESSION
def test_get_session(self):
self.config(timeout=10, group=self.test_group)
session = keystone.get_session(self.test_group, timeout=20)
self.assertEqual(20, session.timeout)
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
auth = keystone.get_auth('glance')
_GLANCE_SESSION = keystone.get_session('glance', auth=auth)
return _GLANCE_SESSION
def get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
auth = keystone.get_auth('swift')
_SWIFT_SESSION = keystone.get_session('swift', auth=auth)
return _SWIFT_SESSION
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session("glance")
return _GLANCE_SESSION
