def get_client(self, version=None, session=None): version = version or self.VERSION session = session or keystone_session.Session() adapted = AdapterWithTimeout( session=session, endpoint_override=self.get_base()) return client.Client(version, session=adapted)
redirect_uri = 'https://testuri.com' scope = 'all_info' scopes = [scope] #create a consumer consumer = keystone.oauth2.consumers.create(client_type='confidential', redirect_uris=[redirect_uri], grant_type='authorization_code', scopes=scopes) consumer_id = consumer.id consumer_secret = consumer.secret #store credentials keystone.oauth2.authorization_codes.request_authorization( consumer=consumer_id, redirect_uri=redirect_uri, scope=scope) #grant authorization authorization_code = keystone.oauth2.authorization_codes.authorize( consumer=consumer_id, scopes=scopes) #get an access token access_token = keystone.oauth2.access_tokens.create( consumer_id=consumer_id, authorization_code=authorization_code.code, redirect_uri=redirect_uri, consumer_secret=consumer_secret) # log in and get a keystone token a = auth.OAuth2(url, access_token=access_token.access_token) s = session.Session(auth=a) keystone = client.Client(session=s) keystone.users.list()
def create_keystone_session(cacert, insecure, **kwargs): auth = auth_v2.Password(**kwargs) return session.Session(auth=auth, cert=cacert, verify=not insecure)
def test_no_redirect(self): session = client_session.Session(redirect=False) self.setup_redirects() resp = session.get(self.REDIRECT_CHAIN[0]) self.assertEqual(resp.status_code, 305) self.assertEqual(resp.url, self.REDIRECT_CHAIN[0])
def test_service_url_raises_if_no_url_returned(self): sess = client_session.Session(auth=AuthPlugin()) self.assertRaises(exceptions.EndpointNotFound, sess.get, '/path', endpoint_filter={'service_type': 'unknown', 'interface': 'public'})
def test_does_not_set_tcp_keepalive_on_custom_sessions(self): mock_session = mock.Mock() client_session.Session(session=mock_session) self.assertFalse(mock_session.mount.called)
def test_basic_post_keeps_correct_method(self): session = client_session.Session() self.setup_redirects(method='POST', status_code=301) resp = session.post(self.REDIRECT_CHAIN[-2]) self.assertResponse(resp)
def test_no_reauthenticate(self): a = self._create_expired_auth_plugin(reauthenticate=False) expired_auth_ref = a.auth_ref s = session.Session(auth=a) self.assertIs(expired_auth_ref, a.get_access(s))
def test_get_auth_properties(self): a = self.create_auth_plugin() s = session.Session() self.assertEqual(self.user_id, a.get_user_id(s)) self.assertEqual(self.project_id, a.get_project_id(s))
ks_username = config.get('os_username') ks_password = config.get('os_password') project_name = config.get('os_project_name') yaml_file = config.get('flavor_yaml_file') ca_bundle = config.get('ca_bundle_file') with open(yaml_file) as f: flavors = yaml.safe_load(f) f.close() auth = v2.Password(auth_url=auth_url, username=ks_username, password=ks_password, tenant_name=project_name) sess = session.Session(auth=auth, verify=ca_bundle) nova = client.Client("2", session=sess) current = [] for f in nova.flavors.list(is_public=False): current.append(f.name) inyaml = [] for f in flavors['flavors']: name = "%s.%sc.%sr.%sh" % (f['type'], f['cpu'], f['ram'], f['disk']) if name in inyaml: log.logger.debug( "flavor %s is duplicate in flavor.yaml so it will be skipped" % name)
def _get_keystone_session(**kwargs): # TODO(fabgia): the heavy lifting here should be really done by Keystone. # Unfortunately Keystone does not support a richer method to perform # discovery and return a single viable URL. A bug against Keystone has # been filed: https://bugs.launchpad.net/python-keystoneclient/+bug/1330677 # first create a Keystone session cacert = kwargs.pop('cacert', None) cert = kwargs.pop('cert', None) key = kwargs.pop('key', None) insecure = kwargs.pop('insecure', False) auth_url = kwargs.pop('auth_url', None) project_id = kwargs.pop('project_id', None) project_name = kwargs.pop('project_name', None) if insecure: verify = False else: verify = cacert or True if cert and key: # passing cert and key together is deprecated in favour of the # requests lib form of having the cert and key as a tuple cert = (cert, key) # create