def get_admin_session():
"""Returns a keystone session from Mistral's service credentials."""
if CONF.keystone_authtoken.auth_type is None:
auth = auth_plugins.Password(
CONF.keystone_authtoken.auth_uri,
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
project_name=CONF.keystone_authtoken.admin_tenant_name,
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we
# can fetch the following values from the configuration.
user_domain_name='Default',
project_domain_name='Default')
return ks_session.Session(auth=auth)
else:
auth = loading.load_auth_from_conf_options(
CONF,
'keystone_authtoken'
)
return loading.load_session_from_conf_options(
CONF,
'keystone_authtoken',
auth=auth
)
def __init__(self, username, password, project, auth_url, insecure,
**kwargs):
data = {
'username': username,
'password': password,
'project_name': project,
}
if kwargs['user_domain_name'] is not None:
if kwargs['project_domain_name'] is None:
kwargs['project_domain_name'] = 'Default'
data.update({
'domain_id': kwargs.get('domain_id'),
'project_domain_id': kwargs.get('project_domain_id'),
'project_domain_name': kwargs.get('project_domain_name'),
'user_domain_id': kwargs.get('user_domain_id'),
'user_domain_name': kwargs.get('user_domain_name')
})
self.auth = keystone_auth.Password(auth_url, **data)
session = keystone_session.Session(auth=self.auth, verify=(not insecure))
self.client = keystone_client.Client(session=session)
self.admin_role_id = None
self.tenant_info = None
self.admin_role_name = kwargs['admin_role_name']
self.user_id = self.auth.auth_ref.user_id
def trusts_auth_plugin(self):
if self._trusts_auth_plugin:
return self._trusts_auth_plugin
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
if self._trusts_auth_plugin:
return self._trusts_auth_plugin
LOG.warning(_LW('Using the keystone_authtoken user as the heat '
'trustee user directly is deprecated. Please add the '
'trustee credentials you need to the %s section of '
'your heat.conf file.') % TRUSTEE_CONF_GROUP)
cfg.CONF.import_group('keystone_authtoken',
'keystonemiddleware.auth_token')
trustee_user_domain = 'default'
if 'user_domain_id' in cfg.CONF.keystone_authtoken:
trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id
self._trusts_auth_plugin = generic.Password(
username=cfg.CONF.keystone_authtoken.admin_user,
password=cfg.CONF.keystone_authtoken.admin_password,
user_domain_id=trustee_user_domain,
auth_url=self.keystone_v3_endpoint,
trust_id=self.trust_id)
return self._trusts_auth_plugin
def init_client(self, args):
try:
from keystoneauth1.identity import generic
from keystoneauth1 import session
auth = generic.Password(
auth_url=args.OS_AUTH_URL,
username=args.OS_USERNAME,
password=args.OS_PASSWORD,
project_name=args.OS_TENANT_NAME,
)
sess = session.Session(auth=auth)
keystone = keystone_client.Client(session=sess)
self.keystone = keystone
except Exception as e:
raise e
try:
# NOTE(flwang): It's OK only talk to WLG region to get the data
region = 'nz_wlg_2'
distil_url = "https://api.cloud.catalyst.net.nz:9999"
distil = distil_client.Client(version='2',
distil_url=distil_url,
session=sess,
region_name=region)
self.distil = distil
except Exception as e:
raise e
def auth(profile=None, **connection_args):
'''
Set up keystone credentials. Only intended to be used within Keystone-enabled modules.
CLI Example:
.. code-block:: bash
salt '*' keystone.auth
'''
__utils__['versions.warn_until'](
'Sodium',
('The keystone module has been deprecated and will be removed in {version}. '
'Please update to using the keystoneng module'),
)
kwargs = _get_kwargs(profile=profile, **connection_args)
disc = discover.Discover(auth_url=kwargs['auth_url'])
v2_auth_url = disc.url_for('v2.0')
v3_auth_url = disc.url_for('v3.0')
if v3_auth_url:
global _OS_IDENTITY_API_VERSION
global _TENANTS
_OS_IDENTITY_API_VERSION = 3
_TENANTS = 'projects'
kwargs['auth_url'] = v3_auth_url
else:
kwargs['auth_url'] = v2_auth_url
kwargs.pop('user_domain_name')
kwargs.pop('project_domain_name')
auth = generic.Password(**kwargs)
sess = session.Session(auth=auth)
ks_cl = disc.create_client(session=sess)
return ks_cl
def auth(profile=None, **connection_args):
'''
Set up keystone credentials. Only intended to be used within Keystone-enabled modules.
