def _build_auth_details(self):
#keystone
self._authn_token = None
if cfg.CONF.auth_strategy == 'keystone':
#Keystone SSL Support
self._ksinsecure=cfg.CONF.keystone_authtoken.insecure
kscertfile=cfg.CONF.keystone_authtoken.certfile
kskeyfile=cfg.CONF.keystone_authtoken.keyfile
kscafile=cfg.CONF.keystone_authtoken.cafile
self._use_ks_certs=False
if kscertfile and kskeyfile and kscafile \
and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
certs=[kscertfile, kskeyfile, kscafile]
self._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
self._use_ks_certs=True
#API Server SSL support
self._apiusessl=cfg.CONF.APISERVER.use_ssl
self._apiinsecure=cfg.CONF.APISERVER.insecure
apicertfile=cfg.CONF.APISERVER.certfile
apikeyfile=cfg.CONF.APISERVER.keyfile
apicafile=cfg.CONF.APISERVER.cafile
if self._apiusessl:
self._apiserverconnect=_DEFAULT_SECURE_SERVER_CONNECT
else:
self._apiserverconnect=_DEFAULT_SERVER_CONNECT
self._use_api_certs=False
if apicertfile and apikeyfile and apicafile and self._apiusessl:
certs=[apicertfile, apikeyfile, apicafile]
self._apicertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE,certs)
self._use_api_certs=True
def _build_auth_details(self):
# keystone
self._authn_token = None
if cfg.CONF.auth_strategy == "keystone":
kcfg = cfg.CONF.keystone_authtoken
body = '{"auth":{"passwordCredentials":{'
body += ' "username": "******",' % (kcfg.admin_user)
body += ' "password": "******"},' % (kcfg.admin_password)
body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name)
self._authn_body = body
self._authn_token = cfg.CONF.keystone_authtoken.admin_token
self._keystone_url = "%s://%s:%s%s" % (
cfg.CONF.keystone_authtoken.auth_protocol,
cfg.CONF.keystone_authtoken.auth_host,
cfg.CONF.keystone_authtoken.auth_port,
"/v2.0/tokens",
)
# Keystone SSL Support
self._ksinsecure = cfg.CONF.keystone_authtoken.insecure
kscertfile = cfg.CONF.keystone_authtoken.certfile
kskeyfile = cfg.CONF.keystone_authtoken.keyfile
kscafile = cfg.CONF.keystone_authtoken.cafile
self._use_ks_certs = False
if (
kscertfile
and kskeyfile
and kscafile
and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT
):
certs = [kscertfile, kskeyfile, kscafile]
self._kscertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE, certs)
self._use_ks_certs = True
# API Server SSL support
self._apiusessl = cfg.CONF.APISERVER.use_ssl
self._apiinsecure = cfg.CONF.APISERVER.insecure
apicertfile = cfg.CONF.APISERVER.certfile
apikeyfile = cfg.CONF.APISERVER.keyfile
apicafile = cfg.CONF.APISERVER.cafile
if self._apiusessl:
self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT
else:
self._apiserverconnect = _DEFAULT_SERVER_CONNECT
self._use_api_certs = False
if apicertfile and apikeyfile and apicafile and self._apiusessl:
certs = [apicertfile, apikeyfile, apicafile]
self._apicertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_API_CERT_BUNDLE, certs)
self._use_api_certs = True
def _build_auth_details(self):
#keystone
self._authn_token = None
if cfg.CONF.auth_strategy == 'keystone':
kcfg = cfg.CONF.keystone_authtoken
body = '{"auth":{"passwordCredentials":{'
body += ' "username": "******",' % (kcfg.admin_user)
body += ' "password": "******"},' % (kcfg.admin_password)
body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name)
self._authn_body = body
self._authn_token = cfg.CONF.keystone_authtoken.admin_token
self._keystone_url = "%s://%s:%s%s" % (
cfg.CONF.keystone_authtoken.auth_protocol,
cfg.CONF.keystone_authtoken.auth_host,
cfg.CONF.keystone_authtoken.auth_port, "/v2.0/tokens")
#Keystone SSL Support
self._ksinsecure = cfg.CONF.keystone_authtoken.insecure
kscertfile = cfg.CONF.keystone_authtoken.certfile
kskeyfile = cfg.CONF.keystone_authtoken.keyfile
kscafile = cfg.CONF.keystone_authtoken.cafile
self._use_ks_certs = False
if (cfg.CONF.keystone_authtoken.auth_protocol
== _DEFAULT_SECURE_SERVER_CONNECT and kscafile):
certs = [kscafile]
if kscertfile and kskeyfile:
certs = [kscertfile, kskeyfile, kscafile]
self._kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE, certs)
self._use_ks_certs = True
#API Server SSL support
self._apiusessl = cfg.CONF.APISERVER.use_ssl
self._apiinsecure = cfg.CONF.APISERVER.insecure
apicertfile = cfg.CONF.APISERVER.certfile
apikeyfile = cfg.CONF.APISERVER.keyfile
apicafile = cfg.CONF.APISERVER.cafile
if self._apiusessl:
self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT
else:
self._apiserverconnect = _DEFAULT_SERVER_CONNECT
self._use_api_certs = False
if self._apiusessl and apicafile:
certs = [apicafile]
if apicertfile and apikeyfile:
certs = [apicertfile, apikeyfile, apicafile]
self._apicertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_API_CERT_BUNDLE, certs)
self._use_api_certs = True
def __init__(self, server_mgr, args):
_kscertbundle=''
if args.auth_protocol == 'https' and args.cafile:
certs=[args.cafile]
if args.keyfile and args.certfile:
certs=[args.certfile, args.keyfile, args.cafile]
_kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
self._conf_info = {
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'region_name': args.region_name,
'insecure': args.insecure,
'identity_uri': identity_uri,
}
try:
if 'v3' in args.auth_url:
self._conf_info['auth_version'] = 'v3.0'
self._conf_info['auth_type'] = 'password'
self._conf_info['auth_url'] = args.auth_url
self._conf_info['user_domain_name'] = args.admin_user_domain_name
self._conf_info['project_domain_name'] = args.project_domain_name
self._conf_info['project_name'] = args.admin_tenant_name
self._conf_info['username'] = args.admin_user
self._conf_info['password'] = args.admin_password
self._conf_info['auth_uri'] = args.auth_url
except AttributeError:
pass
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_middleware = None
self._mt_rbac = server_mgr.is_rbac_enabled()
self._auth_needed = server_mgr.is_auth_needed()
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._auth_needed and 'memcache_servers' in args:
self._conf_info[
'memcached_servers'] = args.memcache_servers.split(',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
def verify(self):
# bundle created already return bundle
if self._verify:
return self._verify
if self._cacert:
certs = [self._cacert]
certbundle = os.path.join('/var/lib/contrail',
DiscoveryClient._DEFAULT_CERT_BUNDLE)
self._verify = utils.getCertKeyCaBundle(certbundle, certs)
return self._verify
def __init__(self, server_mgr, args):
_kscertbundle=''
if args.auth_protocol == 'https' and args.cafile:
certs=[args.cafile]
if args.keyfile and args.certfile:
certs=[args.certfile, args.keyfile, args.cafile]
_kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
self._conf_info = {
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'region_name': args.region_name,
'insecure':args.insecure,
'identity_uri': identity_uri,
}
try:
if 'v3' in args.auth_url:
self._conf_info['auth_version'] = 'v3.0'
self._conf_info['auth_uri'] = args.auth_url
except AttributeError:
pass
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_middleware = None
self._mt_rbac = server_mgr.is_rbac_enabled()
self._multi_tenancy = server_mgr.is_multi_tenancy_set()
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._multi_tenancy and 'memcache_servers' in args:
self._conf_info[
'memcached_servers'] = args.memcache_servers.split(',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
def _build_auth_details(self):
#keystone
self._authn_token = None
if cfg.CONF.auth_strategy == 'keystone':
#Keystone SSL Support
self._ksinsecure = cfg.CONF.keystone_authtoken.insecure
kscertfile = cfg.CONF.keystone_authtoken.certfile
kskeyfile = cfg.CONF.keystone_authtoken.keyfile
kscafile = cfg.CONF.keystone_authtoken.cafile
self._use_ks_certs = False
if kscertfile and kskeyfile and kscafile \
and cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT:
certs = [kscertfile, kskeyfile, kscafile]
self._kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE, certs)
self._use_ks_certs = True
#API Server SSL support
self._apiusessl = cfg.CONF.APISERVER.use_ssl
self._apiinsecure = cfg.CONF.APISERVER.insecure
apicertfile = cfg.CONF.APISERVER.certfile
apikeyfile = cfg.CONF.APISERVER.keyfile
apicafile = cfg.CONF.APISERVER.cafile
if self._apiusessl:
self._apiserverconnect = _DEFAULT_SECURE_SERVER_CONNECT
else:
self._apiserverconnect = _DEFAULT_SERVER_CONNECT
self._use_api_certs = False
if apicertfile and apikeyfile and apicafile and self._apiusessl:
certs = [apicertfile, apikeyfile, apicafile]
self._apicertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_API_CERT_BUNDLE, certs)
self._use_api_certs = True
def __init__(self, server_mgr, args):
_kscertbundle = ''
if args.certfile and args.keyfile and args.cafile \
and args.auth_protocol == 'https':
certs = [args.certfile, args.keyfile, args.cafile]
_kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE, certs)
self._conf_info = {
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'insecure': args.insecure,
}
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_token = None
self._auth_middleware = None
self._mt_rbac = args.multi_tenancy_with_rbac
self._multi_tenancy = args.multi_tenancy or args.multi_tenancy_with_rbac
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._multi_tenancy and 'memcache_servers' in args:
self._conf_info['memcache_servers'] = args.memcache_servers.split(
',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
def __init__(self, server_mgr, args):
_kscertbundle=''
if args.certfile and args.keyfile and args.cafile \
and args.auth_protocol == 'https':
certs=[args.certfile, args.keyfile, args.cafile]
_kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
self._conf_info = {
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'insecure':args.insecure,
}
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_token = None
self._auth_middleware = None
self._mt_rbac = args.multi_tenancy_with_rbac
self._multi_tenancy = args.multi_tenancy or args.multi_tenancy_with_rbac
