def __init__(self, context):
        # If a trust_id is specified in the context, we immediately
        # authenticate so we can populate the context with a trust token
        # otherwise, we delay client authentication until needed to avoid
        # unnecessary calls to keystone.
        #
        # Note that when you obtain a token using a trust, it cannot be
        # used to reauthenticate and get another token, so we have to
        # get a new trust-token even if context.auth_token is set.
        #
        # - context.auth_url is expected to contain a versioned keystone
        #   path, we will work with either a v2.0 or v3 path
        self.context = context
        self._client = None
        self._admin_client = None

        if self.context.auth_url:
            self.endpoint = self.context.auth_url.replace('v2.0', 'v3')
        else:
            # Import auth_token to have keystone_authtoken settings setup.
            importutils.import_module('keystonemiddleware.auth_token')
            self.endpoint = cfg.CONF.keystone_authtoken.auth_uri.replace(
                'v2.0', 'v3')

        if self.context.trust_id:
            # Create a client with the specified trust_id, this
            # populates self.context.auth_token with a trust-scoped token
            self._client = self._v3_client_init()
Example #2
0
    def __init__(self, context):
        # If a trust_id is specified in the context, we immediately
        # authenticate so we can populate the context with a trust token
        # otherwise, we delay client authentication until needed to avoid
        # unnecessary calls to keystone.
        #
        # Note that when you obtain a token using a trust, it cannot be
        # used to reauthenticate and get another token, so we have to
        # get a new trust-token even if context.auth_token is set.
        #
        # - context.auth_url is expected to contain a versioned keystone
        #   path, we will work with either a v2.0 or v3 path
        self.context = context
        self._client = None
        self._admin_client = None

        if self.context.auth_url:
            self.v3_endpoint = self.context.auth_url.replace('v2.0', 'v3')
        else:
            # Import auth_token to have keystone_authtoken settings setup.
            importutils.import_module('keystoneclient.middleware.auth_token')
            self.v3_endpoint = cfg.CONF.keystone_authtoken.auth_uri.replace(
                'v2.0', 'v3')

        if self.context.trust_id:
            # Create a client with the specified trust_id, this
            # populates self.context.auth_token with a trust-scoped token
            self._client = self._v3_client_init()
Example #3
0
    def before(self, state):
        if not CONF.get('enable_authentication'):
            return
        # Skip authentication for public endpoints
        if AUTH.is_endpoint_public(state.request.path):
            return

        headers = state.request.headers
        user_id = headers.get('X-User-Id')
        if user_id is None:
            LOG.debug("X-User-Id header was not found in the request")
            raise Exception('Not authorized')

        roles = self._get_roles(state.request)

        project_id = headers.get('X-Project-Id')
        user_name = headers.get('X-User-Name', '')
        tenant_name = headers.get('X-Project')

        domain = headers.get('X-Domain-Name')
        project_domain_id = headers.get('X-Project-Domain-Id', '')
        user_domain_id = headers.get('X-User-Domain-Id', '')
        password = headers.get('X-Password', '')

        # Get the auth token
        try:
            recv_auth_token = headers.get('X-Auth-Token',
                                          headers.get(
                                              'X-Storage-Token'))
        except ValueError:
            LOG.debug("No auth token found in the request.")
            raise Exception('Not authorized')
        auth_url = headers.get('X-Auth-Url')
        if auth_url is None:
            importutils.import_module('keystonemiddleware.auth_token')
            auth_url = cfg.CONF.keystone_authtoken.auth_uri

