def _v3_client_init(self): client = kc_v3.Client(session=self.session, connect_retries=cfg.CONF.client_retry_limit, region_name=self.auth_region_name) if hasattr(self.context.auth_plugin, 'get_access'): # NOTE(jamielennox): get_access returns the current token without # reauthenticating if it's present and valid. try: auth_ref = self.context.auth_plugin.get_access(self.session) except ks_exception.Unauthorized: LOG.error("Keystone client authentication failed") raise exception.AuthorizationFailure() if self.context.trust_id: # Sanity check if not auth_ref.trust_scoped: LOG.error("trust token re-scoping failed!") raise exception.AuthorizationFailure() # Sanity check that impersonation is effective if self.context.trustor_user_id != auth_ref.user_id: LOG.error("Trust impersonation failed") raise exception.AuthorizationFailure() return client
def _v2_client_init(self): kwargs = { 'auth_url': self.context.auth_url, 'endpoint': self.context.auth_url, 'region_name': cfg.CONF.region_name_for_services } if self.context.region_name is not None: kwargs['region_name'] = self.context.region_name auth_kwargs = {} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate, then re-scope the token to the # trust impersonating the trustor user. # Note that this currently requires the trustor tenant_id # to be passed to the authenticate(), unlike the v3 call kwargs.update(self._service_admin_creds()) auth_kwargs['trust_id'] = self.context.trust_id auth_kwargs['tenant_id'] = self.context.tenant_id elif self.context.auth_token is not None: kwargs['tenant_name'] = self.context.tenant kwargs['token'] = self.context.auth_token elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['tenant_name'] = self.context.tenant kwargs['tenant_id'] = self.context.tenant_id else: LOG.error( _LE("Keystone v2 API connection failed, no password " "or auth_token!")) raise exception.AuthorizationFailure() kwargs['cacert'] = self._get_client_option('ca_file') kwargs['insecure'] = self._get_client_option('insecure') kwargs['cert'] = self._get_client_option('cert_file') kwargs['key'] = self._get_client_option('key_file') client = kc.Client(**kwargs) client.authenticate(**auth_kwargs) # If we are authenticating with a trust auth_kwargs are set, so set # the context auth_token with the re-scoped trust token if auth_kwargs: # Sanity check if not client.auth_ref.trust_scoped: LOG.error(_LE("v2 trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client.auth_ref.auth_token self.context.auth_url = kwargs.get('auth_url') # Ensure the v2 API we're using is not impacted by keystone # bug #1239303, otherwise we can't trust the user_id if self.context.trustor_user_id != client.auth_ref.user_id: LOG.error( _LE("Trust impersonation failed, bug #1239303 " "suspected, you may need a newer keystone")) raise exception.AuthorizationFailure() return client
def _v3_client_init(self): kwargs = {'auth_url': self.v3_endpoint, 'endpoint': self.v3_endpoint} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id kwargs.pop('project_name') elif self.context.auth_token_info is not None: # The auth_ref version must be set according to the token version if 'access' in self.context.auth_token_info: kwargs['auth_ref'] = copy.deepcopy( self.context.auth_token_info['access']) kwargs['auth_ref']['version'] = 'v2.0' kwargs['auth_ref']['token']['id'] = self.context.auth_token elif 'token' in self.context.auth_token_info: kwargs['auth_ref'] = copy.deepcopy( self.context.auth_token_info['token']) kwargs['auth_ref']['version'] = 'v3' kwargs['auth_ref']['auth_token'] = self.context.auth_token else: LOG.error(_LE('Unknown version in auth_token_info')) raise exception.AuthorizationFailure( _('Unknown token version')) elif self.context.auth_token is not None: kwargs['token'] = self.context.auth_token kwargs['project_id'] = self.context.tenant_id elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['project_id'] = self.context.tenant_id else: LOG.error( _LE("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() kwargs.update(self._ssl_options()) client = kc_v3.Client(**kwargs) # If auth_ref has already be specified via auth_token_info, don't # authenticate as we want to reuse, rather than request a new token if 'auth_ref' not in kwargs: client.authenticate() # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client.auth_ref.trust_scoped: LOG.error(_LE("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # Sanity check that impersonation is effective if self.context.trustor_user_id != client.auth_ref.user_id: LOG.error(_LE("Trust impersonation failed")) raise exception.AuthorizationFailure() return client