CLI Example:
.. code-block:: bash
salt '*' keystone.auth
'''
kwargs = _get_kwargs(profile=profile, **connection_args)
if 'token' in kwargs:
auth = token_endpoint.Token(endpoint=kwargs['endpoint'],
token=kwargs['token'])
else:
# keystoneauth1 Password class does not accept some args. Therefore remove it from args for auth.
auth_connection_args = kwargs.copy()
auth_connection_args.pop('region_name', None)
auth_connection_args.pop('version', None)
auth_connection_args.pop('insecure', None)
auth = generic.Password(**auth_connection_args)
if 'insecure' in kwargs:
certs_verify = False
else:
certs_verify = True
sess = session.Session(auth=auth, verify=certs_verify)
keystone_client = client.Client(session=sess, **kwargs)
return keystone_client
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.password:
# Never trust the password. Refer to keyring
LOG.info("Re-determining password from keyring")
self.password = keyring.get_password('CGCS', self.username)
# TIS user_domain_id is blank. Use user_domain_name to lookup user
user_domain_name = cfg.CONF.user_domain_name
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
user_domain_name=user_domain_name,
auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
LOG.error("Keystone API connection failed, no password "
"trust or auth_token!")
raise exception.AuthorizationFailure()
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
auth_url=self.keystone_v3_endpoint)
LOG.error(
_LE("Keystone API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def auth(profile=None, **connection_args):
"""
Set up keystone credentials. Only intended to be used within Keystone-enabled modules.
CLI Example:
.. code-block:: bash
salt '*' keystone.auth
"""
__utils__["versions.warn_until"](
"Phosphorus",
("The keystone module has been deprecated and will be removed in {version}. "
"Please update to using the keystoneng module"),
)
kwargs = _get_kwargs(profile=profile, **connection_args)
disc = discover.Discover(auth_url=kwargs["auth_url"])
v2_auth_url = disc.url_for("v2.0")
v3_auth_url = disc.url_for("v3.0")
if v3_auth_url:
global _OS_IDENTITY_API_VERSION
global _TENANTS
_OS_IDENTITY_API_VERSION = 3
_TENANTS = "projects"
kwargs["auth_url"] = v3_auth_url
else:
kwargs["auth_url"] = v2_auth_url
kwargs.pop("user_domain_name")
kwargs.pop("project_domain_name")
auth = generic.Password(**kwargs)
sess = session.Session(auth=auth)
ks_cl = disc.create_client(session=sess)
return ks_cl
def auth(profile=None, **connection_args):
'''
Set up keystone credentials. Only intended to be used within Keystone-enabled modules.
CLI Example:
.. code-block:: bash
salt '*' keystone.auth
'''
kwargs = _get_kwargs(profile=profile, **connection_args)
disc = discover.Discover(auth_url=kwargs['auth_url'])
v2_auth_url = disc.url_for('v2.0')
v3_auth_url = disc.url_for('v3.0')
if v3_auth_url:
global _OS_IDENTITY_API_VERSION
global _TENANTS
_OS_IDENTITY_API_VERSION = 3
_TENANTS = 'projects'
kwargs['auth_url'] = v3_auth_url
else:
kwargs['auth_url'] = v2_auth_url
kwargs.pop('user_domain_name')
kwargs.pop('project_domain_name')
auth = generic.Password(**kwargs)
sess = session.Session(auth=auth)
ks_cl = disc.create_client(session=sess)
return ks_cl
def get_keystone_auth(self):
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
return (keystone_session, keystone_auth)
def execute():
global zip_file
global function_module
global function_method
global auth_url
global username
global password
global trust_id
params = request.get_json() or {}
input = params.get('input') or {}
execution_id = params['execution_id']
app.logger.info(
'Request received, execution_id:%s, input: %s, auth_url: %s, '
'username: %s, trust_id: %s' %
(execution_id, input, auth_url, username, trust_id))
# Provide an openstack session to user's function
os_session = None
if auth_url:
auth = generic.Password(username=username,
password=password,
auth_url=auth_url,
trust_id=trust_id,
user_domain_name='Default')
os_session = session.Session(auth=auth, verify=False)
input.update({'context': {'os_session': os_session}})
manager = Manager()
return_dict = manager.dict()
return_dict['success'] = True
start = time.time()
# Run the function in a separate process to avoid messing up the log
p = Process(target=_invoke_function,
args=(execution_id, zip_file, function_module, function_method,
input, return_dict))
p.start()
p.join()
duration = round(time.time() - start, 3)
with open('%s.out' % execution_id) as f:
logs = f.read()
os.remove('%s.out' % execution_id)
return Response(response=json.dumps({
'output': return_dict.get('result'),
'duration': duration,
'logs': logs,
'success': return_dict['success']
}),
status=200,
mimetype='application/json')
def _init_auth(self):
auth = generic.Password(
username=self.parsed_url.username,
password=self.parsed_url.password,
