def test_password_cache_id(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
trust_id = uuid.uuid4().hex
a = v2.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
trust_id=trust_id)
b = v2.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
trust_id=trust_id)
a_id = a.get_cache_id()
b_id = b.get_cache_id()
self.assertEqual(a_id, b_id)
c = v2.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
tenant_id=trust_id) # same value different param
c_id = c.get_cache_id()
self.assertNotEqual(a_id, c_id)
self.assertIsNone(a.get_auth_state())
self.assertIsNone(b.get_auth_state())
self.assertIsNone(c.get_auth_state())
s = session.Session()
self.assertEqual(self.TEST_TOKEN, a.get_token(s))
self.assertTrue(self.requests_mock.called)
def region_env(name, tenant_name=None):
if name == 'i01':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
elif name == 'i02':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
elif name == 'i03':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
elif name == 'i04':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
elif name == 'i05':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
elif name == 'i06':
OS_TENANT_NAME = 'openstack'
OS_USERNAME = '******'
OS_PASSWORD = '******'
OS_AUTH_URL = 'http://'
else:
text.append(f"Place is not defined")
if tenant_name is None:
auth = keystone_auth.Password(
username=OS_USERNAME,
tenant_name=OS_TENANT_NAME,
auth_url=OS_AUTH_URL,
password=OS_PASSWORD,
)
# need for show information from users
if tenant_name is not None:
auth = keystone_auth.Password(
username=OS_USERNAME,
tenant_name=tenant_name,
auth_url=OS_AUTH_URL,
password=OS_PASSWORD,
)
# trying connection in keystone
try:
sess = session.Session(auth=auth)
except Exception as ff:
logger.exception(ff)
return sess
def get_session():
auth = v2.Password(auth_url=auth_url,
username=username,
password=password,
tenant_name="admin")
session = ka_session.Session(auth=auth)
return session
def get_session(op_config):
"""
Return keystone session
:param op_config:
:return:
"""
user_domain = op_config.get('OS_USER_DOMAIN_NAME')
project_domain = op_config.get('OS_PROJECT_DOMAIN_NAME', user_domain)
user = op_config.get('OS_USERNAME')
password = op_config.get('OS_PASSWORD')
project_id = op_config.get('OS_PROJECT_ID')
auth_url = op_config.get('OS_AUTH_URL')
verify = op_config.get('insecure', True)
auth_params = {
'username': user,
'password': password,
'project_id': project_id,
'auth_url': auth_url
}
version_v3 = '/v3' in auth_url
if version_v3:
auth_params['user_domain_id'] = user_domain or project_domain
auth_params['project_domain_id'] = project_domain or user_domain
auth = v3.Password(**auth_params)
else:
auth_params['tenant_id'] = auth_params.pop('project_id')
auth = v2.Password(**auth_params)
sess = session.Session(auth=auth, verify=verify)
return sess
def _get_client(self, username, password, tenant_name=None):
if tenant_name:
auth = keystone_v2_auth.Password(
auth_url=self.auth_url,
username=username,
password=password,
tenant_name=tenant_name,
)
else:
auth = keystone_v2_auth.Password(
auth_url=self.auth_url, username=username, password=password
)
sess = session.Session(auth=auth)
client = client_v2.Client(session=sess, timeout=self.timeout, debug=self.debug)
return client, sess
def get_keystone_session(creds):
url_parts = urlparse.urlparse(creds['auth_url'])
path = url_parts.path.lower()
if path.startswith('/v3'):
# Use v3 plugin to authenticate
# Note (thread-safety): blocking call
auth = v3.Password(
auth_url=creds['auth_url'],
username=creds['username'],
password=creds['password'],
project_name=creds.get('project_name') or creds.get('tenant_name'),
user_domain_name=creds.get('user_domain_name', 'Default'),
project_domain_name=creds.get('project_domain_name', 'Default'))
else:
# Use v2 plugin
# Note (thread-safety): blocking call
auth = v2.Password(auth_url=creds['auth_url'],
username=creds['username'],
password=creds['password'],
tenant_name=creds['tenant_name'])
# Note (thread-safety): blocking call?
session = kssession.Session(auth=auth)
return session
def get_session():
"""Build the session object."""
