def get_keystone_auth(self):
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
return (keystone_session, keystone_auth)
def senlinclient(request):
auth = generic.Token(auth_url=getattr(settings, 'OPENSTACK_KEYSTONE_URL'),
token=request.user.token.id,
project_id=request.user.tenant_id)
session = ks_session.Session(auth=auth)
return senlin_client.Client(session=session,
region_name=request.user.services_region)
def _get_endpoint_from_keystone(self, cxt):
auth = auth_identity.Token(cfg.CONF.client.auth_url,
cxt.auth_token,
tenant_id=cxt.tenant)
sess = session.Session(auth=auth)
cli = keystone_client.Client(session=sess)
service_id_name_map = {}
for service in cli.services.list():
service_dict = service.to_dict()
service_id_name_map[service_dict['id']] = service_dict['name']
region_service_endpoint_map = {}
for endpoint in cli.endpoints.list():
endpoint_dict = endpoint.to_dict()
if endpoint_dict['interface'] != 'public':
continue
region_id = endpoint_dict['region']
service_id = endpoint_dict['service_id']
url = endpoint_dict['url']
service_name = service_id_name_map[service_id]
if region_id not in region_service_endpoint_map:
region_service_endpoint_map[region_id] = {}
region_service_endpoint_map[region_id][service_name] = url
return region_service_endpoint_map
def url_for(self, **kwargs):
keystone_session = self.context.keystone_session
def get_endpoint():
return keystone_session.get_endpoint(**kwargs)
# NOTE(jamielennox): use the session defined by the keystoneclient
# options as traditionally the token was always retrieved from
# keystoneclient.
try:
kwargs.setdefault('interface', kwargs.pop('endpoint_type'))
except KeyError:
pass
reg = self.context.region_name or cfg.CONF.region_name_for_services
kwargs.setdefault('region_name', reg)
url = None
try:
url = get_endpoint()
except exceptions.EmptyCatalog:
endpoint = keystone_session.get_endpoint(
None, interface=plugin.AUTH_INTERFACE)
token = keystone_session.get_token(None)
token_obj = generic.Token(endpoint, token)
auth_ref = token_obj.get_access(keystone_session)
if auth_ref.has_service_catalog():
self.context.reload_auth_plugin()
url = get_endpoint()
# NOTE(jamielennox): raising exception maintains compatibility with
# older keystoneclient service catalog searching.
if url is None:
raise exceptions.EndpointNotFound()
return url
def _get_user_keystone_session():
ctx = context.get_ctx()
auth = generic.Token(
auth_url=CONF.keystone_authtoken.auth_uri,
token=ctx.auth_token,
)
return session.Session(auth=auth, verify=False)
def client(request):
auth_url = base.url_for(request, 'identity')
token_kwargs = dict(
auth_url=auth_url,
token=request.user.token.id,
tenant_id=request.user.project_id,
tenant_name=request.user.project_name,
)
auth = generic.Token(**token_kwargs)
session = keystone_session.Session(auth=auth)
return designate.Client(session=session)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert, all_tenants=False, edit_managed=False):
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({
'token': token
})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session.all_tenants = all_tenants
session.edit_managed = edit_managed
return session
def _get_auth(api_key=None,
auth_token=None,
auth_url=None,
project_domain_id=None,
project_domain_name=None,
project_id=None,
project_name=None,
user_domain_id=None,
user_domain_name=None,
user_id=None,
username=None,
**kwargs):
if project_name and project_id:
project_name = None
LOG.warning("Only one of project_name or project_id should be set,"
"project_name will be ignored")
if username and user_id:
username = None
LOG.warning("Only one of username or user_id should be set,"
"username will be ignored")
auth = {}
if auth_token:
auth = auth_plugin.Token(auth_url=auth_url,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
token=auth_token)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
password=api_key,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
user_id=user_id,
username=username)
return auth
def get_client(self):
"""
This function is based, with minor changes, on the official OpenStack
Heat client's shell implementation. Specifically,
python-heatclient/heatclient/shell.py.
