def _openstack_auth_from_config(**config):
    """
    Build a keystone auth plugin from keyword configuration.

    The ``password`` plugin is selected when both ``username`` and
    ``password`` are present and truthy; in every other case the ``token``
    plugin is selected. A missing or empty credential therefore does not
    fail here, it silently switches the plugin type.

    :param config: Candidate plugin parameters. Only keys that match an
        option declared by the chosen plugin are forwarded; any other key
        (for example a misspelled one) is dropped without an error.
    :return: The instantiated authentication plugin.
    """
    has_credentials = config.get('username') and config.get('password')
    plugin_name = 'password' if has_credentials else 'token'
    plugin_class = get_plugin_class(plugin_name)

    # option.dest is used as the keyword name passed to the plugin.
    plugin_kwargs = {
        option.dest: config[option.dest]
        for option in plugin_class.get_options()
        if option.dest in config
    }
    return plugin_class(**plugin_kwargs)
def _openstack_auth_from_config(auth_plugin='password', **config):
    """
    Instantiate the OpenStack authentication plugin named by ``auth_plugin``.

    :param str auth_plugin: Name of the plugin to build. ``'rackspace'``
        selects ``RackspaceAuth``; any other name is resolved with
        ``get_plugin_class``.
    :param config: Candidate parameters for the plugin. Which parameters
        are meaningful depends on the plugin selected; keys the plugin
        does not declare as options are ignored rather than rejected.
    :return: The authentication object.
    """
    plugin_class = (
        RackspaceAuth if auth_plugin == 'rackspace'
        else get_plugin_class(auth_plugin)
    )

    # Each option's ``dest`` is its Python-compatible attribute name (the
    # option name with hyphens replaced by underscores), so it is also the
    # keyword handed to the plugin constructor.
    accepted = (option.dest for option in plugin_class.get_options())
    plugin_kwargs = {dest: config[dest] for dest in accepted if dest in config}
    return plugin_class(**plugin_kwargs)
def _member_role_exists(instack_env):
    """
    Record in ``instack_env`` whether the ``_member_`` role exists.

    Workaround for puppet removing the deprecated ``_member_`` role on
    upgrade: if the role exists, role assignments must not be removed, or
    trusts stored in the undercloud heat will break.

    ``instack_env['MEMBER_ROLE_EXISTS']`` is set to the text ``'True'`` or
    ``'False'``; nothing is returned.

    :param instack_env: Mapping that is updated in place.
    """
    if not _stackrc_exists():
        instack_env['MEMBER_ROLE_EXISTS'] = 'False'
        return

    user, password, tenant, auth_url = _get_auth_values()
    try:
        # Kept somewhat verbose so that any auth_url format is handled
        # (versionless, or with a v2.0/v3 suffix).
        password_plugin = auth.get_plugin_class('password')
        auth_kwargs = dict(
            auth_url=auth_url,
            username=user,
            password=password,
            project_name=tenant,
        )
        if 'v2.0' not in auth_url:
            # Domain names are only supplied when the URL is not v2.0.
            auth_kwargs['project_domain_name'] = 'default'
            auth_kwargs['user_domain_name'] = 'default'
        keystone_session = session.Session(auth=password_plugin(**auth_kwargs))
        client = discover.Discover(session=keystone_session).create_client()
        role_exists = '_member_' in [role.name for role in client.roles.list()]
    except ks_exceptions.ConnectionError:
        # This will happen on initial deployment, assume False
        # as no new deployments should have _member_.
        # Only ConnectionError is handled; any other exception raised while
        # authenticating or listing roles propagates to the caller.
        role_exists = False
    instack_env['MEMBER_ROLE_EXISTS'] = six.text_type(role_exists)
def _get_auth_plugin(self):
    """
    Load the auth plugin configured for this middleware.

    The plugin name is read from the ``auth_plugin`` option of the group
    named by ``auth_section`` (falling back to ``_base.AUTHTOKEN_GROUP``).
    When no plugin name is set, ``_auth.AuthTokenPlugin`` is used and is
    given ``self._LOG``. The plugin's options are registered on ``CONF``
    under that group, each one is read through ``self._conf_get``, and
    values that are not ``None`` are converted with the option's ``type``.
    Options with no value are still passed to the plugin, as ``None``.

    :return: The result of ``plugin_class.load_from_options``.
    """
    # NOTE(jamielennox): Ideally this would use get_from_conf_options
    # however that is not possible because we have to support the override
    # pattern we use in _conf_get. There is a somewhat replacement for this
    # in keystoneclient in load_from_options_getter which should be used
    # when available. Until then this is essentially a copy and paste of
    # the ksc load_from_conf_options code because we need to get a fix out
    # for this quickly.

    # FIXME(jamielennox): update to use load_from_options_getter when
    # https://review.openstack.org/162529 merges.

    # !!! - UNDER NO CIRCUMSTANCES COPY ANY OF THIS CODE - !!!

    group = self._conf_get('auth_section') or _base.AUTHTOKEN_GROUP
    plugin_name = self._conf_get('auth_plugin', group=group)

    if plugin_name:
        plugin_class = auth.get_plugin_class(plugin_name)
        plugin_kwargs = {}
    else:
        plugin_class = _auth.AuthTokenPlugin
        # logger object is a required parameter of the default plugin
        plugin_kwargs = {'log': self._LOG}

    plugin_opts = plugin_class.get_options()
    CONF.register_opts(plugin_opts, group=group)

    for opt in plugin_opts:
        raw = self._conf_get(opt.dest, group=group)
        # None means "not configured" and is forwarded unconverted.
        plugin_kwargs[opt.dest] = raw if raw is None else opt.type(raw)

    return plugin_class.load_from_options(**plugin_kwargs)
def _member_role_exists(instack_env):
    """
    Store in ``instack_env`` whether keystone still has a ``_member_`` role.

    This works around puppet removing the deprecated ``_member_`` role on
    upgrade: when the role exists, role assignments must not be removed,
    otherwise trusts stored in the undercloud heat will break.

    The result is written to ``instack_env['MEMBER_ROLE_EXISTS']`` as the
    text ``'True'`` or ``'False'``.

    :param instack_env: Mapping that is updated in place.
    """
    if not _stackrc_exists():
        instack_env['MEMBER_ROLE_EXISTS'] = 'False'
        return

    user, password, tenant, auth_url = _get_auth_values()
    found = False
    try:
        # Deliberately verbose: the auth_url may be versionless or carry a
        # v2.0/v3 suffix, and all of those forms have to work.
        plugin_cls = auth.get_plugin_class('password')
        plugin_args = {
            'auth_url': auth_url,
            'username': user,
            'password': password,
            'project_name': tenant,
        }
        if 'v2.0' not in auth_url:
            plugin_args['project_domain_name'] = 'default'
            plugin_args['user_domain_name'] = 'default'
        sess = session.Session(auth=plugin_cls(**plugin_args))
        keystone = discover.Discover(session=sess).create_client()
        names = [role.name for role in keystone.roles.list()]
        found = '_member_' in names
    except ks_exceptions.ConnectionError:
        # This will happen on initial deployment, assume False
        # as no new deployments should have _member_.
        # Exceptions other than ConnectionError are not handled here and
        # reach the caller.
        found = False
    instack_env['MEMBER_ROLE_EXISTS'] = six.text_type(found)
def configure_middleware(self,
                         auth_plugin,
                         group='keystone_authtoken',
                         **kwargs):
    """
    Register an auth plugin's options and configure the given group.

    :param auth_plugin: Name of the plugin whose options are registered;
        it is also passed to ``self.cfg.config`` as ``auth_plugin``.
    :param group: Configuration group that receives the options and the
        settings.
    :param kwargs: Further settings passed to ``self.cfg.config`` for
        ``group``.
    """
    plugin_class = auth.get_plugin_class(auth_plugin)
    self.cfg.register_opts(plugin_class.get_options(), group=group)
    self.cfg.config(group=group, auth_plugin=auth_plugin, **kwargs)
def get_keystone_session(auth_args):
    """
    Create a keystoneclient session that uses password authentication.

    Only ``auth=`` is passed to ``Session``, so TLS and timeout settings
    are whatever the ``Session`` defaults are.

    :param auth_args: Mapping that must contain ``auth_url``, ``username``,
        ``password`` and ``tenant_name``; a missing key raises ``KeyError``.
    :return: A ``keystoneclient.session.Session`` using the auth plugin.
    """
    # keystoneclient is imported inside the function, so it is only
    # required when this function is called.
    from keystoneclient import auth as ksauth
    from keystoneclient import session as kssession

    password_plugin = ksauth.get_plugin_class('password')
    credentials = {
        'auth_url': auth_args['auth_url'],
        'username': auth_args['username'],
        'password': auth_args['password'],
        # The caller's "tenant_name" is given to the plugin as project_name.
        'project_name': auth_args['tenant_name'],
    }
    return kssession.Session(auth=password_plugin(**credentials))
def list_auth_opts():
    """
    Return the auth-related configuration options listed for ``NOVA_GROUP``.

    The list starts from a deep copy of ``_nova_options``, gets the first
    common auth conf option prepended, and is extended with the options of
    a few common auth plugins, skipping any option whose name is already
    present.

    :return: A one-element list ``[(NOVA_GROUP, options)]`` with the
        options sorted by name.
    """
    # Work on a deep copy so _nova_options itself is left unchanged.
    options = copy.deepcopy(_nova_options)
    options.insert(0, auth.get_common_conf_options()[0])

    # NOTE(mhickey): There are a lot of auth plugins, we just generate
    # the config options for a few common ones
    for plugin_name in ['password', 'v2password', 'v3password']:
        for candidate in auth.get_plugin_class(plugin_name).get_options():
            already_listed = any(
                known.name == candidate.name for known in options)
            if not already_listed:
                options.append(candidate)

    return [(NOVA_GROUP, sorted(options, key=operator.attrgetter('name')))]
def configure_middleware(self, auth_plugin, **kwargs):
    """
    Register auth options under ``_base.AUTHTOKEN_GROUP`` and configure it.

    :param auth_plugin: Name of the plugin whose options are registered;
        it is also passed to ``self.cfg.config`` as ``auth_plugin``.
    :param kwargs: Further settings passed to ``self.cfg.config``.
    """
    plugin_opts = auth.get_plugin_class(auth_plugin).get_options()
    authtoken_group = _base.AUTHTOKEN_GROUP
    self.cfg.register_opts(plugin_opts, group=authtoken_group)

    # Since these tests cfg.config() themselves rather than waiting for
    # auth_token to do it on __init__ we need to register the base auth
    # options (e.g., auth_plugin)
    auth.register_conf_options(self.cfg.conf, group=authtoken_group)

    self.cfg.config(group=authtoken_group,
                    auth_plugin=auth_plugin,
                    **kwargs)
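def _validate_auth_ksc(self, config, cloud=None):
    """
    Normalize ``config`` against the options of its keystoneclient plugin.

    For every option declared by the plugin named in
    ``config['auth_type']`` the winning value is looked up, first in
    ``config['auth']`` and then in the top level of ``config``. Every
    spelling of the option (current and deprecated names) is removed from
    both places, and the winning value, if any, is stored back under
    ``config['auth']``.

    ``config`` is modified in place and also returned. If keystoneclient
    cannot be imported, ``config`` is returned untouched.

    :param config: Cloud configuration mapping; must contain ``auth_type``
        and an ``auth`` mapping.
    :param cloud: Optional cloud name, used only in the error message.
        It is a parameter because the message formats ``cloud`` and no
        such name is otherwise bound in this function, so the lookup would
        fail with ``NameError`` unless the module defines a global of that
        name.
    :return: The same ``config`` object.
    :raises exceptions.OpenStackConfigException: A required plugin option
        has no value.
    """
    try:
        import keystoneclient.auth as ksc_auth
    except ImportError:
        return config

    # May throw a keystoneclient.exceptions.NoMatchingPlugin
    plugin_options = ksc_auth.get_plugin_class(
        config['auth_type']).get_options()

    for p_opt in plugin_options:
        # if it's in config.auth, win, kill it from config dict
        # if it's in config and not in config.auth, move it
        # deprecated loses to current
        # provided beats default, deprecated or not
        winning_value = self._find_winning_auth_value(
            p_opt, config['auth'])
        if not winning_value:
            winning_value = self._find_winning_auth_value(p_opt, config)

        # if the plugin tells us that this value is required
        # then error if it doesn't exist now.
        # The message names the missing option only; it never includes
        # option values, which may be credentials.
        if not winning_value and p_opt.required:
            raise exceptions.OpenStackConfigException(
                'Unable to find auth information for cloud'
                ' {cloud} in config files {files}'
                ' or environment variables. Missing value {auth_key}'
                ' required for auth plugin {plugin}'.format(
                    cloud=cloud, files=','.join(self._config_files),
                    auth_key=p_opt.name, plugin=config.get('auth_type')))

        # Clean up after ourselves
        for opt in [p_opt.name] + [o.name for o in p_opt.deprecated_opts]:
            opt = opt.replace('-', '_')
            config.pop(opt, None)
            config['auth'].pop(opt, None)

        if winning_value:
            # Prefer the plugin configuration dest value if the value's key
            # is marked as deprecated.
            if p_opt.dest is None:
                config['auth'][p_opt.name.replace('-', '_')] = winning_value
            else:
                config['auth'][p_opt.dest] = winning_value

    return config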
def keystone_session(self):
    """
    Build a keystone session that authenticates with username/password.

    When ``self.auth_version == 3`` the project is passed as
    ``project_name`` and both domain names are set to ``DEFAULT_DOMAIN``.
    For any other value the project is passed as ``tenant_name`` and no
    domain is supplied.

    :return: A session created with the password auth plugin; only
        ``auth=`` is passed, so other session settings keep their defaults.
    """
    plugin_cls = ksauth.get_plugin_class("password")
    plugin_args = {
        "auth_url": self.auth_url,
        "username": self.username,
        "password": self.password,
    }
    if self.auth_version == 3:
        plugin_args["user_domain_name"] = DEFAULT_DOMAIN
        plugin_args["project_domain_name"] = DEFAULT_DOMAIN
        plugin_args["project_name"] = self.tenant_name
    else:
        plugin_args["tenant_name"] = self.tenant_name
    return kssession.Session(auth=plugin_cls(**plugin_args))
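def _validate_auth_ksc(self, config, cloud=None):
    """
    Reconcile ``config`` with the options of its keystoneclient auth plugin.

    The plugin is the one named in ``config["auth_type"]``. For each option
    it declares, a winning value is searched in ``config["auth"]`` and, if
    none is found there, in the top level of ``config``. All names of the
    option (current and deprecated) are then removed from both mappings
    and the winning value, if any, is written to ``config["auth"]``.

    ``config`` is changed in place and returned. When keystoneclient cannot
    be imported, ``config`` is returned unchanged.

    :param config: Cloud configuration mapping; must contain ``auth_type``
        and an ``auth`` mapping.
    :param cloud: Optional cloud name, used only in the error message.
        The message formats ``cloud``, and nothing else in this function
        binds that name; without the parameter the lookup would fail with
        ``NameError`` unless the module defines a global of that name.
    :return: The same ``config`` object.
    :raises exceptions.OpenStackConfigException: A required plugin option
        has no value.
    """
    try:
        import keystoneclient.auth as ksc_auth
    except ImportError:
        return config

    # May throw a keystoneclient.exceptions.NoMatchingPlugin
    plugin_options = ksc_auth.get_plugin_class(config["auth_type"]).get_options()

    for p_opt in plugin_options:
        # if it's in config.auth, win, kill it from config dict
        # if it's in config and not in config.auth, move it
        # deprecated loses to current
        # provided beats default, deprecated or not
        winning_value = self._find_winning_auth_value(p_opt, config["auth"])
        if not winning_value:
            winning_value = self._find_winning_auth_value(p_opt, config)

        # if the plugin tells us that this value is required
        # then error if it doesn't exist now.
        # Only the option name is reported, never an option value, since
        # values may be credentials.
        if not winning_value and p_opt.required:
            raise exceptions.OpenStackConfigException(
                "Unable to find auth information for cloud"
                " {cloud} in config files {files}"
                " or environment variables. Missing value {auth_key}"
                " required for auth plugin {plugin}".format(
                    cloud=cloud,
                    files=",".join(self._config_files),
                    auth_key=p_opt.name,
                    plugin=config.get("auth_type"),
                )
            )

        # Clean up after ourselves
        for opt in [p_opt.name] + [o.name for o in p_opt.deprecated_opts]:
            opt = opt.replace("-", "_")
            config.pop(opt, None)
            config["auth"].pop(opt, None)

        if winning_value:
            # Prefer the plugin configuration dest value if the value's key
            # is marked as deprecated.
            if p_opt.dest is None:
                config["auth"][p_opt.name.replace("-", "_")] = winning_value
            else:
                config["auth"][p_opt.dest] = winning_value

    return config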
def _openstack_auth_from_config(**config):
    """
    Create an OpenStack authentication plugin from keyword configuration.

    :param config: Plugin parameters plus an optional ``auth_plugin`` key
        naming the plugin (``'password'`` when absent). ``'rackspace'``
        selects ``RackspaceAuth``; any other name is resolved with
        ``get_plugin_class``. Keys that the plugin does not declare as
        options are ignored rather than rejected.
    :return: The authentication object.
    """
    plugin_name = config.pop('auth_plugin', 'password')
    if plugin_name != 'rackspace':
        plugin_class = get_plugin_class(plugin_name)
    else:
        plugin_class = RackspaceAuth

    # option.dest is the Python-compatible attribute name used by the
    # plugin implementation: option.name with hyphens replaced by
    # underscores.
    plugin_kwargs = {
        option.dest: config[option.dest]
        for option in plugin_class.get_options()
        if option.dest in config
    }
    return plugin_class(**plugin_kwargs)
def keystone_session(self):
    """
    Create a keystone session using the password auth plugin.

    The plugin always receives ``auth_url``, ``username`` and ``password``
    from this object. With ``self.auth_version == 3`` it also receives
    ``project_name`` and both domain names (``DEFAULT_DOMAIN``); otherwise
    it receives ``tenant_name`` and no domain.

    :return: A session created with that plugin; only ``auth=`` is passed,
        so other session settings keep their defaults.
    """
    password_plugin = ksauth.get_plugin_class('password')
    common = dict(
        auth_url=self.auth_url,
        username=self.username,
        password=self.password,
    )
    if self.auth_version == 3:
        scope = {
            'user_domain_name': DEFAULT_DOMAIN,
            'project_domain_name': DEFAULT_DOMAIN,
            'project_name': self.tenant_name,
        }
    else:
        scope = {'tenant_name': self.tenant_name}
    plugin_args = dict(common, **scope)
    return kssession.Session(auth=password_plugin(**plugin_args))
def configure_middleware(self,
                         auth_plugin,
                         group='keystone_authtoken',
                         **kwargs):
    """
    Register an auth plugin's options and configure the given group.

    The plugin's own options are registered under ``group``, while the
    base auth options are registered under ``_base.AUTHTOKEN_GROUP``
    whatever ``group`` is.

    :param auth_plugin: Name of the plugin whose options are registered;
        it is also passed to ``self.cfg.config`` as ``auth_plugin``.
    :param group: Configuration group for the plugin options and settings.
    :param kwargs: Further settings passed to ``self.cfg.config``.
    """
    # NOTE(gyee): For this test suite and for the stable liberty branch
    # only, we will ignore deprecated calls that keystonemiddleware makes.
    # The filter goes into the process-wide warnings filter list.
    warnings.filterwarnings('ignore',
                            category=DeprecationWarning,
                            module='^keystonemiddleware\\.')

    plugin_class = auth.get_plugin_class(auth_plugin)
    self.cfg.register_opts(plugin_class.get_options(), group=group)

    # Since these tests cfg.config() themselves rather than waiting for
    # auth_token to do it on __init__ we need to register the base auth
    # options (e.g., auth_plugin)
    auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)

    self.cfg.config(group=group, auth_plugin=auth_plugin, **kwargs)