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._multi_tenancy and 'memcache_servers' in args:
self._conf_info[
'memcache_servers'] = args.memcache_servers.split(',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
def __init__(
self,
username=None,
password=None,
tenant_name=None,
api_server_host=None,
api_server_port=None,
api_server_url=None,
conf_file=None,
user_info=None,
auth_token=None,
auth_host=None,
auth_port=None,
auth_protocol=None,
auth_url=None,
auth_type=None,
wait_for_connect=False,
api_server_use_ssl=False,
domain_name=None,
exclude_hrefs=None,
):
# TODO allow for username/password to be present in creds file
self._obj_serializer = self._obj_serializer_diff
for object_type, resource_type in all_resource_type_tuples:
for oper_str in ("_create", "_read", "_update", "_delete", "s_list", "_get_default_id"):
method = getattr(self, "_object%s" % (oper_str))
bound_method = functools.partial(method, resource_type)
functools.update_wrapper(bound_method, method)
if oper_str == "_get_default_id":
setattr(self, "get_default_%s_id" % (object_type), bound_method)
else:
setattr(self, "%s%s" % (object_type, oper_str), bound_method)
cfg_parser = ConfigParser.ConfigParser()
try:
cfg_parser.read(conf_file or "/etc/contrail/vnc_api_lib.ini")
except Exception as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT
# API server SSL Support
use_ssl = api_server_use_ssl
if isinstance(api_server_use_ssl, basestring):
use_ssl = api_server_use_ssl.lower() == "true"
if use_ssl:
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
# keystone
self._authn_type = auth_type or _read_cfg(cfg_parser, "auth", "AUTHN_TYPE", self._DEFAULT_AUTHN_TYPE)
if self._authn_type == "keystone":
self._authn_protocol = auth_protocol or _read_cfg(
cfg_parser, "auth", "AUTHN_PROTOCOL", self._DEFAULT_AUTHN_PROTOCOL
)
self._authn_server = auth_host or _read_cfg(cfg_parser, "auth", "AUTHN_SERVER", self._DEFAULT_AUTHN_SERVER)
self._authn_port = auth_port or _read_cfg(cfg_parser, "auth", "AUTHN_PORT", self._DEFAULT_AUTHN_PORT)
self._authn_url = auth_url or _read_cfg(cfg_parser, "auth", "AUTHN_URL", self._DEFAULT_AUTHN_URL)
self._username = username or _read_cfg(cfg_parser, "auth", "AUTHN_USER", self._DEFAULT_AUTHN_USER)
self._password = password or _read_cfg(cfg_parser, "auth", "AUTHN_PASSWORD", self._DEFAULT_AUTHN_PASSWORD)
self._tenant_name = tenant_name or _read_cfg(cfg_parser, "auth", "AUTHN_TENANT", self._DEFAULT_AUTHN_TENANT)
self._domain_name = domain_name or _read_cfg(cfg_parser, "auth", "AUTHN_DOMAIN", self._DEFAULT_DOMAIN_ID)
# contrail-api SSL support
try:
self._apiinsecure = cfg_parser.getboolean("global", "insecure")
except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError):
self._apiinsecure = False
apicertfile = _read_cfg(cfg_parser, "global", "certfile", "")
apikeyfile = _read_cfg(cfg_parser, "global", "keyfile", "")
apicafile = _read_cfg(cfg_parser, "global", "cafile", "")
self._use_api_certs = False
if api_server_use_ssl:
certs = []
if apicafile:
certs.append(apicafile)
if apicertfile:
certs.append(apicertfile)
if apikeyfile:
certs.append(apikeyfile)
if certs:
self._apicertbundle = utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE, certs)
self._use_api_certs = True
# keystone SSL support
try:
self._ksinsecure = cfg_parser.getboolean("auth", "insecure")
except (AttributeError, ConfigParser.NoOptionError, ConfigParser.NoSectionError):
self._ksinsecure = False
kscertfile = _read_cfg(cfg_parser, "auth", "certfile", "")
kskeyfile = _read_cfg(cfg_parser, "auth", "keyfile", "")
kscafile = _read_cfg(cfg_parser, "auth", "cafile", "")
self._use_ks_certs = False
if self._authn_protocol == "https":
certs = []
if kscafile:
certs.append(kscafile)
if kscertfile:
certs.append(kscertfile)
if kskeyfile:
certs.append(kskeyfile)
if certs:
self._kscertbundle = utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE, certs)
self._use_ks_certs = True
if "v2" in self._authn_url:
self._authn_body = (
'{"auth":{"passwordCredentials":{'
+ '"username": "******",' % (self._username)
+ ' "password": "******"},' % (self._password)
+ ' "tenantName":"%s"}}' % (self._tenant_name)
)
else:
self._authn_body = (
'{"auth":{"identity":{'
+ '"methods": ["password"],'
+ ' "password":{'
+ ' "user":{'
+ ' "name": "%s",' % (self._username)
+ ' "domain": { "name": "%s" },' % (self._domain_name)
+ ' "password": "******"' % (self._password)
+ "}"
+ "}"
+ "},"
+ ' "scope":{'
+ ' "project":{'
+ ' "domain": { "name": "%s" },' % (self._domain_name)
+ ' "name": "%s"' % (self._tenant_name)
+ "}"
+ "}"
+ "}"
+ "}"
)
self._user_info = user_info
if not api_server_host:
self._web_host = _read_cfg(cfg_parser, "global", "WEB_SERVER", self._DEFAULT_WEB_SERVER)
else:
self._web_host = api_server_host
if not api_server_port:
self._web_port = _read_cfg(cfg_parser, "global", "WEB_PORT", self._DEFAULT_WEB_PORT)
else:
self._web_port = api_server_port
self._max_pools = int(_read_cfg(cfg_parser, "global", "MAX_POOLS", self._DEFAULT_MAX_POOLS))
self._max_conns_per_pool = int(
_read_cfg(cfg_parser, "global", "MAX_CONNS_PER_POOL", self._DEFAULT_MAX_CONNS_PER_POOL)
)
self._curl_logging = False
if _read_cfg(cfg_parser, "global", "curl_log", False):
self._curl_logging = True
self._curl_logger = _cfg_curl_logging(_read_cfg(cfg_parser, "global", "curl_log", False))
# Where client's view of world begins
if not api_server_url:
self._base_url = _read_cfg(cfg_parser, "global", "BASE_URL", self._DEFAULT_BASE_URL)
else:
self._base_url = api_server_url
# Where server says its root is when _base_url is fetched
self._srv_root_url = None
# Type-independent actions offered by server
self._action_uri = ActionUriDict(self)
self._headers = self._DEFAULT_HEADERS.copy()
self._headers[rest.hdr_client_tenant()] = self._tenant_name
self._auth_token_input = False
self._auth_token = None
if auth_token:
self._auth_token = auth_token
self._auth_token_input = True
self._headers["X-AUTH-TOKEN"] = self._auth_token
# user information for quantum
if self._user_info:
if "user_id" in self._user_info:
self._headers["X-API-USER-ID"] = self._user_info["user_id"]
if "user" in self._user_info:
self._headers["X-API-USER"] = self._user_info["user"]
if "role" in self._user_info:
self.set_user_roles([self._user_info["role"]])
self._exclude_hrefs = exclude_hrefs
self._create_api_server_session()
retry_count = 6
while retry_count:
try:
homepage = self._request(rest.OP_GET, self._base_url, retry_on_error=False)
self._parse_homepage(homepage)
except ServiceUnavailableError as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
if wait_for_connect:
# Retry connect infinitely when http retcode 503
continue
elif retry_count:
# Retry connect 60 times when http retcode 503
retry_count -= 1
time.sleep(1)
else:
# connected succesfully
break
def __init__(self, server_mgr, args):
self.args = args
_kscertbundle = ''
if args.auth_protocol == 'https' and args.cafile:
certs = [args.cafile]
if args.keyfile and args.certfile:
certs = [args.certfile, args.keyfile, args.cafile]
_kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE, certs)
self._conf_info = {
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'region_name': args.region_name,
'insecure': args.insecure,
'signing_dir': args.signing_dir,
}
if args.auth_url:
auth_url = args.auth_url
else:
auth_url = '%s://%s:%s/%s' % (args.auth_protocol, args.auth_host,
args.auth_port, _DEFAULT_KS_VERSION)
if 'v2.0' in auth_url.split('/'):
identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host,
args.auth_port)
self._conf_info.update({
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'identity_uri': identity_uri
})
else:
self._conf_info.update({
'auth_type': args.auth_type,
'auth_url': auth_url,
'username': args.admin_user,
'password': args.admin_password,
})
# Add user domain info
self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args))
# Get project scope auth params
scope_kwargs = cfgmutils.get_project_scope_kwargs(args)
if not scope_kwargs:
# Default to domain scoped auth
scope_kwargs = cfgmutils.get_domain_scope_kwargs(args)
self._conf_info.update(**scope_kwargs)
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_middleware = None
self._mt_rbac = server_mgr.is_rbac_enabled()
self._auth_needed = server_mgr.is_auth_needed()
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._auth_needed and 'memcache_servers' in args:
self._conf_info['memcached_servers'] = args.memcache_servers.split(
',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
self._user_auth_middleware = None
self._hdr_from_token_auth_middleware = None
def fill_keystone_opts(obj, conf_sections):
obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user')
obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password')
obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token')
obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name')
try:
obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE',
'keystone_sync_on_demand')
except ConfigParser.NoOptionError:
obj._keystone_sync_on_demand = True
try:
obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure')
except ConfigParser.NoOptionError:
obj._insecure = True
try:
obj._certfile = conf_sections.get('KEYSTONE', 'certfile')
except ConfigParser.NoOptionError:
obj._certfile = ''
try:
obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile')
except ConfigParser.NoOptionError:
obj._keyfile = ''
try:
obj._cafile= conf_sections.get('KEYSTONE', 'cafile')
except ConfigParser.NoOptionError:
obj._cafile = ''
obj._kscertbundle=''
obj._use_certs=False
if obj._certfile and obj._keyfile and obj._cafile:
certs=[obj._certfile,obj._keyfile,obj._cafile]
obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
obj._use_certs=True
try:
obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')
except ConfigParser.NoOptionError:
# deprecated knobs - for backward compat
obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol')
obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host')
obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port')
obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host,
obj._auth_port)
try:
obj._err_file = conf_sections.get('DEFAULTS', 'trace_file')
except ConfigParser.NoOptionError:
obj._err_file = '/var/log/contrail/vnc_openstack.err'
try:
# Duration between polls to keystone to find deleted projects
resync_interval = conf_sections.get('DEFAULTS',
'keystone_resync_interval_secs')
except ConfigParser.NoOptionError:
resync_interval = '60'
obj._resync_interval_secs = int(resync_interval)
try:
# Number of workers used to process keystone project resyncing
resync_workers = conf_sections.get('DEFAULTS',
'keystone_resync_workers')
except ConfigParser.NoOptionError:
resync_workers = '10'
obj._resync_number_workers = int(resync_workers)
try:
# If new project with same name as an orphan project
# (gone in keystone, present in # contrail with resources within)
# is encountered,
# a. proceed with unique ified name (new_unique_fqn)
# b. refuse to sync (new_fail)
# c. cascade delete (TODO)
resync_mode = conf_sections.get('DEFAULTS',
'keystone_resync_stale_mode')
except ConfigParser.NoOptionError:
resync_mode = 'new_unique_fqn'
obj._resync_stale_mode = resync_mode
try:
# Get the domain_id for keystone v3
obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id')
except ConfigParser.NoOptionError:
obj._domain_id = 'default'
try:
# Get the user_domain_name for keystone v3
obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name')
except ConfigParser.NoOptionError:
obj._user_domain_name = 'Default'
try:
# Get the project_domain_name for keystone v3
obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name')
except ConfigParser.NoOptionError:
obj._project_domain_name = None
try:
# Get the project_name for keystone v3
obj._project_name = conf_sections.get('KEYSTONE', 'project_name')
except ConfigParser.NoOptionError:
obj._project_name = obj._admin_tenant
try:
# Get the endpoint_type
obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type')
except ConfigParser.NoOptionError:
obj._endpoint_type = None
def __init__(self, username=None, password=None, tenant_name=None,
api_server_host='127.0.0.1', api_server_port='8082',
api_server_url=None, conf_file=None, user_info=None,
auth_token=None, auth_host=None, auth_port=None,
auth_protocol = None, auth_url=None, auth_type=None,
wait_for_connect=False, api_server_use_ssl=False,
domain_name=None):
# TODO allow for username/password to be present in creds file
self._obj_serializer = self._obj_serializer_diff
for object_type, resource_type in all_resource_type_tuples:
for oper_str in ('_create', '_read', '_update', '_delete',
's_list', '_get_default_id'):
method = getattr(self, '_object%s' %(oper_str))
bound_method = functools.partial(method, resource_type)
functools.update_wrapper(bound_method, method)
if oper_str == '_get_default_id':
setattr(self, 'get_default_%s_id' % (object_type),
bound_method)
else:
setattr(self, '%s%s' %(object_type, oper_str),
bound_method)
cfg_parser = ConfigParser.ConfigParser()
try:
cfg_parser.read(conf_file or
"/etc/contrail/vnc_api_lib.ini")
except Exception as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT
# API server SSL Support
use_ssl = api_server_use_ssl
if isinstance(api_server_use_ssl, basestring):
use_ssl = (api_server_use_ssl.lower() == 'true')
if use_ssl:
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
# keystone
self._authn_type = auth_type or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE',
self._DEFAULT_AUTHN_TYPE)
if self._authn_type == 'keystone':
self._authn_protocol = auth_protocol or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PROTOCOL',
self._DEFAULT_AUTHN_PROTOCOL)
self._authn_server = auth_host or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_SERVER',
self._DEFAULT_AUTHN_SERVER)
self._authn_port = auth_port or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PORT',
self._DEFAULT_AUTHN_PORT)
self._authn_url = auth_url or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_URL',
self._DEFAULT_AUTHN_URL)
self._username = username or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_USER',
self._DEFAULT_AUTHN_USER)
self._password = password or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PASSWORD',
self._DEFAULT_AUTHN_PASSWORD)
self._tenant_name = tenant_name or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_TENANT',
self._DEFAULT_AUTHN_TENANT)
self._domain_name = domain_name or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_DOMAIN',
self._DEFAULT_DOMAIN_ID)
#contrail-api SSL support
try:
self._apiinsecure = cfg_parser.getboolean('global','insecure')
except (AttributeError,
ConfigParser.NoOptionError,
ConfigParser.NoSectionError):
self._apiinsecure = False
apicertfile=_read_cfg(cfg_parser,'global','certfile','')
apikeyfile=_read_cfg(cfg_parser,'global','keyfile','')
apicafile=_read_cfg(cfg_parser,'global','cafile','')
self._use_api_certs=False
if apicertfile and apikeyfile \
and apicafile and api_server_use_ssl:
certs=[apicertfile, apikeyfile, apicafile]
self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
self._use_api_certs=True
# keystone SSL support
try:
self._ksinsecure = cfg_parser.getboolean('auth', 'insecure')
except (AttributeError,
ConfigParser.NoOptionError,
ConfigParser.NoSectionError):
self._ksinsecure = False
kscertfile=_read_cfg(cfg_parser,'auth','certfile','')
kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','')
kscafile=_read_cfg(cfg_parser,'auth','cafile','')
self._use_ks_certs=False
if kscertfile and kskeyfile and kscafile \
and self._authn_protocol == 'https':
certs=[kscertfile, kskeyfile, kscafile]
self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
self._use_ks_certs=True
if 'v2' in self._authn_url:
self._authn_body = \
'{"auth":{"passwordCredentials":{' + \
'"username": "******",' % (self._username) + \
' "password": "******"},' % (self._password) + \
' "tenantName":"%s"}}' % (self._tenant_name)
else:
self._authn_body = \
'{"auth":{"identity":{' + \
'"methods": ["password"],' + \
' "password":{' + \
' "user":{' + \
' "name": "%s",' % (self._username) + \
' "domain": { "name": "%s" },' % (self._domain_name) + \
' "password": "******"' % (self._password) + \
'}' + \
'}' + \
'},' + \
' "scope":{' + \
' "project":{' + \
' "domain": { "name": "%s" },' % (self._domain_name) + \
' "name": "%s"' % (self._tenant_name) + \
'}' + \
'}' + \
'}' + \
'}'
self._user_info = user_info
if not api_server_host:
self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
self._DEFAULT_WEB_SERVER)
else:
self._web_host = api_server_host
if not api_server_port:
self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT',
self._DEFAULT_WEB_PORT)
else:
self._web_port = api_server_port
self._max_pools = int(_read_cfg(
cfg_parser, 'global', 'MAX_POOLS',
self._DEFAULT_MAX_POOLS))
self._max_conns_per_pool = int(_read_cfg(
cfg_parser, 'global', 'MAX_CONNS_PER_POOL',
self._DEFAULT_MAX_CONNS_PER_POOL))
self._curl_logging = False
if _read_cfg(cfg_parser, 'global', 'curl_log', False):
self._curl_logging = True
self._curl_logger=_cfg_curl_logging(_read_cfg(cfg_parser,'global','curl_log',False))
# Where client's view of world begins
if not api_server_url:
self._base_url = _read_cfg(cfg_parser, 'global', 'BASE_URL',
self._DEFAULT_BASE_URL)
else:
self._base_url = api_server_url
# Where server says its root is when _base_url is fetched
self._srv_root_url = None
# Type-independent actions offered by server
self._action_uri = ActionUriDict(self)
self._headers = self._DEFAULT_HEADERS.copy()
self._headers[rest.hdr_client_tenant()] = self._tenant_name
self._auth_token_input = False
self._auth_token = None
if auth_token:
self._auth_token = auth_token
self._auth_token_input = True
self._headers['X-AUTH-TOKEN'] = self._auth_token
# user information for quantum
if self._user_info:
if 'user_id' in self._user_info:
self._headers['X-API-USER-ID'] = self._user_info['user_id']
if 'user' in self._user_info:
self._headers['X-API-USER'] = self._user_info['user']
if 'role' in self._user_info:
self.set_user_roles([self._user_info['role']])
#self._http = HTTPClient(self._web_host, self._web_port,
# network_timeout = 300)
self._create_api_server_session()
retry_count = 6
while retry_count:
try:
homepage = self._request(rest.OP_GET, self._base_url,
retry_on_error=False)
self._parse_homepage(homepage)
except ServiceUnavailableError as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
if wait_for_connect:
# Retry connect infinitely when http retcode 503
continue
elif retry_count:
# Retry connect 60 times when http retcode 503
retry_count -= 1
time.sleep(1)
else:
# connected succesfully
break
def fill_keystone_opts(obj, conf_sections):
obj._auth_user = conf_sections.get("KEYSTONE", "admin_user")
obj._auth_passwd = conf_sections.get("KEYSTONE", "admin_password")
obj._admin_token = conf_sections.get("KEYSTONE", "admin_token")
obj._admin_tenant = conf_sections.get("KEYSTONE", "admin_tenant_name")
try:
obj._keystone_sync_on_demand = conf_sections.getboolean("KEYSTONE", "keystone_sync_on_demand")
except ConfigParser.NoOptionError:
obj._keystone_sync_on_demand = True
try:
obj._insecure = conf_sections.getboolean("KEYSTONE", "insecure")
except ConfigParser.NoOptionError:
obj._insecure = True
try:
obj._certfile = conf_sections.get("KEYSTONE", "certfile")
except ConfigParser.NoOptionError:
obj._certfile = ""
try:
obj._keyfile = conf_sections.get("KEYSTONE", "keyfile")
except ConfigParser.NoOptionError:
obj._keyfile = ""
try:
obj._cafile = conf_sections.get("KEYSTONE", "cafile")
except ConfigParser.NoOptionError:
obj._cafile = ""
obj._kscertbundle = ""
obj._use_certs = False
if obj._certfile and obj._keyfile and obj._cafile:
certs = [obj._certfile, obj._keyfile, obj._cafile]
