def _get_ks_client(self): kwargs = {'auth_url': self.auth_url, 'endpoint': self.auth_url} if self.context.trust_id: kwargs.update(self._get_admin_credentials()) kwargs['trust_id'] = self.context.trust_id kwargs.pop('project_name') elif self.context.auth_token_info: kwargs['token'] = self.context.auth_token if self._is_v2_valid(self.context.auth_token_info): LOG.warning('Keystone v2 is deprecated.') kwargs['auth_ref'] = self.context.auth_token_info['access'] kwargs['auth_ref']['version'] = 'v2.0' elif self._is_v3_valid(self.context.auth_token_info): kwargs['auth_ref'] = self.context.auth_token_info['token'] kwargs['auth_ref']['version'] = 'v3' else: LOG.error(_LE('Unknown version in auth_token_info')) raise exception.AuthorizationFailure() elif self.context.auth_token: kwargs['token'] = self.context.auth_token else: LOG.error(_LE('Keystone v3 API conntection failed, no password ' 'trust or auth_token')) raise exception.AuthorizationFailure() return kc_v3.Client(**kwargs)
def _v3_client_init(self): kwargs = {'auth_url': self.v3_endpoint, 'endpoint': self.v3_endpoint} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id kwargs.pop('project_name') elif self.context.auth_token_info is not None: # The auth_ref version must be set according to the token version if 'access' in self.context.auth_token_info: kwargs['auth_ref'] = copy.deepcopy( self.context.auth_token_info['access']) kwargs['auth_ref']['version'] = 'v2.0' kwargs['auth_ref']['token']['id'] = self.context.auth_token elif 'token' in self.context.auth_token_info: kwargs['auth_ref'] = copy.deepcopy( self.context.auth_token_info['token']) kwargs['auth_ref']['version'] = 'v3' kwargs['auth_ref']['auth_token'] = self.context.auth_token else: LOG.error(_LE("Unknown version in auth_token_info")) raise exception.AuthorizationFailure() elif self.context.auth_token is not None: kwargs['token'] = self.context.auth_token kwargs['project_id'] = self.context.project_id else: LOG.error( _LE("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() client = kc_v3.Client(**kwargs) if 'auth_ref' not in kwargs: client.authenticate() # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client.auth_ref.trust_scoped: LOG.error(_LE("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client.auth_ref.auth_token self.context.auth_url = self.v3_endpoint self.context.user = client.auth_ref.user_id self.context.project_id = client.auth_ref.project_id self.context.user_name = client.auth_ref.username return client
def _get_auth(self): if self.context.is_admin: try: auth = ka_loading.load_auth_from_conf_options( CONF, ksconf.CFG_GROUP) except ka_exception.MissingRequiredOptions: auth = self._get_legacy_auth() elif self.context.auth_token_info: access_info = ka_access.create(body=self.context.auth_token_info, auth_token=self.context.auth_token) auth = ka_access_plugin.AccessInfoPlugin(access_info) elif self.context.auth_token: auth = ka_v3.Token(auth_url=self.auth_url, token=self.context.auth_token) elif self.context.trust_id: auth_info = { 'auth_url': self.auth_url, 'username': self.context.user_name, 'password': self.context.password, 'user_domain_id': self.context.user_domain_id, 'user_domain_name': self.context.user_domain_name, 'trust_id': self.context.trust_id } auth = ka_v3.Password(**auth_info) else: LOG.error( _LE('Keystone API connection failed: no password, ' 'trust_id or token found.')) raise exception.AuthorizationFailure() return auth
def admin_client(self): if not self._admin_client: # Create admin client connection to v3 API admin_creds = self._service_admin_creds() c = kc_v3.Client(**admin_creds) if c.authenticate(): self._admin_client = c else: LOG.error(_LE("Admin client authentication failed")) raise exception.AuthorizationFailure() return self._admin_client
def trustee_domain_id(self): if not self._trustee_domain_id: try: access = self.domain_admin_auth.get_access( self.domain_admin_session) except kc_exception.Unauthorized: LOG.error(_LE("Keystone client authentication failed")) raise exception.AuthorizationFailure() self._trustee_domain_id = access.domain_id return self._trustee_domain_id
def trustee_domain_id(self): if not self._trustee_domain_id: try: access = self.domain_admin_auth.get_access( self.domain_admin_session) except kc_exception.Unauthorized: msg = _LE("Keystone client authentication failed") LOG.error(msg) raise exception.AuthorizationFailure(client='keystone', message='reason: %s' % msg) self._trustee_domain_id = access.domain_id return self._trustee_domain_id
def test_AuthorizationFailure(self): self.assertRaises( exception.AuthorizationFailure, lambda: self.raise_(exception.AuthorizationFailure()))