"""
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
kwargs = {
'auth_url': self.options['os_auth_url'],
'session': keystone_session,
'auth': keystone_auth,
'service_type': self.service_type,
'endpoint_type': self.endpoint_type,
'region_name': self.options['os_region_name'],
'username': self.options['os_username'],
'password': self.options['os_password']
}
return heat_client.Client(self.api_version, **kwargs)
def get_client(self):
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
return nova_client.Client(
self.api_version,
self.options['os_username'],
self.options['os_password'],
project_id=self.options['os_project_id'],
project_name=self.options['os_project_name'],
user_id=self.options['os_user_id'],
auth_url=self.options['os_auth_url'],
region_name=self.options['os_region_name'],
endpoint_type=self.endpoint_type,
service_type=self.service_type,
session=keystone_session,
auth=keystone_auth,
project_domain_id=self.options['os_project_domain_id'],
project_domain_name=self.options['os_project_domain_name'],
user_domain_id=self.options['os_user_domain_id'],
user_domain_name=self.options['os_user_domain_name'])
def _get_auth(api_key=None,
auth_token=None,
auth_url=None,
project_domain_id=None,
project_domain_name=None,
project_id=None,
project_name=None,
user_domain_id=None,
user_domain_name=None,
user_id=None,
username=None,
**kwargs):
if project_name and project_id:
raise RuntimeError(
'Only one of project_name or project_id should be set')
if username and user_id:
raise RuntimeError('Only one of username or user_id should be set')
auth = {}
if auth_token:
auth = auth_plugin.Token(auth_url=auth_url,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
token=auth_token)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
password=api_key,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
user_id=user_id,
username=username)
return auth
def get_auth_session(auth_url,
username,
project_name,
password=None,
auth_token=None,
cacert=None):
if auth_token:
auth = ks_id.Token(auth_url=auth_url,
token=auth_token,
project_name=project_name,
project_domain_id='default')
else:
auth = ks_id.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
user_domain_id='default',
project_domain_id='default')
return session.Session(auth=auth, verify=cacert)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert):
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({'token': token})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
return session
def get_auth_session(auth_variables):
auth_url = auth_variables.get('auth_url')
username = auth_variables.get('username')
project_name = auth_variables.get('project_name')
auth_token = auth_variables.get('os_auth_token')
password = auth_variables.get('password')
cacert = auth_variables.get('cacert')
timeout = auth_variables.get('timeout')
if auth_token:
auth = ks_id.Token(auth_url=auth_url,
token=auth_token,
project_name=project_name,
project_domain_id='default')
else:
auth = ks_id.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
user_domain_id='default',
project_domain_id='default')
return ks_session.Session(auth=auth, verify=cacert, timeout=timeout)
def authenticate(dcmanager_url=None,
username=None,
api_key=None,
project_name=None,
auth_url=None,
project_id=None,
endpoint_type='publicURL',
service_type='dcmanager',
auth_token=None,
user_id=None,
session=None,
cacert=None,
insecure=False,
**kwargs):
"""Get token, project_id, user_id and Endpoint."""
if project_name and project_id:
raise RuntimeError('Only project name or project id should be set')
if username and user_id:
raise RuntimeError('Only user name or user id should be set')
user_domain_name = kwargs.get('user_domain_name')
user_domain_id = kwargs.get('user_domain_id')
project_domain_name = kwargs.get('project_domain_name')
project_domain_id = kwargs.get('project_domain_id')
if session is None:
if auth_token:
auth = auth_plugin.Token(auth_url=auth_url,
token=auth_token,
project_id=project_id,
project_name=project_name,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id,
cacert=cacert,
insecure=insecure)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
username=username,
user_id=user_id,
password=api_key,
project_id=project_id,
project_name=project_name,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
else:
raise RuntimeError('You must either provide a valid token or'
'a password (api_key) and a user.')
