def get_client(session): if settings.AUTH_TYPE == "cloudkitty-noauth": auth = ck_auth.CloudKittyNoAuthPlugin(endpoint=settings.AUTH_URL) client = ck_client.Client(settings.CLOUDKITTY_API_VERSION, auth=auth) return client elif settings.AUTH_TYPE == "keystone": token_as_dict = json.loads(session["token"]) if token_as_dict["project"]["id"]: auth = v3.Token( auth_url=settings.AUTH_URL, token=token_as_dict["unscoped_token"], project_id=token_as_dict["project"]["id"], reauthenticate=False, ) else: auth = v3.Token( auth_url=settings.AUTH_URL, token=token_as_dict["unscoped_token"], user_project_name=token_as_dict["user_domain_name"], reauthenticate=False, ) session = ks_session.Session(auth=auth) client = ck_client.Client("2", session=session) return client return None
def get_token_auth_plugin(auth_url, token, project_id=None, domain_name=None): if domain_name: return v3_auth.Token(auth_url=auth_url, token=token, domain_name=domain_name, reauthenticate=False) return v3_auth.Token(auth_url=auth_url, token=token, project_id=project_id, reauthenticate=False)
def test_websso_login_with_auth_in_url(self): settings.OPENSTACK_KEYSTONE_URL =\ 'http://auth.openstack.org/identity/v3' projects = [self.data.project_one, self.data.project_two] domains = [] form_data = {'token': self.data.unscoped_access_info.auth_token} unscoped_auth = v3_auth.Token( auth_url=settings.OPENSTACK_KEYSTONE_URL, token=self.data.federated_unscoped_access_info.auth_token, project_id=None, reauthenticate=False) unscoped_auth.get_access(mox.IsA(session.Session)).AndReturn( self.data.federated_unscoped_access_info) unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL client = self.ks_client_module.Client( session=mox.IsA(session.Session), auth=unscoped_auth) client.auth = self.mox.CreateMockAnything() client.auth.domains().AndReturn(domains) unscoped_auth.auth_url = settings.OPENSTACK_KEYSTONE_URL client = self.ks_client_module.Client( session=mox.IsA(session.Session), auth=unscoped_auth) client.federation = self.mox.CreateMockAnything() client.federation.projects = self.mox.CreateMockAnything() client.federation.projects.list().AndReturn(projects) plugin = v3_auth.Token( auth_url=settings.OPENSTACK_KEYSTONE_URL, token=self.data.unscoped_access_info.auth_token, project_id=self.data.project_one.id, reauthenticate=False) self.scoped_token_auth = plugin plugin.get_access(mox.IsA(session.Session)).AndReturn( self.data.unscoped_access_info) self.ks_client_module.Client( session=mox.IsA(session.Session), auth=plugin) self.mox.ReplayAll() url = reverse('websso') # POST to the page to log in. response = self.client.post(url, form_data) self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)
def __init__(self, auth_ref=None): """ auth_ref = Lớp chung cho cả Auth_Password và Auth_Token. Sử dụng tính chất đa hình Python OOP """ self.auth_url = auth_ref.auth_url self.region_site = auth_ref.region_site self.project_domain_id = auth_ref.project_domain_id self.project_domain_name = auth_ref.project_domain_name self.project_id = auth_ref.project_id self.project_name = auth_ref.project_name if auth_ref.authenticate_type() == 'Token': self.session_auth = v3.Token( auth_url=self.auth_url, token=auth_ref.token_string, project_id=self.project_id, project_name=self.project_name, project_domain_name=self.project_domain_name, ) elif auth_ref.authenticate_type() == 'Password': self.session_auth = v3.Password( auth_url=self.auth_url, username=auth_ref.user_name, password=auth_ref.user_password, project_id=self.project_id, project_name=self.project_name, project_domain_name=self.project_domain_name, user_domain_name=auth_ref.user_domain_name)
def setUp(self): super(TestRequestId, self).setUp() auth = v3.Token(auth_url='http://127.0.0.1:5000', token=self.TEST_TOKEN) session_ = session.Session(auth=auth) self.client = client.Client(session=session_, include_metadata='True')._adapter
