def make_session(opts, **kwargs): """Create our base session using simple auth from ksc plugins The arguments required in opts varies depending on the auth plugin that is used. This example assumes Identity v2 will be used and selects token auth if both os_url and os_token have been provided, otherwise it uses password. :param Namespace opts: A parser options Namespace containing the authentication options to be used :param dict kwargs: Additional options passed directly to Session constructor """ # If no auth type is named by the user, select one based on # the supplied options auth_plugin_name = auth.select_auth_plugin(opts) (auth_plugin, auth_params) = auth.build_auth_params( auth_plugin_name, opts, ) auth_p = auth_plugin.load_from_options(**auth_params) session = ksc_session.Session(auth=auth_p, **kwargs) return session
def make_session(opts, **kwargs): """Create our base session using simple auth from ksc plugins The arguments required in opts varies depending on the auth plugin that is used. This example assumes Identity v2 will be used and selects token auth if both os_url and os_token have been provided, otherwise it uses password. :param Namespace opts: A parser options Namespace containing the authentication options to be used :param dict kwargs: Additional options passed directly to Session constructor """ # If no auth type is named by the user, select one based on # the supplied options auth_plugin_name = auth.select_auth_plugin(opts) (auth_plugin, auth_params) = auth.build_auth_params(auth_plugin_name, opts) auth_p = auth_plugin.load_from_options(**auth_params) session = ks_session.Session(auth=auth_p, **kwargs) return session
def __make_session(self, opts, **kwargs): """Create our base session using simple auth from ksc plugins The arguments required in opts varies depending on the auth plugin that is used. This example assumes Identity v2 will be used and selects token auth if both os_url and os_token have been provided, otherwise it uses password. :param opts: A parser options containing the authentication options to be used :param dict kwargs: Additional options passed directly to Session constructor """ cc = cloud_config.OpenStackConfig() cloud = cc.get_one_cloud(argparse=opts) # init OS plugin list auth.get_plugin_list() auth_plugin_name = auth.select_auth_plugin(cloud) (auth_plugin, auth_params) = auth.build_auth_params( auth_plugin_name, cloud, ) auth_plugin = auth_plugin.load_from_options(**auth_params) session = keystone_session.Session( auth=auth_plugin, **kwargs ) return (session, auth_plugin)
def setup_auth(self): """Set up authentication This is deferred until authentication is actually attempted because it gets in the way of things that do not require auth. """ # If no auth type is named by the user, select one based on # the supplied options self.auth_plugin_name = auth.select_auth_plugin(self._cli_options) # Basic option checking to avoid unhelpful error messages auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name) # Horrible hack alert...must handle prompt for null password if # password auth is requested. if (self.auth_plugin_name.endswith('password') and not self._cli_options.os_password): self._cli_options.os_password = self._pw_callback() (auth_plugin, self._auth_params) = auth.build_auth_params( self.auth_plugin_name, self._cli_options, ) default_domain = self._cli_options.os_default_domain # NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is # present, then do not change the behaviour. Otherwise, set the # PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and not self._auth_params.get('project_domain_id') and not self._auth_params.get('project_domain_name')): self._auth_params['project_domain_id'] = default_domain # NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present, # then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID # to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and self.auth_plugin_name.endswith('password') and not self._auth_params.get('user_domain_id') and not self._auth_params.get('user_domain_name')): self._auth_params['user_domain_id'] = default_domain # For compatibility until all clients can be updated if 'project_name' in self._auth_params: self._project_name = self._auth_params['project_name'] elif 'tenant_name' in self._auth_params: self._project_name = self._auth_params['tenant_name'] LOG.info('Using auth plugin: %s' % self.auth_plugin_name) self.auth = auth_plugin.load_from_options(**self._auth_params) # needed by SAML authentication request_session = requests.session() self.session = session.Session( auth=self.auth, session=request_session, verify=self._verify, ) return