auth = v2.Password(auth_url=os.environ["OS_AUTH_URL"],
username=os.environ["OS_USERNAME"],
password=os.environ["OS_PASSWORD"],
tenant_id=os.environ["OS_TENANT_ID"])
return session.Session(auth=auth)
def __init__(self):
auth = v2.Password(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_id=env['OS_TENANT_ID'])
sess = session.Session(auth=auth)
self.keystone_client = keystone.Client(
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_id=env['OS_TENANT_ID'],
auth_url=env['OS_AUTH_URL'],
region_name=env['OS_REGION_NAME'])
heat_url = self.keystone_client \
.service_catalog.url_for(service_type='orchestration',
endpoint_type='publicURL')
self.nova_client = nova.Client('2.1',
region_name=env['OS_REGION_NAME'],
session=sess)
self.cinder_client = cinder.Client('2',
region_name=env['OS_REGION_NAME'],
session=sess)
self.glance_client = glance.Client('2',
region_name=env['OS_REGION_NAME'],
session=sess)
self.neutron_client = neutron.Client(region_name=env['OS_REGION_NAME'],
session=sess)
self.heat_client = heat.Client('1',
region_name=env['OS_REGION_NAME'],
endpoint=heat_url,
session=sess)
def _get_auth_plugin(self, version, **kwargs):
if version == 'v2.0':
auth_plugin = v2.Password(**kwargs)
else:
auth_plugin = v3.Password(**kwargs)
return auth_plugin
def _get_keystone_auth(self,
username=None,
api_key=None,
auth_url=None,
project_id=None,
project_name=None):
if not auth_url:
raise RuntimeError("No auth url specified")
if 'v2.0' in auth_url:
return v2.Password(auth_url=auth_url,
username=username,
password=api_key,
tenant_id=project_id,
tenant_name=project_name)
else:
# NOTE(jamielennox): Setting these to default is what
# keystoneclient does in the event they are not passed.
return v3.Password(auth_url=auth_url,
username=username,
password=api_key,
user_domain_id='default',
project_id=project_id,
project_name=project_name,
project_domain_id='default')
def get_auth_plugin(opts):
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def openstack_get_token(self, report_flag=None):
if report_flag is None:
Reporter.unit_test_start(True)
try:
auth = v2.Password(username=self.auth['username'],
password=self.auth['password'],
tenant_name=self.auth['tenant_id'],
auth_url=self.auth['auth_url'])
sess = session.Session(auth=auth, timeout=5)
token = sess.get_token()
if not token:
Reporter.REPORT_MSG(
" >> OpentStack Authentication NOK ---> get token fail")
if report_flag is None:
Reporter.unit_test_stop('nok')
return False
else:
Reporter.REPORT_MSG(
" >> OpenStack Authentication OK ---> user: %s, token: %s",
self.auth['username'], token)
if report_flag is None:
Reporter.unit_test_stop('ok')
return True
except exceptions.AuthorizationFailure, err:
Reporter.REPORT_MSG(" >> OpentStack Authentication Fail ---> %s",
err)
return False
def _get_auth(self):
if self.cloud_auth["domain_name"]:
if self.cloud_auth["auth_type"] == 'password':
kwargs = {
'auth_url': self.cloud_auth["auth_url"],
'username': self.cloud_auth["username"],
'password': self.cloud_auth["password"],
'user_domain_name': self.cloud_auth["domain_name"]
}
if self.unscoped:
kwargs['unscoped'] = self.unscoped
else:
kwargs['project_id'] = self.cloud_auth["project_id"]
return v3.Password(**kwargs)
else:
access_key = \
self.cloud_auth.application_credential_secret
access_key_id = \
self.cloud_auth.application_credential_id
kwargs = {
'auth_url': self.cloud_auth.auth_url,
'application_credential_secret': access_key,
'application_credential_id': access_key_id
}
return v3.ApplicationCredential(**kwargs)
else:
kwargs = {
'auth_url': self.cloud_auth.auth_url,
'username': self.cloud_auth.username,
'password': self.cloud_auth.password,
'tenant_id': self.cloud_auth.project_id
}
return v2.Password(**kwargs)
def _replay_cassette(self):
plugin = v2.Password(auth_url=self.TEST_AUTH_URL,
password=self.TEST_PASSWORD,
username=self.TEST_USERNAME,
tenant_name=self.TEST_TENANT_NAME)
s = session.Session()
s.get_token(auth=plugin)
def read(data=None):
starttime = time.time()
auth = v2.Password(username=os_username,
password=os_password,
tenant_name=os_tenant,
auth_url=os_auth_url)
sess = session.Session(auth=auth)
gnocchi = client.Client(session=sess)