obj._kscertbundle = cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE, certs)
obj._use_certs = True
try:
obj._auth_url = conf_sections.get("KEYSTONE", "auth_url")
except ConfigParser.NoOptionError:
# deprecated knobs - for backward compat
obj._auth_proto = conf_sections.get("KEYSTONE", "auth_protocol")
obj._auth_host = conf_sections.get("KEYSTONE", "auth_host")
obj._auth_port = conf_sections.get("KEYSTONE", "auth_port")
obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host, obj._auth_port)
try:
obj._err_file = conf_sections.get("DEFAULTS", "trace_file")
except ConfigParser.NoOptionError:
obj._err_file = "/var/log/contrail/vnc_openstack.err"
try:
# Duration between polls to keystone to find deleted projects
resync_interval = conf_sections.get("DEFAULTS", "keystone_resync_interval_secs")
except ConfigParser.NoOptionError:
resync_interval = "60"
obj._resync_interval_secs = int(resync_interval)
try:
# Number of workers used to process keystone project resyncing
resync_workers = conf_sections.get("DEFAULTS", "keystone_resync_workers")
except ConfigParser.NoOptionError:
resync_workers = "10"
obj._resync_number_workers = int(resync_workers)
try:
# Get the domain_id for keystone v3
obj._domain_id = conf_sections.get("KEYSTONE", "admin_domain_id")
except ConfigParser.NoOptionError:
obj._domain_id = "default"
try:
# Get the user_domain_name for keystone v3
obj._user_domain_name = conf_sections.get("KEYSTONE", "admin_user_domain_name")
except ConfigParser.NoOptionError:
obj._user_domain_name = "Default"
try:
# Get the project_domain_name for keystone v3
obj._project_domain_name = conf_sections.get("KEYSTONE", "project_domain_name")
except ConfigParser.NoOptionError:
obj._project_domain_name = None
try:
# Get the project_name for keystone v3
obj._project_name = conf_sections.get("KEYSTONE", "project_name")
except ConfigParser.NoOptionError:
obj._project_name = obj._admin_tenant
try:
# Get the endpoint_type
obj._endpoint_type = conf_sections.get("KEYSTONE", "endpoint_type")
except ConfigParser.NoOptionError:
obj._endpoint_type = None
def fill_keystone_opts(obj, conf_sections):
obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user')
obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password')
obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token')
obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name')
try:
obj._contrail_vcenter_mode = conf_sections.get('DEFAULTS', "contrail_vcenter_mode")
except ConfigParser.NoOptionError:
obj._contrail_vcenter_mode = None
try:
obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE',
'keystone_sync_on_demand')
except ConfigParser.NoOptionError:
obj._keystone_sync_on_demand = True
try:
obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure')
except ConfigParser.NoOptionError:
obj._insecure = True
try:
obj._certfile = conf_sections.get('KEYSTONE', 'certfile')
except ConfigParser.NoOptionError:
obj._certfile = ''
try:
obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile')
except ConfigParser.NoOptionError:
obj._keyfile = ''
try:
obj._cafile= conf_sections.get('KEYSTONE', 'cafile')
except ConfigParser.NoOptionError:
obj._cafile = ''
obj._kscertbundle=''
obj._use_certs=False
if obj._certfile and obj._keyfile and obj._cafile:
certs=[obj._certfile,obj._keyfile,obj._cafile]
obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
obj._use_certs=True
try:
obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')
except ConfigParser.NoOptionError:
# deprecated knobs - for backward compat
obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol')
obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host')
obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port')
obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host,
obj._auth_port)
try:
obj._err_file = conf_sections.get('DEFAULTS', 'trace_file')
except ConfigParser.NoOptionError:
obj._err_file = '/var/log/contrail/vnc_openstack.err'
try:
# Duration between polls to keystone to find deleted projects
resync_interval = conf_sections.get('DEFAULTS',
'keystone_resync_interval_secs')
except ConfigParser.NoOptionError:
resync_interval = '60'
obj._resync_interval_secs = int(resync_interval)
try:
# Number of workers used to process keystone project resyncing
resync_workers = conf_sections.get('DEFAULTS',
'keystone_resync_workers')
except ConfigParser.NoOptionError:
resync_workers = '10'
obj._resync_number_workers = int(resync_workers)
try:
# Get the domain_id for keystone v3
obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id')
except ConfigParser.NoOptionError:
obj._domain_id = 'default'
try:
# Get the user_domain_name for keystone v3
obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name')
except ConfigParser.NoOptionError:
obj._user_domain_name = 'Default'
try:
# Get the project_domain_name for keystone v3
obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name')
except ConfigParser.NoOptionError:
obj._project_domain_name = 'Default'
try:
# Get the project_name for keystone v3
obj._project_name = conf_sections.get('KEYSTONE', 'project_name')
except ConfigParser.NoOptionError:
obj._project_name = obj._admin_tenant
try:
# Get the endpoint_type
obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type')
except ConfigParser.NoOptionError:
obj._endpoint_type = None
def _build_auth_details(self):
#keystone
self._authn_token = None
if cfg.CONF.auth_strategy == 'keystone':
kcfg = cfg.CONF.keystone_authtoken
#Keystone SSL Support
self._ksinsecure=kcfg.insecure
kscertfile=kcfg.certfile
kskeyfile=kcfg.keyfile
kscafile=kcfg.cafile
self._use_ks_certs = False
if (cfg.CONF.keystone_authtoken.auth_protocol ==
_DEFAULT_SECURE_SERVER_CONNECT and kscafile):
certs = [kscafile]
if kscertfile and kskeyfile:
certs = [kscertfile, kskeyfile, kscafile]
self._kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE,certs)
self._use_ks_certs = True
auth_uri = kcfg.auth_uri or ''
try:
auth_type = kcfg.auth_type
except cfg.NoSuchOptError:
auth_type = None
auth_version = kcfg.auth_version
self.ks_sess = None
if ('v2.0' in auth_uri.split('/') or
auth_version == 'v2.0' or
not auth_type):
body = '{"auth":{"passwordCredentials":{'
body += ' "username": "******",' % (kcfg.admin_user)
body += ' "password": "******"},' % (kcfg.admin_password)
body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name)
self._authn_body = body
self._authn_token = cfg.CONF.keystone_authtoken.admin_token
try:
auth_token_url = cfg.CONF.APISERVER.auth_token_url
except cfg.NoSuchOptError:
auth_token_url = None
if auth_token_url:
self._keystone_url = auth_token_url
else:
self._keystone_url = "%s://%s:%s%s" % (
cfg.CONF.keystone_authtoken.auth_protocol,
cfg.CONF.keystone_authtoken.auth_host,
cfg.CONF.keystone_authtoken.auth_port,
"/v2.0/tokens")
else:
from keystoneauth1 import session
from keystoneauth1 import loading as ks_loading
self.auth_plugin = ks_loading.load_auth_from_conf_options(
cfg.CONF, 'keystone_authtoken')
if self._ksinsecure:
self.ks_sess = session.Session(auth=self.auth_plugin, verify=False)
elif not self._ksinsecure and self._use_ks_certs:
self.ks_sess = session.Session(auth=self.auth_plugin,
verify=self._kscertbundle)
else:
self.ks_sess = session.Session(auth=self.auth_plugin)
#API Server SSL support
self._apiusessl=cfg.CONF.APISERVER.use_ssl
self._apiinsecure=cfg.CONF.APISERVER.insecure
apicertfile=cfg.CONF.APISERVER.certfile
apikeyfile=cfg.CONF.APISERVER.keyfile
apicafile=cfg.CONF.APISERVER.cafile
if self._apiusessl:
self._apiserverconnect=_DEFAULT_SECURE_SERVER_CONNECT
else:
self._apiserverconnect=_DEFAULT_SERVER_CONNECT
self._use_api_certs = False
if self._apiusessl and apicafile:
certs = [apicafile]
if apicertfile and apikeyfile:
certs = [apicertfile, apikeyfile, apicafile]
self._apicertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_API_CERT_BUNDLE,certs)
self._use_api_certs = True
def __init__(self, username=None, password=None, tenant_name=None,
api_server_host=None, api_server_port=None,
api_server_url=None, conf_file=None, user_info=None,
auth_token=None, auth_host=None, auth_port=None,
auth_protocol = None, auth_url=None, auth_type=None,
wait_for_connect=False, api_server_use_ssl=False,
domain_name=None):
# TODO allow for username/password to be present in creds file
self._obj_serializer = self._obj_serializer_diff
for object_type, resource_type in all_resource_type_tuples:
for oper_str in ('_create', '_read', '_update', '_delete',
's_list', '_get_default_id'):
method = getattr(self, '_object%s' %(oper_str))
bound_method = functools.partial(method, resource_type)
functools.update_wrapper(bound_method, method)
if oper_str == '_get_default_id':
setattr(self, 'get_default_%s_id' % (object_type),
bound_method)
else:
setattr(self, '%s%s' %(object_type, oper_str),
bound_method)
cfg_parser = ConfigParser.ConfigParser()
try:
cfg_parser.read(conf_file or
"/etc/contrail/vnc_api_lib.ini")
except Exception as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_CONNECT
# API server SSL Support
use_ssl = api_server_use_ssl
if isinstance(api_server_use_ssl, basestring):
use_ssl = (api_server_use_ssl.lower() == 'true')
if use_ssl:
self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
# keystone
self._authn_type = auth_type or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE',
self._DEFAULT_AUTHN_TYPE)
if self._authn_type == 'keystone':
self._authn_protocol = auth_protocol or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PROTOCOL',
self._DEFAULT_AUTHN_PROTOCOL)
self._authn_server = auth_host or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_SERVER',
self._DEFAULT_AUTHN_SERVER)
self._authn_port = auth_port or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PORT',
self._DEFAULT_AUTHN_PORT)
self._authn_url = auth_url or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_URL',
self._DEFAULT_AUTHN_URL)
self._username = username or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_USER',
