def get_keystone_auth(self): keystone_session = kssession.Session(verify=True) if self.options['os_auth_token']: kwargs = { 'token': self.options['os_auth_token'], 'auth_url': self.options['os_auth_url'] } keystone_auth = generic.Token(**kwargs) else: project_id = self.options['os_project_id'] or self.options[ 'os_tenant_id'] # noqa: E501 project_name = self.options['os_project_name'] or self.options[ 'os_tenant_name'] # noqa: E501 kwargs = { 'username': self.options['os_username'], 'user_id': self.options['os_user_id'], 'user_domain_id': self.options['os_user_domain_id'], 'user_domain_name': self.options['os_user_domain_name'], 'password': self.options['os_password'], 'auth_url': self.options['os_auth_url'], 'project_id': project_id, 'project_name': project_name, 'project_domain_id': self.options['os_project_domain_id'], 'project_domain_name': self.options['os_project_domain_name'], } keystone_auth = generic.Password(**kwargs) return (keystone_session, keystone_auth)
def senlinclient(request): auth = generic.Token(auth_url=getattr(settings, 'OPENSTACK_KEYSTONE_URL'), token=request.user.token.id, project_id=request.user.tenant_id) session = ks_session.Session(auth=auth) return senlin_client.Client(session=session, region_name=request.user.services_region)
def _get_endpoint_from_keystone(self, cxt): auth = auth_identity.Token(cfg.CONF.client.auth_url, cxt.auth_token, tenant_id=cxt.tenant) sess = session.Session(auth=auth) cli = keystone_client.Client(session=sess) service_id_name_map = {} for service in cli.services.list(): service_dict = service.to_dict() service_id_name_map[service_dict['id']] = service_dict['name'] region_service_endpoint_map = {} for endpoint in cli.endpoints.list(): endpoint_dict = endpoint.to_dict() if endpoint_dict['interface'] != 'public': continue region_id = endpoint_dict['region'] service_id = endpoint_dict['service_id'] url = endpoint_dict['url'] service_name = service_id_name_map[service_id] if region_id not in region_service_endpoint_map: region_service_endpoint_map[region_id] = {} region_service_endpoint_map[region_id][service_name] = url return region_service_endpoint_map
def url_for(self, **kwargs): keystone_session = self.context.keystone_session def get_endpoint(): return keystone_session.get_endpoint(**kwargs) # NOTE(jamielennox): use the session defined by the keystoneclient # options as traditionally the token was always retrieved from # keystoneclient. try: kwargs.setdefault('interface', kwargs.pop('endpoint_type')) except KeyError: pass reg = self.context.region_name or cfg.CONF.region_name_for_services kwargs.setdefault('region_name', reg) url = None try: url = get_endpoint() except exceptions.EmptyCatalog: endpoint = keystone_session.get_endpoint( None, interface=plugin.AUTH_INTERFACE) token = keystone_session.get_token(None) token_obj = generic.Token(endpoint, token) auth_ref = token_obj.get_access(keystone_session) if auth_ref.has_service_catalog(): self.context.reload_auth_plugin() url = get_endpoint() # NOTE(jamielennox): raising exception maintains compatibility with # older keystoneclient service catalog searching. if url is None: raise exceptions.EndpointNotFound() return url
def _get_user_keystone_session(): ctx = context.get_ctx() auth = generic.Token( auth_url=CONF.keystone_authtoken.auth_uri, token=ctx.auth_token, ) return session.Session(auth=auth, verify=False)
def client(request): auth_url = base.url_for(request, 'identity') token_kwargs = dict( auth_url=auth_url, token=request.user.token.id, tenant_id=request.user.project_id, tenant_name=request.user.project_name, ) auth = generic.Token(**token_kwargs) session = keystone_session.Session(auth=auth) return designate.Client(session=session)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id, project_name, project_domain_name, project_domain_id, username, user_id, password, user_domain_id, user_domain_name, token, insecure, cacert, all_tenants=False, edit_managed=False): # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session = ks_session.Session() # Build + Attach Authentication Plugin auth_args = { 'auth_url': auth_url, 'domain_id': domain_id, 'domain_name': domain_name, 'project_id': project_id, 'project_name': project_name, 'project_domain_name': project_domain_name, 'project_domain_id': project_domain_id, } if token and endpoint: session.auth = token_endpoint.Token(endpoint, token) elif token: auth_args.update({ 'token': token }) session.auth = generic.Token(**auth_args) else: auth_args.update({ 'username': username, 'user_id': user_id, 'password': password, 'user_domain_id': user_domain_id, 'user_domain_name': user_domain_name, }) session.auth = generic.Password(**auth_args) # SSL/TLS Server Cert Verification if insecure is True: session.verify = False else: session.verify = cacert # NOTE: all_tenants and edit_managed are here for backwards compat # reasons, do not add additional modifiers here. session.all_tenants = all_tenants session.edit_managed = edit_managed return session