status = gnocchi.status.get()
metric = collectd.Values()
metric.plugin = 'gnocchi_status'
metric.interval = INTERVAL
metric.type = 'gauge'
metric.type_instance = 'measures'
metric.values = [status['storage']['summary']['measures']]
metric.dispatch()
metric = collectd.Values()
metric.plugin = 'gnocchi_status'
metric.interval = INTERVAL
metric.type = 'gauge'
metric.type_instance = 'metrics'
metric.values = [status['storage']['summary']['metrics']]
metric.dispatch()
timediff = time.time() - starttime
if timediff > INTERVAL:
collectd.warning('gnocchi_status: Took: {} > {}'.format(
round(timediff, 2), INTERVAL))
def _get_keystone_session(self):
username = self._pnda_env['openstack_parameters']['KEYSTONE_USER']
password = self._pnda_env['openstack_parameters']['KEYSTONE_PASSWORD']
auth_url = self._pnda_env['openstack_parameters']['KEYSTONE_AUTH_URL']
if int(self._pnda_env['openstack_parameters']
['KEYSTONE_AUTH_VERSION']) == 2:
CONSOLE.info('Auth version provided is v2')
tenant_name = self._pnda_env['openstack_parameters'][
'KEYSTONE_TENANT']
auth = v2.Password(auth_url=auth_url,
username=username,
password=password,
tenant_name=tenant_name)
elif int(self._pnda_env['openstack_parameters']
['KEYSTONE_AUTH_VERSION']) == 3:
CONSOLE.info('Auth version provided is v3')
project_name = self._pnda_env['openstack_parameters'][
'KEYSTONE_TENANT']
auth = v3.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name)
else:
CONSOLE.error('Invalid Auth API version')
sys.exit(1)
keystone_session = session.Session(auth=auth)
kwargs = {
'auth_url': auth_url,
'session': keystone_session,
'auth': auth
}
return kwargs
def test_password_change_auth_state(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
expired = ksa_utils.before_utcnow(days=2)
token = fixture.V2Token(expires=expired)
auth_ref = access.create(body=token)
a = v2.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
tenant_id=uuid.uuid4().hex)
initial_cache_id = a.get_cache_id()
state = a.get_auth_state()
self.assertIsNone(state)
state = json.dumps({
'auth_token': auth_ref.auth_token,
'body': auth_ref._data
})
a.set_auth_state(state)
self.assertEqual(token.token_id, a.auth_ref.auth_token)
s = session.Session()
self.assertEqual(self.TEST_TOKEN, a.get_token(s)) # updates expired
self.assertEqual(initial_cache_id, a.get_cache_id())
def create_ost_auth_session(deploy):
# type: (Deploy) -> session.Session
""" Create a keystoneauth Session object using keystone v3 used to create Openstack API clients.
:return: Session used to authenticate with various Openstack API clients.
"""
if deploy.auth_version == 2:
auth = v2.Password(auth_url=deploy.openstack_auth_url,
username=deploy.ost_username,
password=deploy.ost_password,
tenant_name=deploy.ost_project_name)
elif deploy.auth_version == 3:
if deploy.ost_project_id:
auth = v3.Password(auth_url=deploy.openstack_auth_url,
username=deploy.ost_username,
password=deploy.ost_password,
project_id=deploy.ost_project_id)
else:
auth = v3.Password(auth_url=deploy.openstack_auth_url,
username=deploy.ost_username,
password=deploy.ost_password,
project_name=deploy.ost_project_name,
user_domain_name=deploy.ost_domain,
project_domain_name=deploy.ost_domain)
else:
raise ConfigException("auth_version must be in [2,3]")
return session.Session(auth=auth, verify=deploy.cacert)
def _get_client(self):
if self._client is not None:
return self._client
if (self.tenant_id is not None or self.tenant_name is not None):
auth = v2_auth.Password(
auth_url=self.auth_url,
username=self.username,
password=self.password,
tenant_id=self.tenant_id,
tenant_name=self.tenant_name)
elif self.project_name is not None:
auth = v3_auth.Password(
auth_url=self.auth_url,
username=self.username,
password=self.password,
project_name=self.project_name,
project_domain_name=self.project_domain_name,
user_domain_name=self.user_domain_name)
else:
auth = None
session = ks_session.Session(auth=auth)
self._client = client.Client(
session=session, service_type=self.service_type)
return self._client
def _keystone_session(self):
"""
Connect to Keystone and return a session object.
:rtype: :class:`keystoneauth1.session.Session`
:return: A Keystone session object.
