def _build_auth_details(self): #keystone self._authn_token = None if cfg.CONF.auth_strategy == 'keystone': #Keystone SSL Support self._ksinsecure=cfg.CONF.keystone_authtoken.insecure kscertfile=cfg.CONF.keystone_authtoken.certfile kskeyfile=cfg.CONF.keystone_authtoken.keyfile kscafile=cfg.CONF.keystone_authtoken.cafile self._use_ks_certs=False if kscertfile and kskeyfile and kscafile \ and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT: certs=[kscertfile, kskeyfile, kscafile] self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) self._use_ks_certs=True #API Server SSL support self._apiusessl=cfg.CONF.APISERVER.use_ssl self._apiinsecure=cfg.CONF.APISERVER.insecure apicertfile=cfg.CONF.APISERVER.certfile apikeyfile=cfg.CONF.APISERVER.keyfile apicafile=cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect=_DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect=_DEFAULT_SERVER_CONNECT self._use_api_certs=False if apicertfile and apikeyfile and apicafile and self._apiusessl: certs=[apicertfile, apikeyfile, apicafile] self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs) self._use_api_certs=True
def _build_auth_details(self): # keystone self._authn_token = None if cfg.CONF.auth_strategy == "keystone": kcfg = cfg.CONF.keystone_authtoken body = '{"auth":{"passwordCredentials":{' body += ' "username": "******",' % (kcfg.admin_user) body += ' "password": "******"},' % (kcfg.admin_password) body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name) self._authn_body = body self._authn_token = cfg.CONF.keystone_authtoken.admin_token self._keystone_url = "%s://%s:%s%s" % ( cfg.CONF.keystone_authtoken.auth_protocol, cfg.CONF.keystone_authtoken.auth_host, cfg.CONF.keystone_authtoken.auth_port, "/v2.0/tokens", ) # Keystone SSL Support self._ksinsecure = cfg.CONF.keystone_authtoken.insecure kscertfile = cfg.CONF.keystone_authtoken.certfile kskeyfile = cfg.CONF.keystone_authtoken.keyfile kscafile = cfg.CONF.keystone_authtoken.cafile self._use_ks_certs = False if ( kscertfile and kskeyfile and kscafile and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT ): certs = [kscertfile, kskeyfile, kscafile] self._kscertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE, certs) self._use_ks_certs = True # API Server SSL support self._apiusessl = cfg.CONF.APISERVER.use_ssl self._apiinsecure = cfg.CONF.APISERVER.insecure apicertfile = cfg.CONF.APISERVER.certfile apikeyfile = cfg.CONF.APISERVER.keyfile apicafile = cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect = _DEFAULT_SERVER_CONNECT self._use_api_certs = False if apicertfile and apikeyfile and apicafile and self._apiusessl: certs = [apicertfile, apikeyfile, apicafile] self._apicertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE, certs) self._use_api_certs = True
def _build_auth_details(self): #keystone self._authn_token = None if cfg.CONF.auth_strategy == 'keystone': kcfg = cfg.CONF.keystone_authtoken body = '{"auth":{"passwordCredentials":{' body += ' "username": "******",' % (kcfg.admin_user) body += ' "password": "******"},' % (kcfg.admin_password) body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name) self._authn_body = body self._authn_token = cfg.CONF.keystone_authtoken.admin_token self._keystone_url = "%s://%s:%s%s" % ( cfg.CONF.keystone_authtoken.auth_protocol, cfg.CONF.keystone_authtoken.auth_host, cfg.CONF.keystone_authtoken.auth_port, "/v2.0/tokens") #Keystone SSL Support self._ksinsecure = cfg.CONF.keystone_authtoken.insecure kscertfile = cfg.CONF.keystone_authtoken.certfile kskeyfile = cfg.CONF.keystone_authtoken.keyfile kscafile = cfg.CONF.keystone_authtoken.cafile self._use_ks_certs = False if (cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT and kscafile): certs = [kscafile] if kscertfile and kskeyfile: certs = [kscertfile, kskeyfile, kscafile] self._kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) self._use_ks_certs = True #API Server SSL support self._apiusessl = cfg.CONF.APISERVER.use_ssl self._apiinsecure = cfg.CONF.APISERVER.insecure apicertfile = cfg.CONF.APISERVER.certfile apikeyfile = cfg.CONF.APISERVER.keyfile apicafile = cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect = _DEFAULT_SERVER_CONNECT self._use_api_certs = False if self._apiusessl and apicafile: certs = [apicafile] if apicertfile and apikeyfile: certs = [apicertfile, apikeyfile, apicafile] self._apicertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_API_CERT_BUNDLE, certs) self._use_api_certs = True
def __init__(self, server_mgr, args): _kscertbundle='' if args.auth_protocol == 'https' and args.cafile: certs=[args.cafile] if args.keyfile and args.certfile: certs=[args.certfile, args.keyfile, args.cafile] _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port) self._conf_info = { 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure': args.insecure, 'identity_uri': identity_uri, } try: if 'v3' in args.auth_url: self._conf_info['auth_version'] = 'v3.0' self._conf_info['auth_type'] = 'password' self._conf_info['auth_url'] = args.auth_url self._conf_info['user_domain_name'] = args.admin_user_domain_name self._conf_info['project_domain_name'] = args.project_domain_name self._conf_info['project_name'] = args.admin_tenant_name self._conf_info['username'] = args.admin_user self._conf_info['password'] = args.admin_password self._conf_info['auth_uri'] = args.auth_url except AttributeError: pass if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._auth_needed = server_mgr.is_auth_needed() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._auth_needed and 'memcache_servers' in args: self._conf_info[ 'memcached_servers'] = args.memcache_servers.split(',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time
def verify(self): # bundle created already return bundle if self._verify: return self._verify if self._cacert: certs = [self._cacert] certbundle = os.path.join('/var/lib/contrail', DiscoveryClient._DEFAULT_CERT_BUNDLE) self._verify = utils.getCertKeyCaBundle(certbundle, certs) return self._verify
def __init__(self, server_mgr, args): _kscertbundle='' if args.auth_protocol == 'https' and args.cafile: certs=[args.cafile] if args.keyfile and args.certfile: certs=[args.certfile, args.keyfile, args.cafile] _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port) self._conf_info = { 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure':args.insecure, 'identity_uri': identity_uri, } try: if 'v3' in args.auth_url: self._conf_info['auth_version'] = 'v3.0' self._conf_info['auth_uri'] = args.auth_url except AttributeError: pass if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._multi_tenancy = server_mgr.is_multi_tenancy_set() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._multi_tenancy and 'memcache_servers' in args: self._conf_info[ 'memcached_servers'] = args.memcache_servers.split(',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time
def _build_auth_details(self): #keystone self._authn_token = None if cfg.CONF.auth_strategy == 'keystone': #Keystone SSL Support self._ksinsecure = cfg.CONF.keystone_authtoken.insecure kscertfile = cfg.CONF.keystone_authtoken.certfile kskeyfile = cfg.CONF.keystone_authtoken.keyfile kscafile = cfg.CONF.keystone_authtoken.cafile self._use_ks_certs = False if kscertfile and kskeyfile and kscafile \ and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT: certs = [kscertfile, kskeyfile, kscafile] self._kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) self._use_ks_certs = True #API Server SSL support self._apiusessl = cfg.CONF.APISERVER.use_ssl self._apiinsecure = cfg.CONF.APISERVER.insecure apicertfile = cfg.CONF.APISERVER.certfile apikeyfile = cfg.CONF.APISERVER.keyfile apicafile = cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect = _DEFAULT_SERVER_CONNECT self._use_api_certs = False if apicertfile and apikeyfile and apicafile and self._apiusessl: certs = [apicertfile, apikeyfile, apicafile] self._apicertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_API_CERT_BUNDLE, certs) self._use_api_certs = True
def __init__(self, server_mgr, args): _kscertbundle = '' if args.certfile and args.keyfile and args.cafile \ and args.auth_protocol == 'https': certs = [args.certfile, args.keyfile, args.cafile] _kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) self._conf_info = { 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'insecure': args.insecure, } if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_token = None self._auth_middleware = None self._mt_rbac = args.multi_tenancy_with_rbac self._multi_tenancy = args.multi_tenancy or args.multi_tenancy_with_rbac if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._multi_tenancy and 'memcache_servers' in args: self._conf_info['memcache_servers'] = args.memcache_servers.split( ',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time
def __init__(self, server_mgr, args): _kscertbundle='' if args.certfile and args.keyfile and args.cafile \ and args.auth_protocol == 'https': certs=[args.certfile, args.keyfile, args.cafile] _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) self._conf_info = { 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'insecure':args.insecure, } if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_token = None self._auth_middleware = None self._mt_rbac = args.multi_tenancy_with_rbac self._multi_tenancy = args.multi_tenancy or args.multi_tenancy_with_rbac if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._multi_tenancy and 'memcache_servers' in args: self._conf_info[ 'memcache_servers'] = args.memcache_servers.split(',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time