def _get_auth(api_key=None, auth_token=None, auth_url=None, project_domain_id=None, project_domain_name=None, project_id=None, project_name=None, user_domain_id=None, user_domain_name=None, user_id=None, username=None, **kwargs): if project_name and project_id: project_name = None LOG.warning("Only one of project_name or project_id should be set," "project_name will be ignored") if username and user_id: username = None LOG.warning("Only one of username or user_id should be set," "username will be ignored") auth = {} if auth_token: auth = auth_plugin.Token(auth_url=auth_url, project_domain_id=project_domain_id, project_domain_name=project_domain_name, project_id=project_id, project_name=project_name, token=auth_token) elif api_key and (username or user_id): auth = auth_plugin.Password( auth_url=auth_url, password=api_key, project_domain_id=project_domain_id, project_domain_name=project_domain_name, project_id=project_id, project_name=project_name, user_domain_id=user_domain_id, user_domain_name=user_domain_name, user_id=user_id, username=username) return auth
def get_client(self): """ This function is based, with minor changes, on the official OpenStack Heat client's shell implementation. Specifically, python-heatclient/heatclient/shell.py. """ keystone_session = kssession.Session(verify=True) if self.options['os_auth_token']: kwargs = { 'token': self.options['os_auth_token'], 'auth_url': self.options['os_auth_url'] } keystone_auth = generic.Token(**kwargs) else: project_id = self.options['os_project_id'] or self.options[ 'os_tenant_id'] # noqa: E501 project_name = self.options['os_project_name'] or self.options[ 'os_tenant_name'] # noqa: E501 kwargs = { 'username': self.options['os_username'], 'user_id': self.options['os_user_id'], 'user_domain_id': self.options['os_user_domain_id'], 'user_domain_name': self.options['os_user_domain_name'], 'password': self.options['os_password'], 'auth_url': self.options['os_auth_url'], 'project_id': project_id, 'project_name': project_name, 'project_domain_id': self.options['os_project_domain_id'], 'project_domain_name': self.options['os_project_domain_name'], } keystone_auth = generic.Password(**kwargs) kwargs = { 'auth_url': self.options['os_auth_url'], 'session': keystone_session, 'auth': keystone_auth, 'service_type': self.service_type, 'endpoint_type': self.endpoint_type, 'region_name': self.options['os_region_name'], 'username': self.options['os_username'], 'password': self.options['os_password'] } return heat_client.Client(self.api_version, **kwargs)
def get_client(self): keystone_session = kssession.Session(verify=True) if self.options['os_auth_token']: kwargs = { 'token': self.options['os_auth_token'], 'auth_url': self.options['os_auth_url'] } keystone_auth = generic.Token(**kwargs) else: project_id = self.options['os_project_id'] or self.options[ 'os_tenant_id'] # noqa: E501 project_name = self.options['os_project_name'] or self.options[ 'os_tenant_name'] # noqa: E501 kwargs = { 'username': self.options['os_username'], 'user_id': self.options['os_user_id'], 'user_domain_id': self.options['os_user_domain_id'], 'user_domain_name': self.options['os_user_domain_name'], 'password': self.options['os_password'], 'auth_url': self.options['os_auth_url'], 'project_id': project_id, 'project_name': project_name, 'project_domain_id': self.options['os_project_domain_id'], 'project_domain_name': self.options['os_project_domain_name'], } keystone_auth = generic.Password(**kwargs) return nova_client.Client( self.api_version, self.options['os_username'], self.options['os_password'], project_id=self.options['os_project_id'], project_name=self.options['os_project_name'], user_id=self.options['os_user_id'], auth_url=self.options['os_auth_url'], region_name=self.options['os_region_name'], endpoint_type=self.endpoint_type, service_type=self.service_type, session=keystone_session, auth=keystone_auth, project_domain_id=self.options['os_project_domain_id'], project_domain_name=self.options['os_project_domain_name'], user_domain_id=self.options['os_user_domain_id'], user_domain_name=self.options['os_user_domain_name'])
