def make_session(opts, **kwargs):
"""Create our base session using simple auth from ksc plugins
The arguments required in opts varies depending on the auth plugin
that is used. This example assumes Identity v2 will be used
and selects token auth if both os_url and os_token have been
provided, otherwise it uses password.
:param Namespace opts:
A parser options Namespace containing the authentication
options to be used
:param dict kwargs:
Additional options passed directly to Session constructor
"""
# If no auth type is named by the user, select one based on
# the supplied options
auth_plugin_name = auth.select_auth_plugin(opts)
(auth_plugin, auth_params) = auth.build_auth_params(
auth_plugin_name,
opts,
)
auth_p = auth_plugin.load_from_options(**auth_params)
session = ksc_session.Session(auth=auth_p, **kwargs)
return session
def make_session(opts, **kwargs):
"""Create our base session using simple auth from ksc plugins
The arguments required in opts varies depending on the auth plugin
that is used. This example assumes Identity v2 will be used
and selects token auth if both os_url and os_token have been
provided, otherwise it uses password.
:param Namespace opts:
A parser options Namespace containing the authentication
options to be used
:param dict kwargs:
Additional options passed directly to Session constructor
"""
# If no auth type is named by the user, select one based on
# the supplied options
auth_plugin_name = auth.select_auth_plugin(opts)
(auth_plugin, auth_params) = auth.build_auth_params(auth_plugin_name, opts)
auth_p = auth_plugin.load_from_options(**auth_params)
session = ks_session.Session(auth=auth_p, **kwargs)
return session
def __make_session(self, opts, **kwargs):
"""Create our base session using simple auth from ksc plugins
The arguments required in opts varies depending on the auth plugin
that is used. This example assumes Identity v2 will be used
and selects token auth if both os_url and os_token have been
provided, otherwise it uses password.
:param opts:
A parser options containing the authentication
options to be used
:param dict kwargs:
Additional options passed directly to Session constructor
"""
cc = cloud_config.OpenStackConfig()
cloud = cc.get_one_cloud(argparse=opts)
# init OS plugin list
auth.get_plugin_list()
auth_plugin_name = auth.select_auth_plugin(cloud)
(auth_plugin, auth_params) = auth.build_auth_params(
auth_plugin_name,
cloud,
)
auth_plugin = auth_plugin.load_from_options(**auth_params)
session = keystone_session.Session(
auth=auth_plugin,
**kwargs
)
return (session, auth_plugin)
def setup_auth(self):
"""Set up authentication
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password')
and not self._cli_options.os_password):
self._cli_options.os_password = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
default_domain = self._cli_options.os_default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and not self._auth_params.get('project_domain_id')
and not self._auth_params.get('project_domain_name')):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self._auth_params.get('user_domain_id')
and not self._auth_params.get('user_domain_name')):
self._auth_params['user_domain_id'] = default_domain
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=self._verify,
)
return
def setup_auth(self):
"""Set up authentication
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password') and
not self._cli_options.os_password):
self._cli_options.os_password = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
default_domain = self._cli_options.os_default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3' and
not self._auth_params.get('project_domain_id') and
not self._auth_params.get('project_domain_name')):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3' and
self.auth_plugin_name.endswith('password') and
not self._auth_params.get('user_domain_id') and
not self._auth_params.get('user_domain_name')):
self._auth_params['user_domain_id'] = default_domain
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=self._verify,
)
return
def __init__(self, auth_options, api_version=None, verify=True):
# If no plugin is named by the user, select one based on
# the supplied options
if not auth_options.os_auth_plugin:
auth_options.os_auth_plugin = auth.select_auth_plugin(auth_options)
self._auth_plugin = auth_options.os_auth_plugin
self._url = auth_options.os_url
self._auth_params = auth.build_auth_params(auth_options)
self._region_name = auth_options.os_region_name
self._api_version = api_version
self.timing = auth_options.timing
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
# verify is the Requests-compatible form
self._verify = verify
# also store in the form used by the legacy client libs
self._cacert = None
if isinstance(verify, bool):
self._insecure = not verify
else:
self._cacert = verify
self._insecure = False
# Get logging from root logger
root_logger = logging.getLogger('')
LOG.setLevel(root_logger.getEffectiveLevel())
LOG.debug('Using auth plugin: %s' % self._auth_plugin)
auth_plugin = base.get_plugin_class(self._auth_plugin)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=verify,
)
self.auth_ref = None
if 'token' not in self._auth_params:
LOG.debug("Get service catalog")
self.auth_ref = self.auth.get_auth_ref(self.session)
return
def __init__(self, auth_options, api_version=None, verify=True):
# If no plugin is named by the user, select one based on
# the supplied options
if not auth_options.os_auth_plugin:
auth_options.os_auth_plugin = auth.select_auth_plugin(auth_options)
self._auth_plugin = auth_options.os_auth_plugin
self._url = auth_options.os_url
self._auth_params = auth.build_auth_params(auth_options)
self._region_name = auth_options.os_region_name
self._api_version = api_version
self.timing = auth_options.timing
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
# verify is the Requests-compatible form
self._verify = verify
# also store in the form used by the legacy client libs
self._cacert = None
if isinstance(verify, bool):
self._insecure = not verify
else:
self._cacert = verify
self._insecure = False
# Get logging from root logger
root_logger = logging.getLogger('')
LOG.setLevel(root_logger.getEffectiveLevel())
LOG.debug('Using auth plugin: %s' % self._auth_plugin)
auth_plugin = base.get_plugin_class(self._auth_plugin)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=verify,
)
self.auth_ref = None
if 'token' not in self._auth_params:
LOG.debug("Get service catalog")
self.auth_ref = self.auth.get_auth_ref(self.session)
return
def __init__(
self,
auth_options,
api_version=None,
verify=True,
pw_func=None,
):
"""Set up a ClientManager
:param auth_options:
Options collected from the command-line, environment, or wherever