        auth_token_info = state.request.environ.get('keystone.token_info')
        identity_status = headers.get('X-Identity-Status')
        if identity_status == 'Confirmed':
            ctx = context.RequestContext(auth_token=recv_auth_token,
                                         auth_token_info=auth_token_info,
                                         user=user_id,
                                         tenant=project_id,
                                         domain=domain,
                                         user_domain=user_domain_id,
                                         project_domain=project_domain_id,
                                         user_name=user_name,
                                         roles=roles,
                                         auth_url=auth_url,
                                         password=password,
                                         tenant_name=tenant_name)
            state.request.security_context = ctx
        else:
            LOG.debug("The provided identity is not confirmed.")
            raise Exception('Not authorized. Identity not confirmed.')
        return
Example #4
0
 def _service_admin_creds(self):
     # Import auth_token to have keystone_authtoken settings setup.
     importutils.import_module('keystonemiddleware.auth_token')
     creds = {
         'username': cfg.CONF.keystone_authtoken.admin_user,
         'password': cfg.CONF.keystone_authtoken.admin_password,
         'auth_url': self.endpoint,
         'endpoint': self.endpoint,
         'project_name': cfg.CONF.keystone_authtoken.admin_tenant_name}
     return creds
Example #5
0
 def _barbican_admin_init(self):
     # Import auth_token to have keystone_authtoken settings setup.
     importutils.import_module('keystoneclient.middleware.auth_token')
     keystone = barbicanauth.KeystoneAuthV2(
         auth_url=cfg.CONF.keystone_authtoken.auth_uri,
         username=cfg.CONF.keystone_authtoken.admin_user,
         password=cfg.CONF.keystone_authtoken.admin_password,
         tenant_name=cfg.CONF.keystone_authtoken.admin_tenant_name)
     return barbicanclient.Client(auth_plugin=keystone,
                                  insecure=self.insecure)
 def _barbican_admin_init(self):
     # Import auth_token to have keystone_authtoken settings setup.
     importutils.import_module('keystonemiddleware.auth_token')
     auth = identity.v2.Password(
         auth_url=cfg.CONF.keystone_authtoken.auth_uri,
         username=cfg.CONF.keystone_authtoken.admin_user,
         password=cfg.CONF.keystone_authtoken.admin_password,
         tenant_name=cfg.CONF.keystone_authtoken.admin_tenant_name)
     sess = session.Session(auth=auth, verify=self.verify)
     return barbicanclient.Client(session=sess)
 def _barbican_admin_init(self):
     # Import auth_token to have keystone_authtoken settings setup.
     importutils.import_module('keystonemiddleware.auth_token')
     auth = identity.v2.Password(
         auth_url=cfg.CONF.keystone_authtoken.auth_uri,
         username=cfg.CONF.keystone_authtoken.admin_user,
         password=cfg.CONF.keystone_authtoken.admin_password,
         tenant_name=cfg.CONF.keystone_authtoken.admin_tenant_name)
     sess = session.Session(auth=auth, verify=self.verify)
     return barbicanclient.Client(session=sess)
Example #8
0
 def _service_admin_creds(self):
     # Import auth_token to have keystone_authtoken settings setup.
     importutils.import_module('keystonemiddleware.auth_token')
     creds = {
         'username': cfg.CONF.keystone_authtoken.admin_user,
         'password': cfg.CONF.keystone_authtoken.admin_password,
         'auth_url': self.endpoint,
         'endpoint': self.endpoint,
         'project_name': cfg.CONF.keystone_authtoken.admin_tenant_name
     }
     return creds
Example #9
0
    def before(self, state):
        if not CONF.get('enable_authentication'):
            return
        # Do not proceed for triggers as they use non authenticated service
        regexp = re.compile('^/v[0-9]+/public/')
        if regexp.match(state.request.path):
            return

        headers = state.request.headers
        user_id = headers.get('X-User-Id')
        if user_id is None:
            LOG.debug("X-User-Id header was not found in the request")
            raise Exception('Not authorized')

        roles = self._get_roles(state.request)

        project_id = headers.get('X-Project-Id')
        user_name = headers.get('X-User-Name', '')

        domain = headers.get('X-Domain-Name')
        project_domain_id = headers.get('X-Project-Domain-Id', '')
        user_domain_id = headers.get('X-User-Domain-Id', '')