def _get_auth(api_key=None, auth_token=None, auth_url=None, project_domain_id=None, project_domain_name=None, project_id=None, project_name=None, user_domain_id=None, user_domain_name=None, user_id=None, username=None, **kwargs): if project_name and project_id: raise RuntimeError( 'Only one of project_name or project_id should be set') if username and user_id: raise RuntimeError('Only one of username or user_id should be set') auth = {} if auth_token: auth = auth_plugin.Token(auth_url=auth_url, project_domain_id=project_domain_id, project_domain_name=project_domain_name, project_id=project_id, project_name=project_name, token=auth_token) elif api_key and (username or user_id): auth = auth_plugin.Password( auth_url=auth_url, password=api_key, project_domain_id=project_domain_id, project_domain_name=project_domain_name, project_id=project_id, project_name=project_name, user_domain_id=user_domain_id, user_domain_name=user_domain_name, user_id=user_id, username=username) return auth
def get_auth_session(auth_url, username, project_name, password=None, auth_token=None, cacert=None): if auth_token: auth = ks_id.Token(auth_url=auth_url, token=auth_token, project_name=project_name, project_domain_id='default') else: auth = ks_id.Password(auth_url=auth_url, username=username, password=password, project_name=project_name, user_domain_id='default', project_domain_id='default') return session.Session(auth=auth, verify=cacert)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id, project_name, project_domain_name, project_domain_id, username, user_id, password, user_domain_id, user_domain_name, token, insecure, cacert): session = ks_session.Session() # Build + Attach Authentication Plugin auth_args = { 'auth_url': auth_url, 'domain_id': domain_id, 'domain_name': domain_name, 'project_id': project_id, 'project_name': project_name, 'project_domain_name': project_domain_name, 'project_domain_id': project_domain_id, } if token and endpoint: session.auth = token_endpoint.Token(endpoint, token) elif token: auth_args.update({'token': token}) session.auth = generic.Token(**auth_args) else: auth_args.update({ 'username': username, 'user_id': user_id, 'password': password, 'user_domain_id': user_domain_id, 'user_domain_name': user_domain_name, }) session.auth = generic.Password(**auth_args) # SSL/TLS Server Cert Verification if insecure is True: session.verify = False else: session.verify = cacert return session
def get_auth_session(auth_variables): auth_url = auth_variables.get('auth_url') username = auth_variables.get('username') project_name = auth_variables.get('project_name') auth_token = auth_variables.get('os_auth_token') password = auth_variables.get('password') cacert = auth_variables.get('cacert') timeout = auth_variables.get('timeout') if auth_token: auth = ks_id.Token(auth_url=auth_url, token=auth_token, project_name=project_name, project_domain_id='default') else: auth = ks_id.Password(auth_url=auth_url, username=username, password=password, project_name=project_name, user_domain_id='default', project_domain_id='default') return ks_session.Session(auth=auth, verify=cacert, timeout=timeout)
def authenticate(dcmanager_url=None, username=None, api_key=None, project_name=None, auth_url=None, project_id=None, endpoint_type='publicURL', service_type='dcmanager', auth_token=None, user_id=None, session=None, cacert=None, insecure=False, **kwargs): """Get token, project_id, user_id and Endpoint.""" if project_name and project_id: raise RuntimeError('Only project name or project id should be set') if username and user_id: raise RuntimeError('Only user name or user id should be set') user_domain_name = kwargs.get('user_domain_name') user_domain_id = kwargs.get('user_domain_id') project_domain_name = kwargs.get('project_domain_name') project_domain_id = kwargs.get('project_domain_id') if session is None: if auth_token: auth = auth_plugin.Token(auth_url=auth_url, token=auth_token, project_id=project_id, project_name=project_name, project_domain_name=project_domain_name, project_domain_id=project_domain_id, cacert=cacert, insecure=insecure) elif api_key and (username or user_id): auth = auth_plugin.Password( auth_url=auth_url, username=username, user_id=user_id, password=api_key, project_id=project_id, project_name=project_name, user_domain_name=user_domain_name, user_domain_id=user_domain_id, project_domain_name=project_domain_name, project_domain_id=project_domain_id) else: raise RuntimeError('You must either provide a valid token or' 'a password (api_key) and a user.') if auth: session = ks_session.Session(auth=auth) if session: token = session.get_token() project_id = session.get_project_id() user_id = session.get_user_id() if not dcmanager_url: dcmanager_url = session.get_endpoint(service_type=service_type, interface=endpoint_type) return dcmanager_url, token, project_id, user_id