def __init__(self, auth_options, api_version=None, verify=True): # If no plugin is named by the user, select one based on # the supplied options if not auth_options.os_auth_plugin: auth_options.os_auth_plugin = auth.select_auth_plugin(auth_options) self._auth_plugin = auth_options.os_auth_plugin self._url = auth_options.os_url self._auth_params = auth.build_auth_params(auth_options) self._region_name = auth_options.os_region_name self._api_version = api_version self.timing = auth_options.timing # For compatibility until all clients can be updated if 'project_name' in self._auth_params: self._project_name = self._auth_params['project_name'] elif 'tenant_name' in self._auth_params: self._project_name = self._auth_params['tenant_name'] # verify is the Requests-compatible form self._verify = verify # also store in the form used by the legacy client libs self._cacert = None if isinstance(verify, bool): self._insecure = not verify else: self._cacert = verify self._insecure = False # Get logging from root logger root_logger = logging.getLogger('') LOG.setLevel(root_logger.getEffectiveLevel()) LOG.debug('Using auth plugin: %s' % self._auth_plugin) auth_plugin = base.get_plugin_class(self._auth_plugin) self.auth = auth_plugin.load_from_options(**self._auth_params) # needed by SAML authentication request_session = requests.session() self.session = session.Session( auth=self.auth, session=request_session, verify=verify, ) self.auth_ref = None if 'token' not in self._auth_params: LOG.debug("Get service catalog") self.auth_ref = self.auth.get_auth_ref(self.session) return
def __init__( self, auth_options, api_version=None, verify=True, pw_func=None, ): """Set up a ClientManager :param auth_options: Options collected from the command-line, environment, or wherever :param api_version: Dict of API versions: key is API name, value is the version :param verify: TLS certificate verification; may be a boolean to enable or disable server certificate verification, or a filename of a CA certificate bundle to be used in verification (implies True) :param pw_func: Callback function for asking the user for a password. The function takes an optional string for the prompt ('Password: '******'password') and not auth_options.os_password): auth_options.os_password = pw_func() (auth_plugin, self._auth_params) = auth.build_auth_params( self.auth_plugin_name, auth_options, ) self._url = auth_options.os_url self._region_name = auth_options.os_region_name self._api_version = api_version self._auth_ref = None self.timing = auth_options.timing # For compatibility until all clients can be updated if 'project_name' in self._auth_params: self._project_name = self._auth_params['project_name'] elif 'tenant_name' in self._auth_params: self._project_name = self._auth_params['tenant_name'] # verify is the Requests-compatible form self._verify = verify # also store in the form used by the legacy client libs self._cacert = None if isinstance(verify, bool): self._insecure = not verify else: self._cacert = verify self._insecure = False # Get logging from root logger root_logger = logging.getLogger('') LOG.setLevel(root_logger.getEffectiveLevel()) LOG.info('Using auth plugin: %s' % self.auth_plugin_name) self.auth = auth_plugin.load_from_options(**self._auth_params) # needed by SAML authentication request_session = requests.session() self.session = session.Session( auth=self.auth, session=request_session, verify=verify, ) return
def setup_auth(self, required_scope=True): """Set up authentication :param required_scope: indicate whether a scoped token is required This is deferred until authentication is actually attempted because it gets in the way of things that do not require auth. """ if self._auth_setup_completed: return # If no auth type is named by the user, select one based on # the supplied options self.auth_plugin_name = auth.select_auth_plugin(self._cli_options) # Basic option checking to avoid unhelpful error messages auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name, required_scope=required_scope) # Horrible hack alert...must handle prompt for null password if # password auth is requested. if (self.auth_plugin_name.endswith('password') and not self._cli_options.auth.get('password')): self._cli_options.auth['password'] = self._pw_callback() (auth_plugin, self._auth_params) = auth.build_auth_params( self.auth_plugin_name, self._cli_options, ) # TODO(mordred): This is a usability improvement that's broadly useful # We should port it back up into os-client-config. default_domain = self._cli_options.default_domain # NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is # present, then do not change the behaviour. Otherwise, set the # PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and self.auth_plugin_name.endswith('password') and not self._auth_params.get('project_domain_id') and not self.auth_plugin_name.startswith('v2') and not self._auth_params.get('project_domain_name')): self._auth_params['project_domain_id'] = default_domain # NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present, # then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID # to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and self.auth_plugin_name.endswith('password') and not self.auth_plugin_name.startswith('v2') and not self._auth_params.get('user_domain_id') and not self._auth_params.get('user_domain_name')): self._auth_params['user_domain_id'] = default_domain # NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID # or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then # ignore all domain related configs. if (self._api_version.get('identity') == '2.0' and self.auth_plugin_name.endswith('password')): domain_props = ['project_domain_name', 'project_domain_id', 'user_domain_name', 'user_domain_id'] for prop in domain_props: if self._auth_params.pop(prop, None) is not None: LOG.warning("Ignoring domain related configs " + prop + " because identity API version is 2.0") # For compatibility until all clients can be updated if 'project_name' in self._auth_params: self._project_name = self._auth_params['project_name'] elif 'tenant_name' in self._auth_params: self._project_name = self._auth_params['tenant_name'] LOG.info('Using auth plugin: %s', self.auth_plugin_name) LOG.debug('Using parameters %s', strutils.mask_password(self._auth_params)) self.auth = auth_plugin.load_from_options(**self._auth_params) # needed by SAML authentication request_session = requests.session() self.session = osc_session.TimingSession( auth=self.auth, session=request_session, verify=self._verify, cert=self._cert, user_agent=USER_AGENT, ) self._auth_setup_completed = True
def setup_auth(self, required_scope=True): """Set up authentication :param required_scope: indicate whether a scoped token is required This is deferred until authentication is actually attempted because it gets in the way of things that do not require auth. """ if self._auth_setup_completed: return # If no auth type is named by the user, select one based on # the supplied options self.auth_plugin_name = auth.select_auth_plugin(self._cli_options) # Basic option checking to avoid unhelpful error messages auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name, required_scope=required_scope) # Horrible hack alert...must handle prompt for null password if # password auth is requested. if (self.auth_plugin_name.endswith('password') and not self._cli_options.auth.get('password')): self._cli_options.auth['password'] = self._pw_callback() (auth_plugin, self._auth_params) = auth.build_auth_params( self.auth_plugin_name, self._cli_options, ) # TODO(mordred): This is a usability improvement that's broadly useful # We should port it back up into os-client-config. default_domain = self._cli_options.default_domain # NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is # present, then do not change the behaviour. Otherwise, set the # PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and self.auth_plugin_name.endswith('password') and not self._auth_params.get('project_domain_id') and not self.auth_plugin_name.startswith('v2') and not self._auth_params.get('project_domain_name')): self._auth_params['project_domain_id'] = default_domain # NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present, # then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID # to 'OS_DEFAULT_DOMAIN' for better usability. if (self._api_version.get('identity') == '3' and self.auth_plugin_name.endswith('password') and not self.auth_plugin_name.startswith('v2') and not self._auth_params.get('user_domain_id') and not self._auth_params.get('user_domain_name')): self._auth_params['user_domain_id'] = default_domain # NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID # or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then # ignore all domain related configs. if (self._api_version.get('identity') == '2.0' and self.auth_plugin_name.endswith('password')): domain_props = [ 'project_domain_name', 'project_domain_id', 'user_domain_name', 'user_domain_id' ] for prop in domain_props: if self._auth_params.pop(prop, None) is not None: LOG.warning("Ignoring domain related configs " + prop + " because identity API version is 2.0") # For compatibility until all clients can be updated if 'project_name' in self._auth_params: self._project_name = self._auth_params['project_name'] elif 'tenant_name' in self._auth_params: self._project_name = self._auth_params['tenant_name'] LOG.info('Using auth plugin: %s', self.auth_plugin_name) LOG.debug('Using parameters %s', strutils.mask_password(self._auth_params)) self.auth = auth_plugin.load_from_options(**self._auth_params) # needed by SAML authentication request_session = requests.session() self.session = osc_session.TimingSession( auth=self.auth, session=request_session, verify=self._verify, cert=self._cert, user_agent=USER_AGENT, ) self._auth_setup_completed = True