def novaclient(context, privileged_user=False, timeout=None, api_version=None): """Returns a Nova client @param privileged_user: If True, use the account from configuration (requires 'auth_type' and the other usual Keystone authentication options to be set in the [nova] section) @param timeout: Number of seconds to wait for an answer before raising a Timeout exception (None to disable) @param api_version: api version of nova """ if privileged_user and CONF[NOVA_GROUP].auth_type: LOG.debug('Creating Keystone auth plugin from conf') n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP) elif privileged_user and CONF.os_privileged_user_name: # Fall back to the deprecated os_privileged_xxx settings. # TODO(gyurco): Remove it after Pike. if CONF.os_privileged_user_auth_url: url = CONF.os_privileged_user_auth_url else: url = _get_identity_endpoint_from_sc(context) LOG.debug( 'Creating Keystone password plugin from legacy settings ' 'using URL: %s', url) n_auth = identity.Password(auth_url=url, username=CONF.os_privileged_user_name, password=CONF.os_privileged_user_password, project_name=CONF.os_privileged_user_tenant, project_domain_id=context.project_domain, user_domain_id=context.user_domain) else: if CONF[NOVA_GROUP].token_auth_url: url = CONF[NOVA_GROUP].token_auth_url else: url = _get_identity_endpoint_from_sc(context) LOG.debug('Creating Keystone token plugin using URL: %s', url) n_auth = identity.Token(auth_url=url, token=context.auth_token, project_name=context.project_name, project_domain_id=context.project_domain) keystone_session = ks_loading.load_session_from_conf_options(CONF, NOVA_GROUP, auth=n_auth) c = nova_client.Client(api_versions.APIVersion(api_version or NOVA_API_VERSION), session=keystone_session, insecure=CONF[NOVA_GROUP].insecure, timeout=timeout, region_name=CONF[NOVA_GROUP].region_name, endpoint_type=CONF[NOVA_GROUP].interface, cacert=CONF[NOVA_GROUP].cafile, global_request_id=context.global_id, extensions=nova_extensions) return c
def gnocchiclient(request): (username, domain_name, token_id, auth_url) = get_auth_params_from_request(request) auth = identity.Token(auth_url=auth_url, token=token_id, \ project_name=username, project_domain_name=domain_name) sess = session.Session(auth=auth) return gnocchi_client.Client(version='1', session=sess)
def _get_auth_handler(kwargs): if 'token' in kwargs: auth = identity.Token( auth_url=kwargs.get('auth_url', None), token=kwargs.get('token', None), project_id=kwargs.get('project_id', None), project_name=kwargs.get('project_name', None), project_domain_id=kwargs.get('project_domain_id', None), project_domain_name=kwargs.get('project_domain_name', None)) elif {'username', 'password'} <= set(kwargs): auth = identity.Password( auth_url=kwargs.get('auth_url', None), username=kwargs.get('username', None), password=kwargs.get('password', None), project_id=kwargs.get('project_id', None), project_name=kwargs.get('project_name', None), project_domain_id=kwargs.get('project_domain_id', None), project_domain_name=kwargs.get('project_domain_name', None), user_domain_id=kwargs.get('user_domain_id', None), user_domain_name=kwargs.get('user_domain_name', None)) else: raise Exception('monascaclient can be configured with either ' '"token" or "username:password" but neither of ' 'them was found in passed arguments.') return auth
def _get_keystone_auth(self, context): if context.__class__.__name__ == 'KeystonePassword': return identity.Password( auth_url=context.auth_url, username=context.username, password=context.password, user_id=context.user_id, user_domain_id=context.user_domain_id, user_domain_name=context.user_domain_name, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) elif context.__class__.__name__ == 'KeystoneToken': return identity.Token( auth_url=context.auth_url, token=context.token, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) # this will be kept for oslo.context compatibility until # projects begin to use utils.credential_factory elif context.__class__.__name__ == 'RequestContext': if getattr(context, 'get_auth_plugin', None): return context.get_auth_plugin() else: return identity.Token( auth_url=self.conf.barbican.auth_endpoint, token=context.auth_token, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name) else: msg = _("context must be of type KeystonePassword, " "KeystoneToken, or RequestContext.") LOG.error(msg) raise exception.Forbidden(reason=msg)
def get_token_client_session(token=None, project_id=None, conf=None): auth_url = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3') if token is None or project_id is None: execution_session = helpers.get_execution_session() token = execution_session.token project_id = execution_session.project_id token_auth = identity.Token(auth_url, token=token, project_id=project_id) session = _get_session(auth=token_auth, conf_section=conf) return session