def main(self, argv): # Parse args once to find version parser = self.get_base_parser() (options, args) = parser.parse_known_args(argv) self._setup_logging(options.debug) self._setup_verbose(options.verbose) # build available subcommands based on version api_version = options.heat_api_version subcommand_parser = self.get_subcommand_parser(api_version) self.parser = subcommand_parser # Handle top-level --help/-h before attempting to parse # a command off the command line if not args and options.help or not argv: self.do_help(options) return 0 # Parse args again and call whatever callback was selected args = subcommand_parser.parse_args(argv) # Short-circuit and deal with help command right away. if args.func == self.do_help: self.do_help(args) return 0 elif args.func == self.do_bash_completion: self.do_bash_completion(args) return 0 if not args.os_username and not args.os_auth_token: raise exc.CommandError( _("You must provide a username via either " "--os-username or env[OS_USERNAME] " "or a token via --os-auth-token or " "env[OS_AUTH_TOKEN]")) if not args.os_password and not args.os_auth_token: raise exc.CommandError( _("You must provide a password via either " "--os-password or env[OS_PASSWORD] " "or a token via --os-auth-token or " "env[OS_AUTH_TOKEN]")) if args.os_no_client_auth: if not args.heat_url: raise exc.CommandError( _("If you specify --os-no-client-auth " "you must also specify a Heat API " "URL via either --heat-url or " "env[HEAT_URL]")) else: # Tenant/project name or ID is needed to make keystoneclient # retrieve a service catalog, it's not required if # os_no_client_auth is specified, neither is the auth URL if not (args.os_tenant_id or args.os_tenant_name or args.os_project_id or args.os_project_name): raise exc.CommandError( _("You must provide a tenant id via either " "--os-tenant-id or env[OS_TENANT_ID] or a tenant name " "via either --os-tenant-name or env[OS_TENANT_NAME] " "or a project id via either --os-project-id or " "env[OS_PROJECT_ID] or a project name via " "either --os-project-name or env[OS_PROJECT_NAME]")) if not args.os_auth_url: raise exc.CommandError( _("You must provide an auth url via " "either --os-auth-url or via " "env[OS_AUTH_URL]")) kwargs = { 'insecure': args.insecure, 'cacert': args.os_cacert, 'cert': args.os_cert, 'key': args.os_key, 'timeout': args.api_timeout } service_type = args.os_service_type or 'orchestration' if args.os_no_client_auth: # Do not use session since no_client_auth means using heat to # to authenticate kwargs = { 'username': args.os_username, 'password': args.os_password, 'auth_url': args.os_auth_url, 'token': args.os_auth_token, 'include_pass': args.include_password, 'insecure': args.insecure, 'timeout': args.api_timeout, 'endpoint': args.heat_url } else: keystone_session = self._get_keystone_session(**kwargs) endpoint_type = args.os_endpoint_type or 'publicURL' if args.os_auth_token: kwargs = { 'token': args.os_auth_token, 'auth_url': args.os_auth_url } keystone_auth = generic.Token(**kwargs) else: project_id = args.os_project_id or args.os_tenant_id project_name = args.os_project_name or args.os_tenant_name kwargs = { 'username': args.os_username, 'user_id': args.os_user_id, 'user_domain_id': args.os_user_domain_id, 'user_domain_name': args.os_user_domain_name, 'password': args.os_password, 'auth_url': args.os_auth_url, 'project_id': project_id, 'project_name': project_name, 'project_domain_id': args.os_project_domain_id, 'project_domain_name': args.os_project_domain_name, } keystone_auth = generic.Password(**kwargs) kwargs = { 'auth_url': args.os_auth_url, 'session': keystone_session, 'auth': keystone_auth, 'service_type': service_type, 'endpoint_type': endpoint_type, 'region_name': args.os_region_name, 'username': args.os_username, 'password': args.os_password, 'include_pass': args.include_password, 'endpoint_override': args.heat_url, } client = heat_client.Client(api_version, **kwargs) profile = osprofiler_profiler and options.profile if profile: osprofiler_profiler.init(options.profile) args.func(client, args) if profile: trace_id = osprofiler_profiler.get().get_base_id() print(_("Trace ID: %s") % trace_id) print( _("To display trace use next command:\n" "osprofiler trace show --html %s ") % trace_id)