def loginTenant(request, tenant_name): """ Create keystone, nova, and glance clients for tenant; on tenant selection """ username = request.session['username'] password = request.session['password'] auth_url = 'https://engage1.massopencloud.org:5000/v3/' print 'lucas-test-auth-loginTenant' unscoped_auth = v3.Password(auth_url=auth_url, username=username, password=password, user_domain_name="Default", unscoped=True) unscoped_sess = session.Session(auth=unscoped_auth) unscoped_token = unscoped_sess.get_token() auth = v3.Token(auth_url=auth_url, token=unscoped_token) sess = session.Session(auth=auth) #scoped_token=sess.get_token() keystone = ksclient.Client(session=sess) # keystone = ksclient.Client(auth_url = 'https://engage1.massopencloud.org:5000/v2.0/', username = username, # password = password, tenant_name = tenant_name) print 'lucas-test-auth-loginTenant-succesfully' # nova = nvclient.Client('2', auth_url = 'https://engage1.massopencloud.org:5000/v2.0/', # username = username, # api_key = password, # project_id = tenant_name) nova = nvclient.Client('2', session=sess) glance = glclient.Client('2', session=sess) return {'keystone': keystone, 'nova': nova, 'glance': glance}
def _create_client(self, context): LOG.debug("Senlin action security context: %s", context) keystone_endpoint = keystone_utils.get_keystone_endpoint() senlin_endpoint = self.get_service_endpoint() if context.is_trust_scoped and keystone_utils.is_token_trust_scoped( context.auth_token): if context.trust_id is None: raise Exception( "'trust_id' must be provided in the admin context.") auth = ks_identity_v3.Password( auth_url=keystone_endpoint.url, trust_id=context.trust_id, username=CONF.keystone_authtoken.username, password=CONF.keystone_authtoken.password, user_domain_name=CONF.keystone_authtoken.user_domain_name) else: auth = ks_identity_v3.Token(auth_url=keystone_endpoint.url, token=context.auth_token, project_id=context.project_id) return self._get_client_class()(endpoint_url=senlin_endpoint.url, session=ks_session.Session(auth=auth), tenant_id=context.project_id, region_name=senlin_endpoint.region, auth_url=keystone_endpoint.url, insecure=context.insecure)
def initiate_os_session( unscoped: str, project: str ) -> keystoneauth1.session.Session: """ Create a new openstack session with the unscoped token and project id. Params: unscoped: str project: str Returns: A usable keystone session object for OS client connections Return type: object(keystoneauth1.session.Session) """ os_auth = v3.Token( auth_url=setd['auth_endpoint_url'], token=unscoped, project_id=project ) return keystoneauth1.session.Session( auth=os_auth, verify=False, )
def __init__(self, OS_USERNAME: str = "", OS_PASSWORD: str = ""): OS_USERNAME = OS_USERNAME or os.environ["OS_USERNAME"] OS_PASSWORD = OS_PASSWORD or os.environ["OS_PASSWORD"] OS_PROJECT_ID = "2dc0b65279674a42833a064ce3677297" # from https://user.cscs.ch/storage/object_storage/usage_examples/tokens/ from keystoneauth1.identity import v3 from keystoneauth1 import session from keystoneauth1.extras._saml2 import V3Saml2Password from keystoneclient.v3 import client saml_auth = V3Saml2Password(auth_url='https://pollux.cscs.ch:13000/v3', identity_provider='cscskc', protocol='mapped', identity_provider_url='https://auth.cscs.ch/auth/realms/cscs/protocol/saml/', username=OS_USERNAME, password=OS_PASSWORD) unscoped_sess = session.Session(auth=saml_auth) kc_token = unscoped_sess.get_token() #With the project id you can now request to the Keystone service a scoped token for project : auth = v3.Token(auth_url=saml_auth.auth_url, token=kc_token, project_id=OS_PROJECT_ID) scoped_sess = session.Session(auth=auth) super().__init__( OS_AUTH_TOKEN=scoped_sess.get_token(), OS_STORAGE_URL=f"https://object.cscs.ch/v1/AUTH_{OS_PROJECT_ID}", OS_IDENTITY_PROVIDER_URL=saml_auth.identity_provider_url, OS_AUTH_URL=saml_auth.auth_url, OS_PROTOCOL=saml_auth.protocol, OS_IDENTITY_API_VERSION="3", OS_AUTH_TYPE="token", OS_IDENTITY_PROVIDER=saml_auth.identity_provider, OS_INTERFACE="public", OS_PROJECT_ID=OS_PROJECT_ID )