def __init__( self, username=None, password=None, tenant_name=None, api_server_host=None, api_server_port=None, api_server_url=None, conf_file=None, user_info=None, auth_token=None, auth_host=None, auth_port=None, auth_protocol=None, auth_url=None, auth_type=None, wait_for_connect=False, api_server_use_ssl=False, domain_name=None, exclude_hrefs=None, ): # TODO allow for username/password to be present in creds file self._obj_serializer = self._obj_serializer_diff for object_type, resource_type in all_resource_type_tuples: for oper_str in ("_create", "_read", "_update", "_delete", "s_list", "_get_default_id"): method = getattr(self, "_object%s" % (oper_str)) bound_method = functools.partial(method, resource_type) functools.update_wrapper(bound_method, method) if oper_str == "_get_default_id": setattr(self, "get_default_%s_id" % (object_type), bound_method) else: setattr(self, "%s%s" % (object_type, oper_str), bound_method) cfg_parser = ConfigParser.ConfigParser() try: cfg_parser.read(conf_file or "/etc/contrail/vnc_api_lib.ini") except Exception as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT # API server SSL Support use_ssl = api_server_use_ssl if isinstance(api_server_use_ssl, basestring): use_ssl = api_server_use_ssl.lower() == "true" if use_ssl: self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT # keystone self._authn_type = auth_type or _read_cfg(cfg_parser, "auth", "AUTHN_TYPE", self._DEFAULT_AUTHN_TYPE) if self._authn_type == "keystone": self._authn_protocol = auth_protocol or _read_cfg( cfg_parser, "auth", "AUTHN_PROTOCOL", self._DEFAULT_AUTHN_PROTOCOL ) self._authn_server = auth_host or _read_cfg(cfg_parser, "auth", "AUTHN_SERVER", self._DEFAULT_AUTHN_SERVER) self._authn_port = auth_port or _read_cfg(cfg_parser, "auth", "AUTHN_PORT", self._DEFAULT_AUTHN_PORT) self._authn_url = auth_url or _read_cfg(cfg_parser, "auth", "AUTHN_URL", self._DEFAULT_AUTHN_URL) self._username = username or _read_cfg(cfg_parser, "auth", "AUTHN_USER", self._DEFAULT_AUTHN_USER) self._password = password or _read_cfg(cfg_parser, "auth", "AUTHN_PASSWORD", self._DEFAULT_AUTHN_PASSWORD) self._tenant_name = tenant_name or _read_cfg(cfg_parser, "auth", "AUTHN_TENANT", self._DEFAULT_AUTHN_TENANT) self._domain_name = domain_name or _read_cfg(cfg_parser, "auth", "AUTHN_DOMAIN", self._DEFAULT_DOMAIN_ID) # contrail-api SSL support try: self._apiinsecure = cfg_parser.getboolean("global", "insecure") except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._apiinsecure = False apicertfile = _read_cfg(cfg_parser, "global", "certfile", "") apikeyfile = _read_cfg(cfg_parser, "global", "keyfile", "") apicafile = _read_cfg(cfg_parser, "global", "cafile", "") self._use_api_certs = False if api_server_use_ssl: certs = [] if apicafile: certs.append(apicafile) if apicertfile: certs.append(apicertfile) if apikeyfile: certs.append(apikeyfile) if certs: self._apicertbundle = utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE, certs) self._use_api_certs = True # keystone SSL support try: self._ksinsecure = cfg_parser.getboolean("auth", "insecure") except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._ksinsecure = False kscertfile = _read_cfg(cfg_parser, "auth", "certfile", "") kskeyfile = _read_cfg(cfg_parser, "auth", "keyfile", "") kscafile = _read_cfg(cfg_parser, "auth", "cafile", "") self._use_ks_certs = False if self._authn_protocol == "https": certs = [] if kscafile: certs.append(kscafile) if kscertfile: certs.append(kscertfile) if kskeyfile: certs.append(kskeyfile) if certs: self._kscertbundle = utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE, certs) self._use_ks_certs = True if "v2" in self._authn_url: self._authn_body = ( '{"auth":{"passwordCredentials":{' + '"username": "******",' % (self._username) + ' "password": "******"},' % (self._password) + ' "tenantName":"%s"}}' % (self._tenant_name) ) else: self._authn_body = ( '{"auth":{"identity":{' + '"methods": ["password"],' + ' "password":{' + ' "user":{' + ' "name": "%s",' % (self._username) + ' "domain": { "name": "%s" },' % (self._domain_name) + ' "password": "******"' % (self._password) + "}" + "}" + "}," + ' "scope":{' + ' "project":{' + ' "domain": { "name": "%s" },' % (self._domain_name) + ' "name": "%s"' % (self._tenant_name) + "}" + "}" + "}" + "}" ) self._user_info = user_info if not api_server_host: self._web_host = _read_cfg(cfg_parser, "global", "WEB_SERVER", self._DEFAULT_WEB_SERVER) else: self._web_host = api_server_host if not api_server_port: self._web_port = _read_cfg(cfg_parser, "global", "WEB_PORT", self._DEFAULT_WEB_PORT) else: self._web_port = api_server_port self._max_pools = int(_read_cfg(cfg_parser, "global", "MAX_POOLS", self._DEFAULT_MAX_POOLS)) self._max_conns_per_pool = int( _read_cfg(cfg_parser, "global", "MAX_CONNS_PER_POOL", self._DEFAULT_MAX_CONNS_PER_POOL) ) self._curl_logging = False if _read_cfg(cfg_parser, "global", "curl_log", False): self._curl_logging = True self._curl_logger = _cfg_curl_logging(_read_cfg(cfg_parser, "global", "curl_log", False)) # Where client's view of world begins if not api_server_url: self._base_url = _read_cfg(cfg_parser, "global", "BASE_URL", self._DEFAULT_BASE_URL) else: self._base_url = api_server_url # Where server says its root is when _base_url is fetched self._srv_root_url = None # Type-independent actions offered by server self._action_uri = ActionUriDict(self) self._headers = self._DEFAULT_HEADERS.copy() self._headers[rest.hdr_client_tenant()] = self._tenant_name self._auth_token_input = False self._auth_token = None if auth_token: self._auth_token = auth_token self._auth_token_input = True self._headers["X-AUTH-TOKEN"] = self._auth_token # user information for quantum if self._user_info: if "user_id" in self._user_info: self._headers["X-API-USER-ID"] = self._user_info["user_id"] if "user" in self._user_info: self._headers["X-API-USER"] = self._user_info["user"] if "role" in self._user_info: self.set_user_roles([self._user_info["role"]]) self._exclude_hrefs = exclude_hrefs self._create_api_server_session() retry_count = 6 while retry_count: try: homepage = self._request(rest.OP_GET, self._base_url, retry_on_error=False) self._parse_homepage(homepage) except ServiceUnavailableError as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) if wait_for_connect: # Retry connect infinitely when http retcode 503 continue elif retry_count: # Retry connect 60 times when http retcode 503 retry_count -= 1 time.sleep(1) else: # connected succesfully break
def __init__(self, server_mgr, args): self.args = args _kscertbundle = '' if args.auth_protocol == 'https' and args.cafile: certs = [args.cafile] if args.keyfile and args.certfile: certs = [args.certfile, args.keyfile, args.cafile] _kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) self._conf_info = { 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure': args.insecure, 'signing_dir': args.signing_dir, } if args.auth_url: auth_url = args.auth_url else: auth_url = '%s://%s:%s/%s' % (args.auth_protocol, args.auth_host, args.auth_port, _DEFAULT_KS_VERSION) if 'v2.0' in auth_url.split('/'): identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port) self._conf_info.update({ 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'identity_uri': identity_uri }) else: self._conf_info.update({ 'auth_type': args.auth_type, 'auth_url': auth_url, 'username': args.admin_user, 'password': args.admin_password, }) # Add user domain info self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args)) # Get project scope auth params scope_kwargs = cfgmutils.get_project_scope_kwargs(args) if not scope_kwargs: # Default to domain scoped auth scope_kwargs = cfgmutils.get_domain_scope_kwargs(args) self._conf_info.update(**scope_kwargs) if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._auth_needed = server_mgr.is_auth_needed() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._auth_needed and 'memcache_servers' in args: self._conf_info['memcached_servers'] = args.memcache_servers.split( ',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time self._user_auth_middleware = None self._hdr_from_token_auth_middleware = None
def fill_keystone_opts(obj, conf_sections): obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user') obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password') obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token') obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name') try: obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE', 'keystone_sync_on_demand') except ConfigParser.NoOptionError: obj._keystone_sync_on_demand = True try: obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure') except ConfigParser.NoOptionError: obj._insecure = True try: obj._certfile = conf_sections.get('KEYSTONE', 'certfile') except ConfigParser.NoOptionError: obj._certfile = '' try: obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile') except ConfigParser.NoOptionError: obj._keyfile = '' try: obj._cafile= conf_sections.get('KEYSTONE', 'cafile') except ConfigParser.NoOptionError: obj._cafile = '' obj._kscertbundle='' obj._use_certs=False if obj._certfile and obj._keyfile and obj._cafile: certs=[obj._certfile,obj._keyfile,obj._cafile] obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) obj._use_certs=True try: obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url') except ConfigParser.NoOptionError: # deprecated knobs - for backward compat obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol') obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host') obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port') obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port) try: obj._err_file = conf_sections.get('DEFAULTS', 'trace_file') except ConfigParser.NoOptionError: obj._err_file = '/var/log/contrail/vnc_openstack.err' try: # Duration between polls to keystone to find deleted projects resync_interval = conf_sections.get('DEFAULTS', 'keystone_resync_interval_secs') except ConfigParser.NoOptionError: resync_interval = '60' obj._resync_interval_secs = int(resync_interval) try: # Number of workers used to process keystone project resyncing resync_workers = conf_sections.get('DEFAULTS', 'keystone_resync_workers') except ConfigParser.NoOptionError: resync_workers = '10' obj._resync_number_workers = int(resync_workers) try: # If new project with same name as an orphan project # (gone in keystone, present in # contrail with resources within) # is encountered, # a. proceed with unique ified name (new_unique_fqn) # b. refuse to sync (new_fail) # c. cascade delete (TODO) resync_mode = conf_sections.get('DEFAULTS', 'keystone_resync_stale_mode') except ConfigParser.NoOptionError: resync_mode = 'new_unique_fqn' obj._resync_stale_mode = resync_mode try: # Get the domain_id for keystone v3 obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id') except ConfigParser.NoOptionError: obj._domain_id = 'default' try: # Get the user_domain_name for keystone v3 obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name') except ConfigParser.NoOptionError: obj._user_domain_name = 'Default' try: # Get the project_domain_name for keystone v3 obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name') except ConfigParser.NoOptionError: obj._project_domain_name = None try: # Get the project_name for keystone v3 obj._project_name = conf_sections.get('KEYSTONE', 'project_name') except ConfigParser.NoOptionError: obj._project_name = obj._admin_tenant try: # Get the endpoint_type obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type') except ConfigParser.NoOptionError: obj._endpoint_type = None
def __init__(self, username=None, password=None, tenant_name=None, api_server_host='127.0.0.1', api_server_port='8082', api_server_url=None, conf_file=None, user_info=None, auth_token=None, auth_host=None, auth_port=None, auth_protocol = None, auth_url=None, auth_type=None, wait_for_connect=False, api_server_use_ssl=False, domain_name=None): # TODO allow for username/password to be present in creds file self._obj_serializer = self._obj_serializer_diff for object_type, resource_type in all_resource_type_tuples: for oper_str in ('_create', '_read', '_update', '_delete', 's_list', '_get_default_id'): method = getattr(self, '_object%s' %(oper_str)) bound_method = functools.partial(method, resource_type) functools.update_wrapper(bound_method, method) if oper_str == '_get_default_id': setattr(self, 'get_default_%s_id' % (object_type), bound_method) else: setattr(self, '%s%s' %(object_type, oper_str), bound_method) cfg_parser = ConfigParser.ConfigParser() try: cfg_parser.read(conf_file or "/etc/contrail/vnc_api_lib.ini") except Exception as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT # API server SSL Support use_ssl = api_server_use_ssl if isinstance(api_server_use_ssl, basestring): use_ssl = (api_server_use_ssl.lower() == 'true') if use_ssl: self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT # keystone self._authn_type = auth_type or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE', self._DEFAULT_AUTHN_TYPE) if self._authn_type == 'keystone': self._authn_protocol = auth_protocol or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PROTOCOL', self._DEFAULT_AUTHN_PROTOCOL) self._authn_server = auth_host or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_SERVER', self._DEFAULT_AUTHN_SERVER) self._authn_port = auth_port or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PORT', self._DEFAULT_AUTHN_PORT) self._authn_url = auth_url or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_URL', self._DEFAULT_AUTHN_URL) self._username = username or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_USER', self._DEFAULT_AUTHN_USER) self._password = password or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PASSWORD', self._DEFAULT_AUTHN_PASSWORD) self._tenant_name = tenant_name or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_TENANT', self._DEFAULT_AUTHN_TENANT) self._domain_name = domain_name or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_DOMAIN', self._DEFAULT_DOMAIN_ID) #contrail-api SSL support try: self._apiinsecure = cfg_parser.getboolean('global','insecure') except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._apiinsecure = False apicertfile=_read_cfg(cfg_parser,'global','certfile','') apikeyfile=_read_cfg(cfg_parser,'global','keyfile','') apicafile=_read_cfg(cfg_parser,'global','cafile','') self._use_api_certs=False if apicertfile and apikeyfile \ and apicafile and api_server_use_ssl: certs=[apicertfile, apikeyfile, apicafile] self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs) self._use_api_certs=True # keystone SSL support try: self._ksinsecure = cfg_parser.getboolean('auth', 'insecure') except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._ksinsecure = False kscertfile=_read_cfg(cfg_parser,'auth','certfile','') kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','') kscafile=_read_cfg(cfg_parser,'auth','cafile','') self._use_ks_certs=False if kscertfile and kskeyfile and kscafile \ and self._authn_protocol == 'https': certs=[kscertfile, kskeyfile, kscafile] self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs) self._use_ks_certs=True if 'v2' in self._authn_url: self._authn_body = \ '{"auth":{"passwordCredentials":{' + \ '"username": "******",' % (self._username) + \ ' "password": "******"},' % (self._password) + \ ' "tenantName":"%s"}}' % (self._tenant_name) else: self._authn_body = \ '{"auth":{"identity":{' + \ '"methods": ["password"],' + \ ' "password":{' + \ ' "user":{' + \ ' "name": "%s",' % (self._username) + \ ' "domain": { "name": "%s" },' % (self._domain_name) + \ ' "password": "******"' % (self._password) + \ '}' + \ '}' + \ '},' + \ ' "scope":{' + \ ' "project":{' + \ ' "domain": { "name": "%s" },' % (self._domain_name) + \ ' "name": "%s"' % (self._tenant_name) + \ '}' + \ '}' + \ '}' + \ '}' self._user_info = user_info if not api_server_host: self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER', self._DEFAULT_WEB_SERVER) else: self._web_host = api_server_host if not api_server_port: self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT', self._DEFAULT_WEB_PORT) else: self._web_port = api_server_port self._max_pools = int(_read_cfg( cfg_parser, 'global', 'MAX_POOLS', self._DEFAULT_MAX_POOLS)) self._max_conns_per_pool = int(_read_cfg( cfg_parser, 'global', 'MAX_CONNS_PER_POOL', self._DEFAULT_MAX_CONNS_PER_POOL)) self._curl_logging = False if _read_cfg(cfg_parser, 'global', 'curl_log', False): self._curl_logging = True self._curl_logger=_cfg_curl_logging(_read_cfg(cfg_parser,'global','curl_log',False)) # Where client's view of world begins if not api_server_url: self._base_url = _read_cfg(cfg_parser, 'global', 'BASE_URL', self._DEFAULT_BASE_URL) else: self._base_url = api_server_url # Where server says its root is when _base_url is fetched self._srv_root_url = None # Type-independent actions offered by server self._action_uri = ActionUriDict(self) self._headers = self._DEFAULT_HEADERS.copy() self._headers[rest.hdr_client_tenant()] = self._tenant_name self._auth_token_input = False self._auth_token = None if auth_token: self._auth_token = auth_token self._auth_token_input = True self._headers['X-AUTH-TOKEN'] = self._auth_token # user information for quantum if self._user_info: if 'user_id' in self._user_info: self._headers['X-API-USER-ID'] = self._user_info['user_id'] if 'user' in self._user_info: self._headers['X-API-USER'] = self._user_info['user'] if 'role' in self._user_info: self.set_user_roles([self._user_info['role']]) #self._http = HTTPClient(self._web_host, self._web_port, # network_timeout = 300) self._create_api_server_session() retry_count = 6 while retry_count: try: homepage = self._request(rest.OP_GET, self._base_url, retry_on_error=False) self._parse_homepage(homepage) except ServiceUnavailableError as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) if wait_for_connect: # Retry connect infinitely when http retcode 503 continue elif retry_count: # Retry connect 60 times when http retcode 503 retry_count -= 1 time.sleep(1) else: # connected succesfully break