if auth:
session = ks_session.Session(auth=auth)
if session:
token = session.get_token()
project_id = session.get_project_id()
user_id = session.get_user_id()
if not dcmanager_url:
dcmanager_url = session.get_endpoint(service_type=service_type,
interface=endpoint_type)
return dcmanager_url, token, project_id, user_id
def main(self, argv):
# Parse args once to find version
parser = self.get_base_parser()
(options, args) = parser.parse_known_args(argv)
self._setup_logging(options.debug)
self._setup_verbose(options.verbose)
# build available subcommands based on version
api_version = options.heat_api_version
subcommand_parser = self.get_subcommand_parser(api_version)
self.parser = subcommand_parser
# Handle top-level --help/-h before attempting to parse
# a command off the command line
if not args and options.help or not argv:
self.do_help(options)
return 0
# Parse args again and call whatever callback was selected
args = subcommand_parser.parse_args(argv)
# Short-circuit and deal with help command right away.
if args.func == self.do_help:
self.do_help(args)
return 0
elif args.func == self.do_bash_completion:
self.do_bash_completion(args)
return 0
if not args.os_username and not args.os_auth_token:
raise exc.CommandError(
_("You must provide a username via either "
"--os-username or env[OS_USERNAME] "
"or a token via --os-auth-token or "
"env[OS_AUTH_TOKEN]"))
if not args.os_password and not args.os_auth_token:
raise exc.CommandError(
_("You must provide a password via either "
"--os-password or env[OS_PASSWORD] "
"or a token via --os-auth-token or "
"env[OS_AUTH_TOKEN]"))
if args.os_no_client_auth:
if not args.heat_url:
raise exc.CommandError(
_("If you specify --os-no-client-auth "
"you must also specify a Heat API "
"URL via either --heat-url or "
"env[HEAT_URL]"))
else:
# Tenant/project name or ID is needed to make keystoneclient
# retrieve a service catalog, it's not required if
# os_no_client_auth is specified, neither is the auth URL
if not (args.os_tenant_id or args.os_tenant_name
or args.os_project_id or args.os_project_name):
raise exc.CommandError(
_("You must provide a tenant id via either "
"--os-tenant-id or env[OS_TENANT_ID] or a tenant name "
"via either --os-tenant-name or env[OS_TENANT_NAME] "
"or a project id via either --os-project-id or "
"env[OS_PROJECT_ID] or a project name via "
"either --os-project-name or env[OS_PROJECT_NAME]"))
if not args.os_auth_url:
raise exc.CommandError(
_("You must provide an auth url via "
"either --os-auth-url or via "
"env[OS_AUTH_URL]"))
kwargs = {
'insecure': args.insecure,
'cacert': args.os_cacert,
'cert': args.os_cert,
'key': args.os_key,
'timeout': args.api_timeout
}
service_type = args.os_service_type or 'orchestration'
if args.os_no_client_auth:
# Do not use session since no_client_auth means using heat to
# to authenticate
kwargs = {
'username': args.os_username,
'password': args.os_password,
'auth_url': args.os_auth_url,
'token': args.os_auth_token,
'include_pass': args.include_password,
'insecure': args.insecure,
'timeout': args.api_timeout,
'endpoint': args.heat_url
}
else:
keystone_session = self._get_keystone_session(**kwargs)
endpoint_type = args.os_endpoint_type or 'publicURL'
if args.os_auth_token:
kwargs = {
'token': args.os_auth_token,
'auth_url': args.os_auth_url
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = args.os_project_id or args.os_tenant_id
project_name = args.os_project_name or args.os_tenant_name
kwargs = {
'username': args.os_username,
'user_id': args.os_user_id,
'user_domain_id': args.os_user_domain_id,
'user_domain_name': args.os_user_domain_name,
'password': args.os_password,
'auth_url': args.os_auth_url,
'project_id': project_id,
'project_name': project_name,
'project_domain_id': args.os_project_domain_id,
'project_domain_name': args.os_project_domain_name,
}
keystone_auth = generic.Password(**kwargs)
kwargs = {
'auth_url': args.os_auth_url,
'session': keystone_session,
'auth': keystone_auth,
'service_type': service_type,
'endpoint_type': endpoint_type,
'region_name': args.os_region_name,
'username': args.os_username,
'password': args.os_password,
'include_pass': args.include_password,
'endpoint_override': args.heat_url,
}
client = heat_client.Client(api_version, **kwargs)
profile = osprofiler_profiler and options.profile
if profile:
osprofiler_profiler.init(options.profile)
args.func(client, args)
if profile:
trace_id = osprofiler_profiler.get().get_base_id()
print(_("Trace ID: %s") % trace_id)
print(
_("To display trace use next command:\n"
"osprofiler trace show --html %s ") % trace_id)
def authenticate(self, req, session=None):
"""Perform authentication via Keystone.