def _v3_client_init(self): if self.context.auth_url: v3_endpoint = self.context.auth_url.replace('v2.0', 'v3') else: # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystoneclient.middleware.auth_token') v3_endpoint = self.conf.keystone_authtoken.auth_uri.replace( 'v2.0', 'v3') kwargs = {'auth_url': v3_endpoint, 'endpoint': v3_endpoint} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id elif self.context.auth_token is not None: kwargs['project_name'] = self.context.tenant kwargs['token'] = self.context.auth_token elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['project_name'] = self.context.tenant kwargs['project_id'] = self.context.tenant_id else: logger.error( _("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() kwargs['cacert'] = self._get_client_option('ca_file') kwargs['insecure'] = self._get_client_option('insecure') kwargs['cert'] = self._get_client_option('cert_file') kwargs['key'] = self._get_client_option('key_file') client_v3 = kc_v3.Client(**kwargs) client_v3.authenticate() # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client_v3.auth_ref.trust_scoped: logger.error(_("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client_v3.auth_ref.auth_token self.context.auth_url = kwargs.get('auth_url') # Sanity check that impersonation is effective if self.context.trustor_user_id != client_v3.auth_ref.user_id: logger.error("Trust impersonation failed") raise exception.AuthorizationFailure() return client_v3
def domain_admin_auth(self): if not self._domain_admin_auth: # Note we must specify the domain when getting the token # as only a domain scoped token can create projects in the domain if self._stack_domain_is_id: auth_kwargs = { 'domain_id': self.stack_domain, 'user_domain_id': self.stack_domain } else: auth_kwargs = { 'domain_name': self.stack_domain, 'user_domain_name': self.stack_domain } auth = kc_auth_v3.Password(username=self.domain_admin_user, password=self.domain_admin_password, auth_url=self.v3_endpoint, **auth_kwargs) # NOTE(jamielennox): just do something to ensure a valid token try: auth.get_token(self.session) except kc_exception.Unauthorized: LOG.error(_LE("Domain admin client authentication failed")) raise exception.AuthorizationFailure() self._domain_admin_auth = auth return self._domain_admin_auth
def create_trust_context(self): """Create a trust using the trustor identity in the current context. The trust is created with the trustee as the heat service user. If the current context already contains a trust_id, we do nothing and return the current context. Returns a context containing the new trust_id. """ if self.context.trust_id: return self.context # We need the service admin user ID (not name), as the trustor user # can't lookup the ID in keystoneclient unless they're admin # workaround this by getting the user_id from admin_client try: trustee_user_id = self.context.trusts_auth_plugin.get_user_id( self.session) except ks_exception.Unauthorized: LOG.error("Domain admin client authentication failed") raise exception.AuthorizationFailure() trustor_user_id = self.context.auth_plugin.get_user_id(self.session) trustor_proj_id = self.context.auth_plugin.get_project_id(self.session) role_kw = {} # inherit the roles of the trustor, unless set trusts_delegated_roles if cfg.CONF.trusts_delegated_roles: role_kw['role_names'] = cfg.CONF.trusts_delegated_roles else: token_info = self.context.auth_token_info if token_info and token_info.get('token', {}).get('roles'): role_kw['role_ids'] = [ r['id'] for r in token_info['token']['roles'] ] else: role_kw['role_names'] = self.context.roles allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts' and cfg.CONF.allow_trusts_redelegation) try: trust = self.client.trusts.create( trustor_user=trustor_user_id, trustee_user=trustee_user_id, project=trustor_proj_id, impersonation=True, allow_redelegation=allow_redelegation, **role_kw) except ks_exception.NotFound: LOG.debug("Failed to find roles %s for user %s" % (role_kw, trustor_user_id)) raise exception.MissingCredentialError(required=_("roles %s") % role_kw) context_data = self.context.to_dict() context_data['overwrite'] = False trust_context = context.RequestContext.from_dict(context_data) trust_context.trust_id = trust.id trust_context.trustor_user_id = trustor_user_id return trust_context