project_name=self.parsed_url.path[1:],
user_domain_id=self.conf.user_domain_id,
user_domain_name=self.conf.user_domain_name,
project_domain_id=self.conf.project_domain_id,
project_domain_name=self.conf.project_domain_name,
auth_url=self.conf.auth_url)
self.session = keystone_session.Session(auth=auth)
def __init__(self,
username,
password,
project_id,
auth_url,
endpoint_type="publicURL",
insecure=False,
**kwargs):
data = {
'username': username,
'password': password,
'project_id': project_id,
'user_domain_id': kwargs.get('user_domain_id'),
'user_domain_name': kwargs.get('user_domain_name'),
'project_domain_id': kwargs.get('project_domain_id'),
'project_domain_name': kwargs.get('project_domain_name'),
'domain_id': kwargs.get('domain_id')
}
auth = keystone_auth.Password(auth_url, **data)
session = keystone_session.Session(auth=auth, verify=(not insecure))
self.client = keystone_client.Client(session=session)
# Storing username, password, project_id and auth_url for
# use by clients libraries that cannot use an existing token.
self.username = username
self.password = password
self.project_id = auth.auth_ref.project_id
self.auth_url = auth_url
self.region_name = kwargs['region_name']
self.insecure = insecure
# Session variables to be used by clients when possible
self.token = auth.auth_ref.auth_token
self.user_id = auth.auth_ref.user_id
self.project_name = self.client.project_name
self.keystone_session = session
self.endpoint_type = endpoint_type
self.catalog = auth.auth_ref.service_catalog.get_endpoints(
interface=self.endpoint_type)
try:
# Detect if we are admin or not
self.client.roles.list() # Only admins are allowed to do this
except (
# The Exception Depends on OpenStack Infrastructure.
api_exceptions.Forbidden,
keystone_exceptions.
ConnectionRefused, # admin URL not permitted
api_exceptions.Unauthorized,
):
self.is_admin = False
else:
self.is_admin = True
def get_keystone_session(project_id=None):
kwargs = {
'auth_url': cfg.CONF.client.auth_url,
'username': cfg.CONF.client.admin_username,
'password': cfg.CONF.client.admin_password,
'user_domain_name': cfg.CONF.client.admin_user_domain_name,
'project_domain_name': cfg.CONF.client.admin_tenant_domain_name}
if not project_id:
kwargs['project_name'] = cfg.CONF.client.admin_tenant
else:
kwargs['project_id'] = project_id
auth = auth_identity.Password(**kwargs)
return session.Session(auth=auth)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert, all_tenants=False, edit_managed=False):
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({
'token': token
})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session.all_tenants = all_tenants
session.edit_managed = edit_managed
return session
def get_admin_session():
"""Returns a keystone session from Mistral's service credentials."""
auth = auth_plugins.Password(
CONF.keystone_authtoken.auth_uri,
username=CONF.keystone_authtoken.admin_user,
password=CONF.keystone_authtoken.admin_password,
project_name=CONF.keystone_authtoken.admin_tenant_name,
# NOTE(jaosorior): Once mistral supports keystone v3 properly, we can
# fetch the following values from the configuration.
user_domain_name='Default',
project_domain_name='Default')
return ks_session.Session(auth=auth)
def _init_auth(self):
auth = generic.Password(
username=self.parsed_url.username,
password=self.parsed_url.password,
project_name=self.parsed_url.path[1:],
user_domain_id=self.conf.user_domain_id,
user_domain_name=self.conf.user_domain_name,
project_domain_id=self.conf.project_domain_id,
project_domain_name=self.conf.project_domain_name,
auth_url=self.conf.auth_url)
self.session = keystone_session.Session(auth=auth)
self.endpoint = self.session.get_endpoint(
service_type='object-store',
interface=self.conf.interface,
region_name=self.conf.region_name)
def _get_auth(api_key=None,
auth_token=None,
auth_url=None,
project_domain_id=None,
project_domain_name=None,
project_id=None,
project_name=None,
user_domain_id=None,
user_domain_name=None,
user_id=None,
username=None,
**kwargs):
if project_name and project_id:
project_name = None
LOG.warning("Only one of project_name or project_id should be set,"
"project_name will be ignored")
if username and user_id:
username = None
LOG.warning("Only one of username or user_id should be set,"
"username will be ignored")
auth = {}
if auth_token:
auth = auth_plugin.Token(auth_url=auth_url,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
token=auth_token)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
password=api_key,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
user_id=user_id,
username=username)
return auth
def get_client(self):
"""
This function is based, with minor changes, on the official OpenStack
Heat client's shell implementation. Specifically,
python-heatclient/heatclient/shell.py.