self._DEFAULT_AUTHN_USER)
self._password = password or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_PASSWORD',
self._DEFAULT_AUTHN_PASSWORD)
self._tenant_name = tenant_name or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_TENANT',
self._DEFAULT_AUTHN_TENANT)
self._domain_name = domain_name or \
_read_cfg(cfg_parser, 'auth', 'AUTHN_DOMAIN',
self._DEFAULT_DOMAIN_ID)
#contrail-api SSL support
try:
self._apiinsecure = cfg_parser.getboolean('global','insecure')
except (AttributeError,
ConfigParser.NoOptionError,
ConfigParser.NoSectionError):
self._apiinsecure = False
apicertfile=_read_cfg(cfg_parser,'global','certfile','')
apikeyfile=_read_cfg(cfg_parser,'global','keyfile','')
apicafile=_read_cfg(cfg_parser,'global','cafile','')
self._use_api_certs=False
if apicertfile and apikeyfile \
and apicafile and api_server_use_ssl:
certs=[apicertfile, apikeyfile, apicafile]
self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
self._use_api_certs=True
# keystone SSL support
try:
self._ksinsecure = cfg_parser.getboolean('auth', 'insecure')
except (AttributeError,
ConfigParser.NoOptionError,
ConfigParser.NoSectionError):
self._ksinsecure = False
kscertfile=_read_cfg(cfg_parser,'auth','certfile','')
kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','')
kscafile=_read_cfg(cfg_parser,'auth','cafile','')
self._use_ks_certs=False
if kscertfile and kskeyfile and kscafile \
and self._authn_protocol == 'https':
certs=[kscertfile, kskeyfile, kscafile]
self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
self._use_ks_certs=True
if 'v2' in self._authn_url:
self._authn_body = \
'{"auth":{"passwordCredentials":{' + \
'"username": "******",' % (self._username) + \
' "password": "******"},' % (self._password) + \
' "tenantName":"%s"}}' % (self._tenant_name)
else:
self._authn_body = \
'{"auth":{"identity":{' + \
'"methods": ["password"],' + \
' "password":{' + \
' "user":{' + \
' "name": "%s",' % (self._username) + \
' "domain": { "id": "%s" },' % (self._domain_name) + \
' "password": "******"' % (self._password) + \
'}' + \
'}' + \
'},' + \
' "scope":{' + \
' "project":{' + \
' "domain": { "id": "%s" },' % (self._domain_name) + \
' "name": "%s"' % (self._username) + \
'}' + \
'}' + \
'}' + \
'}'
self._user_info = user_info
if not api_server_host:
self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
self._DEFAULT_WEB_SERVER)
else:
self._web_host = api_server_host
if not api_server_port:
self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT',
self._DEFAULT_WEB_PORT)
else:
self._web_port = api_server_port
self._max_pools = int(_read_cfg(
cfg_parser, 'global', 'MAX_POOLS',
self._DEFAULT_MAX_POOLS))
self._max_conns_per_pool = int(_read_cfg(
cfg_parser, 'global', 'MAX_CONNS_PER_POOL',
self._DEFAULT_MAX_CONNS_PER_POOL))
self._curl_logging = False
if _read_cfg(cfg_parser, 'global', 'curl_log', False):
self._curl_logging=True
self._curl_logger=_cfg_curl_logging(_read_cfg(cfg_parser,'global','curl_log',False))
# Where client's view of world begins
if not api_server_url:
self._base_url = _read_cfg(cfg_parser, 'global', 'BASE_URL',
self._DEFAULT_BASE_URL)
else:
self._base_url = api_server_url
# Where server says its root is when _base_url is fetched
self._srv_root_url = None
# Type-independent actions offered by server
self._action_uri = ActionUriDict(self)
self._headers = self._DEFAULT_HEADERS.copy()
self._headers[rest.hdr_client_tenant()] = self._tenant_name
self._auth_token_input = False
self._auth_token = None
if auth_token:
self._auth_token = auth_token
self._auth_token_input = True
self._headers['X-AUTH-TOKEN'] = self._auth_token
# user information for quantum
if self._user_info:
if 'user_id' in self._user_info:
self._headers['X-API-USER-ID'] = self._user_info['user_id']
if 'user' in self._user_info:
self._headers['X-API-USER'] = self._user_info['user']
if 'role' in self._user_info:
self.set_user_roles([self._user_info['role']])
#self._http = HTTPClient(self._web_host, self._web_port,
# network_timeout = 300)
self._create_api_server_session()
retry_count = 6
while retry_count:
try:
homepage = self._request(rest.OP_GET, self._base_url,
retry_on_error=False)
self._parse_homepage(homepage)
except ServiceUnavailableError as e:
logger = logging.getLogger(__name__)
logger.warn("Exception: %s", str(e))
if wait_for_connect:
# Retry connect infinitely when http retcode 503
continue
elif retry_count:
# Retry connect 60 times when http retcode 503
retry_count -= 1
time.sleep(1)
else:
# connected succesfully
break
def fill_keystone_opts(obj, conf_sections):
obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user')
obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password')
obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token')
obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name')
try:
obj._keystone_sync_on_demand = conf_sections.getboolean(
'KEYSTONE', 'keystone_sync_on_demand')
except ConfigParser.NoOptionError:
obj._keystone_sync_on_demand = True
try:
obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure')
except ConfigParser.NoOptionError:
obj._insecure = True
try:
obj._certfile = conf_sections.get('KEYSTONE', 'certfile')
except ConfigParser.NoOptionError:
obj._certfile = ''
try:
obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile')
except ConfigParser.NoOptionError:
obj._keyfile = ''
try:
obj._cafile = conf_sections.get('KEYSTONE', 'cafile')
except ConfigParser.NoOptionError:
obj._cafile = ''
obj._kscertbundle = ''
obj._use_certs = False
if obj._cafile:
certs = [obj._cafile]
if obj._keyfile and obj._certfile:
certs = [obj._certfile, obj._keyfile, obj._cafile]
obj._kscertbundle = cfgmutils.getCertKeyCaBundle(
_DEFAULT_KS_CERT_BUNDLE, certs)
obj._use_certs = True
try:
obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')
except ConfigParser.NoOptionError:
# deprecated knobs - for backward compat
obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol')
obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host')
obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port')
obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host,
obj._auth_port)
try:
obj._err_file = conf_sections.get('DEFAULTS', 'trace_file')
except ConfigParser.NoOptionError:
obj._err_file = '/var/log/contrail/vnc_openstack.err'
try:
# Duration between polls to keystone to find deleted projects
resync_interval = conf_sections.get('DEFAULTS',
'keystone_resync_interval_secs')
except ConfigParser.NoOptionError:
resync_interval = '60'
obj._resync_interval_secs = float(resync_interval)
try:
# Number of workers used to process keystone project resyncing
resync_workers = conf_sections.get('DEFAULTS',
'keystone_resync_workers')
except ConfigParser.NoOptionError:
resync_workers = '10'
obj._resync_number_workers = int(resync_workers)
try:
# If new project with same name as an orphan project
# (gone in keystone, present in # contrail with resources within)
# is encountered,
# a. proceed with unique ified name (new_unique_fqn)
# b. refuse to sync (new_fail)
# c. cascade delete (TODO)
resync_mode = conf_sections.get('DEFAULTS',
'keystone_resync_stale_mode')
except ConfigParser.NoOptionError:
resync_mode = 'new_unique_fqn'
obj._resync_stale_mode = resync_mode
try:
# Get the domain_id for keystone v3
obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id')
except ConfigParser.NoOptionError:
obj._domain_id = 'default'
try:
# Get the user_domain_name for keystone v3
obj._user_domain_name = conf_sections.get('KEYSTONE',
'admin_user_domain_name')
except ConfigParser.NoOptionError:
obj._user_domain_name = 'Default'
try:
# Get the project_domain_name for keystone v3
obj._project_domain_name = conf_sections.get('KEYSTONE',
'project_domain_name')
except ConfigParser.NoOptionError:
obj._project_domain_name = 'Default'
try:
# Get the project_name for keystone v3
obj._project_name = conf_sections.get('KEYSTONE', 'project_name')
except ConfigParser.NoOptionError:
obj._project_name = obj._admin_tenant
try:
# Get the endpoint_type
obj._endpoint_type = conf_sections.get('KEYSTONE', 'endpoint_type')
except ConfigParser.NoOptionError:
obj._endpoint_type = None
def configure_test_env(contrail_fab_path='/opt/contrail/utils', test_dir='/contrail-test'):
"""
Configure test environment by creating sanity_params.ini and sanity_testbed.json files
"""
print "Configuring test environment"
sys.path.insert(0, contrail_fab_path)
from fabfile.config import testbed
from fabfile.utils.host import get_openstack_internal_vip, \
get_control_host_string, get_authserver_ip, get_admin_tenant_name, \
get_authserver_port, get_env_passwords, get_authserver_credentials, \
get_vcenter_ip, get_vcenter_port, get_vcenter_username, \
get_vcenter_password, get_vcenter_datacenter, get_vcenter_compute, \
get_authserver_protocol, get_region_name, get_contrail_internal_vip, \
get_openstack_external_vip, get_contrail_external_vip, \
get_apiserver_protocol, get_apiserver_certfile, get_apiserver_keyfile, \
get_apiserver_cafile, get_keystone_insecure_flag, \
get_apiserver_insecure_flag, get_keystone_certfile, get_keystone_keyfile, \
get_keystone_cafile, get_keystone_version
from fabfile.utils.multitenancy import get_mt_enable
from fabfile.utils.interface import get_data_ip
from fabfile.tasks.install import update_config_option, update_js_config
from fabfile.utils.fabos import get_as_sudo
logger = contrail_logging.getLogger(__name__)
def validate_and_copy_file(filename, source_host):
with settings(host_string='%s' %(source_host),
warn_only=True, abort_on_prompts=False):
if exists(filename):
filedir = os.path.dirname(filename)
if not os.path.exists(filedir):
os.makedirs(filedir)
get_as_sudo(filename, filename)
return filename
return ""
cfgm_host = env.roledefs['cfgm'][0]
auth_protocol = get_authserver_protocol()
try:
auth_server_ip = get_authserver_ip()
except Exception:
auth_server_ip = None
auth_server_port = get_authserver_port()