def _get_keystone_auth(self, context): if context.__class__.__name__ is 'KeystonePassword': return identity.Password( auth_url=self._auth_url, username=context.username, password=context.password, user_id=context.user_id, user_domain_id=context.user_domain_id, user_domain_name=context.user_domain_name, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) elif context.__class__.__name__ is 'KeystoneToken': return identity.Token( auth_url=self._auth_url, token=context.token, trust_id=context.trust_id, domain_id=context.domain_id, domain_name=context.domain_name, project_id=context.project_id, project_name=context.project_name, project_domain_id=context.project_domain_id, project_domain_name=context.project_domain_name, reauthenticate=context.reauthenticate) # this will be kept for oslo.context compatibility until # projects begin to use utils.credential_factory elif (context.__class__.__name__ is 'RequestContext' or context.__class__.__name__ is 'Context'): return identity.Token(auth_url=self._auth_url, token=context.auth_token, project_id=context.tenant) else: msg = _("context must be of type KeystonePassword, " "KeystoneToken, RequestContext, or Context, got type " "%s") % context.__class__.__name__ LOG.error(msg) raise exception.Forbidden(reason=msg)
def _keystone_client( context: 'context.RequestContext', version: tuple[int, int] = (3, 0) ) -> client.Client: """Creates and returns an instance of a generic keystone client. :param context: The request context :param version: version of Keystone to request :return: keystoneclient.client.Client object """ if context.system_scope is not None: auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url, token=context.auth_token, system_scope=context.system_scope) elif context.domain_id is not None: auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url, token=context.auth_token, domain_id=context.domain_id) elif context.project_id is not None: auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url, token=context.auth_token, project_id=context.project_id) else: # We're dealing with an unscoped token from keystone that doesn't # carry any authoritative power outside of the user simplify proving # they know their own password. This token isn't associated with any # authorization target (e.g., system, domain, or project). auth_plugin = context.get_auth_plugin() client_session = ka_loading.session.Session().load_from_options( auth=auth_plugin, insecure=CONF.keystone_authtoken.insecure, cacert=CONF.keystone_authtoken.cafile, key=CONF.keystone_authtoken.keyfile, cert=CONF.keystone_authtoken.certfile, split_loggers=CONF.service_user.split_loggers) return client.Client(auth_url=CONF.keystone_authtoken.auth_url, session=client_session, version=version)
def get_token_client_session(token=None, project_id=None, conf=None): auth_uri = cfg.CONF['murano_auth'].auth_uri if not auth_uri: versionutils.report_deprecated_feature( LOG, "Please update configuration in 'murano_auth' group") auth_uri = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri auth_url = auth_uri.replace('v2.0', 'v3') if token is None or project_id is None: execution_session = helpers.get_execution_session() token = execution_session.token project_id = execution_session.project_id token_auth = identity.Token(auth_url, token=token, project_id=project_id) session = _get_session(auth=token_auth, conf_section=conf) return session
def _connect_to_keystone_auth_v3(auth_url, auth_token, project_name, domain_name, **kwargs): """ Give a auth_url and auth_token, authenticate with keystone version 3 to get a scoped_token, Exchange token to receive an auth, session, token scoped to a sepcific project_name and domain_name. """ token_auth = identity.Token(auth_url=auth_url, token=auth_token, project_domain_id=domain_name, project_name=project_name) token_sess = Session(auth=token_auth) token_token = token_sess.get_token() return (token_auth, token_sess, token_token)
def client(request): insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False) cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None) auth = identity.Token(auth_url=request.user.endpoint, token=request.user.token.id, project_id=request.user.project_id) verify = False if cacert: verify = cacert elif not insecure: verify = True sess = session.Session(auth=auth, verify=verify) return api_client.Client(VERSIONS.get_active_version()["version"], service_type=SAHARA_SERVICE, session=sess)
