def get_client(token=None, context=None, auth_from_config=False):
"""Retrieve a neutron client connection.
:param context: request context,
instance of ironic.common.context.RequestContext
:param auth_from_config: (boolean) When True, use auth values from
conf parameters
:returns: A neutron client.
"""
if not context:
context = ironic_context.RequestContext(auth_token=token)
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
endpoint = keystone.get_endpoint('neutron',
session=session,
auth=service_auth)
user_auth = None
if (not auth_from_config and CONF.neutron.auth_type != 'none'
and context.auth_token):
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
sess = keystone.get_session('neutron',
timeout=CONF.neutron.timeout,
auth=user_auth or service_auth)
conn = openstack.connection.Connection(session=sess, oslo_conf=CONF)
return conn.global_request(context.global_id).network
def get_client(token=None, context=None):
if not context:
context = ironic_context.RequestContext(auth_token=token)
# NOTE(pas-ha) neutronclient supports passing both session
# and the auth to client separately, makes things easier
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
# TODO(pas-ha) remove in Rocky, always simply load from config
# 'noauth' then would correspond to 'auth_type=none' and
# 'endpoint_override'
adapter_params = {}
if (CONF.neutron.auth_strategy == 'noauth'
and CONF.neutron.auth_type is None):
CONF.set_override('auth_type', 'none', group='neutron')
if not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = (CONF.neutron.url
or DEFAULT_NEUTRON_URL)
else:
if CONF.neutron.url and not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = CONF.neutron.url
adapter = keystone.get_adapter('neutron', session=session,
auth=service_auth, **adapter_params)
endpoint = adapter.get_endpoint()
user_auth = None
if CONF.neutron.auth_type != 'none' and context.auth_token:
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
return clientv20.Client(session=session,
auth=user_auth or service_auth,
endpoint_override=endpoint,
retries=CONF.neutron.retries,
global_request_id=context.global_id,
timeout=CONF.neutron.request_timeout)
def wrapper(self, *args, **kwargs):
"""Wrapper around methods calls.
:param image_href: href that describes the location of an image
"""
if self.client:
return func(self, *args, **kwargs)
global _GLANCE_SESSION
if not _GLANCE_SESSION:
_GLANCE_SESSION = keystone.get_session('glance')
# NOTE(pas-ha) glanceclient uses Adapter-based SessionClient,
# so we can pass session and auth separately, makes things easier
service_auth = keystone.get_auth('glance')
self.endpoint = keystone.get_endpoint('glance',
session=_GLANCE_SESSION,
auth=service_auth)
user_auth = None
# NOTE(pas-ha) our ContextHook removes context.auth_token in noauth
# case, so when ironic is in noauth but glance is not, we will not
# enter the next if-block and use auth from [glance] config section
if self.context.auth_token:
user_auth = keystone.get_service_auth(self.context, self.endpoint,
service_auth)
self.client = client.Client(2,
session=_GLANCE_SESSION,
auth=user_auth or service_auth,
endpoint_override=self.endpoint,
global_request_id=self.context.global_id)
return func(self, *args, **kwargs)
def get_client(context):
"""Get a cinder client connection.
:param context: request context,
instance of ironic.common.context.RequestContext
:returns: A cinder client.
"""
service_auth = keystone.get_auth('cinder')
session = _get_cinder_session()
# TODO(pas-ha) remove in Rocky
adapter_opts = {}
# NOTE(pas-ha) new option must always win if set
if CONF.cinder.url and not CONF.cinder.endpoint_override:
adapter_opts['endpoint_override'] = CONF.cinder.url
adapter = keystone.get_adapter('cinder', session=session,
auth=service_auth, **adapter_opts)
# TODO(pas-ha) use versioned endpoint data to select required
# cinder api version
cinder_url = adapter.get_endpoint()
# TODO(pas-ha) investigate possibility of passing a user context here,
# similar to what neutron/glance-related code does
# NOTE(pas-ha) cinderclient has both 'connect_retries' (passed to
# ksa.Adapter) and 'retries' (used in its subclass of ksa.Adapter) options.
# The first governs retries on establishing the HTTP connection,
# the second governs retries on OverLimit exceptions from API.
# The description of [cinder]/retries fits the first,
# so this is what we pass.
return client.Client(session=session, auth=service_auth,
endpoint_override=cinder_url,
connect_retries=CONF.cinder.retries,
global_request_id=context.global_id)
def get_ironic_api_url():
"""Resolve Ironic API endpoint
either from config of from Keystone catalog.