api_auth_protocol = get_apiserver_protocol()
if api_auth_protocol == 'https':
api_certfile = validate_and_copy_file(get_apiserver_certfile(), cfgm_host)
api_keyfile = validate_and_copy_file(get_apiserver_keyfile(), cfgm_host)
api_cafile = validate_and_copy_file(get_apiserver_cafile(), cfgm_host)
api_insecure_flag = get_apiserver_insecure_flag()
else:
api_certfile = ""
api_keyfile = ""
api_cafile = ""
api_insecure_flag = True
cert_dir = os.path.dirname(api_certfile)
if auth_protocol == 'https':
keystone_cafile = validate_and_copy_file(cert_dir + '/' +\
os.path.basename(get_keystone_cafile()), cfgm_host)
keystone_certfile = validate_and_copy_file(cert_dir + '/' +\
os.path.basename(get_keystone_certfile()), cfgm_host)
keystone_keyfile = keystone_certfile
keystone_insecure_flag = istrue(os.getenv('OS_INSECURE', \
get_keystone_insecure_flag()))
else:
keystone_certfile = ""
keystone_keyfile = ""
keystone_cafile = ""
keystone_insecure_flag = True
with settings(warn_only=True), hide('everything'):
with lcd(contrail_fab_path):
if local('git branch').succeeded:
fab_revision = local('git log --format="%H" -n 1', capture=True)
else:
with settings(host_string=cfgm_host), hide('everything'):
fab_revision = run('cat /opt/contrail/contrail_packages/VERSION')
with lcd(test_dir):
if local('git branch').succeeded:
revision = local('git log --format="%H" -n 1', capture=True)
else:
with settings(host_string=cfgm_host), hide('everything'):
revision = run('cat /opt/contrail/contrail_packages/VERSION')
sanity_testbed_dict = {
'hosts': [],
'vgw': [],
'esxi_vms':[],
'vcenter_servers':[],
'hosts_ipmi': [],
'tor':[],
'sriov':[],
'dpdk':[],
'ns_agilio_vrouter':[],
}
sample_ini_file = test_dir + '/' + 'sanity_params.ini.sample'
with open(sample_ini_file, 'r') as fd_sample_ini:
contents_sample_ini = fd_sample_ini.read()
sanity_ini_templ = string.Template(contents_sample_ini)
if not getattr(env, 'test', None):
env.test={}
containers = env.test.get('containers')
traffic_data = env.test.get('traffic_data')
ixia_linux_host_ip = get_value_of_key(traffic_data, 'ixia_linux_host_ip')
ixia_host_ip = get_value_of_key(traffic_data, 'ixia_host_ip')
spirent_linux_host_ip = get_value_of_key(traffic_data, 'spirent_linux_host_ip')
ixia_linux_username = get_value_of_key(traffic_data, 'ixia_linux_username')
ixia_linux_password = get_value_of_key(traffic_data, 'ixia_linux_password')
spirent_linux_username = get_value_of_key(traffic_data, 'spirent_linux_username')
spirent_linux_password = get_value_of_key(traffic_data, 'spirent_linux_password')
if env.get('orchestrator', 'openstack') == 'openstack':
with settings(host_string = env.roledefs['openstack'][0]), hide('everything'):
openstack_host_name = run("hostname")
with settings(host_string = env.roledefs['cfgm'][0]), hide('everything'):
cfgm_host_name = run("hostname")
control_host_names = []
for control_host in env.roledefs['control']:
with settings(host_string = control_host), hide('everything'):
host_name = run("hostname")
control_host_names.append(host_name)
cassandra_host_names = []
if 'database' in env.roledefs.keys():
for cassandra_host in env.roledefs['database']:
with settings(host_string = cassandra_host), hide('everything'):
host_name = run("hostname")
cassandra_host_names.append(host_name)
keystone_version = get_keystone_version()
internal_vip = get_openstack_internal_vip()
external_vip = get_openstack_external_vip()
contrail_internal_vip = get_contrail_internal_vip()
contrail_external_vip = get_contrail_external_vip()
multi_role_test = False
for host_string in env.roledefs['all']:
if host_string in env.roledefs.get('test',[]):
for role in env.roledefs.iterkeys():
if role in ['test','all']:
continue
if host_string in env.roledefs.get(role,[]):
multi_role_test=True
break
if not multi_role_test:
continue
host_ip = host_string.split('@')[1]
with settings(host_string = host_string), hide('everything'):
try:
host_name = run("hostname")
host_fqname = run("hostname -f")
except:
logger.warn('Unable to login to %s'%host_ip)
continue
host_dict = {}
host_dict['ip'] = host_ip
host_dict['data-ip']= get_data_ip(host_string)[0]
if host_dict['data-ip'] == host_string.split('@')[1]:
host_dict['data-ip'] = get_data_ip(host_string)[0]
host_dict['control-ip']= get_control_host_string(host_string).split('@')[1]
host_dict['name'] = host_name
host_dict['fqname'] = host_fqname
host_dict['username'] = host_string.split('@')[0]
host_dict['password'] =get_env_passwords(host_string)
host_dict['roles'] = []
if env.get('qos', {}):
if host_string in env.qos.keys():
role_dict = env.qos[host_string]
host_dict['qos'] = role_dict
if env.get('qos_niantic', {}):
if host_string in env.qos_niantic.keys():
role_dict = env.qos_niantic[host_string]
host_dict['qos_niantic'] = role_dict
if host_string in env.roledefs['openstack']:
role_dict = {'type': 'openstack', 'params': {'cfgm': cfgm_host_name}}
role_dict['container'] = get_container_name(containers, host_string, 'openstack')
host_dict['roles'].append(role_dict)
if host_string in env.roledefs['cfgm']:
role_dict = {'type': 'cfgm', 'params': {'collector': host_name, 'cassandra': ' '.join(cassandra_host_names)}}
role_dict['container'] = get_container_name(containers, host_string, 'controller')
if env.get('orchestrator', 'openstack') == 'openstack':
role_dict['openstack'] = openstack_host_name
host_dict['roles'].append(role_dict)
if host_string in env.roledefs['control']:
role_dict = {'type': 'bgp', 'params': {'collector': cfgm_host_name, 'cfgm': cfgm_host_name}}
role_dict['container'] = get_container_name(containers, host_string, 'controller')
host_dict['roles'].append(role_dict)
if 'database' in env.roledefs.keys() and host_string in env.roledefs['database']:
role_dict = { 'type': 'database', 'params': {'cassandra': ' '.join(cassandra_host_names)} }
role_dict['container'] = get_container_name(containers, host_string, 'analyticsdb')
host_dict['roles'].append(role_dict)
if not env.roledefs.get('compute'):
env.roledefs['compute'] = []
if host_string in env.roledefs['compute']:
role_dict = {'type': 'compute', 'params': {'collector': cfgm_host_name, 'cfgm': cfgm_host_name}}
role_dict['container'] = get_container_name(containers, host_string, 'agent')
role_dict['params']['bgp'] = []
if len(env.roledefs['control']) == 1:
role_dict['params']['bgp'] = control_host_names
else:
for control_node in control_host_names:
role_dict['params']['bgp'].append(control_node)
# role_dict['params']['bgp'].extend(control_host_names[randrange(len(env.roledefs['control']))])
host_dict['roles'].append(role_dict)
if host_string in env.roledefs.get('lb',[]):
role_dict = {'type': 'lb', 'params': {'lb': host_name}}
role_dict['container'] = get_container_name(containers, host_string, 'lb')
host_dict['roles'].append(role_dict)
if 'collector' in env.roledefs.keys() and host_string in env.roledefs['collector']:
role_dict = { 'type': 'collector', 'params': {'cassandra': ' '.join(cassandra_host_names)} }
role_dict['container'] = get_container_name(containers, host_string, 'analytics')
host_dict['roles'].append(role_dict)
if 'webui' in env.roledefs.keys() and host_string in env.roledefs['webui']:
role_dict = { 'type': 'webui', 'params': {'cfgm': cfgm_host_name} }
role_dict['container'] = get_container_name(containers, host_string, 'controller')
host_dict['roles'].append(role_dict)
# Kube managers
if 'contrail-kubernetes' in env.roledefs.keys() and \
host_string in env.roledefs['contrail-kubernetes']:
role_dict = { 'type': 'contrail-kubernetes', 'params': {} }
role_dict['container'] = get_container_name(containers,
host_string, 'contrail-kube-manager')
host_dict['roles'].append(role_dict)
sanity_testbed_dict['hosts'].append(host_dict)
if env.has_key('vgw'): sanity_testbed_dict['vgw'].append(env.vgw)
#get sriov info
if env.has_key('sriov'):
sanity_testbed_dict['sriov'].append(env.sriov)
#get dpdk info
if env.has_key('dpdk'):
sanity_testbed_dict['dpdk'].append(env.dpdk)
#get k8s info
sanity_testbed_dict['kubernetes'] = env.get('kubernetes', {})
#get ns_agilio_vrouter info
if env.has_key('ns_agilio_vrouter'):
sanity_testbed_dict['ns_agilio_vrouter'].append(env.ns_agilio_vrouter)
# Read ToR config
sanity_tor_dict = {}
if env.has_key('tor_agent'):
sanity_testbed_dict['tor_agent'] = env.tor_agent
# Read any tor-host config
if env.has_key('tor_hosts'):
sanity_testbed_dict['tor_hosts'] = env.tor_hosts
if env.has_key('xmpp_auth_enable'):
sanity_testbed_dict['xmpp_auth_enable'] = env.xmpp_auth_enable
if env.has_key('xmpp_dns_auth_enable'):
sanity_testbed_dict['xmpp_dns_auth_enable'] = env.xmpp_dns_auth_enable
if env.has_key('metadata_ssl_enable'):
sanity_testbed_dict['metadata_ssl_enable'] = env.metadata_ssl_enable
if env.has_key('dm_mx'):
sanity_testbed_dict['dm_mx'] = env.dm_mx
# Read any MX config (as physical_router )
if env.has_key('physical_routers'):
sanity_testbed_dict['physical_routers'] = env.physical_routers
esxi_hosts = getattr(testbed, 'esxi_hosts', None)
if esxi_hosts:
for esxi in esxi_hosts:
host_dict = {}
host_dict['ip'] = esxi_hosts[esxi]['ip']
host_dict['data-ip'] = host_dict['ip']
host_dict['control-ip'] = host_dict['ip']
host_dict['name'] = esxi
host_dict['username'] = esxi_hosts[esxi]['username']
host_dict['password'] = esxi_hosts[esxi]['password']
#Its used for vcenter only mode provosioning for contrail-vm
#Its not needed for vcenter_gateway mode, hence might not be there in testbed.py
if 'contrail_vm' in esxi_hosts[esxi]:
host_dict['contrail_vm'] = esxi_hosts[esxi]['contrail_vm']['host']
host_dict['roles'] = []
host_dict['type'] = 'esxi'
sanity_testbed_dict['hosts'].append(host_dict)
sanity_testbed_dict['esxi_vms'].append(host_dict)
vcenter_servers = env.get('vcenter_servers')
if vcenter_servers:
for vcenter in vcenter_servers:
sanity_testbed_dict['vcenter_servers'].append(vcenter_servers[vcenter])
orch = getattr(env, 'orchestrator', 'openstack')
deployer = getattr(env, 'deployer', 'openstack')