def _v3_client_init(self): kwargs = {} if self.context.auth_token is not None: kwargs['project_name'] = self.context.tenant kwargs['token'] = self.context.auth_token kwargs['auth_url'] = self.context.auth_url.replace('v2.0', 'v3') kwargs['endpoint'] = kwargs['auth_url'] elif self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials and get a # Token back impersonating the trustor user kwargs.update(self._service_admin_creds(api_version=3)) kwargs['trust_id'] = self.context.trust_id elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['project_name'] = self.context.tenant kwargs['project_id'] = self.context.tenant_id kwargs['auth_url'] = self.context.auth_url.replace('v2.0', 'v3') kwargs['endpoint'] = kwargs['auth_url'] else: logger.error( _("Keystone v3 API connection failed, no password " "or auth_token!")) raise exception.AuthorizationFailure() kwargs['cacert'] = self._get_client_option('ca_file') kwargs['insecure'] = self._get_client_option('insecure') kwargs['cert'] = self._get_client_option('cert_file') kwargs['key'] = self._get_client_option('key_file') client = kc_v3.Client(**kwargs) # Have to explicitly authenticate() or client.auth_ref is None client.authenticate() return client
def _create_auth_plugin(self): if self.auth_token_info: access_info = access.create(body=self.auth_token_info, auth_token=self.auth_token) return access_plugin.AccessInfoPlugin( auth_ref=access_info, auth_url=self.keystone_v3_endpoint) if self.password: # Never trust the password. Refer to keyring LOG.info("Re-determining password from keyring") self.password = keyring.get_password('CGCS', self.username) # TIS user_domain_id is blank. Use user_domain_name to lookup user user_domain_name = cfg.CONF.user_domain_name return generic.Password(username=self.username, password=self.password, project_id=self.tenant_id, user_domain_id=self.user_domain, user_domain_name=user_domain_name, auth_url=self.keystone_v3_endpoint) if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then # url_for wont work. Stub with the keystone endpoint so at # least it might be right. return token_endpoint.Token(endpoint=self.keystone_v3_endpoint, token=self.auth_token) LOG.error("Keystone API connection failed, no password " "trust or auth_token!") raise exception.AuthorizationFailure()
def _create_auth_plugin(self): if self.auth_token_info: access_info = access.create(body=self.auth_token_info, auth_token=self.auth_token) return access_plugin.AccessInfoPlugin( auth_ref=access_info, auth_url=self.keystone_v3_endpoint) if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then # url_for wont work. Stub with the keystone endpoint so at # least it might be right. return token_endpoint.Token(endpoint=self.keystone_v3_endpoint, token=self.auth_token) if self.password: return generic.Password(username=self.username, password=self.password, project_id=self.tenant_id, user_domain_id=self.user_domain, auth_url=self.keystone_v3_endpoint) LOG.error( _LE("Keystone API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure()
def _create_auth_plugin(self): if self.trust_id: importutils.import_module('keystonemiddleware.auth_token') username = cfg.CONF.keystone_authtoken.admin_user password = cfg.CONF.keystone_authtoken.admin_password return v3.Password(username=username, password=password, user_domain_id='default', auth_url=self._keystone_v3_endpoint, trust_id=self.trust_id) if self.auth_token_info: auth_ref = access.AccessInfo.factory(body=self.auth_token_info, auth_token=self.auth_token) return _AccessInfoPlugin(self._keystone_v3_endpoint, auth_ref) if self.auth_token: # FIXME(jamielennox): This is broken but consistent. If you # only have a token but don't load a service catalog then # url_for wont work. Stub with the keystone endpoint so at # least it might be right. return token_endpoint.Token(endpoint=self._keystone_v3_endpoint, token=self.auth_token) if self.password: return v3.Password(username=self.username, password=self.password, project_id=self.tenant_id, user_domain_id='default', auth_url=self._keystone_v3_endpoint) LOG.error(_LE("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure()