:param req: Request dict containing list of parameters required
for Keystone authentication.
"""
if not isinstance(req, dict):
raise TypeError('The input "req" is not typeof dict.')
session = session
mistral_url = req.get('mistral_url')
endpoint_type = req.get('endpoint_type', 'publicURL')
service_type = req.get('service_type', 'workflowv2')
auth_url = req.get('auth_url')
username = req.get('username')
user_id = req.get('user_id')
api_key = req.get('api_key')
auth_token = req.get('auth_token')
project_name = req.get('project_name')
project_id = req.get('project_id')
region_name = req.get('region_name')
user_domain_name = req.get('user_domain_name')
user_domain_id = req.get('user_domain_id')
project_domain_name = req.get('project_domain_name')
project_domain_id = req.get('project_domain_id')
target_auth_url = req.get('target_auth_url')
target_username = req.get('target_username')
target_user_id = req.get('target_user_id')
target_api_key = req.get('target_api_key')
target_auth_token = req.get('target_auth_token')
target_project_name = req.get('target_project_name')
target_project_id = req.get('target_project_id')
target_user_domain_name = req.get('target_user_domain_name')
target_user_domain_id = req.get('target_user_domain_id')
target_project_domain_name = req.get('target_project_domain_name')
target_project_domain_id = req.get('target_project_domain_id')
if project_name and project_id:
raise RuntimeError('Only project name or project id should be set')
if username and user_id:
raise RuntimeError('Only user name or user id should be set')
auth_response = {}
if not session:
auth = None
if auth_token:
auth = auth_plugin.Token(
auth_url=auth_url,
token=auth_token,
project_id=project_id,
project_name=project_name,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
username=username,
user_id=user_id,
password=api_key,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_id=project_id,
project_name=project_name,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
else:
# NOTE(jaosorior): We don't crash here cause it's needed for
# bash-completion to work. However, we do issue a warning to
# the user so if the request doesn't work. It's because of
# this.
LOG.warning("You must either provide a valid token or "
"a password (api_key) and a user.")
if auth:
session = ks_session.Session(auth=auth)
if session:
if not mistral_url:
try:
mistral_url = session.get_endpoint(
service_type=service_type,
endpoint_type=endpoint_type,
region_name=region_name)
except Exception:
mistral_url = None
auth_response['mistral_url'] = mistral_url
auth_response['session'] = session
if target_auth_url:
if target_auth_token:
target_auth = auth_plugin.Token(
auth_url=target_auth_url,
token=target_auth_token,
project_id=target_project_id,
project_name=target_project_name,
project_domain_name=target_project_domain_name,
project_domain_id=target_project_domain_id)
elif target_api_key and (target_username or target_user_id):
target_auth = auth_plugin.Password(
auth_url=target_auth_url,
username=target_username,
user_id=target_user_id,
password=target_api_key,
user_domain_name=target_user_domain_name,
user_domain_id=target_user_domain_id,
project_id=target_project_id,
project_name=target_project_name,
project_domain_name=target_project_domain_name,
project_domain_id=target_project_domain_id)
else:
raise RuntimeError("You must either provide a valid token or "
"a password (target_api_key) and a user.")
target_session = ks_session.Session(auth=target_auth)
target_auth_headers = target_session.get_auth_headers() or {}
# NOTE: (sharatss) The target_auth_token is required here so that
# it can be passed as a separate header later.
target_auth_token = target_auth_headers.get('X-Auth-Token')
auth_response.update({
api.TARGET_AUTH_TOKEN:
target_auth_token,
api.TARGET_PROJECT_ID:
target_session.get_project_id(),
api.TARGET_USER_ID:
target_session.get_user_id(),
api.TARGET_AUTH_URI:
target_auth_url,
api.TARGET_SERVICE_CATALOG:
jsonutils.dumps(
target_auth.get_access(
target_session).service_catalog.catalog)
})
return auth_response