        # Get the auth token
        try:
            recv_auth_token = headers.get('X-Auth-Token',
                                          headers.get(
                                              'X-Storage-Token'))
        except ValueError:
            LOG.debug("No auth token found in the request.")
            raise Exception('Not authorized')
        auth_url = headers.get('X-Auth-Url')
        if auth_url is None:
            importutils.import_module('keystoneclient.middleware.auth_token')
            auth_url = cfg.CONF.keystone_authtoken.auth_uri

        auth_token_info = state.request.environ.get('keystone.token_info')
        identity_status = headers.get('X-Identity-Status')
        if identity_status == 'Confirmed':
            ctx = context.RequestContext(auth_token=recv_auth_token,
                                         auth_token_info=auth_token_info,
                                         user=user_id,
                                         tenant=project_id,
                                         domain=domain,
                                         user_domain=user_domain_id,
                                         project_domain=project_domain_id,
                                         user_name=user_name,
                                         roles=roles,
                                         auth_url=auth_url)
            state.request.security_context = ctx
        else:
            LOG.debug("The provided identity is not confirmed.")
            raise Exception('Not authorized. Identity not confirmed.')
        return
Example #10
0
def _get_impl():
    """Delay import of rpc_backend until configuration is loaded."""
    global _RPCIMPL
    if _RPCIMPL is None:
        try:
            _RPCIMPL = importutils.import_module(CONF.rpc_backend)
        except ImportError:
            # For backwards compatibility with older nova config.
            impl = CONF.rpc_backend.replace('nova.rpc',
                                            'nova.openstack.common.rpc')
            _RPCIMPL = importutils.import_module(impl)
    return _RPCIMPL
Example #11
0
    def before(self, state):
        if not CONF.get('enable_authentication'):
            return
        # Do not proceed for triggers as they use non authenticated service
        regexp = re.compile('^/v[0-9]+/public/')
        if regexp.match(state.request.path):
            return

        headers = state.request.headers
        user_id = headers.get('X-User-Id')
        if user_id is None:
            LOG.debug("X-User-Id header was not found in the request")
            raise Exception('Not authorized')

        roles = self._get_roles(state.request)

        project_id = headers.get('X-Project-Id')
        user_name = headers.get('X-User-Name', '')

        domain = headers.get('X-Domain-Name')
        project_domain_id = headers.get('X-Project-Domain-Id', '')
        user_domain_id = headers.get('X-User-Domain-Id', '')

        # Get the auth token
        try:
            recv_auth_token = headers.get('X-Auth-Token',
                                          headers.get('X-Storage-Token'))
        except ValueError:
            LOG.debug("No auth token found in the request.")
            raise Exception('Not authorized')
        auth_url = headers.get('X-Auth-Url')
        if auth_url is None:
            importutils.import_module('keystoneclient.middleware.auth_token')
            auth_url = cfg.CONF.keystone_authtoken.auth_uri