the keystone client session ks_session = session.Session(verify=verify, cert=cert) v2_auth_url, v3_auth_url = _discover_auth_versions(ks_session, auth_url) username = kwargs.pop('username', None) user_id = kwargs.pop('user_id', None) user_domain_name = kwargs.pop('user_domain_name', None) user_domain_id = kwargs.pop('user_domain_id', None) project_domain_name = kwargs.pop('project_domain_name', None) project_domain_id = kwargs.pop('project_domain_id', None) auth = None use_domain = (user_domain_id or user_domain_name or project_domain_id or project_domain_name) use_v3 = v3_auth_url and (use_domain or (not v2_auth_url)) use_v2 = v2_auth_url and not use_domain if use_v3: # the auth_url as v3 specified # e.g. http://no.where:5000/v3 # Keystone will return only v3 as viable option auth = v3_auth.Password( v3_auth_url, username=username, password=kwargs.pop('password', None), user_id=user_id, user_domain_name=user_domain_name, user_domain_id=user_domain_id, project_name=project_name, project_id=project_id, project_domain_name=project_domain_name, project_domain_id=project_domain_id) elif use_v2: # the auth_url as v2 specified # e.g. http://no.where:5000/v2.0 # Keystone will return only v2 as viable option auth = v2_auth.Password( v2_auth_url, username, kwargs.pop('password', None), tenant_id=project_id, tenant_name=project_name) else: raise exc.CommandError('Unable to determine the Keystone version ' 'to authenticate with using the given ' 'auth_url.') ks_session.auth = auth return ks_session
def login(username, project_id, password, region): params_no_version = { 'username': username, 'project_id': project_id, 'auth_url': config.os_auth_url, 'user_domain_id': 'default', 'tenant_name': project_id, 'password': password, 'project_domain_id': 'default' } request_session = requests.session() auth = auth_plugin.load_from_options(**params_no_version) session = osc_session.Session(auth=auth, session=request_session, verify=True) catalog = auth.get_auth_ref(session)['catalog'] nova_catalog = [ res for res in catalog if res['type'] == 'compute' and res['endpoints'][0]['region'] == region ] neutron_catalog = [ res for res in catalog if res['type'] == 'network' and res['endpoints'][0]['region'] == region ] cinder_catalog = [ res for res in catalog if res['type'] == 'volumev2' and res['endpoints'][0]['region'] == region ] glance_catalog = [ res for res in catalog if res['type'] == 'image' and res['endpoints'][0]['region'] == region ] final_nova_catalog = [] for res in nova_catalog: for r in res['endpoints']: if r['interface'] == 'public': final_nova_catalog.append(r['url']) final_neutron_catalog = [] for res in neutron_catalog: for r in res['endpoints']: if r['interface'] == 'public': final_neutron_catalog.append(r['url'] + '/v2.0') final_cinder_catalog = [] for res in cinder_catalog: for r in res['endpoints']: if r['interface'] == 'public': final_cinder_catalog.append(r['url']) final_glance_catalog = [] for res in glance_catalog: for r in res['endpoints']: if r['interface'] == 'public': final_glance_catalog.append(r['url']) return (session.get_token(), final_nova_catalog, final_neutron_catalog, final_cinder_catalog, final_glance_catalog)
def test_400_api_connection(self): """Simple api calls to check service is up and responding""" u.log.debug('Checking api functionality...') # This handles both keystone v2 and v3. # For keystone v2 we need a user: # - 'demo' user # - has a project 'demo' # - in the 'demo' project # - with an 'admin' role # For keystone v3 we need a user: # - 'default' domain # - 'demo' user # - 'demo' project # - 'admin' role -- to be able to delete. # manila requires a user with creator or admin role on the project # when creating a secret (which this test does). Therefore, we create # a demo user, demo project, and then get a demo manila client and do # the secret. ensure that the default domain is created. if self._keystone_version == '2': # find or create the 'demo' tenant (project) tenant = self._find_or_create( items=self.keystone.tenants.list(), key=lambda t: t.name == 'demo', create=lambda: self.keystone.tenants.create( tenant_name="demo", description="Demo for testing manila", enabled=True)) # find or create the demo user demo_user = self._find_or_create( items=self.keystone.users.list(), key=lambda u: u.name == 'demo', create=lambda: self.keystone.users.create( name='demo', password='******', tenant_id=tenant.id)) # find the admin role # already be created - if not, then this will fail later. admin_role = self._find_or_create( items=self.keystone.roles.list(), key=lambda r: r.name.lower() == 'admin', create=lambda: None) # grant the role if it isn't already created. # now grant the creator role to the demo user. self._find_or_create( items=self.keystone.roles.roles_for_user(demo_user, tenant=tenant), key=lambda r: r.name.lower() == admin_role.name.lower(), create=lambda: self.keystone.roles.add_user_role( demo_user, admin_role, tenant=tenant)) # now we can finally get the manila client and create the secret keystone_ep = self.keystone.service_catalog.url_for( service_type='identity', endpoint_type='publicURL') auth = keystone_identity.v2.Password(username=demo_user.name, password='******', tenant_name=tenant.name, auth_url=keystone_ep) else: # find or create the 'default' domain domain = self._find_or_create( items=self.keystone.domains.list(), key=lambda u: u.name == 'default', create=lambda: self.keystone.domains.create( "default", description="domain for manila testing", enabled=True)) # find or create the 'demo' user demo_user = self._find_or_create( items=self.keystone.users.list(domain=domain.id), key=lambda u: u.name == 'demo', create=lambda: self.keystone.users.create( 'demo', domain=domain.id, description="Demo user for manila tests", enabled=True, email="*****@*****.**", password="******")) # find or create the 'demo' project demo_project = self._find_or_create( items=self.keystone.projects.list(domain=domain.id), key=lambda x: x.name == 'demo', create=lambda: self.keystone.projects.create( 'demo', domain=domain.id, description='manila testing project', enabled=True)) # create the role for the user - needs to be admin so that the # secret can be deleted - note there is only one admin role, and it # should already be created - if not, then this will fail later. admin_role = self._find_or_create( items=self.keystone.roles.list(), key=lambda r: r.name.lower() == 'admin', create=lambda: None) # now grant the creator role to the demo user. try: self.keystone.roles.check(role=admin_role, user=demo_user, project=demo_project) except keystoneclient.exceptions.NotFound: # create it if it isn't found self.keystone.roles.grant(role=admin_role, user=demo_user, project=demo_project) # now we can finally get the manila client and create the secret keystone_ep = self.keystone.service_catalog.url_for( service_type='identity', endpoint_type='publicURL') auth = keystone_identity.v3.Password( user_domain_name=domain.name, username=demo_user.name, password='******', project_domain_name=domain.name, project_name=demo_project.name, auth_url=keystone_ep) # Now we carry on with common v2 and v3 code sess = keystone_session.Session(auth=auth) # Authenticate admin with manila endpoint manila_ep = self.keystone.service_catalog.url_for( service_type='key-manager', endpoint_type='publicURL') manila = manila_client.Client(session=sess, endpoint=manila_ep) # now create the secret. my_secret = manila.secrets.create() my_secret.name = u'Random plain text password' my_secret.payload = u'password' my_secret_ref = my_secret.store() assert (my_secret_ref is not None) # and now delete the secret my_secret.delete() u.log.debug('OK')
def getKeystoneSession(config, project): return keystonesession.Session( auth=keystoneauth.Password(auth_url=config['nova_api_url'], username=config['username'], password=config['password'], tenant_name=project))
def test_not_found(self): session = client_session.Session() self.stub_url('GET', status_code=404) self.assertRaises(exceptions.NotFound, session.get, self.TEST_URL)
def setUp(self): super(GenericAuthPluginTests, self).setUp() self.auth = GenericPlugin() self.session = session.Session(auth=self.auth)
def test_server_error(self): session = client_session.Session() self.stub_url('GET', status_code=500) self.assertRaises(exceptions.InternalServerError, session.get, self.TEST_URL)