"""
adapter_opts = {'session': _get_ironic_session()}
# NOTE(pas-ha) force 'none' auth plugin for noauth mode
if CONF.auth_strategy != 'keystone':
CONF.set_override('auth_type', 'none', group='service_catalog')
adapter_opts['auth'] = keystone.get_auth('service_catalog')
# TODO(pas-ha) remove in Rocky
# NOTE(pas-ha) if both set, the new options win
if CONF.conductor.api_url and not CONF.service_catalog.endpoint_override:
adapter_opts['endpoint_override'] = CONF.conductor.api_url
try:
ironic_api = keystone.get_endpoint('service_catalog', **adapter_opts)
except (exception.KeystoneFailure, exception.CatalogNotFound,
exception.KeystoneUnauthorized) as e:
raise exception.InvalidParameterValue(
_("Couldn't get the URL of the Ironic API service from the "
"configuration file or keystone catalog. Keystone error: "
"%s") % str(e))
# NOTE: we should strip '/' from the end because it might be used in
# hardcoded ramdisk script
ironic_api = ironic_api.rstrip('/')
return ironic_api
def get_client(context):
"""Get a cinder client connection.
:param context: request context,
instance of ironic.common.context.RequestContext
:returns: A cinder client.
"""
service_auth = keystone.get_auth('cinder')
session = _get_cinder_session()
# TODO(pas-ha) remove in Rocky
adapter_opts = {}
# NOTE(pas-ha) new option must always win if set
if CONF.cinder.url and not CONF.cinder.endpoint_override:
adapter_opts['endpoint_override'] = CONF.cinder.url
if CONF.keystone.region_name and not CONF.cinder.region_name:
adapter_opts['region_name'] = CONF.keystone.region_name
adapter = keystone.get_adapter('cinder', session=session,
auth=service_auth, **adapter_opts)
# TODO(pas-ha) use versioned endpoint data to select required
# cinder api version
cinder_url = adapter.get_endpoint()
# TODO(pas-ha) investigate possibility of passing a user context here,
# similar to what neutron/glance-related code does
# NOTE(pas-ha) cinderclient has both 'connect_retries' (passed to
# ksa.Adapter) and 'retries' (used in its subclass of ksa.Adapter) options.
# The first governs retries on establishing the HTTP connection,
# the second governs retries on OverLimit exceptions from API.
# The description of [cinder]/retries fits the first,
# so this is what we pass.
return client.Client(session=session, auth=service_auth,
endpoint_override=cinder_url,
connect_retries=CONF.cinder.retries,
global_request_id=context.global_id)
def _get_session():
global _SESSION
if _SESSION is None:
kwargs = {}
auth_strategy = json_rpc.auth_strategy()
if auth_strategy != 'keystone':
auth_type = 'none' if auth_strategy == 'noauth' else auth_strategy
CONF.set_default('auth_type', auth_type, group='json_rpc')
# Deprecated, remove in W
if auth_strategy == 'http_basic':
if CONF.json_rpc.http_basic_username:
kwargs['username'] = CONF.json_rpc.http_basic_username
if CONF.json_rpc.http_basic_password:
kwargs['password'] = CONF.json_rpc.http_basic_password
auth = keystone.get_auth('json_rpc', **kwargs)
session = keystone.get_session('json_rpc', auth=auth)
headers = {'Content-Type': 'application/json'}
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc',
session=session,
additional_headers=headers)
return _SESSION
def _get_api_server_iterator():
"""Return iterator over shuffled API servers.
Shuffle a list of CONF.glance.glance_api_servers and return an iterator
that will cycle through the list, looping around to the beginning if
necessary.
If CONF.glance.glance_api_servers isn't set, we fall back to using this
as the server: CONF.glance.glance_host:CONF.glance.glance_port.
If CONF.glance.glance_host is also not set, fetch the endpoint from the
service catalog.
:returns: iterator that cycles (indefinitely) over shuffled glance API
servers.
