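def _get_keystone_conn(self):
    """Create the Keystone client and cache it in ``self._ks``.

    Returns immediately when a client is already cached. Otherwise an auth
    plugin is built from the admin token when one is configured, or from
    the configured user/password plus the domain/project scope arguments
    taken from ``self._config_sections``. If discovery fails with
    password auth, the v3-only arguments are dropped and the connection
    is retried with ``project_name`` set to ``self._admin_tenant``.

    On success the connection is reported as UP through
    ``ConnectionState.update``.

    Raises:
        kexceptions.DiscoveryFailure: discovery failed while admin-token
            auth was in use, so there are no password arguments to retry
            with. Errors from the password retry itself propagate as-is.
    """
    if self._ks:
        return

    # TLS verification setting handed to the session: the configured cert
    # bundle when certs are in use, otherwise a boolean that is False when
    # ``self._insecure`` is set. NOTE(review): presumably ksession follows
    # the requests-style ``verify`` semantics, in which case False means
    # the Keystone server certificate is not checked and the credentials
    # below travel over an unauthenticated channel -- confirm.
    verify = self._kscertbundle if self._use_certs else not self._insecure

    # Password-auth arguments; stays None when the admin token is used so
    # the fallback below can tell the two auth modes apart.
    kwargs = None
    if self._admin_token:
        auth = kauth.token.Token(self._auth_url, token=self._admin_token)
    else:
        kwargs = {
            'username': self._auth_user,
            'password': self._auth_passwd,
        }
        # Add user domain info
        kwargs.update(
            **cfgmutils.get_user_domain_kwargs(self._config_sections))
        # Get project scope auth params
        scope_kwargs = cfgmutils.get_project_scope_kwargs(
            self._config_sections)
        if not scope_kwargs:
            # Default to domain scoped auth
            scope_kwargs = cfgmutils.get_domain_scope_kwargs(
                self._config_sections)
        kwargs.update(**scope_kwargs)
        auth = kauth.password.Password(self._auth_url, **kwargs)

    sess = ksession.Session(auth=auth, verify=verify)
    try:
        self._ks = kclient.Client(session=sess, auth_url=self._auth_url)
    except kexceptions.DiscoveryFailure:
        if kwargs is None:
            # Token auth: the original code referenced the unbound
            # ``kwargs`` here and died with UnboundLocalError, hiding the
            # real discovery failure. Surface the failure instead.
            raise
        # Probably a v2 Keystone API, remove v3 args and try again
        for arg in ('user_domain_name', 'project_domain_name', 'domain_id'):
            kwargs.pop(arg, None)
        kwargs['project_name'] = self._admin_tenant
        auth = kauth.password.Password(self._auth_url, **kwargs)
        sess = ksession.Session(auth=auth, verify=verify)
        self._ks = kclient.Client(session=sess, auth_url=self._auth_url)

    # Pin the management URL to the configured endpoint type when the
    # auth reference carries a service catalog.
    if self._endpoint_type and auth.auth_ref.service_catalog:
        self._ks.management_url = \
            auth.auth_ref.service_catalog.get_urls(
                service_type='identity',
                endpoint_type=self._endpoint_type)[0]

    ConnectionState.update(conn_type=ConnType.OTHER, name='Keystone',
                           status=ConnectionStatus.UP, message='',
                           server_addrs=[self._auth_url])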
def __init__(self, server_mgr, args): self.args = args _kscertbundle='' if args.auth_protocol == 'https' and args.cafile: certs=[args.cafile] if args.keyfile and args.certfile: certs=[args.certfile, args.keyfile, args.cafile] _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs) self._conf_info = { 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure': args.insecure, 'signing_dir': args.signing_dir, } if args.auth_url: auth_url = args.auth_url else: auth_url = '%s://%s:%s/%s' % ( args.auth_protocol, args.auth_host, args.auth_port, _DEFAULT_KS_VERSION) if 'v2.0' in auth_url.split('/'): identity_uri = '%s://%s:%s' % ( args.auth_protocol, args.auth_host, args.auth_port) self._conf_info.update({ 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'identity_uri': identity_uri}) else: self._conf_info.update({ 'auth_type': args.auth_type, 'auth_url': auth_url, 'username': args.admin_user, 'password': args.admin_password, }) # Add user domain info self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args)) # Get project scope auth params scope_kwargs = cfgmutils.get_project_scope_kwargs(args) if not scope_kwargs: # Default to domain scoped auth scope_kwargs = cfgmutils.get_domain_scope_kwargs(args) self._conf_info.update(**scope_kwargs) if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._auth_needed = server_mgr.is_auth_needed() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. 
Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._auth_needed and 'memcache_servers' in args: self._conf_info[ 'memcached_servers'] = args.memcache_servers.split(',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time self._user_auth_middleware = None self._hdr_from_token_auth_middleware = None
def __init__(self, server_mgr, args): self.args = args _kscertbundle = '' if args.auth_protocol == 'https' and args.cafile: certs = [args.cafile] if args.keyfile and args.certfile: certs = [args.certfile, args.keyfile, args.cafile] _kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE, certs) self._conf_info = { 'admin_port': args.admin_port, 'max_requests': args.max_requests, 'region_name': args.region_name, 'insecure': args.insecure, 'signing_dir': args.signing_dir, } if args.auth_url: auth_url = args.auth_url else: auth_url = '%s://%s:%s/%s' % (args.auth_protocol, args.auth_host, args.auth_port, _DEFAULT_KS_VERSION) if 'v2.0' in auth_url.split('/'): identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port) self._conf_info.update({ 'auth_host': args.auth_host, 'auth_port': args.auth_port, 'auth_protocol': args.auth_protocol, 'admin_user': args.admin_user, 'admin_password': args.admin_password, 'admin_tenant_name': args.admin_tenant_name, 'identity_uri': identity_uri }) else: self._conf_info.update({ 'auth_type': args.auth_type, 'auth_url': auth_url, 'username': args.admin_user, 'password': args.admin_password, }) # Add user domain info self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args)) # Get project scope auth params scope_kwargs = cfgmutils.get_project_scope_kwargs(args) if not scope_kwargs: # Default to domain scoped auth scope_kwargs = cfgmutils.get_domain_scope_kwargs(args) self._conf_info.update(**scope_kwargs) if _kscertbundle: self._conf_info['cafile'] = _kscertbundle self._server_mgr = server_mgr self._auth_method = args.auth self._auth_middleware = None self._mt_rbac = server_mgr.is_rbac_enabled() self._auth_needed = server_mgr.is_auth_needed() if not self._auth_method: return if self._auth_method != 'keystone': raise UnknownAuthMethod() # map keystone id to users. 
Needed for quantum plugin because contrail # plugin doesn't have access to user token and ends up sending admin # admin token along with user-id and role self._ks_users = {} # configure memcache if enabled if self._auth_needed and 'memcache_servers' in args: self._conf_info['memcached_servers'] = args.memcache_servers.split( ',') if 'token_cache_time' in args: self._conf_info['token_cache_time'] = args.token_cache_time self._user_auth_middleware = None self._hdr_from_token_auth_middleware = None