def fill_keystone_opts(obj, conf_sections): obj._auth_user = conf_sections.get("KEYSTONE", "admin_user") obj._auth_passwd = conf_sections.get("KEYSTONE", "admin_password") obj._admin_token = conf_sections.get("KEYSTONE", "admin_token") obj._admin_tenant = conf_sections.get("KEYSTONE", "admin_tenant_name") try: obj._keystone_sync_on_demand = conf_sections.getboolean("KEYSTONE", "keystone_sync_on_demand") except ConfigParser.NoOptionError: obj._keystone_sync_on_demand = True try: obj._insecure = conf_sections.getboolean("KEYSTONE", "insecure") except ConfigParser.NoOptionError: obj._insecure = True try: obj._certfile = conf_sections.get("KEYSTONE", "certfile") except ConfigParser.NoOptionError: obj._certfile = "" try: obj._keyfile = conf_sections.get("KEYSTONE", "keyfile") except ConfigParser.NoOptionError: obj._keyfile = "" try: obj._cafile = conf_sections.get("KEYSTONE", "cafile") except ConfigParser.NoOptionError: obj._cafile = "" obj._kscertbundle = "" obj._use_certs = False if obj._certfile and obj._keyfile and obj._cafile: certs = [obj._certfile, obj._keyfile, obj._cafile] obj._kscertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE, certs) obj._use_certs = True try: obj._auth_url = conf_sections.get("KEYSTONE", "auth_url") except ConfigParser.NoOptionError: # deprecated knobs - for backward compat obj._auth_proto = conf_sections.get("KEYSTONE", "auth_protocol") obj._auth_host = conf_sections.get("KEYSTONE", "auth_host") obj._auth_port = conf_sections.get("KEYSTONE", "auth_port") obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port) try: obj._err_file = conf_sections.get("DEFAULTS", "trace_file") except ConfigParser.NoOptionError: obj._err_file = "/var/log/contrail/vnc_openstack.err" try: # Duration between polls to keystone to find deleted projects resync_interval = conf_sections.get("DEFAULTS", "keystone_resync_interval_secs") except ConfigParser.NoOptionError: resync_interval = "60" obj._resync_interval_secs = int(resync_interval) try: # Number of workers used to process keystone project resyncing resync_workers = conf_sections.get("DEFAULTS", "keystone_resync_workers") except ConfigParser.NoOptionError: resync_workers = "10" obj._resync_number_workers = int(resync_workers) try: # Get the domain_id for keystone v3 obj._domain_id = conf_sections.get("KEYSTONE", "admin_domain_id") except ConfigParser.NoOptionError: obj._domain_id = "default" try: # Get the user_domain_name for keystone v3 obj._user_domain_name = conf_sections.get("KEYSTONE", "admin_user_domain_name") except ConfigParser.NoOptionError: obj._user_domain_name = "Default" try: # Get the project_domain_name for keystone v3 obj._project_domain_name = conf_sections.get("KEYSTONE", "project_domain_name") except ConfigParser.NoOptionError: obj._project_domain_name = None try: # Get the project_name for keystone v3 obj._project_name = conf_sections.get("KEYSTONE", "project_name") except ConfigParser.NoOptionError: obj._project_name = obj._admin_tenant try: # Get the endpoint_type obj._endpoint_type = conf_sections.get("KEYSTONE", "endpoint_type") except ConfigParser.NoOptionError: obj._endpoint_type = None
def fill_keystone_opts(obj, conf_sections): obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user') obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password') obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token') obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name') try: obj._contrail_vcenter_mode = conf_sections.get('DEFAULTS', "contrail_vcenter_mode") except ConfigParser.NoOptionError: obj._contrail_vcenter_mode = None try: obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE', 'keystone_sync_on_demand') except ConfigParser.NoOptionError: obj._keystone_sync_on_demand = True try: obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure') except ConfigParser.NoOptionError: obj._insecure = True try: obj._certfile = conf_sections.get('KEYSTONE', 'certfile') except ConfigParser.NoOptionError: obj._certfile = '' try: obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile') except ConfigParser.NoOptionError: obj._keyfile = '' try: obj._cafile= conf_sections.get('KEYSTONE', 'cafile') except ConfigParser.NoOptionError: obj._cafile = '' obj._kscertbundle='' obj._use_certs=False if obj._certfile and obj._keyfile and obj._cafile: certs=[obj._certfile,obj._keyfile,obj._cafile] obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) obj._use_certs=True try: obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url') except ConfigParser.NoOptionError: # deprecated knobs - for backward compat obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol') obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host') obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port') obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port) try: obj._err_file = conf_sections.get('DEFAULTS', 'trace_file') except ConfigParser.NoOptionError: obj._err_file = '/var/log/contrail/vnc_openstack.err' try: # Duration between polls to keystone to find deleted projects resync_interval = conf_sections.get('DEFAULTS', 'keystone_resync_interval_secs') except ConfigParser.NoOptionError: resync_interval = '60' obj._resync_interval_secs = int(resync_interval) try: # Number of workers used to process keystone project resyncing resync_workers = conf_sections.get('DEFAULTS', 'keystone_resync_workers') except ConfigParser.NoOptionError: resync_workers = '10' obj._resync_number_workers = int(resync_workers) try: # Get the domain_id for keystone v3 obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id') except ConfigParser.NoOptionError: obj._domain_id = 'default' try: # Get the user_domain_name for keystone v3 obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name') except ConfigParser.NoOptionError: obj._user_domain_name = 'Default' try: # Get the project_domain_name for keystone v3 obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name') except ConfigParser.NoOptionError: obj._project_domain_name = 'Default' try: # Get the project_name for keystone v3 obj._project_name = conf_sections.get('KEYSTONE', 'project_name') except ConfigParser.NoOptionError: obj._project_name = obj._admin_tenant try: # Get the endpoint_type obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type') except ConfigParser.NoOptionError: obj._endpoint_type = None
def _build_auth_details(self): #keystone self._authn_token = None if cfg.CONF.auth_strategy == 'keystone': kcfg = cfg.CONF.keystone_authtoken #Keystone SSL Support self._ksinsecure=kcfg.insecure kscertfile=kcfg.certfile kskeyfile=kcfg.keyfile kscafile=kcfg.cafile self._use_ks_certs = False if (cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT and kscafile): certs = [kscafile] if kscertfile and kskeyfile: certs = [kscertfile, kskeyfile, kscafile] self._kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE,certs) self._use_ks_certs = True auth_uri = kcfg.auth_uri or '' try: auth_type = kcfg.auth_type except cfg.NoSuchOptError: auth_type = None auth_version = kcfg.auth_version self.ks_sess = None if ('v2.0' in auth_uri.split('/') or auth_version == 'v2.0' or not auth_type): body = '{"auth":{"passwordCredentials":{' body += ' "username": "******",' % (kcfg.admin_user) body += ' "password": "******"},' % (kcfg.admin_password) body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name) self._authn_body = body self._authn_token = cfg.CONF.keystone_authtoken.admin_token try: auth_token_url = cfg.CONF.APISERVER.auth_token_url except cfg.NoSuchOptError: auth_token_url = None if auth_token_url: self._keystone_url = auth_token_url else: self._keystone_url = "%s://%s:%s%s" % ( cfg.CONF.keystone_authtoken.auth_protocol, cfg.CONF.keystone_authtoken.auth_host, cfg.CONF.keystone_authtoken.auth_port, "/v2.0/tokens") else: from keystoneauth1 import session from keystoneauth1 import loading as ks_loading self.auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, 'keystone_authtoken') if self._ksinsecure: self.ks_sess = session.Session(auth=self.auth_plugin, verify=False) elif not self._ksinsecure and self._use_ks_certs: self.ks_sess = session.Session(auth=self.auth_plugin, verify=self._kscertbundle) else: self.ks_sess = session.Session(auth=self.auth_plugin) #API Server SSL support self._apiusessl=cfg.CONF.APISERVER.use_ssl self._apiinsecure=cfg.CONF.APISERVER.insecure apicertfile=cfg.CONF.APISERVER.certfile apikeyfile=cfg.CONF.APISERVER.keyfile apicafile=cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect=_DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect=_DEFAULT_SERVER_CONNECT self._use_api_certs = False if self._apiusessl and apicafile: certs = [apicafile] if apicertfile and apikeyfile: certs = [apicertfile, apikeyfile, apicafile] self._apicertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_API_CERT_BUNDLE,certs) self._use_api_certs = True
def __init__(self, username=None, password=None, tenant_name=None, api_server_host=None, api_server_port=None, api_server_url=None, conf_file=None, user_info=None, auth_token=None, auth_host=None, auth_port=None, auth_protocol = None, auth_url=None, auth_type=None, wait_for_connect=False, api_server_use_ssl=False, domain_name=None): # TODO allow for username/password to be present in creds file self._obj_serializer = self._obj_serializer_diff for object_type, resource_type in all_resource_type_tuples: for oper_str in ('_create', '_read', '_update', '_delete', 's_list', '_get_default_id'): method = getattr(self, '_object%s' %(oper_str)) bound_method = functools.partial(method, resource_type) functools.update_wrapper(bound_method, method) if oper_str == '_get_default_id': setattr(self, 'get_default_%s_id' % (object_type), bound_method) else: setattr(self, '%s%s' %(object_type, oper_str), bound_method) cfg_parser = ConfigParser.ConfigParser() try: cfg_parser.read(conf_file or "/etc/contrail/vnc_api_lib.ini") except Exception as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT # API server SSL Support use_ssl = api_server_use_ssl if isinstance(api_server_use_ssl, basestring): use_ssl = (api_server_use_ssl.lower() == 'true') if use_ssl: self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT # keystone self._authn_type = auth_type or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE', self._DEFAULT_AUTHN_TYPE) if self._authn_type == 'keystone': self._authn_protocol = auth_protocol or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PROTOCOL', self._DEFAULT_AUTHN_PROTOCOL) self._authn_server = auth_host or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_SERVER', self._DEFAULT_AUTHN_SERVER) self._authn_port = auth_port or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PORT', self._DEFAULT_AUTHN_PORT) self._authn_url = auth_url or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_URL', self._DEFAULT_AUTHN_URL) self._username = username