"""
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
kwargs = {
'auth_url': self.options['os_auth_url'],
'session': keystone_session,
'auth': keystone_auth,
'service_type': self.service_type,
'endpoint_type': self.endpoint_type,
'region_name': self.options['os_region_name'],
'username': self.options['os_username'],
'password': self.options['os_password']
}
return heat_client.Client(self.api_version, **kwargs)
def main():
cfg.CONF(args=sys.argv[1:],
default_config_files=DEFAULT_CONFIG_FILES)
common_config.setup_logging()
config.register_infoblox_ipam_opts(cfg.CONF)
grid_id = cfg.CONF.infoblox.cloud_data_center_id
config.register_infoblox_grid_opts(cfg.CONF, grid_id)
try:
credentials, version = get_credentials()
except KeyError:
print("\nYou must provide an admin user credentials in the shell "
"environment.\nPlease export variables such as env[OS_USERNAME],"
" env[OS_PASSWORD], env[OS_AUTH_URL], env[OS_TENANT_NAME] or "
"env[OS_PROJECT_NAME]\n")
return
password_creds = credentials.copy()
password_creds.pop('region_name', None)
# keystoneauth1 provides generic api to create auth object based on the
# arguments passed.
auth = generic.Password(**password_creds)
# Load keystone session using the ssl options which are in environment
session = load_session.Session().load_from_options(**get_session_options())
session.auth = auth
if version == '3':
client = client_3.Client(session=session)
else:
client = client_2_0.Client(session=session)
context = neutron_context.get_admin_context()
context.auth_token = client.ec2.client.get_token()
context.user_id = client.ec2.client.get_user_id()
context.tenant_id = client.ec2.client.get_project_id()
grid_manager = grid.GridManager(context)
grid_manager.sync(force_sync=True)
context.session.expunge_all()
credentials['session'] = session
for key in ('user_domain_id', 'project_domain_id'):
credentials.pop(key, None)
sync_neutron_to_infoblox(context, credentials, grid_manager)
def nclient(self):
if self._nclient:
return self._nclient
user = self._cfg.neutron.username
project = self._cfg.neutron.project_name
passwd = self._cfg.neutron.password
url = self._cfg.neutron.auth_url
u_domain = self._cfg.keystone_authtoken.user_domain_name
p_domain = self._cfg.keystone_authtoken.project_domain_name
auth = generic.Password(auth_url=url,
username=user,
password=passwd,
project_name=project,
project_domain_name=p_domain,
user_domain_name=u_domain)
sess = session.Session(auth=auth)
self._nclient = n_client.Client(session=sess)
return self._nclient
def get_client(self):
keystone_session = kssession.Session(verify=True)
if self.options['os_auth_token']:
kwargs = {
'token': self.options['os_auth_token'],
'auth_url': self.options['os_auth_url']
}
keystone_auth = generic.Token(**kwargs)
else:
project_id = self.options['os_project_id'] or self.options[
'os_tenant_id'] # noqa: E501
project_name = self.options['os_project_name'] or self.options[
'os_tenant_name'] # noqa: E501
kwargs = {
'username': self.options['os_username'],
'user_id': self.options['os_user_id'],
'user_domain_id': self.options['os_user_domain_id'],
'user_domain_name': self.options['os_user_domain_name'],
'password': self.options['os_password'],
'auth_url': self.options['os_auth_url'],
'project_id': project_id,
'project_name': project_name,
'project_domain_id': self.options['os_project_domain_id'],
'project_domain_name': self.options['os_project_domain_name'],
}
keystone_auth = generic.Password(**kwargs)
return nova_client.Client(
self.api_version,
self.options['os_username'],
self.options['os_password'],
project_id=self.options['os_project_id'],
project_name=self.options['os_project_name'],
user_id=self.options['os_user_id'],
auth_url=self.options['os_auth_url'],
region_name=self.options['os_region_name'],
endpoint_type=self.endpoint_type,
service_type=self.service_type,
session=keystone_session,
auth=keystone_auth,
project_domain_id=self.options['os_project_domain_id'],
project_domain_name=self.options['os_project_domain_name'],
user_domain_id=self.options['os_user_domain_id'],
user_domain_name=self.options['os_user_domain_name'])
def get_auth_session(auth_url,
username,