"""
api_servers = []
if not CONF.glance.glance_api_servers and not CONF.glance.glance_host:
session = keystone.get_session('glance',
auth=keystone.get_auth('glance'))
api_servers = [keystone.get_service_url(session, service_type='image',
endpoint_type='public')]
else:
configured_servers = (CONF.glance.glance_api_servers or
['%s:%s' % (CONF.glance.glance_host,
CONF.glance.glance_port)])
for api_server in configured_servers:
if '//' not in api_server:
api_server = '%s://%s' % (CONF.glance.glance_protocol,
api_server)
api_servers.append(api_server)
random.shuffle(api_servers)
return itertools.cycle(api_servers)
def get_client(token=None, context=None):
if not context:
context = ironic_context.RequestContext(auth_token=token)
# NOTE(pas-ha) neutronclient supports passing both session
# and the auth to client separately, makes things easier
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
# TODO(pas-ha) remove in Rocky, always simply load from config
# 'noauth' then would correspond to 'auth_type=none' and
# 'endpoint_override'
adapter_params = {}
if (CONF.neutron.auth_strategy == 'noauth'
and CONF.neutron.auth_type is None):
CONF.set_override('auth_type', 'none', group='neutron')
if not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = (CONF.neutron.url
or DEFAULT_NEUTRON_URL)
else:
if CONF.neutron.url and not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = CONF.neutron.url
adapter = keystone.get_adapter('neutron', session=session,
auth=service_auth, **adapter_params)
endpoint = adapter.get_endpoint()
user_auth = None
if CONF.neutron.auth_type != 'none' and context.auth_token:
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
return clientv20.Client(session=session,
auth=user_auth or service_auth,
endpoint_override=endpoint,
retries=CONF.neutron.retries,
global_request_id=context.global_id)
def _get_api_server_iterator():
"""Return iterator over shuffled API servers.
Shuffle a list of CONF.glance.glance_api_servers and return an iterator
that will cycle through the list, looping around to the beginning if
necessary.
If CONF.glance.glance_api_servers isn't set, fetch the endpoint from the
service catalog.
:returns: iterator that cycles (indefinitely) over shuffled glance API
servers.
"""
api_servers = []
if not CONF.glance.glance_api_servers:
session = keystone.get_session('glance',
auth=keystone.get_auth('glance'))
api_servers = [
keystone.get_service_url(session,
service_type='image',
endpoint_type='public')
]
else:
api_servers = random.sample(CONF.glance.glance_api_servers,
len(CONF.glance.glance_api_servers))
return itertools.cycle(api_servers)
def _get_session():
global _SESSION
if _SESSION is None:
auth_strategy = json_rpc.auth_strategy()
if auth_strategy == 'keystone':
auth = keystone.get_auth('json_rpc')
else:
auth = None
session = keystone.get_session('json_rpc', auth=auth)
headers = {'Content-Type': 'application/json'}
if auth_strategy == 'http_basic':
token = '{}:{}'.format(
CONF.json_rpc.http_basic_username,
CONF.json_rpc.http_basic_password).encode('utf-8')
encoded = base64.b64encode(token).decode('utf-8')
headers['Authorization'] = 'Basic {}'.format(encoded)
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc',
session=session,
additional_headers=headers)
return _SESSION
def wrapper(self, *args, **kwargs):
"""Wrapper around methods calls.
:param image_href: href that describes the location of an image
"""
if self.client:
return func(self, *args, **kwargs)
# TODO(pas-ha) remove in Rocky
session_params = {}
if CONF.glance.glance_api_insecure and not CONF.glance.insecure:
session_params['insecure'] = CONF.glance.glance_api_insecure
if CONF.glance.glance_cafile and not CONF.glance.cafile:
session_params['cacert'] = CONF.glance.glance_cafile
# NOTE(pas-ha) glanceclient uses Adapter-based SessionClient,
# so we can pass session and auth separately, makes things easier
session = _get_glance_session(**session_params)
# TODO(pas-ha) remove in Rocky
# NOTE(pas-ha) new option must win if configured
if (CONF.glance.glance_api_servers
and not CONF.glance.endpoint_override):
# NOTE(pas-ha) all the 2 methods have image_href as the first
# positional arg, but check in kwargs too
image_href = args[0] if args else kwargs.get('image_href')
url = service_utils.get_glance_api_server(image_href)
CONF.set_override('endpoint_override', url, group='glance')
# TODO(pas-ha) remove in Rocky
if CONF.glance.auth_strategy == 'noauth':
CONF.set_override('auth_type', 'none', group='glance')
service_auth = keystone.get_auth('glance')
# TODO(pas-ha) remove in Rocky
adapter_params = {}
if CONF.keystone.region_name and not CONF.glance.region_name:
adapter_params['region_name'] = CONF.keystone.region_name
adapter = keystone.get_adapter('glance',
session=session,
auth=service_auth,
**adapter_params)
self.endpoint = adapter.get_endpoint()
user_auth = None
# NOTE(pas-ha) our ContextHook removes context.auth_token in noauth
# case, so when ironic is in noauth but glance is not, we will not
# enter the next if-block and use auth from [glance] config section
if self.context.auth_token:
user_auth = keystone.get_service_auth(self.context, self.endpoint,
service_auth)
self.client = client.Client(self.version,
session=session,
auth=user_auth or service_auth,
endpoint_override=self.endpoint,
global_request_id=self.context.global_id)
return func(self, *args, **kwargs)
def _get_inspector_session():
if CONF.auth_strategy != 'keystone':
return
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session(
'inspector', auth=keystone.get_auth('inspector'))
return _INSPECTOR_SESSION
def _get_nova_adapter():
global _NOVA_ADAPTER
if not _NOVA_ADAPTER:
_NOVA_ADAPTER = keystone.get_adapter(
'nova',
session=keystone.get_session('nova'),
auth=keystone.get_auth('nova'),
version=NOVA_API_VERSION)
return _NOVA_ADAPTER
def _get_inspector_session():
if CONF.auth_strategy != 'keystone':
return
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
_INSPECTOR_SESSION = keystone.get_session(
'inspector', auth=keystone.get_auth('inspector'))
return _INSPECTOR_SESSION
def _get_inspector_session(**kwargs):
global _INSPECTOR_SESSION
if not _INSPECTOR_SESSION:
if CONF.auth_strategy != 'keystone':
# NOTE(dtantsur): using set_default instead of set_override because
# the native keystoneauth option must have priority.
CONF.set_default('auth_type', 'none', group='inspector')
service_auth = keystone.get_auth('inspector')
_INSPECTOR_SESSION = keystone.get_session('inspector',
auth=service_auth,
**kwargs)
return _INSPECTOR_SESSION
def wrapper(self, *args, **kwargs):
"""Wrapper around methods calls.
:param image_href: href that describes the location of an image
"""
if self.client:
return func(self, *args, **kwargs)
# TODO(pas-ha) remove in Rocky
session_params = {}
if CONF.glance.glance_api_insecure and not CONF.glance.insecure:
session_params['insecure'] = CONF.glance.glance_api_insecure
if CONF.glance.glance_cafile and not CONF.glance.cafile:
session_params['cacert'] = CONF.glance.glance_cafile
# NOTE(pas-ha) glanceclient uses Adapter-based SessionClient,
# so we can pass session and auth separately, makes things easier
session = _get_glance_session(**session_params)
# TODO(pas-ha) remove in Rocky
# NOTE(pas-ha) new option must win if configured
if (CONF.glance.glance_api_servers
and not CONF.glance.endpoint_override):
# NOTE(pas-ha) all the 2 methods have image_href as the first
# positional arg, but check in kwargs too
image_href = args[0] if args else kwargs.get('image_href')
url = service_utils.get_glance_api_server(image_href)
CONF.set_override('endpoint_override', url, group='glance')
# TODO(pas-ha) remove in Rocky
if CONF.glance.auth_strategy == 'noauth':
CONF.set_override('auth_type', 'none', group='glance')
service_auth = keystone.get_auth('glance')
adapter_params = {}
adapter = keystone.get_adapter('glance', session=session,
auth=service_auth, **adapter_params)
self.endpoint = adapter.get_endpoint()
user_auth = None
# NOTE(pas-ha) our ContextHook removes context.auth_token in noauth
# case, so when ironic is in noauth but glance is not, we will not
# enter the next if-block and use auth from [glance] config section
if self.context.auth_token:
user_auth = keystone.get_service_auth(self.context, self.endpoint,
service_auth)
self.client = client.Client(2, session=session,
auth=user_auth or service_auth,
endpoint_override=self.endpoint,
global_request_id=self.context.global_id)
return func(self, *args, **kwargs)
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
_SESSION = keystone.get_session('json_rpc', auth=auth)
_SESSION.headers = {'Content-Type': 'application/json'}
return _SESSION
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
_SESSION = keystone.get_session('json_rpc', auth=auth)
_SESSION.headers = {
'Content-Type': 'application/json'
}
return _SESSION
def _get_session():
global _SESSION
if _SESSION is None:
if json_rpc.require_authentication():
auth = keystone.get_auth('json_rpc')
else:
auth = None
session = keystone.get_session('json_rpc', auth=auth)
session.headers = {'Content-Type': 'application/json'}
# Adds options like connect_retries
_SESSION = keystone.get_adapter('json_rpc', session=session)
return _SESSION
def get_client(token=None, context=None):
if not context:
context = ironic_context.RequestContext(auth_token=token)
# NOTE(pas-ha) neutronclient supports passing both session
# and the auth to client separately, makes things easier
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
endpoint = keystone.get_endpoint('neutron', session=session,
auth=service_auth)
user_auth = None
if CONF.neutron.auth_type != 'none' and context.auth_token:
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
return clientv20.Client(session=session,
auth=user_auth or service_auth,
endpoint_override=endpoint,
retries=CONF.neutron.retries,
global_request_id=context.global_id,
timeout=CONF.neutron.request_timeout)
def _get_client(context):
"""Helper to get inspector client instance."""