        auth_token_info = state.request.environ.get('keystone.token_info')
        identity_status = headers.get('X-Identity-Status')
        if identity_status == 'Confirmed':
            ctx = context.RequestContext(auth_token=recv_auth_token,
                                         auth_token_info=auth_token_info,
                                         user=user_id,
                                         tenant=project_id,
                                         domain=domain,
                                         user_domain=user_domain_id,
                                         project_domain=project_domain_id,
                                         user_name=user_name,
                                         roles=roles,
                                         auth_url=auth_url)
            state.request.security_context = ctx
        else:
            LOG.debug("The provided identity is not confirmed.")
            raise Exception('Not authorized. Identity not confirmed.')
        return
Example #12
0
def _get_impl():
    """Delay import of rpc_backend until configuration is loaded."""
    global _RPCIMPL
    if _RPCIMPL is None:
        try:
            _RPCIMPL = importutils.import_module(CONF.rpc_backend)
        except ImportError:
            # For backwards compatibility with older nova config.
            impl = CONF.rpc_backend.replace('nova.rpc',
                                            'nova.openstack.common.rpc')
            _RPCIMPL = importutils.import_module(impl)
    return _RPCIMPL
Example #13
0
def load():
    """Ensure that the object model is initialized."""
    registry.clear()
    backend_name = CONF.database.backend
    backend_path = _BACKEND_MAPPING.get(backend_name, backend_name)
    backend_mod = importutils.import_module(backend_path)
    backend_mod.load()
Example #14
0
def load():
    """Ensure that the object model is initialized."""
    registry.clear()
    backend_name = CONF.database.backend
    backend_path = _BACKEND_MAPPING.get(backend_name, backend_name)
    backend_mod = importutils.import_module(backend_path)
    backend_mod.load()
Example #15
0
File: api.py Project: alex/solum
 def __init__(self, backend_mapping=None):
     if backend_mapping is None:
         backend_mapping = {}
     backend_name = CONF.database.backend
     # Import the untranslated name if we don't have a
     # mapping.
     backend_path = backend_mapping.get(backend_name, backend_name)
     backend_mod = importutils.import_module(backend_path)
     self.__backend = backend_mod.get_backend()
Example #16
0
 def __init__(self, backend_mapping=None):
     if backend_mapping is None:
         backend_mapping = {}
     backend_name = CONF.database.backend
     # Import the untranslated name if we don't have a
     # mapping.
     backend_path = backend_mapping.get(backend_name, backend_name)
     backend_mod = importutils.import_module(backend_path)
     self.__backend = backend_mod.get_backend()
Example #17
0
def _import_module(mod_str):
    try:
        if mod_str.startswith('bin.'):
            imp.load_source(mod_str[4:], os.path.join('bin', mod_str[4:]))
            return sys.modules[mod_str[4:]]
        else:
            return importutils.import_module(mod_str)
    except Exception as e:
        sys.stderr.write("Error importing module %s: %s\n" % (mod_str, str(e)))
        return None
Example #18
0
def _import_module(mod_str):
    try:
        if mod_str.startswith('bin.'):
            imp.load_source(mod_str[4:], os.path.join('bin', mod_str[4:]))
            return sys.modules[mod_str[4:]]
        else:
            return importutils.import_module(mod_str)
    except Exception as e:
        sys.stderr.write("Error importing module %s: %s\n" % (mod_str, str(e)))
        return None
Example #19
0
def _import_module(mod_str):
    try:
        if mod_str.startswith("bin."):
            imp.load_source(mod_str[4:], os.path.join("bin", mod_str[4:]))
            return sys.modules[mod_str[4:]]
        else:
            return importutils.import_module(mod_str)
    except ImportError as ie:
        sys.stderr.write("%s\n" % str(ie))
        return None
    except Exception:
        return None
Example #20
0
def _get_drivers():
    """Instantiate, cache, and return drivers based on the CONF."""
    global _drivers
    if _drivers is None:
        _drivers = {}
        for notification_driver in CONF.notification_driver:
            try:
                driver = importutils.import_module(notification_driver)
                _drivers[notification_driver] = driver
            except ImportError:
                LOG.exception(_("Failed to load notifier %s. "
                                "These notifications will not be sent.") %
                              notification_driver)
    return _drivers.values()
Example #21
0
def deserialize_remote_exception(conf, data):
    failure = jsonutils.loads(str(data))

    trace = failure.get('tb', [])
    message = failure.get('message', "") + "\n" + "\n".join(trace)
    name = failure.get('class')
    module = failure.get('module')

