def _v3_client_init(self):
client = kc_v3.Client(session=self.session,
auth=self.context.auth_plugin,
interface='public')
if hasattr(self.context.auth_plugin, 'get_access'):
# NOTE(jamielennox): get_access returns the current token without
# reauthenticating if it's present and valid.
try:
auth_ref = self.context.auth_plugin.get_access(self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Keystone client authentication failed"))
raise exception.AuthorizationFailure()
if self.context.trust_id:
# Sanity check
if not auth_ref.trust_scoped:
LOG.error(_LE("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# Sanity check that impersonation is effective
if self.context.trustor_user_id != auth_ref.user_id:
LOG.error(_LE("Trust impersonation failed"))
raise exception.AuthorizationFailure()
return client
def _get_token(self, creds, method='token', admin_token_info=None):
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
if method == self.ASSUME_ROLE:
admin_token_id = self.admin_token()
headers.update({
"X-Auth-Token": admin_token_id
})
creds_json = json.dumps(creds)
response = requests.post(self.client.auth_url + '/auth/tokens',
data=creds_json,
headers=headers,
verify=False)
token_id = None
try:
token_id = response.headers['X-Subject-Token']
LOG.info(_LI("IAM authentication successful."))
except (AttributeError, KeyError):
LOG.info(_LI("IAM authentication failure."))
raise exception.AuthorizationFailure()
return token_id
def stack_domain_id(self):
if not self._stack_domain_id:
try:
access = self.domain_admin_auth.get_access(self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Keystone client authentication failed"))
raise exception.AuthorizationFailure()
self._stack_domain_id = access.domain_id
return self._stack_domain_id
def admin_client(self):
if not self._admin_client:
# Create admin client connection to v3 API
admin_creds = self._service_admin_creds()
admin_creds.update(self._ssl_options())
c = kc_v3.Client(**admin_creds)
if c.authenticate():
self._admin_client = c
else:
LOG.error(_LE("Admin client authentication failed"))
raise exception.AuthorizationFailure()
return self._admin_client
def domain_admin_auth(self):
if not self._domain_admin_auth:
# Note we must specify the domain when getting the token
# as only a domain scoped token can create projects in the domain
auth = kc_auth_v3.Password(username=self.domain_admin_user,
password=self.domain_admin_password,
auth_url=self.v3_endpoint,
domain_id=self._stack_domain_id,
domain_name=self.stack_domain_name,
user_domain_id=self._stack_domain_id,
user_domain_name=self.stack_domain_name)
# NOTE(jamielennox): just do something to ensure a valid token
try:
auth.get_token(self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
self._domain_admin_auth = auth
return self._domain_admin_auth
def create_trust_context(self):
"""Create a trust using the trustor identity in the current context.
The trust is created with the trustee as the heat service user.
If the current context already contains a trust_id, we do nothing
and return the current context.
Returns a context containing the new trust_id.
"""
if self.context.trust_id:
return self.context
# We need the service admin user ID (not name), as the trustor user
# can't lookup the ID in keystoneclient unless they're admin
# workaround this by getting the user_id from admin_client
try:
trustee_user_id = self.context.trusts_auth_plugin.get_user_id(
self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
trustor_user_id = self.context.auth_plugin.get_user_id(self.session)
trustor_proj_id = self.context.auth_plugin.get_project_id(self.session)
# inherit the roles of the trustor, unless set trusts_delegated_roles
if cfg.CONF.trusts_delegated_roles:
roles = cfg.CONF.trusts_delegated_roles
else:
roles = self.context.roles
matching_roles = [rol for rol in self.context.roles if rol in roles]
if 0 == len(matching_roles):
matching_roles = cfg.CONF.trusts_delegated_roles
LOG.error("the user can not be trust role %s" % self.context.roles)
trust_client = (self.admin_client
if cfg.CONF.FusionSphere.pubcloud else self.client)
try:
trust = trust_client.trusts.create(trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
project=trustor_proj_id,
impersonation=True,
role_names=matching_roles)
except kc_exception.NotFound:
LOG.debug("Failed to find roles %s for user %s"
% (roles, trustor_user_id))
raise exception.MissingCredentialError(
required=_("roles %s") % roles)
except kc_exception.EmptyCatalog:
base_url = self.v3_endpoint + '/OS-TRUST'
LOG.debug("The service catalog is empty, use %s to create trusts"
% base_url)
trust = self.client.trusts.create(trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
project=trustor_proj_id,
impersonation=True,
role_names=matching_roles,
base_url=base_url)
context_data = self.context.to_dict()
context_data['overwrite'] = False
trust_context = context.RequestContext.from_dict(context_data)
trust_context.trust_id = trust.id
trust_context.trustor_user_id = trustor_user_id
return trust_context