def _get_ks_client(self):
kwargs = {'auth_url': self.auth_url,
'endpoint': self.auth_url}
if self.context.trust_id:
kwargs.update(self._get_admin_credentials())
kwargs['trust_id'] = self.context.trust_id
kwargs.pop('project_name')
elif self.context.auth_token_info:
kwargs['token'] = self.context.auth_token
if self._is_v2_valid(self.context.auth_token_info):
LOG.warning('Keystone v2 is deprecated.')
kwargs['auth_ref'] = self.context.auth_token_info['access']
kwargs['auth_ref']['version'] = 'v2.0'
elif self._is_v3_valid(self.context.auth_token_info):
kwargs['auth_ref'] = self.context.auth_token_info['token']
kwargs['auth_ref']['version'] = 'v3'
else:
LOG.error(_LE('Unknown version in auth_token_info'))
raise exception.AuthorizationFailure()
elif self.context.auth_token:
kwargs['token'] = self.context.auth_token
else:
LOG.error(_LE('Keystone v3 API conntection failed, no password '
'trust or auth_token'))
raise exception.AuthorizationFailure()
return kc_v3.Client(**kwargs)
def _v3_client_init(self):
kwargs = {'auth_url': self.v3_endpoint, 'endpoint': self.v3_endpoint}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate with the trust_id so we can use the
# trust impersonating the trustor user.
kwargs.update(self._service_admin_creds())
kwargs['trust_id'] = self.context.trust_id
kwargs.pop('project_name')
elif self.context.auth_token_info is not None:
# The auth_ref version must be set according to the token version
if 'access' in self.context.auth_token_info:
kwargs['auth_ref'] = copy.deepcopy(
self.context.auth_token_info['access'])
kwargs['auth_ref']['version'] = 'v2.0'
kwargs['auth_ref']['token']['id'] = self.context.auth_token
elif 'token' in self.context.auth_token_info:
kwargs['auth_ref'] = copy.deepcopy(
self.context.auth_token_info['token'])
kwargs['auth_ref']['version'] = 'v3'
kwargs['auth_ref']['auth_token'] = self.context.auth_token
else:
LOG.error(_LE("Unknown version in auth_token_info"))
raise exception.AuthorizationFailure()
elif self.context.auth_token is not None:
kwargs['token'] = self.context.auth_token
kwargs['project_id'] = self.context.project_id
else:
LOG.error(
_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
client = kc_v3.Client(**kwargs)
if 'auth_ref' not in kwargs:
client.authenticate()
# If we are authenticating with a trust set the context auth_token
# with the trust scoped token
if 'trust_id' in kwargs:
# Sanity check
if not client.auth_ref.trust_scoped:
LOG.error(_LE("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client.auth_ref.auth_token
self.context.auth_url = self.v3_endpoint
self.context.user = client.auth_ref.user_id
self.context.project_id = client.auth_ref.project_id
self.context.user_name = client.auth_ref.username
return client
def _get_auth(self):
if self.context.is_admin:
try:
auth = ka_loading.load_auth_from_conf_options(
CONF, ksconf.CFG_GROUP)
except ka_exception.MissingRequiredOptions:
auth = self._get_legacy_auth()
elif self.context.auth_token_info:
access_info = ka_access.create(body=self.context.auth_token_info,
auth_token=self.context.auth_token)
auth = ka_access_plugin.AccessInfoPlugin(access_info)
elif self.context.auth_token:
auth = ka_v3.Token(auth_url=self.auth_url,
token=self.context.auth_token)
elif self.context.trust_id:
auth_info = {
'auth_url': self.auth_url,
'username': self.context.user_name,
'password': self.context.password,
'user_domain_id': self.context.user_domain_id,
'user_domain_name': self.context.user_domain_name,
'trust_id': self.context.trust_id
}
auth = ka_v3.Password(**auth_info)
else:
LOG.error(
_LE('Keystone API connection failed: no password, '
'trust_id or token found.'))
raise exception.AuthorizationFailure()
return auth
def admin_client(self):
if not self._admin_client:
# Create admin client connection to v3 API
admin_creds = self._service_admin_creds()
c = kc_v3.Client(**admin_creds)
if c.authenticate():
self._admin_client = c
else:
LOG.error(_LE("Admin client authentication failed"))
raise exception.AuthorizationFailure()
return self._admin_client
def trustee_domain_id(self):
if not self._trustee_domain_id:
try:
access = self.domain_admin_auth.get_access(
self.domain_admin_session)
except kc_exception.Unauthorized:
LOG.error(_LE("Keystone client authentication failed"))
raise exception.AuthorizationFailure()
self._trustee_domain_id = access.domain_id
return self._trustee_domain_id
def trustee_domain_id(self):
if not self._trustee_domain_id:
try:
access = self.domain_admin_auth.get_access(
self.domain_admin_session)
except kc_exception.Unauthorized:
msg = _LE("Keystone client authentication failed")
LOG.error(msg)
raise exception.AuthorizationFailure(client='keystone',
message='reason: %s' %
msg)
self._trustee_domain_id = access.domain_id
return self._trustee_domain_id
def test_AuthorizationFailure(self):
self.assertRaises(
exception.AuthorizationFailure,
lambda: self.raise_(exception.AuthorizationFailure()))
