def _create_keystone_client(self, args, version=None):
from keystoneclient.auth import identity
from keystoneclient import client
auth_arg_list = [
"username",
"project_name",
"tenant_name",
"auth_url",
"password",
]
# NOTE(bigjools): If forcing a v2.0 URL then you cannot specify
# domain-related info, or the service discovery will fail.
if "v2.0" not in args["auth_url"] and version != "2":
auth_arg_list.extend(
["user_domain_name", "domain_name", "project_domain_name"])
auth_args = {key: args.get(key) for key in auth_arg_list}
auth = identity.Password(**auth_args)
session = self._get_session(auth=auth)
args["session"] = session
# NOTE(bigjools): When using sessions, keystoneclient no longer
# does any pre-auth and calling client.authenticate() with
# sessions is deprecated (it's still possible to call it but if
# endpoint is defined it'll crash). We're forcing that pre-auth
# here because the use of the service_catalog depends on doing
# this. Also note that while the API has got the
# endpoints.list() equivalent, there is no service_type in that
# list which is why we need to ensure service_catalog is still
# present.
auth_ref = auth.get_access(session)
ks = client.Client(version=version, **args)
ks.auth_ref = auth_ref
return ks
def admin_session():
auth = keystone_identity.Password(
auth_url=CONF.keystone_url,
username=CONF.keystone_authtoken['admin_user'],
password=CONF.keystone_authtoken['admin_password'],
project_name=CONF.keystone_authtoken['admin_tenant_name'])
session = keystone_session.Session(auth=auth)
return session
def get_client_session(execution_session=None, conf=None):
if not execution_session:
execution_session = helpers.get_execution_session()
trust_id = execution_session.trust_id
if trust_id is None:
return get_token_client_session(
token=execution_session.token,
project_id=execution_session.project_id)
kwargs = _get_keystone_admin_parameters(False)
kwargs['trust_id'] = trust_id
password_auth = identity.Password(**kwargs)
session = ks_session.Session(auth=password_auth)
_set_ssl_parameters(conf, session)
return session
def _get_session(self, auth_url=None, version=None):
from keystoneauth1 import discover
from keystoneauth1 import session
from keystoneclient.auth import identity
password_args = {
"auth_url": auth_url or self.credential.auth_url,
"username": self.credential.username,
"password": self.credential.password,
"tenant_name": self.credential.tenant_name
}
version = OSClient.get("keystone")(self.credential, self.api_info,
self.cache).choose_version(version)
if version is None:
# NOTE(rvasilets): If version not specified than we discover
# available version with the smallest number. To be able to
# discover versions we need session
temp_session = session.Session(
verify=(self.credential.cacert
or not self.credential.insecure),
timeout=CONF.openstack_client_http_timeout)
version = str(
discover.Discover(
temp_session,
password_args["auth_url"]).version_data()[0]["version"][0])
if "v2.0" not in password_args["auth_url"] and (version != "2"):
password_args.update({
"user_domain_name":
self.credential.user_domain_name,
"domain_name":
self.credential.domain_name,
"project_domain_name":
self.credential.project_domain_name,
})
identity_plugin = identity.Password(**password_args)
sess = session.Session(auth=identity_plugin,
verify=(self.credential.cacert
or not self.credential.insecure),
timeout=CONF.openstack_client_http_timeout)
return sess, identity_plugin
def create_keystone_admin_client(scoped):
kwargs = _get_keystone_admin_parameters(scoped)
password_auth = identity.Password(**kwargs)
session = ks_session.Session(auth=password_auth)
_set_ssl_parameters(cfg.CONF.keystone_authtoken, session)
return ks_client.Client(session=session)