or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_USER', self._DEFAULT_AUTHN_USER) self._password = password or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_PASSWORD', self._DEFAULT_AUTHN_PASSWORD) self._tenant_name = tenant_name or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_TENANT', self._DEFAULT_AUTHN_TENANT) self._domain_name = domain_name or \ _read_cfg(cfg_parser, 'auth', 'AUTHN_DOMAIN', self._DEFAULT_DOMAIN_ID) #contrail-api SSL support try: self._apiinsecure = cfg_parser.getboolean('global','insecure') except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._apiinsecure = False apicertfile=_read_cfg(cfg_parser,'global','certfile','') apikeyfile=_read_cfg(cfg_parser,'global','keyfile','') apicafile=_read_cfg(cfg_parser,'global','cafile','') self._use_api_certs=False if apicertfile and apikeyfile \ and apicafile and api_server_use_ssl: certs=[apicertfile, apikeyfile, apicafile] self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs) self._use_api_certs=True # keystone SSL support try: self._ksinsecure = cfg_parser.getboolean('auth', 'insecure') except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError): self._ksinsecure = False kscertfile=_read_cfg(cfg_parser,'auth','certfile','') kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','') kscafile=_read_cfg(cfg_parser,'auth','cafile','') self._use_ks_certs=False if kscertfile and kskeyfile and kscafile \ and self._authn_protocol == 'https': certs=[kscertfile, kskeyfile, kscafile] self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs) self._use_ks_certs=True if 'v2' in self._authn_url: self._authn_body = \ '{"auth":{"passwordCredentials":{' + \ '"username": "******",' % (self._username) + \ ' "password": "******"},' % (self._password) + \ ' "tenantName":"%s"}}' % (self._tenant_name) else: self._authn_body = \ '{"auth":{"identity":{' + \ '"methods": ["password"],' + \ ' "password":{' + \ ' "user":{' + \ ' "name": "%s",' % (self._username) + \ ' "domain": { "id": "%s" },' % (self._domain_name) + \ ' "password": "******"' % (self._password) + \ '}' + \ '}' + \ '},' + \ ' "scope":{' + \ ' "project":{' + \ ' "domain": { "id": "%s" },' % (self._domain_name) + \ ' "name": "%s"' % (self._username) + \ '}' + \ '}' + \ '}' + \ '}' self._user_info = user_info if not api_server_host: self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER', self._DEFAULT_WEB_SERVER) else: self._web_host = api_server_host if not api_server_port: self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT', self._DEFAULT_WEB_PORT) else: self._web_port = api_server_port self._max_pools = int(_read_cfg( cfg_parser, 'global', 'MAX_POOLS', self._DEFAULT_MAX_POOLS)) self._max_conns_per_pool = int(_read_cfg( cfg_parser, 'global', 'MAX_CONNS_PER_POOL', self._DEFAULT_MAX_CONNS_PER_POOL)) self._curl_logging = False if _read_cfg(cfg_parser, 'global', 'curl_log', False): self._curl_logging=True self._curl_logger=_cfg_curl_logging(_read_cfg(cfg_parser,'global','curl_log',False)) # Where client's view of world begins if not api_server_url: self._base_url = _read_cfg(cfg_parser, 'global', 'BASE_URL', self._DEFAULT_BASE_URL) else: self._base_url = api_server_url # Where server says its root is when _base_url is fetched self._srv_root_url = None # Type-independent actions offered by server self._action_uri = ActionUriDict(self) self._headers = self._DEFAULT_HEADERS.copy() self._headers[rest.hdr_client_tenant()] = self._tenant_name self._auth_token_input = False self._auth_token = None if auth_token: self._auth_token = auth_token self._auth_token_input = True self._headers['X-AUTH-TOKEN'] = self._auth_token # user information for quantum if self._user_info: if 'user_id' in self._user_info: self._headers['X-API-USER-ID'] = self._user_info['user_id'] if 'user' in self._user_info: self._headers['X-API-USER'] = self._user_info['user'] if 'role' in self._user_info: self.set_user_roles([self._user_info['role']]) #self._http = HTTPClient(self._web_host, self._web_port, # network_timeout = 300) self._create_api_server_session() retry_count = 6 while retry_count: try: homepage = self._request(rest.OP_GET, self._base_url, retry_on_error=False) self._parse_homepage(homepage) except ServiceUnavailableError as e: logger = logging.getLogger(__name__) logger.warn("Exception: %s", str(e)) if wait_for_connect: # Retry connect infinitely when http retcode 503 continue elif retry_count: # Retry connect 60 times when http retcode 503 retry_count -= 1 time.sleep(1) else: # connected succesfully break
def fill_keystone_opts(obj, conf_sections): obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user') obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password') obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token') obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name') try: obj._keystone_sync_on_demand = conf_sections.getboolean( 'KEYSTONE', 'keystone_sync_on_demand') except ConfigParser.NoOptionError: obj._keystone_sync_on_demand = True try: obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure') except ConfigParser.NoOptionError: obj._insecure = True try: obj._certfile = conf_sections.get('KEYSTONE', 'certfile') except ConfigParser.NoOptionError: obj._certfile = '' try: obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile') except ConfigParser.NoOptionError: obj._keyfile = '' try: obj._cafile = conf_sections.get('KEYSTONE', 'cafile') except ConfigParser.NoOptionError: obj._cafile = '' obj._kscertbundle = '' obj._use_certs = False if obj._cafile: certs = [obj._cafile] if obj._keyfile and obj._certfile: certs = [obj._certfile, obj._keyfile, obj._cafile] obj._kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) obj._use_certs = True try: obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url') except ConfigParser.NoOptionError: # deprecated knobs - for backward compat obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol') obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host') obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port') obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port) try: obj._err_file = conf_sections.get('DEFAULTS', 'trace_file') except ConfigParser.NoOptionError: obj._err_file = '/var/log/contrail/vnc_openstack.err' try: # Duration between polls to keystone to find deleted projects resync_interval = conf_sections.get('DEFAULTS', 'keystone_resync_interval_secs') except ConfigParser.NoOptionError: resync_interval = '60' obj._resync_interval_secs = float(resync_interval) try: # Number of workers used to process keystone project resyncing resync_workers = conf_sections.get('DEFAULTS', 'keystone_resync_workers') except ConfigParser.NoOptionError: resync_workers = '10' obj._resync_number_workers = int(resync_workers) try: # If new project with same name as an orphan project # (gone in keystone, present in # contrail with resources within) # is encountered, # a. proceed with unique ified name (new_unique_fqn) # b. refuse to sync (new_fail) # c. cascade delete (TODO) resync_mode = conf_sections.get('DEFAULTS', 'keystone_resync_stale_mode') except ConfigParser.NoOptionError: resync_mode = 'new_unique_fqn' obj._resync_stale_mode = resync_mode try: # Get the domain_id for keystone v3 obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id') except ConfigParser.NoOptionError: obj._domain_id = 'default' try: # Get the user_domain_name for keystone v3 obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name') except ConfigParser.NoOptionError: obj._user_domain_name = 'Default' try: # Get the project_domain_name for keystone v3 obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name') except ConfigParser.NoOptionError: obj._project_domain_name = 'Default' try: # Get the project_name for keystone v3 obj._project_name = conf_sections.get('KEYSTONE', 'project_name') except ConfigParser.NoOptionError: obj._project_name = obj._admin_tenant try: # Get the endpoint_type obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type') except ConfigParser.NoOptionError: obj._endpoint_type = None
def configure_test_env(contrail_fab_path='/opt/contrail/utils', test_dir='/contrail-test'): """ Configure test environment by creating sanity_params.ini and sanity_testbed.json files """ print "Configuring test environment" sys.path.insert(0, contrail_fab_path) from fabfile.config import testbed from fabfile.utils.host import get_openstack_internal_vip, \ get_control_host_string, get_authserver_ip, get_admin_tenant_name, \ get_authserver_port, get_env_passwords, get_authserver_credentials, \ get_vcenter_ip, get_vcenter_port, get_vcenter_username, \ get_vcenter_password, get_vcenter_datacenter, get_vcenter_compute, \ get_authserver_protocol, get_region_name, get_contrail_internal_vip, \ get_openstack_external_vip, get_contrail_external_vip, \ get_apiserver_protocol, get_apiserver_certfile, get_apiserver_keyfile, \ get_apiserver_cafile, get_keystone_insecure_flag, \ get_apiserver_insecure_flag, get_keystone_certfile, get_keystone_keyfile, \ get_keystone_cafile, get_keystone_version from fabfile.utils.multitenancy import get_mt_enable from fabfile.utils.interface import get_data_ip from fabfile.tasks.install import update_config_option, update_js_config from fabfile.utils.fabos import get_as_sudo logger = contrail_logging.getLogger(__name__) def validate_and_copy_file(filename, source_host): with settings(host_string='%s' %(source_host), warn_only=True, abort_on_prompts=False): if exists(filename): filedir = os.path.dirname(filename) if not os.path.exists(filedir): os.makedirs(filedir) get_as_sudo(filename, filename) return filename return "" cfgm_host = env.roledefs['cfgm'][0] auth_protocol = get_authserver_protocol() try: auth_server_ip = get_authserver_ip() except Exception: auth_server_ip = None auth_server_port = get_authserver_port() api_auth_protocol = get_apiserver_protocol() if api_auth_protocol == 'https': api_certfile = validate_and_copy_file(get_apiserver_certfile(), cfgm_host) api_keyfile = validate_and_copy_file(get_apiserver_keyfile(), cfgm_host) api_cafile = validate_and_copy_file(get_apiserver_cafile(), cfgm_host) api_insecure_flag = get_apiserver_insecure_flag() else: api_certfile = "" api_keyfile = "" api_cafile = "" api_insecure_flag = True cert_dir = os.path.dirname(api_certfile) if auth_protocol == 'https': keystone_cafile = validate_and_copy_file(cert_dir + '/' +\ os.path.basename(get_keystone_cafile()), cfgm_host) keystone_certfile = validate_and_copy_file(cert_dir + '/' +\ os.path.basename(get_keystone_certfile()), cfgm_host) keystone_keyfile = keystone_certfile keystone_insecure_flag = istrue(os.getenv('OS_INSECURE', \ get_keystone_insecure_flag())) else: keystone_certfile = "" keystone_keyfile = "" keystone_cafile = "" keystone_insecure_flag = True with settings(warn_only=True), hide('everything'): with lcd(contrail_fab_path): if local('git branch').succeeded: fab_revision = local('git log --format="%H" -n 1', capture=True) else: with settings(host_string=cfgm_host), hide('everything'): fab_revision = run('cat /opt/contrail/contrail_packages/VERSION') with lcd(test_dir): if local('git branch').succeeded: revision = local('git log --format="%H" -n 1', capture=True) else: with settings(host_string=cfgm_host), hide('everything'): revision = run('cat /opt/contrail/contrail_packages/VERSION') sanity_testbed_dict = { 'hosts': [], 'vgw': [], 'esxi_vms':[], 'vcenter_servers':[], 'hosts_ipmi': [], 'tor':[], 'sriov':[], 'dpdk':[], 'ns_agilio_vrouter':[], } sample_ini_file = test_dir + '/' + 'sanity_params.ini.sample' with open(sample_ini_file, 'r') as fd_sample_ini: contents_sample_ini = fd_sample_ini.read() sanity_ini_templ = string.Template(contents_sample_ini) if not getattr(env, 'test', None): env.test={} containers = env.test.get('containers') traffic_data = env.test.get('traffic_data') ixia_linux_host_ip = get_value_of_key(traffic_data, 'ixia_linux_host_ip') ixia_host_ip = get_value_of_key(traffic_data, 'ixia_host_ip') spirent_linux_host_ip = get_value_of_key(traffic_data, 'spirent_linux_host_ip') ixia_linux_username = get_value_of_key(traffic_data, 'ixia_linux_username') ixia_linux_password = get_value_of_key(traffic_data, 'ixia_linux_password') spirent_linux_username = get_value_of_key(traffic_data, 'spirent_linux_username') spirent_linux_password = get_value_of_key(traffic_data, 'spirent_linux_password') if env.get('orchestrator', 'openstack') == 'openstack': with settings(host_string = env.roledefs['openstack'][0]), hide('everything'): openstack_host_name = run("hostname") with settings(host_string = env.roledefs['cfgm'][0]), hide('everything'): cfgm_host_name = run("hostname") control_host_names = [] for control_host in env.roledefs['control']: with settings(host_string = control_host), hide('everything'): host_name = run("hostname") control_host_names.append(host_name) cassandra_host_names = [] if 'database' in env.roledefs.keys(): for cassandra_host in env.roledefs['database']: with settings(host_string = cassandra_host), hide('everything'): host_name = run("hostname") cassandra_host_names.append(host_name) keystone_version = get_keystone_version() internal_vip = get_openstack_internal_vip() external_vip = get_openstack_external_vip() contrail_internal_vip = get_contrail_internal_vip() contrail_external_vip = get_contrail_external_vip() multi_role_test = False for host_string in env.roledefs['all']: if host_string in env.roledefs.get('test',[]): for role in env.roledefs.iterkeys(): if role in ['test','all']: continue if host_string in env.roledefs.get(role,[]): multi_role_test=True break if not multi_role_test: continue host_ip = host_string.split('@')[1] with settings(host_string = host_string), hide('everything'): try: host_name = run("hostname") host_fqname = run("hostname -f") except: logger.warn('Unable to login to %s'%host_ip) continue host_dict = {} host_dict['ip'] = host_ip host_dict['data-ip']= get_data_ip(host_string)[0] if host_dict['data-ip'] == host_string.split('@')[1]: host_dict['data-ip'] = get_data_ip(host_string)[0] host_dict['control-ip']= get_control_host_string(host_string).split('@')[1] host_dict['name'] = host_name host_dict['fqname'] = host_fqname host_dict['username'] = host_string.split('@')[0] host_dict['password'] =get_env_passwords(host_string) host_dict['roles'] = [] if env.get('qos', {}): if host_string in env.qos.keys(): role_dict = env.qos[host_string] host_dict['qos'] = role_dict if env.get('qos_niantic', {}): if host_string in env.qos_niantic.keys(): role_dict = env.qos_niantic[host_string] host_dict['qos_niantic'] = role_dict if host_string in env.roledefs['openstack']: role_dict = {'type': 'openstack', 'params': {'cfgm': cfgm_host_name}} role_dict['container'] = get_container_name(containers, host_string, 'openstack') host_dict['roles'].append(role_dict) if host_string in env.roledefs['cfgm']: role_dict = {'type': 'cfgm', 'params': {'collector': host_name, 'cassandra': ' '.join(cassandra_host_names)}} role_dict['container'] = get_container_name(containers, host_string, 'controller') if env.get('orchestrator', 'openstack') == 'openstack': role_dict['openstack'] = openstack_host_name host_dict['roles'].append(role_dict) if host_string in env.roledefs['control']: role_dict = {'type': 'bgp', 'params': {'collector': cfgm_host_name, 'cfgm': cfgm_host_name}} role_dict['container'] = get_container_name(containers, host_string, 'controller') host_dict['roles'].append(role_dict) if 'database' in env.roledefs.keys() and host_string in env.roledefs['database']: role_dict = { 'type': 'database', 'params': {'cassandra': ' '.join(cassandra_host_names)} } role_dict['container'] = get_container_name(containers, host_string, 'analyticsdb') host_dict['roles'].append(role_dict) if not env.roledefs.get('compute'): env.roledefs['compute'] = [] if host_string in env.roledefs['compute']: role_dict = {'type': 'compute', 'params': {'collector': cfgm_host_name, 'cfgm': cfgm_host_name}} role_dict['container'] = get_container_name(containers, host_string, 'agent') role_dict['params']['bgp'] = [] if len(env.roledefs['control']) == 1: role_dict['params']['bgp'] = control_host_names else: for control_node in control_host_names: role_dict['params']['bgp'].append(control_node) # role_dict['params']['bgp'].extend(control_host_names[randrange(len(env.roledefs['control']))]) host_dict['roles'].append(role_dict) if host_string in env.roledefs.get('lb',[]): role_dict = {'type': 'lb', 'params': {'lb': host_name}} role_dict['container'] = get_container_name(containers, host_string, 'lb') host_dict['roles'].append(role_dict) if 'collector' in env.roledefs.keys() and host_string in env.roledefs['collector']: role_dict = { 'type': 'collector', 'params': {'cassandra': ' '.join(cassandra_host_names)} } role_dict['container'] = get_container_name(containers, host_string, 'analytics') host_dict['roles'].append(role_dict) if 'webui' in env.roledefs.keys() and host_string in env.roledefs['webui']: role_dict = { 'type': 'webui', 'params': {'cfgm': cfgm_host_name} } role_dict['container'] = get_container_name(containers, host_string, 'controller') host_dict['roles'].append(role_dict) # Kube managers if 'contrail-kubernetes' in env.roledefs.keys() and \ host_string in env.roledefs['contrail-kubernetes']: role_dict = { 'type': 'contrail-kubernetes', 'params': {} } role_dict['container'] = get_container_name(containers, host_string, 'contrail-kube-manager') host_dict['roles'].append(role_dict) sanity_testbed_dict['hosts'].append(host_dict) if env.has_key('vgw'): sanity_testbed_dict['vgw'].append(env.vgw) #get sriov info if env.has_key('sriov'): sanity_testbed_dict['sriov'].append(env.sriov) #get dpdk info if env.has_key('dpdk'): sanity_testbed_dict['dpdk'].append(env.dpdk) #get k8s info sanity_testbed_dict['kubernetes'] = env.get('kubernetes', {}) #get ns_agilio_vrouter info if env.has_key('ns_agilio_vrouter'): sanity_testbed_dict['ns_agilio_vrouter'].append(env.ns_agilio_vrouter) # Read ToR config sanity_tor_dict = {} if env.has_key('tor_agent'): sanity_testbed_dict['tor_agent'] = env.tor_agent # Read any tor-host config if env.has_key('tor_hosts'): sanity_testbed_dict['tor_hosts'] = env.tor_hosts if env.has_key('xmpp_auth_enable'): sanity_testbed_dict['xmpp_auth_enable'] = env.xmpp_auth_enable if env.has_key('xmpp_dns_auth_enable'): sanity_testbed_dict['xmpp_dns_auth_enable'] = env.xmpp_dns_auth_enable if env.has_key('metadata_ssl_enable'): sanity_testbed_dict['metadata_ssl_enable'] = env.metadata_ssl_enable if env.has_key('dm_mx'): sanity_testbed_dict['dm_mx'] = env.dm_mx # Read any MX config (as physical_router ) if env.has_key('physical_routers'): sanity_testbed_dict['physical_routers'] = env.physical_routers esxi_hosts = getattr(testbed, 'esxi_hosts', None) if esxi_hosts: for esxi in esxi_hosts: host_dict = {} host_dict['ip'] = esxi_hosts[esxi]['ip'] host_dict['data-ip'] = host_dict['ip'] host_dict['control-ip'] = host_dict['ip'] host_dict['name'] = esxi host_dict['username'] = esxi_hosts[esxi]['username'] host_dict['password'] = esxi_hosts[esxi]['password'] #Its used for vcenter only mode provosioning for contrail-vm #Its not needed for vcenter_gateway mode, hence might not be there in testbed.py if 'contrail_vm' in esxi_hosts[esxi]: host_dict['contrail_vm'] = esxi_hosts[esxi]['contrail_vm']['host'] host_dict['roles'] = [] host_dict['type'] = 