def __init__(self, username, token=None): self.username = username if token: auth = v3.Token(auth_url=OS_AUTH_URL, token=token) else: pwd = os.environ.get('CSCS_PASS') if not pwd: pwd = getpass.getpass("Password: "******"Couldn't authenticate! Incorrect username.") except IndexError: raise Exception("Couldn't authenticate! Incorrect password.") self._ks_projects = {ksprj.name: ksprj for ksprj in self._client.projects.list(user=self.user_id)} self._projects = None
def get_domain_scoped_auth(self, unscoped_auth_ref, domains): domain_auth = None domain_auth_ref = None session = self.get_session() for domain in domains: token = unscoped_auth_ref.auth_token domain_auth = v3.Token( auth_url=settings.AUTH_URL, token=token, domain_name=domain, reauthentificate=False, ) try: domain_auth_ref = domain_auth.get_access(session) except ( ks_exceptions.ClientException, ks_exceptions.AuthorizationFailure, ): LOG.info( "Attempted scope to domain %s failed, will attempt " "to scope to another domain.", domain, ) else: if len(domains) > 1: LOG.info( "More than one valid domain found for user %s," " scoping to %s", unscoped_auth_ref.user_id, domain, ) break return domain_auth, domain_auth_ref
def designateclient(request): token = request.user.token.id if keystone.get_version() < 3: tenant_id = request.user.tenant_id logwrap_info("using keystone v2.") # keystone auth object auth = v2_plugin.Token(auth_url="https://%s:5000/v2.0" % settings.OPENSTACK_HOST, tenant_id=tenant_id, token=token) else: project_id = request.user.project_id project_domain_id = request.session.get('domain_context') logwrap_info("using keystone v3.") auth = v3_plugin.Token(auth_url="https://%s:5000/v3" % settings.OPENSTACK_HOST, token=token, project_id=project_id, project_domain_id=project_domain_id) # create a session ks_session = keystone_session.Session(auth=auth) # spawn designate client object dns_client = designate_client.Client(session=ks_session) logwrap_info("Created a new DNSaaS API Client Object.") return dns_client
def _get_auth(self): if self.context.is_admin: try: auth = ka_loading.load_auth_from_conf_options( CONF, ksconf.CFG_GROUP) except ka_exception.MissingRequiredOptions: auth = self._get_legacy_auth() elif self.context.auth_token_info: access_info = ka_access.create(body=self.context.auth_token_info, auth_token=self.context.auth_token) auth = ka_access_plugin.AccessInfoPlugin(access_info) elif self.context.auth_token: auth = ka_v3.Token(auth_url=self.auth_url, token=self.context.auth_token) elif self.context.trust_id: auth_info = { 'auth_url': self.auth_url, 'username': self.context.user_name, 'password': self.context.password, 'user_domain_id': self.context.user_domain_id, 'user_domain_name': self.context.user_domain_name, 'trust_id': self.context.trust_id } auth = ka_v3.Password(**auth_info) else: LOG.error( _LE('Keystone API connection failed: no password, ' 'trust_id or token found.')) raise exception.AuthorizationFailure() return auth
def get_auth_plugin(opts): auth_version = guess_auth_version(opts) if opts.os_username: if auth_version == '3': return v3.Password(auth_url=opts.os_auth_url, username=opts.os_username, password=opts.os_password, project_name=opts.os_project_name, user_domain_name=opts.os_user_domain_name, project_domain_name=opts.os_project_domain_name) elif auth_version == '2.0': return v2.Password(auth_url=opts.os_auth_url, username=opts.os_username, password=opts.os_password, tenant_name=opts.os_tenant_name) elif opts.os_token: if auth_version == '3': return v3.Token(auth_url=opts.os_auth_url, token=opts.os_token, project_name=opts.os_project_name, project_domain_name=opts.os_project_domain_name) elif auth_version == '2.0': return v2.Token(auth_url=opts.os_auth_url, token=opts.os_token, tenant_name=opts.os_tenant_name) raise Exception('Unable to determine correct auth method, please provide' ' either username or token')