"""
if self._cached_keystone_session:
return self._cached_keystone_session
if self._keystone_version == 3:
from keystoneauth1.identity import v3
auth = v3.Password(auth_url=self.auth_url,
username=self.username,
password=self.password,
user_domain_name=self.user_domain_name,
project_domain_name=self.project_domain_name,
project_name=self.project_name)
self._cached_keystone_session = session.Session(auth=auth)
else:
from keystoneauth1.identity import v2
auth = v2.Password(self.auth_url, username=self.username,
password=self.password,
tenant_name=self.project_name)
self._cached_keystone_session = session.Session(auth=auth)
return self._cached_keystone_session
def get_token_v2(keystone_ip, username, password, tenant_name):
auth_url = 'http://{}:5000/v2.0'.format(keystone_ip)
auth = v2.Password(auth_url=auth_url, username=username,
password=password, tenant_name=tenant_name)
sess = session.Session(auth=auth)
token = sess.get_token()
return token
def test_replay_of_bad_url_fails(self):
plugin = v2.Password(auth_url='http://invalid-auth-url/v2.0/',
password=self.TEST_PASSWORD,
username=self.TEST_USERNAME,
tenant_name=self.TEST_TENANT_NAME)
s = session.Session()
self.assertRaises(exceptions.BetamaxError, s.get_token, auth=plugin)
def __init__(self):
""" Add keystone glue to resolve extra_specs for private iaas tenants """
# auth url
if CONF.keystone_version == 2:
LOG.info("PRIVATEIAAS: Initializing v2.0 API session")
self.auth_url = CONF.keystone_url + "/v2.0"
# create an admin session object
self.admin_auth = auth_v2.Password(
username=CONF.keystone_username,
password=CONF.keystone_password,
tenant_name=CONF.keystone_tenant_name,
auth_url=self.auth_url)
self.admin_session = keystone_session.Session(auth=self.admin_auth)
else:
LOG.info("PRIVATEIAAS: Initializing v3 API session")
self.auth_url = CONF.keystone_url + "/v3"
self.admin_auth = auth_v3.Password(
username=CONF.keystone_username,
password=CONF.keystone_password,
project_name=CONF.keystone_tenant_name,
user_domain_name=CONF.user_domain_name,
project_domain_name=CONF.project_domain_name,
auth_url=self.auth_url)
self.admin_session = keystone_session.Session(auth=self.admin_auth)
try:
LOG.info("PRIVATEIAAS: Spawning ADMIN CLIENT")
# admin session
if CONF.keystone_version == 2:
self.keystoneclient = keystone_client.Client(
session=self.admin_session)
else:
self.keystoneclient = keystone_client_v3.Client(
session=self.admin_session)
except AuthorizationFailure as user_failed_auth_step:
LOG.info(user_failed_auth_step.message)
raise user_failed_auth_step
except Unauthorized as user_unauthorized:
LOG.info(user_unauthorized.message)
raise user_unauthorized
# OK, object created
# TODO: Preload keystone tenant list?
if CONF.debug:
LOG.info("[PRIVATEIAAS]: Filter Object Created")
# tenant manager reference
if hasattr(self.keystoneclient, "projects"):
self.tenant_manager = getattr(self.keystoneclient, "projects")
else:
self.tenant_manager = getattr(self.keystoneclient, "tenants")
# build callback table
self.private_iaas_callbacks = {
True: self.react_true,
False: self.react_false
}
def keystone_auth():
"""Auth from OS_ env vars """
auth_plugin = v2.Password(auth_url=os.environ['OS_AUTH_URL'],
username=os.environ['OS_USERNAME'],
password=os.environ['OS_PASSWORD'],
tenant_name=os.environ['OS_TENANT_NAME'])
s = session.Session(auth=auth_plugin)
return (s, auth_plugin)
def __init__(self, logger, **kwargs):
self.auth = v2.Password(username=kwargs.get('username', 'admin'),
password=kwargs.get('password', 'Juniper'),
tenant_name=kwargs.get('tenant_name', 'admin'),
auth_url=kwargs.get('auth_url', None))
self.sess = session.Session(auth=self.auth)
self.keystone = client.Client(session=self.sess)
self.__logger = logger
def __authenticate(self):
# Authenticate using ENV variables
auth = v2.Password(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_id=env['OS_TENANT_ID'])
# Open auth session
sess = session.Session(auth=auth)
return sess
def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix,
admin_user, admin_password, admin_tenant_name, admin_token,
identity_uri, log):
log.warning(
"Use of the auth_admin_prefix, auth_host, auth_port, "
"auth_protocol, identity_uri, admin_token, admin_user, "
"admin_password, and admin_tenant_name configuration options was "
"deprecated in the Mitaka release in favor of an auth_plugin and "
"its related options. This class may be removed in a future "
"release.")