'esxi' sanity_testbed_dict['hosts'].append(host_dict) sanity_testbed_dict['esxi_vms'].append(host_dict) vcenter_servers = env.get('vcenter_servers') if vcenter_servers: for vcenter in vcenter_servers: sanity_testbed_dict['vcenter_servers'].append(vcenter_servers[vcenter]) orch = getattr(env, 'orchestrator', 'openstack') deployer = getattr(env, 'deployer', 'openstack') #get other orchestrators (vcenter etc) info if any slave_orch = None if env.has_key('other_orchestrators'): sanity_testbed_dict['other_orchestrators'] = env.other_orchestrators for k,v in env.other_orchestrators.items(): if v['type'] == 'vcenter': slave_orch = 'vcenter' # get host ipmi list if env.has_key('hosts_ipmi'): sanity_testbed_dict['hosts_ipmi'].append(env.hosts_ipmi) # Setting slave orch to k8s when key present if env.has_key('kubernetes'): if sanity_testbed_dict['kubernetes']['mode'] == 'nested': slave_orch = 'kubernetes' # generate json file and copy to cfgm sanity_testbed_json = json.dumps(sanity_testbed_dict) stack_user = os.getenv('STACK_USER', env.get('stack_user', env.test.get('stack_user', ''))) stack_password = os.getenv('STACK_PASSWORD', env.test.get('stack_password','')) stack_tenant = os.getenv('STACK_TENANT', env.get('stack_tenant', env.test.get('stack_tenant', ''))) stack_domain = os.getenv('STACK_DOMAIN', env.get('stack_domain', env.test.get('stack_domain', ''))) use_project_scoped_token = env.test.get('use_project_scoped_token', '') if not env.has_key('domain_isolation'): env.domain_isolation = False if not env.has_key('cloud_admin_domain'): env.cloud_admin_domain = 'Default' if not env.has_key('cloud_admin_user'): env.cloud_admin_user = '******' if not env.has_key('cloud_admin_password'): env.cloud_admin_password = env.get('openstack_admin_password') domain_isolation = os.getenv('DOMAIN_ISOLATION', env.test.get('domain_isolation', env.domain_isolation)) cloud_admin_domain = os.getenv('CLOUD_ADMIN_DOMAIN', env.test.get('cloud_admin_domain', env.cloud_admin_domain)) cloud_admin_user = os.getenv('CLOUD_ADMIN_USER', env.test.get('cloud_admin_user', env.cloud_admin_user)) cloud_admin_password = os.getenv('CLOUD_ADMIN_PASSWORD', env.test.get('cloud_admin_password', env.cloud_admin_password)) tenant_isolation = os.getenv('TENANT_ISOLATION', env.test.get('tenant_isolation', '')) stop_on_fail = env.get('stop_on_fail', False) mail_to = os.getenv('MAIL_TO', env.test.get('mail_to', '')) log_scenario = env.get('log_scenario', 'Sanity') stack_region_name = get_region_name() admin_user, admin_password = get_authserver_credentials() if orch == 'kubernetes': admin_tenant = 'default' else: admin_tenant = get_admin_tenant_name() # Few hardcoded variables for sanity environment # can be removed once we move to python3 and configparser webserver_host = os.getenv('WEBSERVER_HOST', env.test.get('webserver_host','')) webserver_user = os.getenv('WEBSERVER_USER', env.test.get('webserver_user', '')) webserver_password = os.getenv('WEBSERVER_PASSWORD', env.test.get('webserver_password', '')) webserver_log_path = os.getenv('WEBSERVER_LOG_PATH', env.test.get('webserver_log_path', '/var/www/contrail-test-ci/logs/')) webserver_report_path = os.getenv('WEBSERVER_REPORT_PATH', env.test.get('webserver_report_path', '/var/www/contrail-test-ci/reports/')) webroot = os.getenv('WEBROOT', env.test.get('webroot', 'contrail-test-ci')) mail_server = os.getenv('MAIL_SERVER', env.test.get('mail_server', '')) mail_port = os.getenv('MAIL_PORT', env.test.get('mail_port', '25')) fip_pool_name = os.getenv('FIP_POOL_NAME', env.test.get('fip_pool_name', 'floating-ip-pool')) public_virtual_network = os.getenv('PUBLIC_VIRTUAL_NETWORK', env.test.get('public_virtual_network', 'public')) public_tenant_name = os.getenv('PUBLIC_TENANT_NAME', env.test.get('public_tenant_name', 'admin')) fixture_cleanup = os.getenv('FIXTURE_CLEANUP', env.test.get('fixture_cleanup', 'yes')) generate_html_report = os.getenv('GENERATE_HTML_REPORT', env.test.get('generate_html_report', 'True')) keypair_name = os.getenv('KEYPAIR_NAME', env.test.get('keypair_name', 'contrail_key')) mail_sender = os.getenv('MAIL_SENDER', env.test.get('mail_sender', '*****@*****.**')) discovery_ip = os.getenv('DISCOVERY_IP', env.test.get('discovery_ip', '')) config_api_ip = os.getenv('CONFIG_API_IP', env.test.get('config_api_ip', '')) analytics_api_ip = os.getenv('ANALYTICS_API_IP', env.test.get('analytics_api_ip', '')) discovery_port = os.getenv('DISCOVERY_PORT', env.test.get('discovery_port', '')) config_api_port = os.getenv('CONFIG_API_PORT', env.test.get('config_api_port', '')) analytics_api_port = os.getenv('ANALYTICS_API_PORT', env.test.get('analytics_api_port', '')) control_port = os.getenv('CONTROL_PORT', env.test.get('control_port', '')) dns_port = os.getenv('DNS_PORT', env.test.get('dns_port', '')) agent_port = os.getenv('AGENT_PORT', env.test.get('agent_port', '')) user_isolation = os.getenv('USER_ISOLATION', env.test.get('user_isolation', False if stack_user else True)) neutron_username = os.getenv('NEUTRON_USERNAME', env.test.get('neutron_username', None)) availability_zone = os.getenv('AVAILABILITY_ZONE', env.test.get('availability_zone', None)) ci_flavor = os.getenv('CI_FLAVOR', env.test.get('ci_flavor', None)) kube_config_file = env.test.get('kube_config_file', '/etc/kubernetes/admin.conf') openshift_src_config_file = env.test.get('openshift_src_config_file', '/root/.kube/config') use_devicemanager_for_md5 = getattr(testbed, 'use_devicemanager_for_md5', False) router_asn = getattr(testbed, 'router_asn', '') public_vn_rtgt = getattr(testbed, 'public_vn_rtgt', '') public_vn_subnet = getattr(testbed, 'public_vn_subnet', '') ext_routers = getattr(testbed, 'ext_routers', '') router_info = str(ext_routers) fabric_gw = getattr(testbed, 'fabric_gw', '') fabric_gw_info = str(fabric_gw) test_verify_on_setup = getattr(env, 'test_verify_on_setup', True) webui = getattr(testbed, 'webui', False) horizon = getattr(testbed, 'horizon', False) ui_config = getattr(testbed, 'ui_config', False) ui_browser = getattr(testbed, 'ui_browser', False) if not env.has_key('openstack'): env.openstack = {} if not env.has_key('cfgm'): env.cfgm = {} config_amqp_ip = env.openstack.get('amqp_host', '') if config_amqp_ip: config_amqp_ips = [config_amqp_ip] else: config_amqp_ips = [] # If amqp details are in env.cfgm as well, use that config_amqp_port = env.cfgm.get('amqp_port', '5672') config_amqp_ips = env.cfgm.get('amqp_hosts', config_amqp_ips) key_filename = env.get('key_filename', '') pubkey_filename = env.get('pubkey_filename', '') vcenter_dc = '' if orch == 'vcenter' or slave_orch== 'vcenter': public_tenant_name='vCenter' if env.has_key('vcenter_servers'): if env.vcenter_servers: for vc in env.vcenter_servers: for dc in env.vcenter_servers[vc]['datacenters']: vcenter_dc = dc #global controller gc_host_mgmt = getattr(testbed, 'gc_host_mgmt', '') gc_host_control_data = getattr(testbed, 'gc_host_control_data', '') gc_user_name = getattr(testbed, 'gc_user_name', '') gc_user_pwd = getattr(testbed, 'gc_user_pwd', '') keystone_password = getattr(testbed, 'keystone_password', '') sanity_params = sanity_ini_templ.safe_substitute( {'__testbed_json_file__' : 'sanity_testbed.json', '__keystone_version__' : keystone_version, '__use_project_scoped_token__': use_project_scoped_token, '__nova_keypair_name__' : keypair_name, '__orch__' : orch, '__deployer__' : deployer, '__admin_user__' : admin_user, '__admin_password__' : admin_password, '__admin_tenant__' : admin_tenant, '__domain_isolation__' : domain_isolation, '__cloud_admin_domain__' : cloud_admin_domain, '__cloud_admin_user__' : cloud_admin_user, '__cloud_admin_password__': cloud_admin_password, '__tenant_isolation__' : tenant_isolation, '__stack_user__' : stack_user, '__stack_password__' : stack_password, '__auth_ip__' : auth_server_ip, '__auth_port__' : auth_server_port, '__auth_protocol__' : auth_protocol, '__stack_region_name__' : stack_region_name, '__stack_tenant__' : stack_tenant, '__stack_domain__' : stack_domain, '__multi_tenancy__' : get_mt_enable(), '__address_family__' : get_address_family(), '__log_scenario__' : log_scenario, '__generate_html_report__': generate_html_report, '__fixture_cleanup__' : fixture_cleanup, '__key_filename__' : key_filename, '__pubkey_filename__' : pubkey_filename, '__webserver__' : webserver_host, '__webserver_user__' : webserver_user, '__webserver_password__' : webserver_password, '__webserver_log_dir__' : webserver_log_path, '__webserver_report_dir__': webserver_report_path, '__webroot__' : webroot, '__mail_server__' : mail_server, '__mail_port__' : mail_port, '__sender_mail_id__' : mail_sender, '__receiver_mail_id__' : mail_to, '__http_proxy__' : env.get('http_proxy', ''), '__ui_browser__' : ui_browser, '__ui_config__' : ui_config, '__horizon__' : horizon, '__webui__' : webui, '__devstack__' : False, '__public_vn_rtgt__' : public_vn_rtgt, '__router_asn__' : router_asn, '__router_name_ip_tuples__': router_info, '__fabric_gw_name_ip_tuple__': fabric_gw_info, '__public_vn_name__' : fip_pool_name, '__public_virtual_network__':public_virtual_network, '__public_tenant_name__' :public_tenant_name, '__public_vn_subnet__' : public_vn_subnet, '__test_revision__' : revision, '__fab_revision__' : fab_revision, '__test_verify_on_setup__': test_verify_on_setup, '__stop_on_fail__' : stop_on_fail, '__ha_setup__' : getattr(testbed, 'ha_setup', ''), '__ipmi_username__' : getattr(testbed, 'ipmi_username', ''), '__ipmi_password__' : getattr(testbed, 