project_name,
password=None,
auth_token=None,
cacert=None):
if auth_token:
auth = ks_id.Token(auth_url=auth_url,
token=auth_token,
project_name=project_name,
project_domain_id='default')
else:
auth = ks_id.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
user_domain_id='default',
project_domain_id='default')
return session.Session(auth=auth, verify=cacert)
def _get_auth(api_key=None,
auth_token=None,
auth_url=None,
project_domain_id=None,
project_domain_name=None,
project_id=None,
project_name=None,
user_domain_id=None,
user_domain_name=None,
user_id=None,
username=None,
**kwargs):
if project_name and project_id:
raise RuntimeError(
'Only one of project_name or project_id should be set')
if username and user_id:
raise RuntimeError('Only one of username or user_id should be set')
auth = {}
if auth_token:
auth = auth_plugin.Token(auth_url=auth_url,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
token=auth_token)
elif api_key and (username or user_id):
auth = auth_plugin.Password(
auth_url=auth_url,
password=api_key,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_id=project_id,
project_name=project_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
user_id=user_id,
username=username)
return auth
def test_request_with_bad_credentials(self):
self.m.StubOutWithMock(ks_auth, 'Password')
m = ks_auth.Password(auth_url=self.config['auth_uri'],
password='******',
project_id='tenant_id1',
user_domain_id='domain1',
username='******')
m.AndRaise(keystone_exc.Unauthorized(401))
self.m.ReplayAll()
req = webob.Request.blank('/tenant_id1/')
req.headers['X_AUTH_USER'] = '******'
req.headers['X_AUTH_KEY'] = 'badpassword'
req.headers['X_AUTH_URL'] = self.config['auth_uri']
req.headers['X_USER_DOMAIN_ID'] = 'domain1'
self.middleware(req.environ, self._start_fake_response)
self.m.VerifyAll()
self.assertEqual(401, self.response_status)
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert):
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({'token': token})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
return session
def test_valid_v2_request(self):
mock_auth = self.m.CreateMock(ks_auth.Password)
self.m.StubOutWithMock(ks_auth, 'Password')
ks_auth.Password(auth_url=self.config['auth_uri'],
password='******',
project_id='tenant_id1',
user_domain_id='domain1',
username='******').AndReturn(mock_auth)
m = mock_auth.get_access(mox.IsA(ks_session.Session))
m.AndReturn(FakeAccessInfo(**TOKEN_V2_RESPONSE))
self.m.ReplayAll()
req = webob.Request.blank('/tenant_id1/')
req.headers['X_AUTH_USER'] = '******'
req.headers['X_AUTH_KEY'] = 'goodpassword'
req.headers['X_AUTH_URL'] = self.config['auth_uri']
req.headers['X_USER_DOMAIN_ID'] = 'domain1'
self.middleware(req.environ, self._start_fake_response)
self.m.VerifyAll()
def main(args=sys.argv[1:]):
args = _parse_args(args)
_configure_logging(args)
if args.no_wait:
wait = None
else:
wait = args.timeout
auth = generic.Password(auth_url=args.os_auth_url,
username=args.os_username,
project_name=args.os_project_name,
password=args.os_password,
user_domain_name=args.os_user_domain_name,
project_domain_name=args.os_project_domain_name)
api = os_api.API(auth)
try:
args.func(api, args, wait=wait)
except Exception as exc:
LOG.critical('%s', exc, exc_info=args.debug)
sys.exit(1)
def stack_domain_user_token(self, user_id, project_id, password):
"""Get a token for a stack domain user."""
if not self.stack_domain:
# Note, no legacy fallback path as we don't want to deploy
# tokens for non stack-domain users inside instances
msg = _('Cannot get stack domain user token, no stack domain id '
'configured, please fix your heat.conf')
raise exception.Error(msg)
# Create a keystone session, then request a token with no
# catalog (the token is expected to be used inside an instance
# where a specific endpoint will be specified, and user-data
# space is limited..)
# TODO(rabi): generic auth plugins don't support `include_catalog'
# flag yet. We'll add it once it's supported..
auth = ks_auth.Password(auth_url=self.v3_endpoint,
user_id=user_id,
password=password,
project_id=project_id)
return auth.get_token(self.session)