def _v2_client_init(self): kwargs = {'auth_url': self.context.auth_url} auth_kwargs = {} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate, then re-scope the token to the # trust impersonating the trustor user. # Note that this currently requires the trustor tenant_id # to be passed to the authenticate(), unlike the v3 call kwargs.update(self._service_admin_creds(api_version=2)) auth_kwargs['trust_id'] = self.context.trust_id auth_kwargs['tenant_id'] = self.context.tenant_id elif self.context.auth_token is not None: kwargs['tenant_name'] = self.context.tenant kwargs['token'] = self.context.auth_token elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['tenant_name'] = self.context.tenant kwargs['tenant_id'] = self.context.tenant_id else: logger.error( _("Keystone v2 API connection failed, no password " "or auth_token!")) raise exception.AuthorizationFailure() kwargs['cacert'] = self._get_client_option('ca_file') kwargs['insecure'] = self._get_client_option('insecure') kwargs['cert'] = self._get_client_option('cert_file') kwargs['key'] = self._get_client_option('key_file') client_v2 = kc.Client(**kwargs) client_v2.authenticate(**auth_kwargs) # If we are authenticating with a trust auth_kwargs are set, so set # the context auth_token with the re-scoped trust token if auth_kwargs: # Sanity check if not client_v2.auth_ref.trust_scoped: logger.error(_("v2 trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client_v2.auth_ref.auth_token self.context.auth_url = kwargs.get('auth_url') return client_v2
def _v3_client_init(self): kwargs = { 'auth_url': self.v3_endpoint, 'endpoint': self.v3_endpoint } # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id elif self.context.auth_token is not None: kwargs['project_name'] = self.context.tenant kwargs['token'] = self.context.auth_token elif self.context.password is not None: kwargs['username'] = self.context.username kwargs['password'] = self.context.password kwargs['project_name'] = self.context.tenant kwargs['project_id'] = self.context.tenant_id else: logger.error(_("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() kwargs.update(self._ssl_options()) client_v3 = kc_v3.Client(**kwargs) client_v3.authenticate() # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client_v3.auth_ref.trust_scoped: logger.error(_("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client_v3.auth_ref.auth_token self.context.auth_url = kwargs.get('auth_url') # Sanity check that impersonation is effective if self.context.trustor_user_id != client_v3.auth_ref.user_id: logger.error("Trust impersonation failed") raise exception.AuthorizationFailure() return client_v3
def stack_domain_id(self): if not self._stack_domain_id: try: access = self.domain_admin_auth.get_access(self.session) except kc_exception.Unauthorized: LOG.error(_LE("Keystone client authentication failed")) raise exception.AuthorizationFailure() self._stack_domain_id = access.domain_id return self._stack_domain_id
def trusts_auth_plugin(self): if not self._trusts_auth_plugin: self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id) if not self._trusts_auth_plugin: LOG.error('Please add the trustee credentials you need ' 'to the %s section of your heat.conf file.', TRUSTEE_CONF_GROUP) raise exception.AuthorizationFailure() return self._trusts_auth_plugin
def keystone_v3_endpoint(self): if self.auth_url: return self.auth_url.replace('v2.0', 'v3') else: auth_uri = endpoint_utils.get_auth_uri() if auth_uri: return auth_uri else: LOG.error('Keystone API endpoint not provided. Set ' 'auth_uri in section [clients_keystone] ' 'of the configuration file.') raise exception.AuthorizationFailure()
def admin_client(self): if not self._admin_client: # Create admin client connection to v3 API admin_creds = self._service_admin_creds() admin_creds.update(self._ssl_options()) c = kc_v3.Client(**admin_creds) if c.authenticate(): self._admin_client = c else: logger.error("Admin client authentication failed") raise exception.AuthorizationFailure() return self._admin_client