    # NOTE(ameade): We DO NOT want to allow just any module to be imported, in
    # order to prevent arbitrary code execution.
    if module not in conf.allowed_rpc_exception_modules:
        return RemoteError(name, failure.get('message'), trace)

    try:
        mod = importutils.import_module(module)
        klass = getattr(mod, name)
        if not issubclass(klass, Exception):
            raise TypeError("Can only deserialize Exceptions")

        failure = klass(*failure.get('args', []), **failure.get('kwargs', {}))
    except (AttributeError, TypeError, ImportError):
        return RemoteError(name, failure.get('message'), trace)

    ex_type = type(failure)
    str_override = lambda self: message
    new_ex_type = type(ex_type.__name__ + _REMOTE_POSTFIX, (ex_type, ), {
        '__str__': str_override,
        '__unicode__': str_override
    })
    new_ex_type.__module__ = '%s%s' % (module, _REMOTE_POSTFIX)
    try:
        # NOTE(ameade): Dynamically create a new exception type and swap it in
        # as the new type for the exception. This only works on user defined
        # Exceptions and not core python exceptions. This is important because
        # we cannot necessarily change an exception message so we must override
        # the __str__ method.
        failure.__class__ = new_ex_type
    except TypeError:
        # NOTE(ameade): If a core exception then just add the traceback to the
        # first exception argument.
        failure.args = (message, ) + failure.args[1:]
    return failure
Example #22
0
def deserialize_remote_exception(conf, data):
    failure = jsonutils.loads(str(data))

    trace = failure.get('tb', [])
    message = failure.get('message', "") + "\n" + "\n".join(trace)
    name = failure.get('class')
    module = failure.get('module')

    # NOTE(ameade): We DO NOT want to allow just any module to be imported, in
    # order to prevent arbitrary code execution.
    if module not in conf.allowed_rpc_exception_modules:
        return RemoteError(name, failure.get('message'), trace)

    try:
        mod = importutils.import_module(module)
        klass = getattr(mod, name)
        if not issubclass(klass, Exception):
            raise TypeError("Can only deserialize Exceptions")

        failure = klass(*failure.get('args', []), **failure.get('kwargs', {}))
    except (AttributeError, TypeError, ImportError):
        return RemoteError(name, failure.get('message'), trace)

    ex_type = type(failure)
    str_override = lambda self: message
    new_ex_type = type(ex_type.__name__ + _REMOTE_POSTFIX, (ex_type,),
                       {'__str__': str_override, '__unicode__': str_override})
    new_ex_type.__module__ = '%s%s' % (module, _REMOTE_POSTFIX)
    try:
        # NOTE(ameade): Dynamically create a new exception type and swap it in
        # as the new type for the exception. This only works on user defined
        # Exceptions and not core python exceptions. This is important because
        # we cannot necessarily change an exception message so we must override
        # the __str__ method.
        failure.__class__ = new_ex_type
    except TypeError:
        # NOTE(ameade): If a core exception then just add the traceback to the
        # first exception argument.
        failure.args = (message,) + failure.args[1:]
    return failure
Example #23
0
 def __get_backend(self):
     """Get the actual backend.  May be a module or an instance of
     a class.  Doesn't matter to us.  We do this synchronized as it's
     possible multiple greenthreads started very quickly trying to do
     DB calls and eventlet can switch threads before self.__backend gets
     assigned.
     """
     if self.__backend:
         # Another thread assigned it
         return self.__backend
     backend_name = CONF.database.backend
     self.__use_tpool = CONF.database.use_tpool
     if self.__use_tpool:
         from eventlet import tpool
         self.__tpool = tpool
     # Import the untranslated name if we don't have a
     # mapping.
     backend_path = self.__backend_mapping.get(backend_name,
                                               backend_name)
     backend_mod = importutils.import_module(backend_path)
     self.__backend = backend_mod.get_backend()
     return self.__backend
Example #24
0
def load():
    base.reset_obj_classes()
    backend_name = CONF.database.backend
    backend_path = _BACKEND_MAPPING.get(backend_name, backend_name)
    backend_mod = importutils.import_module(backend_path)
    backend_mod.load()
Example #25
0
def load():
    base.reset_obj_classes()
    backend_name = CONF.database.backend
    backend_path = _BACKEND_MAPPING.get(backend_name, backend_name)
    backend_mod = importutils.import_module(backend_path)
    backend_mod.load()