def novaclient(context, privileged_user=False, timeout=None): """Returns a Nova client @param privileged_user: If True, use the account from configuration (requires 'auth_type' and the other usual Keystone authentication options to be set in the [nova] section) @param timeout: Number of seconds to wait for an answer before raising a Timeout exception (None to disable) """ if privileged_user and CONF[NOVA_GROUP].auth_type: n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP) else: if CONF[NOVA_GROUP].token_auth_url: url = CONF[NOVA_GROUP].token_auth_url else: # Search for the identity endpoint in the service catalog # if nova.token_auth_url is not configured matching_endpoints = [] for service in context.service_catalog: if service.get('type') != 'identity': continue for endpoint in service['endpoints']: if (not CONF[NOVA_GROUP].region_name or endpoint.get('region') == CONF[NOVA_GROUP].region_name): matching_endpoints.append(endpoint) if not matching_endpoints: raise nova_exceptions.EndpointNotFound() url = matching_endpoints[0].get(CONF[NOVA_GROUP].interface + 'URL') n_auth = identity.Token(auth_url=url, token=context.auth_token, project_name=context.project_name, project_domain_id=context.project_domain) keystone_session = ks_loading.load_session_from_conf_options(CONF, NOVA_GROUP, auth=n_auth) c = nova_client.Client(api_versions.APIVersion(NOVA_API_VERSION), session=keystone_session, insecure=CONF[NOVA_GROUP].insecure, timeout=timeout, region_name=CONF[NOVA_GROUP].region_name, endpoint_type=CONF[NOVA_GROUP].interface, cacert=CONF[NOVA_GROUP].cafile, extensions=nova_extensions) return c
def novaclient(context, privileged_user=False, timeout=None, api_version=None): """Returns a Nova client @param privileged_user: If True, use the account from configuration (requires 'auth_type' and the other usual Keystone authentication options to be set in the [nova] section) @param timeout: Number of seconds to wait for an answer before raising a Timeout exception (None to disable) @param api_version: api version of nova """ if privileged_user and CONF[NOVA_GROUP].auth_type: LOG.debug('Creating Keystone auth plugin from conf') n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP) else: if CONF[NOVA_GROUP].token_auth_url: url = CONF[NOVA_GROUP].token_auth_url else: url = _get_identity_endpoint_from_sc(context) LOG.debug('Creating Keystone token plugin using URL: %s', url) n_auth = identity.Token(auth_url=url, token=context.auth_token, project_name=context.project_name, project_domain_id=context.project_domain_id) if CONF.auth_strategy == 'keystone': n_auth = service_auth.get_auth_plugin(context, auth=n_auth) keystone_session = ks_loading.load_session_from_conf_options( CONF, NOVA_GROUP, auth=n_auth) c = nova_client.Client( api_versions.APIVersion(api_version or NOVA_API_VERSION), session=keystone_session, insecure=CONF[NOVA_GROUP].insecure, timeout=timeout, region_name=CONF[NOVA_GROUP].region_name, endpoint_type=CONF[NOVA_GROUP].interface, cacert=CONF[NOVA_GROUP].cafile, global_request_id=context.global_id, extensions=nova_extensions) return c
def authenticate(x_auth_token): """Attempts to authenticate client using keystoneauth1""" try: auth_url = 'http://192.168.2.4/identity' project_id = 'demo' auth = identity.Token(auth_url, token=x_auth_token, project_id=project_id) sess = session.Session(auth=auth) ks = keyClient.Client(session=sess, project_id=project_id) ks.authenticate(token=x_auth_token) app.logger.debug('Request authorized') return 0 except Exception as ex: app.logger.debug('Request unauthorized!\n') return 1
def get_token_client_session(token=None, project_id=None, conf=None): www_authenticate_uri = \ cfg.CONF[CFG_MURANO_AUTH_GROUP].www_authenticate_uri if not www_authenticate_uri: versionutils.report_deprecated_feature( LOG, 'Please configure www_authenticate_uri in ' + CFG_MURANO_AUTH_GROUP + 'group') www_authenticate_uri = \ cfg.CONF[CFG_KEYSTONE_GROUP].www_authenticate_uri auth_url = www_authenticate_uri.replace('v2.0', 'v3') if token is None or project_id is None: execution_session = helpers.get_execution_session() token = execution_session.token project_id = execution_session.project_id token_auth = identity.Token(auth_url, token=token, project_id=project_id) session = _get_session(auth=token_auth, conf_section=conf) return session