def admin_client(self): if not self._admin_client: # Create admin client connection to v3 API admin_creds = self._service_admin_creds() admin_creds.update(self._ssl_options()) c = kc_v3.Client(**admin_creds) try: c.authenticate() self._admin_client = c except kc_exception.Unauthorized: LOG.error(_LE("Admin client authentication failed")) raise exception.AuthorizationFailure() return self._admin_client
def __authenticate(self): pyrax.set_setting("identity_type", "keystone") pyrax.set_setting("auth_endpoint", self.context.auth_url) logger.info(_("Authenticating username:%s") % self.context.username) self.pyrax = pyrax.auth_with_token(self.context.auth_token, tenant_id=self.context.tenant_id, tenant_name=self.context.tenant, region=(cfg.CONF.region_name or None)) if not self.pyrax: raise exception.AuthorizationFailure("No services available.") logger.info( _("User %s authenticated successfully.") % self.context.username)
def create_trust_context(self): """Create a trust using the trustor identity in the current context. The trust is created with the trustee as the heat service user. If the current context already contains a trust_id, we do nothing and return the current context. Returns a context containing the new trust_id. """ if self.context.trust_id: return self.context # We need the service admin user ID (not name), as the trustor user # can't lookup the ID in keystoneclient unless they're admin # workaround this by getting the user_id from admin_client try: trustee_user_id = self.context.trusts_auth_plugin.get_user_id( self.session) except kc_exception.Unauthorized: LOG.error(_LE("Domain admin client authentication failed")) raise exception.AuthorizationFailure() trustor_user_id = self.context.auth_plugin.get_user_id(self.session) trustor_proj_id = self.context.auth_plugin.get_project_id(self.session) # inherit the roles of the trustor, unless set trusts_delegated_roles if cfg.CONF.trusts_delegated_roles: roles = cfg.CONF.trusts_delegated_roles else: roles = self.context.roles try: trust = self.client.trusts.create(trustor_user=trustor_user_id, trustee_user=trustee_user_id, project=trustor_proj_id, impersonation=True, role_names=roles) except kc_exception.NotFound: LOG.debug("Failed to find roles %s for user %s" % (roles, trustor_user_id)) raise exception.MissingCredentialError(required=_("roles %s") % roles) context_data = self.context.to_dict() context_data['overwrite'] = False trust_context = context.RequestContext.from_dict(context_data) trust_context.trust_id = trust.id trust_context.trustor_user_id = trustor_user_id return trust_context
def validate_auth_plugin(auth_plugin, keystone_session): """Validate if this auth_plugin is valid to use.""" try: auth_plugin.get_token(keystone_session) except Exception as e: # TODO(ricolin) Add heat document link for plugin information, # once we generated one. failure_reason = ("Failed to validate auth_plugin with error %s. " "Please make sure the credential you provide is " "correct. Also make sure the it is a valid Keystone " "auth plugin type and contain in your " "environment." % e) raise exception.AuthorizationFailure(failure_reason=failure_reason)
def domain_admin_client(self): if not self._domain_admin_client: # Create domain admin client connection to v3 API admin_creds = self._domain_admin_creds() admin_creds.update(self._ssl_options()) c = kc_v3.Client(**admin_creds) # Note we must specify the domain when getting the token # as only a domain scoped token can create projects in the domain if c.authenticate(domain_id=self.stack_domain_id): self._domain_admin_client = c else: LOG.error(_("Domain admin client authentication failed")) raise exception.AuthorizationFailure() return self._domain_admin_client
def __authenticate(self): # current implemenation shown below authenticates using # username and password. Need make it work with auth-token pyrax.set_setting("identity_type", "keystone") pyrax.set_setting("auth_endpoint", self.context.auth_url) logger.info("Authenticating with username:%s" % self.context.username) self.pyrax = pyrax.auth_with_token(self.context.auth_token, tenant_id=self.context.tenant_id, tenant_name=self.context.tenant, region=(cfg.CONF.region_name or None)) if not self.pyrax: raise exception.AuthorizationFailure("No services available.") logger.info("User %s authenticated successfully." % self.context.username)