def main(): argparser = argparse.ArgumentParser() argparser.add_argument('--debug', help='Turn on debug logging', action='store_true') argparser.add_argument( '--project', default='admin-monitoring', help='Set project to test creation for', ) argparser.add_argument( '--keyfile', default='', help='Path to SSH key file for verification', ) argparser.add_argument( '--user', default='', help='Set username (Expected to be the same across all backends)', ) argparser.add_argument( '--prepend', default='test-create', help='String to add to beginning of instance names', ) argparser.add_argument( '--max-pool', default=1, type=int, help='Allow this many instances', ) argparser.add_argument('--preserve-leaks', help='Never delete failed VMs', action='store_true') argparser.add_argument( '--keystone-url', default="http://cloudcontrol1003.wikimedia.org:35357/v3", help='Auth url for token and service discovery', ) argparser.add_argument( '--interval', default=600, type=int, help='Seconds delay for daemon (default: 600 [10m])', ) argparser.add_argument( '--creation-timeout', default=180, type=int, help='Allow this long for creation to succeed.', ) argparser.add_argument( '--ssh-timeout', default=180, type=int, help='Allow this long for SSH to succeed.', ) argparser.add_argument( '--puppet-timeout', default=120, type=int, help='Allow this long for Puppet to succeed.', ) argparser.add_argument( '--deletion-timeout', default=120, type=int, help='Allow this long for delete to succeed.', ) argparser.add_argument( '--image', default='debian-8.10-jessie', help='Image to use', ) argparser.add_argument( '--flavor', default='m1.small', help='Flavor to use', ) argparser.add_argument('--skip-puppet', help='Turn off Puppet validation', action='store_true') argparser.add_argument('--skip-dns', help='Turn off DNS validation', action='store_true') argparser.add_argument( '--dns-resolvers', help='Comma separated list of nameservers', default='208.80.154.143,208.80.154.24', ) argparser.add_argument('--skip-ssh', help='Turn off basic SSH validation', action='store_true') argparser.add_argument('--pause-for-deletion', help='Wait for user input before deletion', action='store_true') argparser.add_argument('--skip-deletion', help='Leave instance behind', action='store_true') argparser.add_argument( '--virthost', default=None, help='Specify a particular host to launch on, e.g. labvirt1001. Default' 'behavior is to use the standard scheduling pool.', ) argparser.add_argument( '--adhoc-command', default='', help='Specify a command over SSH prior to deletion', ) argparser.add_argument( '--network', default='', help='Specify a Neutron network for VMs', ) argparser.add_argument( '--statsd', default='statsd.eqiad.wmnet', help='Send statistics to statsd endpoint', ) args = argparser.parse_args() logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s', level=logging.DEBUG if args.debug else logging.INFO) if args.adhoc_command and args.skip_ssh: logging.error("cannot skip SSH with adhoc command specified") sys.exit(1) try: with open(args.keyfile, 'r') as f: f.read() except: logging.error("keyfile {} cannot be read".format(args.keyfile)) sys.exit(1) pw = os.environ.get('OS_PASSWORD') region = os.environ.get('OS_REGION_NAME') user = os.environ.get('OS_USERNAME') or args.user project = os.environ.get('OS_PROJECT_ID') or args.project if not all([user, pw, project]): logging.error('Set username and password environment variables') sys.exit(1) def stat(metric, value): metric_prepend = 'servers.{}.nova'.format(socket.gethostname()) submit_stat(args.statsd, 8125, metric_prepend, metric, value) while True: loop_start = round(time.time(), 2) auth = generic.Password(auth_url=args.keystone_url, username=user, password=pw, user_domain_name='Default', project_domain_name='Default', project_name=project) sess = keystone_session.Session(auth=auth) nova_conn = nova_client.Client('2', session=sess, region_name=region) prepend = args.prepend epoch = int(time.time()) name = '{}-{}'.format(prepend, epoch) exist = nova_conn.servers.list() logging.debug(exist) prependinstances = [ server for server in exist if server.human_id.startswith(prepend) ] pexist_count = len(prependinstances) stat('instances.count', pexist_count) stat('instances.max', args.max_pool) # If we're pushing up against max_pool, delete the oldest server if not args.preserve_leaks and pexist_count >= args.max_pool - 1: logging.warning("There are {} leaked instances with prepend {}; " "cleaning up".format(pexist_count, prepend)) servers = sorted(prependinstances, key=lambda server: server.human_id) servers[0].delete() if pexist_count >= args.max_pool: # If the cleanup in the last two cycles didn't get us anywhere, # best to just bail out so we stop trampling on the API. logging.error( "max server(s) with prepend {} -- skipping creation".format( prepend)) continue cimage = nova_conn.images.find(name=args.image) cflavor = nova_conn.flavors.find(name=args.flavor) try: vc, server = verify_create(nova_conn, name, cimage, cflavor, args.creation_timeout, args.network, args.virthost) stat('verify.creation', vc) if 'public' in server.addresses: addr = server.addresses['public'][0]['addr'] if not addr.startswith('10.'): raise Exception("Bad address of {}".format(addr)) else: addr = server.addresses['lan-flat-cloudinstances2b'][0]['addr'] if not addr.startswith('172.'): raise Exception("Bad address of {}".format(addr)) if not args.skip_dns: host = '{}.{}.eqiad.wmnet'.format(server.name, server.tenant_id) dnsd = args.dns_resolvers.split(',') vdns = verify_dns(host, dnsd, timeout=2.0) stat('verify.dns', vdns) if not args.skip_ssh: vs = verify_ssh(addr, user, args.keyfile, args.ssh_timeout) stat('verify.ssh', vs) if args.adhoc_command: sshout = run_remote(addr, user, args.keyfile, args.adhoc_command, debug=args.debug) logging.debug(sshout) if not args.skip_puppet: ps, puppetrun = verify_puppet(addr, user, args.keyfile, args.puppet_timeout) stat('verify.puppet', ps) categories = ['changes', 'events', 'resources', 'time'] for d in categories: for k, v in puppetrun[d].iteritems(): stat('puppet.{}.{}'.format(d, k), v) if args.pause_for_deletion: logging.info("Pausing for deletion") get_verify('continue with deletion', 'Not a valid response', ['y']) if not args.skip_deletion: vd = verify_deletion(nova_conn, server, args.deletion_timeout) if not args.pause_for_deletion: stat('verify.deletion', vd) loop_end = time.time() stat('verify.fullstack', round(loop_end - loop_start, 2)) if not args.interval: return stat('verify.success', 1) except: logging.exception("{} failed, leaking".format(name)) stat('verify.success', 0) time.sleep(args.interval)
def test_basic_get(self): session = client_session.Session() self.setup_redirects() resp = session.get(self.REDIRECT_CHAIN[-2]) self.assertResponse(resp)
help='datacenter for operations, to calculate FQDNs. Default is eqiad', default="eqiad" ) args = argparser.parse_args() config = ScriptConfig(args.datacenter, args.destination, args.mysql_password, args.nova_db_server, args.nova_db) logging.basicConfig(format="%(filename)s: %(levelname)s: %(message)s", level=logging.INFO, stream=sys.stdout) sshargs = ["ssh", "-i", "/root/.ssh/compute-hosts-key", "nova@%s" % config.destination_fqdn, "true"] r = subprocess.call(sshargs) if r: logging.error("remote execution failed; this whole enterprise is doomed.") exit(1) auth = generic.Password( auth_url=args.nova_url, username=args.nova_user, password=args.nova_pass, user_domain_name='Default', project_domain_name='Default', project_name='admin') session = keystone_session.Session(auth=auth) instance = NovaInstance(session, args.instanceid, region=args.region) instance.migrate(config) logging.shutdown()
def test_redirect_forever(self): session = client_session.Session(redirect=True) self.setup_redirects() resp = session.get(self.REDIRECT_CHAIN[0]) self.assertResponse(resp) self.assertTrue(len(resp.history), len(self.REDIRECT_CHAIN))
def new_client(self): self.session = session.Session() self.session.auth = v2.Password(self.identity_url, 'xx', 'xx') return v3client.Client(session=self.session)
def test_service_url_raises_if_no_auth_plugin(self): sess = client_session.Session() self.assertRaises(exceptions.MissingAuthPlugin, sess.get, '/path', endpoint_filter={'service_type': 'compute', 'interface': 'public'})
def get_keystone_session(): cred = get_keystone_creds() auth = v3.Password(**cred) return ksc_session.Session(auth=auth)
def test_user_and_project_id(self): auth = AuthPlugin() sess = client_session.Session(auth=auth) self.assertEqual(auth.TEST_USER_ID, sess.get_user_id()) self.assertEqual(auth.TEST_PROJECT_ID, sess.get_project_id())