def recover(cls, session, verify_ssl=False): if not isinstance(session, dict) or not session.get('auth_ref'): raise OpenStackBackendError('Invalid OpenStack session') args = { 'auth_url': session['auth_url'], 'token': session['auth_ref'].auth_token, } if session.get('project_id'): args['project_id'] = session['project_id'] elif session.get('project_name') and session.get( 'project_domain_name'): args['project_name'] = session['project_name'] args['project_domain_name'] = session['project_domain_name'] auth_method = v3.Token(**args) auth_data = { 'auth_token': session['auth_ref'].auth_token, 'body': session['auth_ref']._data } auth_state = json.dumps(auth_data) auth_method.set_auth_state(auth_state) ks_session = keystone_session.Session(auth=auth_method, verify=verify_ssl) return cls(ks_session=ks_session)
def glance_client(context, region_name=None): # We should allow glance to get the endpoint from the service # catalog, but to do so we would need to be able to specify # the endpoint_filter on the API calls, but glance # doesn't currently allow that. As a result, we must # specify the endpoint explicitly. if CONF.glance_url: endpoint_url = '%(url)s%(tenant)s' % { 'url': normalize_url(CONF.glance_url), 'tenant': context.tenant } else: endpoint_url = get_endpoint(context.service_catalog, service_type=CONF.glance_service_type, endpoint_region=region_name or CONF.os_region_name, endpoint_type=CONF.glance_endpoint_type) auth = v3.Token(CONF.trove_auth_url, context.auth_token) session = ka_session.Session(auth=auth) return Client(CONF.glance_client_version, endpoint=endpoint_url, session=session)
def __init__(self, auth_url, username=None, password=None, token=None, user_domain_id='default', log=None): self.auth_url = auth_url if log is not None: self.log = log else: self.log = logging.getLogger(__name__) if token is not None: auth = v3.Token(auth_url=self.auth_url, token=token, unscoped=True) elif (username is not None and password is not None): auth = v3.Password(auth_url=self.auth_url, username=username, password=password, user_domain_id=user_domain_id, unscoped=True) else: raise ValueError( 'Must provide either auth_state or username/password') self.session = session.Session(auth=auth)
def __init__(self, username=None, password=None, project_name=None, token=None, admin=False): self.ops = Ops.objects.all()[0] if admin: self.info = { 'auth_url': 'http://%s:5000/v3' % self.ops.ip, 'username': self.ops.username, 'password': self.ops.password, 'project_domain_name': self.ops.projectdomain, 'user_domain_name': self.ops.userdomain, 'project_name': self.ops.project } self.auth = v3.Password(**self.info) elif token is None: self.info = { 'auth_url': 'http://%s:5000/v3' % self.ops.ip, 'username': username, 'password': password, 'project_domain_name': self.ops.projectdomain, 'user_domain_name': self.ops.userdomain, 'project_name': project_name } self.auth = v3.Password(**self.info) else: self.info = { 'auth_url': 'http://%s:5000/v3' % self.ops.ip, 'token': token, 'project_name': project_name, 'project_domain_name': self.ops.projectdomain, 'reauthenticate': False } self.auth = v3.Token(**self.info) self.sess = session.Session(self.auth)