:param api_version:
Dict of API versions: key is API name, value is the version
:param verify:
TLS certificate verification; may be a boolean to enable or disable
server certificate verification, or a filename of a CA certificate
bundle to be used in verification (implies True)
:param pw_func:
Callback function for asking the user for a password. The function
takes an optional string for the prompt ('Password: '******'password') and
not auth_options.os_password):
auth_options.os_password = pw_func()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
auth_options,
)
self._url = auth_options.os_url
self._region_name = auth_options.os_region_name
self._api_version = api_version
self._auth_ref = None
self.timing = auth_options.timing
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
# verify is the Requests-compatible form
self._verify = verify
# also store in the form used by the legacy client libs
self._cacert = None
if isinstance(verify, bool):
self._insecure = not verify
else:
self._cacert = verify
self._insecure = False
# Get logging from root logger
root_logger = logging.getLogger('')
LOG.setLevel(root_logger.getEffectiveLevel())
LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=verify,
)
return
def setup_auth(self, required_scope=True):
"""Set up authentication
:param required_scope: indicate whether a scoped token is required
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
if self._auth_setup_completed:
return
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options,
self.auth_plugin_name,
required_scope=required_scope)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password') and
not self._cli_options.auth.get('password')):
self._cli_options.auth['password'] = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
# TODO(mordred): This is a usability improvement that's broadly useful
# We should port it back up into os-client-config.
default_domain = self._cli_options.default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3' and
self.auth_plugin_name.endswith('password') and
not self._auth_params.get('project_domain_id') and
not self.auth_plugin_name.startswith('v2') and
not self._auth_params.get('project_domain_name')):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3' and
self.auth_plugin_name.endswith('password') and
not self.auth_plugin_name.startswith('v2') and
not self._auth_params.get('user_domain_id') and
not self._auth_params.get('user_domain_name')):
self._auth_params['user_domain_id'] = default_domain
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
# ignore all domain related configs.
if (self._api_version.get('identity') == '2.0' and
self.auth_plugin_name.endswith('password')):
domain_props = ['project_domain_name', 'project_domain_id',
'user_domain_name', 'user_domain_id']
for prop in domain_props:
if self._auth_params.pop(prop, None) is not None:
LOG.warning("Ignoring domain related configs " +
prop + " because identity API version is 2.0")
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s', self.auth_plugin_name)
LOG.debug('Using parameters %s',
strutils.mask_password(self._auth_params))
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = osc_session.TimingSession(
auth=self.auth,
session=request_session,
verify=self._verify,
cert=self._cert,
user_agent=USER_AGENT,
)
self._auth_setup_completed = True
def setup_auth(self, required_scope=True):
"""Set up authentication
:param required_scope: indicate whether a scoped token is required
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
if self._auth_setup_completed:
return
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options,
self.auth_plugin_name,
required_scope=required_scope)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password')
and not self._cli_options.auth.get('password')):
self._cli_options.auth['password'] = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
# TODO(mordred): This is a usability improvement that's broadly useful
# We should port it back up into os-client-config.
default_domain = self._cli_options.default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self._auth_params.get('project_domain_id')
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('project_domain_name')):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('user_domain_id')
and not self._auth_params.get('user_domain_name')):
self._auth_params['user_domain_id'] = default_domain
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
# ignore all domain related configs.
if (self._api_version.get('identity') == '2.0'
and self.auth_plugin_name.endswith('password')):
domain_props = [
'project_domain_name', 'project_domain_id', 'user_domain_name',
'user_domain_id'
]
for prop in domain_props:
if self._auth_params.pop(prop, None) is not None:
LOG.warning("Ignoring domain related configs " + prop +
" because identity API version is 2.0")
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s', self.auth_plugin_name)
LOG.debug('Using parameters %s',
strutils.mask_password(self._auth_params))
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = osc_session.TimingSession(
auth=self.auth,
session=request_session,
verify=self._verify,
cert=self._cert,
user_agent=USER_AGENT,
)
self._auth_setup_completed = True
def __init__(
self,
auth_options,
api_version=None,
verify=True,
pw_func=None,
):
"""Set up a ClientManager
:param auth_options:
Options collected from the command-line, environment, or wherever
:param api_version:
Dict of API versions: key is API name, value is the version
:param verify:
TLS certificate verification; may be a boolean to enable or disable
server certificate verification, or a filename of a CA certificate
bundle to be used in verification (implies True)
:param pw_func:
Callback function for asking the user for a password. The function
takes an optional string for the prompt ('Password: '******'password')
and not auth_options.os_password):
auth_options.os_password = pw_func()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
auth_options,
)
self._url = auth_options.os_url
self._region_name = auth_options.os_region_name
self._api_version = api_version
self._auth_ref = None
self.timing = auth_options.timing
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
# verify is the Requests-compatible form
self._verify = verify
# also store in the form used by the legacy client libs
self._cacert = None
if isinstance(verify, bool):
self._insecure = not verify
else:
self._cacert = verify
self._insecure = False
# Get logging from root logger
root_logger = logging.getLogger('')
LOG.setLevel(root_logger.getEffectiveLevel())
LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = session.Session(
auth=self.auth,
session=request_session,
verify=verify,
)
return