def get_session(auth_url, endpoint, domain_id, domain_name, project_id, project_name, project_domain_name, project_domain_id, username, user_id, password, user_domain_id, user_domain_name, token, insecure, cacert, all_tenants=False, edit_managed=False): # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session = ks_session.Session() # Build + Attach Authentication Plugin auth_args = { 'auth_url': auth_url, 'domain_id': domain_id, 'domain_name': domain_name, 'project_id': project_id, 'project_name': project_name, 'project_domain_name': project_domain_name, 'project_domain_id': project_domain_id, } if token and endpoint: session.auth = token_endpoint.Token(endpoint, token) elif token: auth_args.update({'token': token}) session.auth = generic.Token(**auth_args) else: auth_args.update({ 'username': username, 'user_id': user_id, 'password': password, 'user_domain_id': user_domain_id, 'user_domain_name': user_domain_name, }) session.auth = generic.Password(**auth_args) # SSL/TLS Server Cert Verification if insecure is True: session.verify = False else: session.verify = cacert # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session.all_tenants = all_tenants session.edit_managed = edit_managed return session
def _create_session_client(self): auth = token_endpoint.Token(self.endpoint, self.token) sess = session.Session(auth=auth) return http.SessionClient(sess)
def get_insecure_session(self): session = self._sessions.get(SESSION_TYPE_INSECURE) if not session: session = keystone.Session(verify=False) self._set_session(SESSION_TYPE_INSECURE, session) return session
def setUp(self): super(TestObjectAPIv1, self).setUp() sess = session.Session() self.api = object_store.APIv1(session=sess, endpoint=FAKE_URL) self.requests_mock = self.useFixture(fixture.Fixture())
def __call__(self, req): request_id = common_context.generate_request_id() # NOTE(alevine) We need to calculate the hash here because # subsequent access to request modifies the req.body so the hash # calculation will yield invalid results. body_hash = hashlib.sha256(req.body).hexdigest() signature = self._get_signature(req) if not signature: msg = _("Signature not provided") return faults.ec2_error_response(request_id, "AuthFailure", msg, status=400) access = self._get_access(req) if not access: msg = _("Access key not provided") return faults.ec2_error_response(request_id, "AuthFailure", msg, status=400) if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers: params = {} else: # Make a copy of args for authentication and signature verification params = dict(req.params) # Not part of authentication args params.pop('Signature', None) cred_dict = { 'access': access, 'signature': signature, 'host': req.host, 'verb': req.method, 'path': req.path, 'params': params, # python3 takes only keys fo json from headers object 'headers': {k: req.headers[k] for k in req.headers}, 'body_hash': body_hash } token_url = CONF.keystone_ec2_tokens_url if "ec2" in token_url: creds = {'ec2Credentials': cred_dict} else: creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}} creds_json = jsonutils.dumps(creds) headers = {'Content-Type': 'application/json'} response = requests.request('POST', token_url, data=creds_json, headers=headers) status_code = response.status_code if status_code != 200: msg = response.reason return faults.ec2_error_response(request_id, "AuthFailure", msg, status=status_code) try: auth_ref = keystone_access.AccessInfo.factory(resp=response, body=response.json()) except (NotImplementedError, KeyError): LOG.exception(_("Keystone failure")) msg = _("Failure communicating with keystone") return faults.ec2_error_response(request_id, "AuthFailure", msg, status=400) auth = keystone_identity_access.AccessInfoPlugin(auth_ref) session = keystone_session.Session(auth=auth) remote_address = req.remote_addr if CONF.use_forwarded_for: remote_address = req.headers.get('X-Forwarded-For', remote_address) ctxt = context.RequestContext(auth_ref.user_id, auth_ref.project_id, request_id=request_id, user_name=auth_ref.username, project_name=auth_ref.project_name, remote_address=remote_address, session=session, api_version=req.params.get('Version')) req.environ['ec2api.context'] = ctxt return self.application