def connect(self): self.__reset_attributes() if 'OS_TOKEN' in os.environ: # We've already been authenticated. We can just set the right variables self.__env['OS_TOKEN'] = os.environ['OS_TOKEN'] self.__env['OS_USERNAME'] = os.environ['OS_USERNAME'] self.__auth = v3.Token(auth_url=self.__env['OS_AUTH_URL'], token=self.__env['OS_TOKEN']) else: ### Authenticate user: self.__env['OS_USERNAME'] = os.environ[ 'OS_USERNAME'] if 'OS_USERNAME' in os.environ else input( 'Username: '******'OS_PASSWORD'] if 'OS_PASSWORD' in os.environ else getpass.getpass( ) self.__auth = V3OidcPassword( auth_url=self.__env['OS_AUTH_URL'], identity_provider=self.__env['OS_IDENTITY_PROVIDER'], protocol=self.__env['OS_PROTOCOL'], client_id=self.__env['OS_CLIENT_ID'], client_secret=self.__env['OS_CLIENT_SECRET'], discovery_endpoint=self.__env['OS_DISCOVERY_ENDPOINT'], username=self.__env['OS_USERNAME'], password=self.__pw) self.__ks_session = keystone_session.Session(auth=self.__auth)
def get_token_auth_plugin(auth_url, token, project_id=None, domain_name=None): if get_keystone_version() >= 3: if domain_name: return v3_auth.Token(auth_url=auth_url, token=token, domain_name=domain_name, reauthenticate=False) else: return v3_auth.Token(auth_url=auth_url, token=token, project_id=project_id, reauthenticate=False) else: return v2_auth.Token(auth_url=auth_url, token=token, tenant_id=project_id, reauthenticate=False)
def get_scoped_auth(self, unscoped_token, project_id): scoped_auth = v3.Token( auth_url=settings.AUTH_URL, token=unscoped_token, project_id=project_id, reauthenticate=False, ) return scoped_auth
def _refresh_trustee_client(self): trustee_token = self.trustee_user_client.session.get_token() trustee_auth = v3.Token( trust_id=self.trust_id, token=trustee_token, auth_url=self.auth_url ) return self._load_client(trustee_auth, self.ssl_settings)
def get_plugin(self, auth_url=None, token=None, project_id=None, **kwargs): if not all((auth_url, token)): return None return v3_auth.Token(auth_url=auth_url, token=token, project_id=project_id, reauthenticate=False)
def _create_token_auth(self, project_id, token=None, url=None, domain_name=None): if not token: token = self.data.unscoped_access_info.auth_token if not url: url = settings.OPENSTACK_KEYSTONE_URL if domain_name: return v3_auth.Token(auth_url=url, token=token, domain_name=domain_name, reauthenticate=False) else: return v3_auth.Token(auth_url=url, token=token, project_id=project_id, reauthenticate=False)
def __init__(self, token=None, auth_url=None, endpoint=None): if not token and not auth_url: raise ValueError("No usable token supplied") self.token = token self.auth_url = auth_url self.endpoint = endpoint auth = v3.Token(auth_url=auth_url, token=token) self._get_session(auth)
def _get_user_session(self, token): # Get user session from token auth = v3.Token(auth_url=CONF.auth_url, project_name=CONF.project_name, project_domain_name=CONF.project_domain_name, token=token) return session.Session(auth=auth)
def _get_user_keystone_session(): ctx = context.get_ctx() auth = v3.Token( auth_url=CONF.keystone_authtoken.www_authenticate_uri, token=ctx.auth_token, ) return session.Session(auth=auth, verify=False)
def validate_token(auth_url=None, token=None): try: auth = auth_identity.Token( auth_url=auth_url, token=token, unscoped=True) sess = session.Session(auth=auth) c = client.Client(session=sess) return c except Unauthorized: # Take their error and resend it as mine raise AuthenticationError('Authentication required: Invalid token')
def connection_token(self, **kwargs): """ Make a connection with a token :param auth_url: str Authentication url :param token: str Authentication token """ self._authentication = v3.Token(auth_url=kwargs['auth_url'], token=kwargs['token']) self._init_session_access_catalog()
def _create_token_auth(self, project_id=None, token=None, url=None): if not token: token = self.data.federated_unscoped_access_info.auth_token if not url: url = settings.OPENSTACK_KEYSTONE_URL return v3_auth.Token(auth_url=url, token=token, project_id=project_id, reauthenticate=False)