#get other orchestrators (vcenter etc) info if any
slave_orch = None
if env.has_key('other_orchestrators'):
sanity_testbed_dict['other_orchestrators'] = env.other_orchestrators
for k,v in env.other_orchestrators.items():
if v['type'] == 'vcenter':
slave_orch = 'vcenter'
# get host ipmi list
if env.has_key('hosts_ipmi'):
sanity_testbed_dict['hosts_ipmi'].append(env.hosts_ipmi)
# Setting slave orch to k8s when key present
if env.has_key('kubernetes'):
if sanity_testbed_dict['kubernetes']['mode'] == 'nested':
slave_orch = 'kubernetes'
# generate json file and copy to cfgm
sanity_testbed_json = json.dumps(sanity_testbed_dict)
stack_user = os.getenv('STACK_USER', env.get('stack_user', env.test.get('stack_user', '')))
stack_password = os.getenv('STACK_PASSWORD',
env.test.get('stack_password',''))
stack_tenant = os.getenv('STACK_TENANT', env.get('stack_tenant',
env.test.get('stack_tenant', '')))
stack_domain = os.getenv('STACK_DOMAIN',
env.get('stack_domain', env.test.get('stack_domain', '')))
use_project_scoped_token = env.test.get('use_project_scoped_token', '')
if not env.has_key('domain_isolation'):
env.domain_isolation = False
if not env.has_key('cloud_admin_domain'):
env.cloud_admin_domain = 'Default'
if not env.has_key('cloud_admin_user'):
env.cloud_admin_user = '******'
if not env.has_key('cloud_admin_password'):
env.cloud_admin_password = env.get('openstack_admin_password')
domain_isolation = os.getenv('DOMAIN_ISOLATION',
env.test.get('domain_isolation', env.domain_isolation))
cloud_admin_domain = os.getenv('CLOUD_ADMIN_DOMAIN',
env.test.get('cloud_admin_domain', env.cloud_admin_domain))
cloud_admin_user = os.getenv('CLOUD_ADMIN_USER',
env.test.get('cloud_admin_user', env.cloud_admin_user))
cloud_admin_password = os.getenv('CLOUD_ADMIN_PASSWORD',
env.test.get('cloud_admin_password', env.cloud_admin_password))
tenant_isolation = os.getenv('TENANT_ISOLATION',
env.test.get('tenant_isolation', ''))
stop_on_fail = env.get('stop_on_fail', False)
mail_to = os.getenv('MAIL_TO', env.test.get('mail_to', ''))
log_scenario = env.get('log_scenario', 'Sanity')
stack_region_name = get_region_name()
admin_user, admin_password = get_authserver_credentials()
if orch == 'kubernetes':
admin_tenant = 'default'
else:
admin_tenant = get_admin_tenant_name()
# Few hardcoded variables for sanity environment
# can be removed once we move to python3 and configparser
webserver_host = os.getenv('WEBSERVER_HOST',
env.test.get('webserver_host',''))
webserver_user = os.getenv('WEBSERVER_USER',
env.test.get('webserver_user', ''))
webserver_password = os.getenv('WEBSERVER_PASSWORD',
env.test.get('webserver_password', ''))
webserver_log_path = os.getenv('WEBSERVER_LOG_PATH',
env.test.get('webserver_log_path', '/var/www/contrail-test-ci/logs/'))
webserver_report_path = os.getenv('WEBSERVER_REPORT_PATH',
env.test.get('webserver_report_path', '/var/www/contrail-test-ci/reports/'))
webroot = os.getenv('WEBROOT', env.test.get('webroot', 'contrail-test-ci'))
mail_server = os.getenv('MAIL_SERVER', env.test.get('mail_server', ''))
mail_port = os.getenv('MAIL_PORT', env.test.get('mail_port', '25'))
fip_pool_name = os.getenv('FIP_POOL_NAME',
env.test.get('fip_pool_name', 'floating-ip-pool'))
public_virtual_network = os.getenv('PUBLIC_VIRTUAL_NETWORK',
env.test.get('public_virtual_network', 'public'))
public_tenant_name = os.getenv('PUBLIC_TENANT_NAME',
env.test.get('public_tenant_name', 'admin'))
fixture_cleanup = os.getenv('FIXTURE_CLEANUP',
env.test.get('fixture_cleanup', 'yes'))
generate_html_report = os.getenv('GENERATE_HTML_REPORT',
env.test.get('generate_html_report', 'True'))
keypair_name = os.getenv('KEYPAIR_NAME',
env.test.get('keypair_name', 'contrail_key'))
mail_sender = os.getenv('MAIL_SENDER', env.test.get('mail_sender', '*****@*****.**'))
discovery_ip = os.getenv('DISCOVERY_IP', env.test.get('discovery_ip', ''))
config_api_ip = os.getenv('CONFIG_API_IP', env.test.get('config_api_ip', ''))
analytics_api_ip = os.getenv('ANALYTICS_API_IP',
env.test.get('analytics_api_ip', ''))
discovery_port = os.getenv('DISCOVERY_PORT',
env.test.get('discovery_port', ''))
config_api_port = os.getenv('CONFIG_API_PORT',
env.test.get('config_api_port', ''))
analytics_api_port = os.getenv('ANALYTICS_API_PORT',
env.test.get('analytics_api_port', ''))
control_port = os.getenv('CONTROL_PORT', env.test.get('control_port', ''))
dns_port = os.getenv('DNS_PORT', env.test.get('dns_port', ''))
agent_port = os.getenv('AGENT_PORT', env.test.get('agent_port', ''))
user_isolation = os.getenv('USER_ISOLATION',
env.test.get('user_isolation', False if stack_user else True))
neutron_username = os.getenv('NEUTRON_USERNAME',
env.test.get('neutron_username', None))
availability_zone = os.getenv('AVAILABILITY_ZONE',
env.test.get('availability_zone', None))
ci_flavor = os.getenv('CI_FLAVOR', env.test.get('ci_flavor', None))
kube_config_file = env.test.get('kube_config_file',
'/etc/kubernetes/admin.conf')
openshift_src_config_file = env.test.get('openshift_src_config_file',
'/root/.kube/config')
use_devicemanager_for_md5 = getattr(testbed, 'use_devicemanager_for_md5', False)
router_asn = getattr(testbed, 'router_asn', '')
public_vn_rtgt = getattr(testbed, 'public_vn_rtgt', '')
public_vn_subnet = getattr(testbed, 'public_vn_subnet', '')
ext_routers = getattr(testbed, 'ext_routers', '')
router_info = str(ext_routers)
fabric_gw = getattr(testbed, 'fabric_gw', '')
fabric_gw_info = str(fabric_gw)
test_verify_on_setup = getattr(env, 'test_verify_on_setup', True)
webui = getattr(testbed, 'webui', False)
horizon = getattr(testbed, 'horizon', False)
ui_config = getattr(testbed, 'ui_config', False)
ui_browser = getattr(testbed, 'ui_browser', False)
if not env.has_key('openstack'):
env.openstack = {}
if not env.has_key('cfgm'):
env.cfgm = {}
config_amqp_ip = env.openstack.get('amqp_host', '')
if config_amqp_ip:
config_amqp_ips = [config_amqp_ip]
else:
config_amqp_ips = []
# If amqp details are in env.cfgm as well, use that
config_amqp_port = env.cfgm.get('amqp_port', '5672')
config_amqp_ips = env.cfgm.get('amqp_hosts', config_amqp_ips)
key_filename = env.get('key_filename', '')
pubkey_filename = env.get('pubkey_filename', '')
vcenter_dc = ''
if orch == 'vcenter' or slave_orch== 'vcenter':
public_tenant_name='vCenter'
if env.has_key('vcenter_servers'):
if env.vcenter_servers:
for vc in env.vcenter_servers:
for dc in env.vcenter_servers[vc]['datacenters']:
vcenter_dc = dc
#global controller
gc_host_mgmt = getattr(testbed, 'gc_host_mgmt', '')
gc_host_control_data = getattr(testbed, 'gc_host_control_data', '')
gc_user_name = getattr(testbed, 'gc_user_name', '')
gc_user_pwd = getattr(testbed, 'gc_user_pwd', '')
keystone_password = getattr(testbed, 'keystone_password', '')
sanity_params = sanity_ini_templ.safe_substitute(
{'__testbed_json_file__' : 'sanity_testbed.json',
'__keystone_version__' : keystone_version,
'__use_project_scoped_token__': use_project_scoped_token,
'__nova_keypair_name__' : keypair_name,
'__orch__' : orch,
'__deployer__' : deployer,
'__admin_user__' : admin_user,
'__admin_password__' : admin_password,
'__admin_tenant__' : admin_tenant,
'__domain_isolation__' : domain_isolation,
'__cloud_admin_domain__' : cloud_admin_domain,
'__cloud_admin_user__' : cloud_admin_user,
'__cloud_admin_password__': cloud_admin_password,
'__tenant_isolation__' : tenant_isolation,
'__stack_user__' : stack_user,
'__stack_password__' : stack_password,
'__auth_ip__' : auth_server_ip,
'__auth_port__' : auth_server_port,
'__auth_protocol__' : auth_protocol,
'__stack_region_name__' : stack_region_name,
'__stack_tenant__' : stack_tenant,
'__stack_domain__' : stack_domain,
'__multi_tenancy__' : get_mt_enable(),
'__address_family__' : get_address_family(),
'__log_scenario__' : log_scenario,
'__generate_html_report__': generate_html_report,
'__fixture_cleanup__' : fixture_cleanup,
'__key_filename__' : key_filename,
'__pubkey_filename__' : pubkey_filename,
'__webserver__' : webserver_host,
'__webserver_user__' : webserver_user,
'__webserver_password__' : webserver_password,
'__webserver_log_dir__' : webserver_log_path,
'__webserver_report_dir__': webserver_report_path,
'__webroot__' : webroot,
'__mail_server__' : mail_server,
'__mail_port__' : mail_port,
'__sender_mail_id__' : mail_sender,
'__receiver_mail_id__' : mail_to,
'__http_proxy__' : env.get('http_proxy', ''),
'__ui_browser__' : ui_browser,
'__ui_config__' : ui_config,
'__horizon__' : horizon,
'__webui__' : webui,
'__devstack__' : False,
'__public_vn_rtgt__' : public_vn_rtgt,
'__router_asn__' : router_asn,
'__router_name_ip_tuples__': router_info,
'__fabric_gw_name_ip_tuple__': fabric_gw_info,
'__public_vn_name__' : fip_pool_name,
'__public_virtual_network__':public_virtual_network,
'__public_tenant_name__' :public_tenant_name,
'__public_vn_subnet__' : public_vn_subnet,
'__test_revision__' : revision,
'__fab_revision__' : fab_revision,
'__test_verify_on_setup__': test_verify_on_setup,
'__stop_on_fail__' : stop_on_fail,
'__ha_setup__' : getattr(testbed, 'ha_setup', ''),
'__ipmi_username__' : getattr(testbed, 'ipmi_username', ''),
'__ipmi_password__' : getattr(testbed, 'ipmi_password', ''),
'__contrail_internal_vip__' : contrail_internal_vip,
'__contrail_external_vip__' : contrail_external_vip,
'__internal_vip__' : internal_vip,
'__external_vip__' : external_vip,
'__vcenter_dc__' : vcenter_dc,
'__vcenter_server__' : get_vcenter_ip(),
'__vcenter_port__' : get_vcenter_port(),
'__vcenter_username__' : get_vcenter_username(),
'__vcenter_password__' : get_vcenter_password(),
'__vcenter_datacenter__' : get_vcenter_datacenter(),
'__vcenter_compute__' : get_vcenter_compute(),
'__use_devicemanager_for_md5__' : use_devicemanager_for_md5,
'__discovery_port__' : discovery_port,
'__config_api_port__' : config_api_port,
'__analytics_api_port__' : analytics_api_port,
'__control_port__' : control_port,
