def get_os_admin_auth_plugin(cluster):
"""Return an admin auth plugin based on the cluster trust id or project
If a trust id is available for the cluster, then it is used
to create an auth plugin scoped to the trust. If not, the
project name from the current context is used to scope the
auth plugin.
:param cluster: The id of the cluster to use for trust identification.
"""
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
return keystone.auth_for_admin(trust_id=cluster.trust_id)
return keystone.auth_for_admin(project_name=ctx.tenant_name)
def get_os_admin_auth_plugin(cluster):
'''Return an admin auth plugin based on the cluster trust id or project
If a trust id is available for the cluster, then it is used
to create an auth plugin scoped to the trust. If not, the
project name from the current context is used to scope the
auth plugin.
:param cluster: The id of the cluster to use for trust identification.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
return keystone.auth_for_admin(trust_id=cluster.trust_id)
return keystone.auth_for_admin(project_name=ctx.tenant_name)
def delete_trust_from_cluster(cluster):
"""Delete a trust from a cluster
If the cluster has a trust delegated to it, then delete it and set
the trust id to None.
:param cluster: The cluster to delete the trust from.
"""
if cluster.trust_id:
keystone_auth = keystone.auth_for_admin(trust_id=cluster.trust_id)
delete_trust(keystone_auth, cluster.trust_id)
ctx = context.current()
conductor.cluster_update(ctx, cluster, {"trust_id": None})
def delete_trust_from_cluster(cluster):
'''Delete a trust from a cluster
If the cluster has a trust delegated to it, then delete it and set
the trust id to None.
:param cluster: The cluster to delete the trust from.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
keystone_auth = keystone.auth_for_admin(trust_id=cluster.trust_id)
delete_trust(keystone_auth, cluster.trust_id)
conductor.cluster_update(ctx, cluster, {'trust_id': None})
def create_trust_for_cluster(cluster, expires=True):
"""Create a trust for a cluster
This delegates a trust from the current user to the Sahara admin user
based on the current context roles, and then adds the trust identifier
to the cluster object.
:param expires: The trust will expire if this is set to True.
"""
ctx = context.current()
trustor = keystone.auth()
trustee = keystone.auth_for_admin(project_name=CONF.keystone_authtoken.admin_tenant_name)
trust_id = create_trust(trustor=trustor, trustee=trustee, role_names=ctx.roles, expires=expires)
conductor.cluster_update(ctx, cluster, {"trust_id": trust_id})
def delete_trust_from_cluster(cluster):
'''Delete a trust from a cluster
If the cluster has a trust delegated to it, then delete it and set
the trust id to None.
:param cluster: The cluster to delete the trust from.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
keystone_auth = keystone.auth_for_admin(trust_id=cluster.trust_id)
delete_trust(keystone_auth, cluster.trust_id)
conductor.cluster_update(ctx,
cluster,
{'trust_id': None})
def use_os_admin_auth_token(cluster):
"""Set the current context to the admin user's trust scoped token
This will configure the current context to the admin user's identity
with the cluster's tenant. It will also generate an authentication token
based on the admin user and a delegated trust associated with the
cluster.
:param cluster: The cluster to use for tenant and trust identification.
"""
if cluster.trust_id:
ctx = context.current()
ctx.username = CONF.keystone_authtoken.admin_user
ctx.tenant_id = cluster.tenant_id
ctx.auth_plugin = keystone.auth_for_admin(trust_id=cluster.trust_id)
ctx.auth_token = keystone.token_from_auth(ctx.auth_plugin)
ctx.service_catalog = json.dumps(keystone.service_catalog_from_auth(ctx.auth_plugin))
def use_os_admin_auth_token(cluster):
'''Set the current context to the admin user's trust scoped token
This will configure the current context to the admin user's identity
with the cluster's tenant. It will also generate an authentication token
based on the admin user and a delegated trust associated with the
cluster.
:param cluster: The cluster to use for tenant and trust identification.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and cluster.trust_id:
ctx.username = CONF.keystone_authtoken.admin_user
ctx.tenant_id = cluster.tenant_id
ctx.auth_plugin = keystone.auth_for_admin(trust_id=cluster.trust_id)
ctx.auth_token = context.get_auth_token()
ctx.service_catalog = json.dumps(
keystone.service_catalog_from_auth(ctx.auth_plugin))
def create_trust_for_cluster(cluster, expires=True):
'''Create a trust for a cluster
This delegates a trust from the current user to the Sahara admin user
based on the current context roles, and then adds the trust identifier
to the cluster object.
:param expires: The trust will expire if this is set to True.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and not cluster.trust_id:
trustor = keystone.auth()
trustee = keystone.auth_for_admin(
project_name=CONF.keystone_authtoken.admin_tenant_name)
trust_id = create_trust(trustor=trustor,
trustee=trustee,
role_names=ctx.roles,
allow_redelegation=True)
conductor.cluster_update(ctx, cluster, {'trust_id': trust_id})
def create_trust_for_cluster(cluster, expires=True):
'''Create a trust for a cluster
This delegates a trust from the current user to the Sahara admin user
based on the current context roles, and then adds the trust identifier
to the cluster object.
:param expires: The trust will expire if this is set to True.
'''
ctx = context.current()
cluster = conductor.cluster_get(ctx, cluster)
if CONF.use_identity_api_v3 and not cluster.trust_id:
trustor = keystone.auth()
trustee = keystone.auth_for_admin(
project_name=CONF.keystone_authtoken.admin_tenant_name)
trust_id = create_trust(trustor=trustor,
trustee=trustee,
role_names=ctx.roles,
allow_redelegation=True)
conductor.cluster_update(ctx,
cluster,
{'trust_id': trust_id})