# NOTE(pas-ha) remove in Rocky
if CONF.auth_strategy != 'keystone':
CONF.set_override('auth_type', 'none', group='inspector')
service_auth = keystone.get_auth('inspector')
session = _get_inspector_session(auth=service_auth)
adapter_params = {}
if CONF.inspector.service_url and not CONF.inspector.endpoint_override:
adapter_params['endpoint_override'] = CONF.inspector.service_url
inspector_url = keystone.get_endpoint('inspector', session=session,
**adapter_params)
# TODO(pas-ha) investigate possibility of passing user context here,
# similar to what neutron/glance-related code does
# NOTE(pas-ha) ironic-inspector-client has no Adaper-based
# SessionClient, so we'll resolve inspector API form adapter loaded
# form config options
# TODO(pas-ha) rewrite when inspectorclient is based on ksa Adapter,
# also add global_request_id to the call
return client.ClientV1(api_version=INSPECTOR_API_VERSION,
session=session,
inspector_url=inspector_url)
def _get_client(context):
"""Helper to get inspector client instance."""
# NOTE(pas-ha) remove in Rocky
if CONF.auth_strategy != 'keystone':
CONF.set_override('auth_type', 'none', group='inspector')
service_auth = keystone.get_auth('inspector')
session = _get_inspector_session(auth=service_auth)
adapter_params = {}
if CONF.inspector.service_url and not CONF.inspector.endpoint_override:
adapter_params['endpoint_override'] = CONF.inspector.service_url
adapter = keystone.get_adapter('inspector', session=session,
**adapter_params)
inspector_url = adapter.get_endpoint()
# TODO(pas-ha) investigate possibility of passing user context here,
# similar to what neutron/glance-related code does
# NOTE(pas-ha) ironic-inspector-client has no Adaper-based
# SessionClient, so we'll resolve inspector API form adapter loaded
# form config options
# TODO(pas-ha) rewrite when inspectorclient is based on ksa Adapter,
# also add global_request_id to the call
return client.ClientV1(api_version=INSPECTOR_API_VERSION,
session=session,
inspector_url=inspector_url)
def get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
auth = keystone.get_auth('swift')
_SWIFT_SESSION = keystone.get_session('swift', auth=auth)
return _SWIFT_SESSION
def test_get_auth(self):
auth = keystone.get_auth(self.test_group)
self.assertEqual('http://127.0.0.1:9898', auth.auth_url)
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
auth = keystone.get_auth('glance')
_GLANCE_SESSION = keystone.get_session('glance', auth=auth)
return _GLANCE_SESSION
def test_get_auth(self):
auth = keystone.get_auth(self.test_group)
self.assertEqual('http://127.0.0.1:9898', auth.auth_url)
def _get_swift_session():
global _SWIFT_SESSION
if not _SWIFT_SESSION:
auth = keystone.get_auth('swift')
_SWIFT_SESSION = keystone.get_session('swift', auth=auth)
return _SWIFT_SESSION
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
auth = keystone.get_auth('cinder')
_CINDER_SESSION = keystone.get_session('cinder', auth=auth)
return _CINDER_SESSION
def _get_neutron_session():
global _NEUTRON_SESSION
if not _NEUTRON_SESSION:
auth = keystone.get_auth('neutron')
_NEUTRON_SESSION = keystone.get_session('neutron', auth=auth)
return _NEUTRON_SESSION
def _get_cinder_session():
global _CINDER_SESSION
if not _CINDER_SESSION:
auth = keystone.get_auth('cinder')
_CINDER_SESSION = keystone.get_session('cinder', auth=auth)
return _CINDER_SESSION
def _get_glance_session():
global _GLANCE_SESSION
if not _GLANCE_SESSION:
auth = keystone.get_auth('glance')
_GLANCE_SESSION = keystone.get_session('glance', auth=auth)
return _GLANCE_SESSION