'__dns_port__' : dns_port,
'__vrouter_agent_port__' : agent_port,
'__discovery_ip__' : discovery_ip,
'__config_api_ip__' : config_api_ip,
'__analytics_api_ip__' : analytics_api_ip,
'__user_isolation__' : user_isolation,
'__neutron_username__' : neutron_username,
'__availability_zone__' : availability_zone,
'__ci_flavor__' : ci_flavor,
'__config_amqp_ips__' : ','.join(config_amqp_ips),
'__config_amqp_port__' : config_amqp_port,
'__api_auth_protocol__' : api_auth_protocol,
'__api_certfile__' : api_certfile,
'__api_keyfile__' : api_keyfile,
'__api_cafile__' : api_cafile,
'__api_insecure_flag__' : api_insecure_flag,
'__keystone_certfile__' : keystone_certfile,
'__keystone_keyfile__' : keystone_keyfile,
'__keystone_cafile__' : keystone_cafile,
'__keystone_insecure_flag__': keystone_insecure_flag,
'__gc_host_mgmt__' : gc_host_mgmt,
'__gc_host_control_data__': gc_host_control_data,
'__gc_user_name__' : gc_user_name,
'__gc_user_pwd__' : gc_user_pwd,
'__keystone_password__' : keystone_password,
'__slave_orch__' : slave_orch,
'__ixia_linux_host_ip__' : ixia_linux_host_ip,
'__ixia_host_ip__' : ixia_host_ip,
'__spirent_linux_host_ip__': spirent_linux_host_ip,
'__ixia_linux_username__' : ixia_linux_username,
'__ixia_linux_password__' : ixia_linux_password,
'__spirent_linux_username__': spirent_linux_username,
'__spirent_linux_password__': spirent_linux_password,
})
ini_file = test_dir + '/' + 'sanity_params.ini'
testbed_json_file = test_dir + '/' + 'sanity_testbed.json'
with open(ini_file, 'w') as ini:
ini.write(sanity_params)
with open(testbed_json_file,'w') as tb:
tb.write(sanity_testbed_json)
# Create /etc/contrail/openstackrc
if not os.path.exists('/etc/contrail'):
os.makedirs('/etc/contrail')
keycertbundle = None
if keystone_cafile and keystone_keyfile and keystone_certfile:
bundle = '/tmp/keystonecertbundle.pem'
certs = [keystone_certfile, keystone_keyfile, keystone_cafile]
keycertbundle = utils.getCertKeyCaBundle(bundle, certs)
with open('/etc/contrail/openstackrc','w') as rc:
rc.write("export OS_USERNAME=%s\n" % admin_user)
rc.write("export OS_PASSWORD=%s\n" % admin_password)
rc.write("export OS_TENANT_NAME=%s\n" % admin_tenant)
rc.write("export OS_REGION_NAME=%s\n" % stack_region_name)
rc.write("export OS_AUTH_URL=%s://%s:%s/v2.0\n" % (auth_protocol,
auth_server_ip,
auth_server_port))
rc.write("export OS_CACERT=%s\n" % keycertbundle)
rc.write("export OS_CERT=%s\n" % keystone_certfile)
rc.write("export OS_KEY=%s\n" % keystone_keyfile)
rc.write("export OS_INSECURE=%s\n" % keystone_insecure_flag)
rc.write("export OS_NO_CACHE=1\n")
# Write vnc_api_lib.ini - this is required for vnc_api to connect to keystone
config = ConfigParser.ConfigParser()
config.optionxform = str
vnc_api_ini = '/etc/contrail/vnc_api_lib.ini'
if os.path.exists(vnc_api_ini):
config.read(vnc_api_ini)
if 'auth' not in config.sections():
config.add_section('auth')
config.set('auth','AUTHN_TYPE', 'keystone')
config.set('auth','AUTHN_PROTOCOL', auth_protocol)
config.set('auth','AUTHN_SERVER', auth_server_ip)
config.set('auth','AUTHN_PORT', auth_server_port)
if keystone_version == 'v3':
config.set('auth','AUTHN_URL', '/v3/auth/tokens')
else:
config.set('auth','AUTHN_URL', '/v2.0/tokens')
if api_auth_protocol == 'https':
if 'global' not in config.sections():
config.add_section('global')
config.set('global','certfile', api_certfile)
config.set('global','cafile', api_cafile)
config.set('global','keyfile', api_keyfile)
config.set('global','insecure',api_insecure_flag)
if auth_protocol == 'https':
if 'auth' not in config.sections():
config.add_section('auth')
config.set('auth','certfile', keystone_certfile)
config.set('auth','cafile', keystone_cafile)
config.set('auth','keyfile', keystone_keyfile)
config.set('auth','insecure', keystone_insecure_flag)
with open(vnc_api_ini,'w') as f:
config.write(f)
# Get kube config file to the testrunner node
if orch == 'kubernetes' or slave_orch == 'kubernetes':
if not os.path.exists(kube_config_file):
dir_name = os.path.dirname(kube_config_file)
if not os.path.exists(dir_name):
os.makedirs(dir_name)
with settings(host_string = env.kubernetes['master']):
if deployer == 'openshift' :
get(openshift_src_config_file, kube_config_file)
else:
get(kube_config_file, kube_config_file)
# If webui = True, in testbed, setup webui for sanity
if webui:
sku = get_build_sku(cfgm_host)
update_config_option('openstack', '/etc/keystone/keystone.conf',
'token', 'expiration',
'86400','keystone', sku)
update_js_config('webui', '/etc/contrail/config.global.js',
'contrail-webui', container=is_container_env)
def __init__(self, server_mgr, args):
self.args = args
_kscertbundle=''
if args.auth_protocol == 'https' and args.cafile:
certs=[args.cafile]
if args.keyfile and args.certfile:
certs=[args.certfile, args.keyfile, args.cafile]
_kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
self._conf_info = {
'admin_port': args.admin_port,
'max_requests': args.max_requests,
'region_name': args.region_name,
'insecure': args.insecure,
'signing_dir': args.signing_dir,
}
if args.auth_url:
auth_url = args.auth_url
else:
auth_url = '%s://%s:%s/%s' % (
args.auth_protocol, args.auth_host, args.auth_port,
_DEFAULT_KS_VERSION)
if 'v2.0' in auth_url.split('/'):
identity_uri = '%s://%s:%s' % (
args.auth_protocol, args.auth_host, args.auth_port)
self._conf_info.update({
'auth_host': args.auth_host,
'auth_port': args.auth_port,
'auth_protocol': args.auth_protocol,
'admin_user': args.admin_user,
'admin_password': args.admin_password,
'admin_tenant_name': args.admin_tenant_name,
'identity_uri': identity_uri})
else:
self._conf_info.update({
'auth_type': args.auth_type,
'auth_url': auth_url,
'username': args.admin_user,
'password': args.admin_password,
})
# Add user domain info
self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args))
# Get project scope auth params
scope_kwargs = cfgmutils.get_project_scope_kwargs(args)
if not scope_kwargs:
# Default to domain scoped auth
scope_kwargs = cfgmutils.get_domain_scope_kwargs(args)
self._conf_info.update(**scope_kwargs)
if _kscertbundle:
self._conf_info['cafile'] = _kscertbundle
self._server_mgr = server_mgr
self._auth_method = args.auth
self._auth_middleware = None
self._mt_rbac = server_mgr.is_rbac_enabled()
self._auth_needed = server_mgr.is_auth_needed()
if not self._auth_method:
return
if self._auth_method != 'keystone':
raise UnknownAuthMethod()
# map keystone id to users. Needed for quantum plugin because contrail
# plugin doesn't have access to user token and ends up sending admin
# admin token along with user-id and role
self._ks_users = {}
# configure memcache if enabled
if self._auth_needed and 'memcache_servers' in args:
self._conf_info[
'memcached_servers'] = args.memcache_servers.split(',')
if 'token_cache_time' in args:
self._conf_info['token_cache_time'] = args.token_cache_time
self._user_auth_middleware = None
self._hdr_from_token_auth_middleware = None
def fill_keystone_opts(obj, conf_sections):
obj._auth_user = conf_sections.get('KEYSTONE', 'admin_user')
obj._auth_passwd = conf_sections.get('KEYSTONE', 'admin_password')
obj._admin_token = conf_sections.get('KEYSTONE', 'admin_token')
obj._admin_tenant = conf_sections.get('KEYSTONE', 'admin_tenant_name')
try:
obj._keystone_sync_on_demand = conf_sections.getboolean('KEYSTONE',
'keystone_sync_on_demand')
except ConfigParser.NoOptionError:
obj._keystone_sync_on_demand = True
try:
obj._insecure = conf_sections.getboolean('KEYSTONE', 'insecure')
except ConfigParser.NoOptionError:
obj._insecure = True
try:
obj._certfile = conf_sections.get('KEYSTONE', 'certfile')
except ConfigParser.NoOptionError:
obj._certfile = ''
try:
obj._keyfile = conf_sections.get('KEYSTONE', 'keyfile')
except ConfigParser.NoOptionError:
obj._keyfile = ''
try:
obj._cafile= conf_sections.get('KEYSTONE', 'cafile')
except ConfigParser.NoOptionError:
obj._cafile = ''
obj._kscertbundle=''
obj._use_certs=False
if obj._certfile and obj._keyfile and obj._cafile:
certs=[obj._certfile,obj._keyfile,obj._cafile]
obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
obj._use_certs=True
try:
obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')
except ConfigParser.NoOptionError:
# deprecated knobs - for backward compat
obj._auth_proto = conf_sections.get('KEYSTONE', 'auth_protocol')
obj._auth_host = conf_sections.get('KEYSTONE', 'auth_host')
obj._auth_port = conf_sections.get('KEYSTONE', 'auth_port')
obj._auth_url = "%s://%s:%s/v2.0" % (obj._auth_proto, obj._auth_host,
obj._auth_port)
try:
obj._err_file = conf_sections.get('DEFAULTS', 'trace_file')
except ConfigParser.NoOptionError:
obj._err_file = '/var/log/contrail/vnc_openstack.err'
try:
# Duration between polls to keystone to find deleted projects
resync_interval = conf_sections.get('DEFAULTS',
'keystone_resync_interval_secs')
except ConfigParser.NoOptionError:
resync_interval = '60'
obj._resync_interval_secs = int(resync_interval)
try:
# Number of workers used to process keystone project resyncing
resync_workers = conf_sections.get('DEFAULTS',
'keystone_resync_workers')
except ConfigParser.NoOptionError:
resync_workers = '10'
obj._resync_number_workers = int(resync_workers)
try:
# Get the domain_id for keystone v3
obj._domain_id = conf_sections.get('KEYSTONE', 'admin_domain_id')
except ConfigParser.NoOptionError:
obj._domain_id = 'default'
try:
# Get the user_domain_name for keystone v3
obj._user_domain_name = conf_sections.get('KEYSTONE', 'admin_user_domain_name')
except ConfigParser.NoOptionError:
obj._user_domain_name = 'Default'
try:
# Get the project_domain_name for keystone v3
obj._project_domain_name = conf_sections.get('KEYSTONE', 'project_domain_name')
except ConfigParser.NoOptionError:
obj._project_domain_name = None
try:
# Get the project_name for keystone v3
obj._project_name = conf_sections.get('KEYSTONE', 'project_name')
except ConfigParser.NoOptionError:
obj._project_name = obj._admin_tenant