def _authenticate(self): """Create an authenticated client context.""" self.pyrax = pyrax.create_context("rackspace") self.pyrax.auth_endpoint = self.context.auth_url LOG.info(_LI("Authenticating username: %s"), self.context.username) tenant = self.context.tenant_id tenant_name = self.context.tenant self.pyrax.auth_with_token(self.context.auth_token, tenant_id=tenant, tenant_name=tenant_name) if not self.pyrax.authenticated: LOG.warning(_LW("Pyrax Authentication Failed.")) raise exception.AuthorizationFailure() LOG.info(_LI("User %s authenticated successfully."), self.context.username)
def domain_admin_client(self): if not self._domain_admin_client: # Create domain admin client connection to v3 API admin_creds = self._domain_admin_creds() admin_creds.update(self._ssl_options()) c = kc_v3.Client(**admin_creds) # Note we must specify the domain when getting the token # as only a domain scoped token can create projects in the domain if self._stack_domain_is_id: auth_kwargs = {'domain_id': self.stack_domain} else: auth_kwargs = {'domain_name': self.stack_domain} try: c.authenticate(**auth_kwargs) self._domain_admin_client = c except kc_exception.Unauthorized: LOG.error(_LE("Domain admin client authentication failed")) raise exception.AuthorizationFailure() return self._domain_admin_client
def _v1_auth(self, token_url): creds = self.creds headers = {} headers['X-Auth-User'] = creds['username'] headers['X-Auth-Key'] = creds['password'] tenant = creds.get('tenant') if tenant: headers['X-Auth-Tenant'] = tenant resp, resp_body = self._do_request(token_url, 'GET', headers=headers) def _management_url(self, resp): for url_header in ('x-heat-management-url', 'x-server-management-url', 'x-heat'): try: return resp[url_header] except KeyError as e: not_found = e raise not_found if resp.status in (200, 204): try: self.management_url = _management_url(self, resp) self.auth_token = resp['x-auth-token'] except KeyError: raise exception.AuthorizationFailure() elif resp.status == 305: raise exception.AuthorizationRedirect(resp['location']) elif resp.status == 400: raise exception.AuthBadRequest(url=token_url) elif resp.status == 401: raise exception.NotAuthorized() elif resp.status == 404: raise exception.AuthUrlNotFound(url=token_url) else: raise Exception(_('Unexpected response: %s' % resp.status))
def keystone_v3_endpoint(self): if self.auth_url: auth_uri = self.auth_url.replace('v2.0', 'v3') else: # Look for the keystone auth_uri in the configuration. First we # check the [clients_keystone] section, and if it is not set we # look in [keystone_authtoken] if cfg.CONF.clients_keystone.auth_uri: discover = ks_discover.Discover( auth_url=cfg.CONF.clients_keystone.auth_uri) auth_uri = discover.url_for('3.0') else: # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystonemiddleware.auth_token') if cfg.CONF.keystone_authtoken.auth_uri: auth_uri = cfg.CONF.keystone_authtoken.auth_uri.replace( 'v2.0', 'v3') else: LOG.error('Keystone API endpoint not provided. Set ' 'auth_uri in section [clients_keystone] ' 'of the configuration file.') raise exception.AuthorizationFailure() return auth_uri
def _create(self): """Create an authenticated CBD client.""" region = cfg.CONF.region_name_for_services.lower() if self.context.region_name: region = self.context.region_name.lower() LOG.info(_LI("CBD client authenticating username %s in region %s"), self.context.username, region) tenant = self.context.tenant_id username = self.context.username endpoint_uri = ("https://{region}.bigdata.api.rackspacecloud.com:443/" "v2/{tenant}".format(region=region, tenant=tenant)) try: return Lava(username=username, tenant_id=self.context.tenant_id, auth_url=self.context.auth_url, api_key=None, token=self.context.auth_token, region=region, endpoint=endpoint_uri, verify_ssl=False) except LavaError as exc: LOG.warn(_LW("CBD client authentication failed: %s."), exc) raise exception.AuthorizationFailure() LOG.info(_LI("CBD user %s authenticated successfully."), username)