def authenticate_user(self): """Authenticate user and set client by using passed params.""" if self.options.os_token: auth = identity.Token( auth_url=self.options.os_auth_url, token=self.options.os_token, tenant_id=self.options.os_tenant_id, tenant_name=self.options.os_tenant_name, project_id=self.options.os_project_id, project_name=self.options.os_project_name, project_domain_id=self.options.os_project_domain_id, project_domain_name=self.options.os_project_domain_name ) else: auth = identity.Password( auth_url=self.options.os_auth_url, username=self.options.os_username, tenant_id=self.options.os_tenant_id, tenant_name=self.options.os_tenant_name, password=self.options.os_password, project_id=self.options.os_project_id, project_name=self.options.os_project_name, project_domain_id=self.options.os_project_domain_id, project_domain_name=self.options.os_project_domain_name, user_domain_id=self.options.os_user_domain_id, user_domain_name=self.options.os_user_domain_name ) sess = session.Session( auth=auth, verify=(self.options.os_cacert or not self.options.insecure) ) self.client = blazar_client.Client( self.options.os_reservation_api_version, session=sess, service_type=self.options.service_type, interface=self.options.endpoint_type, region_name=self.options.os_region_name, ) return
def _keystone_client(context, version=(3, 0)): """Creates and returns an instance of a generic keystone client. :param context: The request context :param version: version of Keystone to request :return: keystoneclient.client.Client object """ auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_uri, token=context.auth_token, project_id=context.project_id) client_session = ka_loading.session.Session().load_from_options( auth=auth_plugin, insecure=CONF.keystone_authtoken.insecure, cacert=CONF.keystone_authtoken.cafile, key=CONF.keystone_authtoken.keyfile, cert=CONF.keystone_authtoken.certfile) return client.Client(auth_url=CONF.keystone_authtoken.auth_uri, session=client_session, version=version)
def _v3_client_init(self): kwargs = {'auth_url': self.endpoint, 'endpoint': self.endpoint} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id kwargs.pop('project_name') auth = ka_loading.load_auth_from_conf_options( cfg.CONF, 'keystone_authtoken', **kwargs) elif self.context.auth_token is not None: kwargs['token'] = self.context.auth_token kwargs['project_id'] = self.context.tenant auth = identity.Token(auth_url=kwargs['auth_url'], token=kwargs['token'], project_id=kwargs['project_id']) else: LOG.error( _("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() session = ks_session.Session(auth=auth) client = kc_v3.Client(session=session) client.auth_ref = client.session.auth.get_access(client.session) # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client.auth_ref.trust_scoped: LOG.error(_("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client.auth_ref.auth_token self.context.auth_url = self.endpoint self.context.user = client.auth_ref.user_id self.context.tenant = client.auth_ref.project_id self.context.user_name = client.auth_ref.username return client
async def middleware_handler(request: web.Request): headers = request.headers x_auth_token = headers.get("X-Auth-Token") project_id = request.match_info.get('project_id') c = config.Config.config_instance() try: auth = identity.Token(c.auth_url, token=x_auth_token, project_id=project_id) sess = session.Session(auth=auth) ks = client.Client(session=sess, project_id=project_id) ks.authenticate(token=x_auth_token) except Exception as ex: return web.json_response( status=401, data={ "error": { "message": ("Not authorized. Reason: {}".format(str(ex))) } }) return await handler(request)
def _construct_http_client(api_version=None, auth=None, auth_token=None, auth_url=None, cacert=None, cert=None, endpoint_override=None, endpoint_type='publicURL', http_log_debug=False, insecure=False, logger=None, os_cache=False, password=None, project_domain_id=None, project_domain_name=None, project_id=None, project_name=None, region_name=None, service_name=None, service_type='compute', session=None, timeout=None, timings=False, user_agent='python-novaclient', user_domain_id=None, user_domain_name=None, user_id=None, username=None, **kwargs): if not session: if not auth and auth_token: auth = identity.Token(auth_url=auth_url, token=auth_token, project_id=project_id, project_name=project_name, project_domain_id=project_domain_id, project_domain_name=project_domain_name) elif not auth: auth = identity.Password(username=username, user_id=user_id, password=password, project_id=project_id, project_name=project_name, auth_url=auth_url, project_domain_id=project_domain_id, project_domain_name=project_domain_name, user_domain_id=user_domain_id, user_domain_name=user_domain_name) session = ksession.Session(auth=auth, verify=(cacert or not insecure), timeout=timeout, cert=cert, user_agent=user_agent) return SessionClient(api_version=api_version, auth=auth, endpoint_override=endpoint_override, interface=endpoint_type, logger=logger, region_name=region_name, service_name=service_name, service_type=service_type, session=session, timings=timings, user_agent=user_agent, **kwargs)