# NOTE(jamielennox): it does appear here that our default arguments
# are backwards. We need to do it this way so that we can handle the
# same deprecation strategy for CONF and the conf variable.
if not identity_uri:
log.warning('Configuring admin URI using auth fragments was '
'deprecated in the Kilo release, and will be '
'removed in the Newton release, '
'use \'identity_uri\ instead.')
if ':' in auth_host:
# Note(dzyu) it is an IPv6 address, so it needs to be wrapped
# with '[]' to generate a valid IPv6 URL, based on
# http://www.ietf.org/rfc/rfc2732.txt
auth_host = '[%s]' % auth_host
identity_uri = '%s://%s:%s' % (auth_protocol,
auth_host,
auth_port)
if auth_admin_prefix:
identity_uri = '%s/%s' % (identity_uri,
auth_admin_prefix.strip('/'))
self._identity_uri = identity_uri.rstrip('/')
# FIXME(jamielennox): Yes. This is wrong. We should be determining the
# plugin to use based on a combination of discovery and inputs. Much
# of this can be changed when we get keystoneclient 0.10. For now this
# hardcoded path is EXACTLY the same as the original auth_token did.
auth_url = '%s/v2.0' % self._identity_uri
if admin_token:
log.warning(
"The admin_token option in auth_token middleware was "
"deprecated in the Kilo release, and will be removed in the "
"Newton release, use admin_user and admin_password instead.")
self._plugin = token_endpoint.Token(auth_url, admin_token)
else:
self._plugin = v2.Password(auth_url,
username=admin_user,
password=admin_password,
tenant_name=admin_tenant_name)
self._LOG = log
self._discover = None
def _get_keystone_auth_plugin(self, ks_session, **kwargs):
# discover the supported keystone versions using the given auth url
auth_url = kwargs.pop('auth_url', None)
(v2_auth_url,
v3_auth_url) = self._discover_auth_versions(session=ks_session,
auth_url=auth_url)
# Determine which authentication plugin to use. First inspect the
# auth_url to see the supported version. If both v3 and v2 are
# supported, then use the highest version if possible.
user_id = kwargs.pop('user_id', None)
username = kwargs.pop('username', None)
password = kwargs.pop('password', None)
user_domain_name = kwargs.pop('user_domain_name', None)
user_domain_id = kwargs.pop('user_domain_id', None)
# project and tenant can be used interchangeably
project_id = (kwargs.pop('project_id', None)
or kwargs.pop('tenant_id', None))
project_name = (kwargs.pop('project_name', None)
or kwargs.pop('tenant_name', None))
project_domain_id = kwargs.pop('project_domain_id', None)
project_domain_name = kwargs.pop('project_domain_name', None)
auth = None
use_domain = (user_domain_id or user_domain_name or project_domain_id
or project_domain_name)
use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
use_v2 = v2_auth_url and not use_domain
if use_v3:
auth = v3_auth.Password(v3_auth_url,
user_id=user_id,
username=username,
password=password,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
elif use_v2:
auth = v2_auth.Password(v2_auth_url,
username,
password,
tenant_id=project_id,
tenant_name=project_name)
else:
# if we get here it means domain information is provided
# (caller meant to use Keystone V3) but the auth url is
# actually Keystone V2. Obviously we can't authenticate a V3
# user using V2.
exc.CommandError("Credential and auth_url mismatch. The given "
"auth_url is using Keystone V2 endpoint, which "
"may not able to handle Keystone V3 credentials. "
"Please provide a correct Keystone V3 auth_url.")
return auth
def authenticate():
auth_url = '{PROTO}://{HOST}:{IDENTITY_PORT}/v2.0'.format(**CONNECTION)
auth = v2.Password(auth_url=auth_url,
username=USERNAME,
password=PASSWORD,
tenant_name=TENANT,
)
return session.Session(auth=auth)
def get_keystone_client(self, project_name, region_name):
'''
creates a keystone client
'''
auth = v2.Password(auth_url='http://' + self.ip + ':5000/v2.0',
username=self.username,
password=self.password,
tenant_name=project_name)
sess = session.Session(auth=auth)
return keystone_client.Client(session=sess)