'ipmi_password', ''), '__contrail_internal_vip__' : contrail_internal_vip, '__contrail_external_vip__' : contrail_external_vip, '__internal_vip__' : internal_vip, '__external_vip__' : external_vip, '__vcenter_dc__' : vcenter_dc, '__vcenter_server__' : get_vcenter_ip(), '__vcenter_port__' : get_vcenter_port(), '__vcenter_username__' : get_vcenter_username(), '__vcenter_password__' : get_vcenter_password(), '__vcenter_datacenter__' : get_vcenter_datacenter(), '__vcenter_compute__' : get_vcenter_compute(), '__use_devicemanager_for_md5__' : use_devicemanager_for_md5, '__discovery_port__' : discovery_port, '__config_api_port__' : config_api_port, '__analytics_api_port__' : analytics_api_port, '__control_port__' : control_port, '__dns_port__' : dns_port, '__vrouter_agent_port__' : agent_port, '__discovery_ip__' : discovery_ip, '__config_api_ip__' : config_api_ip, '__analytics_api_ip__' : analytics_api_ip, '__user_isolation__' : user_isolation, '__neutron_username__' : neutron_username, '__availability_zone__' : availability_zone, '__ci_flavor__' : ci_flavor, '__config_amqp_ips__' : ','.join(config_amqp_ips), '__config_amqp_port__' : config_amqp_port, '__api_auth_protocol__' : api_auth_protocol, '__api_certfile__' : api_certfile, '__api_keyfile__' : api_keyfile, '__api_cafile__' : api_cafile, '__api_insecure_flag__' : api_insecure_flag, '__keystone_certfile__' : keystone_certfile, '__keystone_keyfile__' : keystone_keyfile, '__keystone_cafile__' : keystone_cafile, '__keystone_insecure_flag__': keystone_insecure_flag, '__gc_host_mgmt__' : gc_host_mgmt, '__gc_host_control_data__': gc_host_control_data, '__gc_user_name__' : gc_user_name, '__gc_user_pwd__' : gc_user_pwd, '__keystone_password__' : keystone_password, '__slave_orch__' : slave_orch, '__ixia_linux_host_ip__' : ixia_linux_host_ip, '__ixia_host_ip__' : ixia_host_ip, '__spirent_linux_host_ip__': spirent_linux_host_ip, '__ixia_linux_username__' : ixia_linux_username, '__ixia_linux_password__' : ixia_linux_password, '__spirent_linux_username__': spirent_linux_username, '__spirent_linux_password__': spirent_linux_password, }) ini_file = test_dir + '/' + 'sanity_params.ini' testbed_json_file = test_dir + '/' + 'sanity_testbed.json' with open(ini_file, 'w') as ini: ini.write(sanity_params) with open(testbed_json_file,'w') as tb: tb.write(sanity_testbed_json) # Create /etc/contrail/openstackrc if not os.path.exists('/etc/contrail'): os.makedirs('/etc/contrail') keycertbundle = None if keystone_cafile and keystone_keyfile and keystone_certfile: bundle = '/tmp/keystonecertbundle.pem' certs = [keystone_certfile, keystone_keyfile, keystone_cafile] keycertbundle = utils.getCertKeyCaBundle(bundle, certs) with open('/etc/contrail/openstackrc','w') as rc: rc.write("export OS_USERNAME=%s\n" % admin_user) rc.write("export OS_PASSWORD=%s\n" % admin_password) rc.write("export OS_TENANT_NAME=%s\n" % admin_tenant) rc.write("export OS_REGION_NAME=%s\n" % stack_region_name) rc.write("export OS_AUTH_URL=%s://%s:%s/v2.0\n" % (auth_protocol, auth_server_ip, auth_server_port)) rc.write("export OS_CACERT=%s\n" % keycertbundle) rc.write("export OS_CERT=%s\n" % keystone_certfile) rc.write("export OS_KEY=%s\n" % keystone_keyfile) rc.write("export OS_INSECURE=%s\n" % keystone_insecure_flag) rc.write("export OS_NO_CACHE=1\n") # Write vnc_api_lib.ini - this is required for vnc_api to connect to keystone config = ConfigParser.ConfigParser() config.optionxform = str vnc_api_ini = '/etc/contrail/vnc_api_lib.ini' if os.path.exists(vnc_api_ini): config.read(vnc_api_ini) if 'auth' not in config.sections(): config.add_section('auth') config.set('auth','AUTHN_TYPE', 'keystone') config.set('auth','AUTHN_PROTOCOL', auth_protocol) config.set('auth','AUTHN_SERVER', auth_server_ip) config.set('auth','AUTHN_PORT', auth_server_port) if keystone_version == 'v3': config.set('auth','AUTHN_URL', '/v3/auth/tokens') else: config.set('auth','AUTHN_URL', '/v2.0/tokens') if api_auth_protocol == 'https': if 'global' not in config.sections(): config.add_section('global') config.set('global','certfile', api_certfile) config.set('global','cafile', api_cafile) config.set('global','keyfile', api_keyfile) config.set('global','insecure',api_insecure_flag) if auth_protocol == 'https': if 'auth' not in config.sections(): config.add_section('auth') config.set('auth','certfile', keystone_certfile) config.set('auth','cafile', keystone_cafile) config.set('auth','keyfile', keystone_keyfile) config.set('auth','insecure', keystone_insecure_flag) with open(vnc_api_ini,'w') as f: config.write(f) # Get kube config file to the testrunner node if orch == 'kubernetes' or slave_orch == 'kubernetes': if not os.path.exists(kube_config_file): dir_name = os.path.dirname(kube_config_file) if not os.path.exists(dir_name): os.makedirs(dir_name) with settings(host_string = env.kubernetes['master']): if deployer == 'openshift' : get(openshift_src_config_file, kube_config_file) else: get(kube_config_file, kube_config_file) # If webui = True, in testbed, setup webui for sanity if webui: sku = get_build_sku(cfgm_host) update_config_option('openstack', '/etc/keystone/keystone.conf', 'token', 'expiration', '86400','keystone', sku) update_js_config('webui', '/etc/contrail/config.global.js', 'contrail-webui', container=is_container_env)
def __init__(self, server_mgr, args): self.args = args _kscertbundle='' if args.auth_protocol == 'https' and args.cafile: certs=[args.cafile] if args.keyfile and args.certfile: certs=[args.certfile, args.keyfile, args.cafile] _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) self._conf_info = { 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure': args.insecure, 'signing_dir': args.signing_dir, } if args.auth_url: auth_url = args.auth_url else: auth_url = '%s://%s:%s/%s' % ( args.auth_protocol, args.auth_host, args.auth_port, _DEFAULT_KS_VERSION) if 'v2.0' in auth_url.split('/'): identity_uri = '%s://%s:%s' % ( args.auth_protocol, args.auth_host, args.auth_port) self._conf_info.update({ 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'identity_uri': identity_uri}) else: self._conf_info.update({ 'auth_type': args.auth_type, 'auth_url': auth_url, 'username': args.admin_user, 'password': args.admin_password, }) # Add user domain info self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args)) # Get project scope auth params scope_kwargs = cfgmutils.get_project_scope_kwargs(args) if not scope_kwargs: # Default to domain scoped auth scope_kwargs = cfgmutils.get_domain_scope_kwargs(args) self._conf_info.update(**scope_kwargs) if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._auth_needed = server_mgr.is_auth_needed() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._auth_needed and 'memcache_servers' in args: self._conf_info[ 'memcached_servers'] = args.memcache_servers.split(',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time self._user_auth_middleware = None self._hdr_from_token_auth_middleware = None
def fill_keystone_opts(obj, conf_sections): obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user') obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password') obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token') obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name') try: obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE', 'keystone_sync_on_demand') except ConfigParser.NoOptionError: obj._keystone_sync_on_demand = True try: obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure') except ConfigParser.NoOptionError: obj._insecure = True try: obj._certfile = conf_sections.get('KEYSTONE', 'certfile') except ConfigParser.NoOptionError: obj._certfile = '' try: obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile') except ConfigParser.NoOptionError: obj._keyfile = '' try: obj._cafile= conf_sections.get('KEYSTONE', 'cafile') except ConfigParser.NoOptionError: obj._cafile = '' obj._kscertbundle='' obj._use_certs=False if obj._certfile and obj._keyfile and obj._cafile: certs=[obj._certfile,obj._keyfile,obj._cafile] obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) obj._use_certs=True try: obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url') except ConfigParser.NoOptionError: # deprecated knobs - for backward compat obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol') obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host') obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port') obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port) try: obj._err_file = conf_sections.get('DEFAULTS', 'trace_file') except ConfigParser.NoOptionError: obj._err_file = '/var/log/contrail/vnc_openstack.err' try: # Duration between polls to keystone to find deleted projects resync_interval = conf_sections.get('DEFAULTS', 'keystone_resync_interval_secs') except ConfigParser.NoOptionError: resync_interval = '60' obj._resync_interval_secs = int(resync_interval) try: # Number of workers used to process keystone project resyncing resync_workers = conf_sections.get('DEFAULTS', 'keystone_resync_workers') except ConfigParser.NoOptionError: resync_workers = '10' obj._resync_number_workers = int(resync_workers) try: # Get the domain_id for keystone v3 obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id') except ConfigParser.NoOptionError: obj._domain_id = 'default' try: # Get the user_domain_name for keystone v3 obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name') except ConfigParser.NoOptionError: obj._user_domain_name = 'Default' try: # Get the project_domain_name for keystone v3 obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name') except ConfigParser.NoOptionError: obj._project_domain_name = None try: # Get the project_name for keystone v3 obj._project_name = conf_sections.get('KEYSTONE', 'project_name') except ConfigParser.NoOptionError: obj._project_name = obj._admin_tenant