def authenticate(self, req, session=None): """Perform authentication via Keystone. :param req: Request dict containing list of parameters required for Keystone authentication. """ if not isinstance(req, dict): raise TypeError('The input "req" is not typeof dict.') session = session mistral_url = req.get('mistral_url') endpoint_type = req.get('endpoint_type', 'publicURL') service_type = req.get('service_type', 'workflowv2') auth_url = req.get('auth_url') username = req.get('username') user_id = req.get('user_id') api_key = req.get('api_key') auth_token = req.get('auth_token') project_name = req.get('project_name') project_id = req.get('project_id') region_name = req.get('region_name') user_domain_name = req.get('user_domain_name') user_domain_id = req.get('user_domain_id') project_domain_name = req.get('project_domain_name') project_domain_id = req.get('project_domain_id') target_auth_url = req.get('target_auth_url') target_username = req.get('target_username') target_user_id = req.get('target_user_id') target_api_key = req.get('target_api_key') target_auth_token = req.get('target_auth_token') target_project_name = req.get('target_project_name') target_project_id = req.get('target_project_id') target_user_domain_name = req.get('target_user_domain_name') target_user_domain_id = req.get('target_user_domain_id') target_project_domain_name = req.get('target_project_domain_name') target_project_domain_id = req.get('target_project_domain_id') if project_name and project_id: raise RuntimeError('Only project name or project id should be set') if username and user_id: raise RuntimeError('Only user name or user id should be set') auth_response = {} if not session: auth = None if auth_token: auth = auth_plugin.Token( auth_url=auth_url, token=auth_token, project_id=project_id, project_name=project_name, project_domain_name=project_domain_name, project_domain_id=project_domain_id) elif api_key and (username or user_id): auth = auth_plugin.Password( auth_url=auth_url, username=username, user_id=user_id, password=api_key, user_domain_name=user_domain_name, user_domain_id=user_domain_id, project_id=project_id, project_name=project_name, project_domain_name=project_domain_name, project_domain_id=project_domain_id) else: # NOTE(jaosorior): We don't crash here cause it's needed for # bash-completion to work. However, we do issue a warning to # the user so if the request doesn't work. It's because of # this. LOG.warning("You must either provide a valid token or " "a password (api_key) and a user.") if auth: session = ks_session.Session(auth=auth) if session: if not mistral_url: try: mistral_url = session.get_endpoint( service_type=service_type, endpoint_type=endpoint_type, region_name=region_name) except Exception: mistral_url = None auth_response['mistral_url'] = mistral_url auth_response['session'] = session if target_auth_url: if target_auth_token: target_auth = auth_plugin.Token( auth_url=target_auth_url, token=target_auth_token, project_id=target_project_id, project_name=target_project_name, project_domain_name=target_project_domain_name, project_domain_id=target_project_domain_id) elif target_api_key and (target_username or target_user_id): target_auth = auth_plugin.Password( auth_url=target_auth_url, username=target_username, user_id=target_user_id, password=target_api_key, user_domain_name=target_user_domain_name, user_domain_id=target_user_domain_id, project_id=target_project_id, project_name=target_project_name, project_domain_name=target_project_domain_name, project_domain_id=target_project_domain_id) else: raise RuntimeError("You must either provide a valid token or " "a password (target_api_key) and a user.") target_session = ks_session.Session(auth=target_auth) target_auth_headers = target_session.get_auth_headers() or {} # NOTE: (sharatss) The target_auth_token is required here so that # it can be passed as a separate header later. target_auth_token = target_auth_headers.get('X-Auth-Token') auth_response.update({ api.TARGET_AUTH_TOKEN: target_auth_token, api.TARGET_PROJECT_ID: target_session.get_project_id(), api.TARGET_USER_ID: target_session.get_user_id(), api.TARGET_AUTH_URI: target_auth_url, api.TARGET_SERVICE_CATALOG: jsonutils.dumps( target_auth.get_access( target_session).service_catalog.catalog) }) return auth_response