def setUp(self):
super(TestV1PythonAPI, self).setUp()
self.auth = token_endpoint.Token(endpoint='http://127.0.0.1:5050',
token='token')
self.session = ks_session.Session(self.auth)
self.client = client.ClientV1(session=self.session)
functional.cfg.CONF.set_override('store_data', 'none', 'processing')
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.password:
# Never trust the password. Refer to keyring
LOG.info("Re-determining password from keyring")
self.password = keyring.get_password('CGCS', self.username)
# TIS user_domain_id is blank. Use user_domain_name to lookup user
user_domain_name = cfg.CONF.user_domain_name
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
user_domain_name=user_domain_name,
auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
LOG.error("Keystone API connection failed, no password "
"trust or auth_token!")
raise exception.AuthorizationFailure()
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
auth_url=self.keystone_v3_endpoint)
LOG.error(
_LE("Keystone API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def auth(profile=None, **connection_args):
'''
Set up keystone credentials. Only intended to be used within Keystone-enabled modules.
CLI Example:
.. code-block:: bash
salt '*' keystone.auth
'''
kwargs = _get_kwargs(profile=profile, **connection_args)
if 'token' in kwargs:
auth = token_endpoint.Token(endpoint=kwargs['endpoint'],
token=kwargs['token'])
else:
# keystoneauth1 Password class does not accept some args. Therefore remove it from args for auth.
auth_connection_args = kwargs.copy()
auth_connection_args.pop('region_name', None)
auth_connection_args.pop('version', None)
auth_connection_args.pop('insecure', None)
auth = generic.Password(**auth_connection_args)
if 'insecure' in kwargs:
certs_verify = False
else:
certs_verify = True
sess = session.Session(auth=auth, verify=certs_verify)
keystone_client = client.Client(session=sess, **kwargs)
return keystone_client
def test_token_endpoint_user_id(self):
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session()
# we can't know this information about this sort of plugin
self.assertIsNone(a.get_user_id(s))
self.assertIsNone(a.get_project_id(s))
def test_endpoint_data_token_endpoint_no_discover(self):
plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus')
data = plugin.get_endpoint_data(self.session, discover_versions=False)
self.assertEqual(data.api_version, (3, 0))
self.assertEqual(data.url, V3_URL)
self.assertEqual(plugin.get_api_major_version(self.session), (3, 0))
self.assertEqual(plugin.get_endpoint(self.session), V3_URL)
def __init__(self,
api_version,
inspector_url=None,
auth_token=None,
session=None,
service_type='baremetal-introspection',
interface=None,
region_name=None):
"""Create a client.
:param api_version: minimum API version that must be supported by
the server
:param inspector_url: *Ironic Inspector* URL in form:
http://host:port[/ver]. When session is provided, defaults to
service URL from the catalog. As a last resort
defaults to ``http://<current host>:5050/v<MAJOR>``.
:param auth_token: authentication token (deprecated, use session)
:param session: existing keystone session
:param service_type: service type to use when looking up the URL
:param interface: interface type (public, internal, etc) to use when
looking up the URL
:param region_name: region name to use when looking up the URL
"""
self._base_url = inspector_url or _DEFAULT_URL
self._auth_token = auth_token
if session is None:
if auth_token:
LOG.warning(
_LW('Passing auth_token to client objects '
'is deprecated, please pass session instead'))
auth = token_endpoint.Token(endpoint=self._base_url,
token=auth_token)
else:
auth = None
self._session = ks_session.Session(auth)
else:
self._session = session
if not inspector_url:
try:
self._base_url = session.get_endpoint(
service_type=service_type,
interface=interface,
region_name=region_name) or _DEFAULT_URL
except ks_exc.EndpointNotFound:
LOG.warning(
_LW('Endpoint for service %s was not found, '
'falling back to local host on port 5050'),
service_type)
self._base_url = self._base_url.rstrip('/')
self._api_version = self._check_api_version(api_version)
self._version_str = '%d.%d' % self._api_version
ver_postfix = '/v%d' % self._api_version[0]
if not self._base_url.endswith(ver_postfix):
self._base_url += ver_postfix
def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix,
admin_user, admin_password, admin_tenant_name, admin_token,
identity_uri, log):
log.warning(
"Use of the auth_admin_prefix, auth_host, auth_port, "
"auth_protocol, identity_uri, admin_token, admin_user, "
"admin_password, and admin_tenant_name configuration options was "
"deprecated in the Mitaka release in favor of an auth_plugin and "
"its related options. This class may be removed in a future "
"release.")
# NOTE(jamielennox): it does appear here that our default arguments
# are backwards. We need to do it this way so that we can handle the
# same deprecation strategy for CONF and the conf variable.
if not identity_uri:
log.warning('Configuring admin URI using auth fragments was '
'deprecated in the Kilo release, and will be '
'removed in the Newton release, '
'use \'identity_uri\ instead.')
if ':' in auth_host:
# Note(dzyu) it is an IPv6 address, so it needs to be wrapped
# with '[]' to generate a valid IPv6 URL, based on
# http://www.ietf.org/rfc/rfc2732.txt
auth_host = '[%s]' % auth_host
identity_uri = '%s://%s:%s' % (auth_protocol,
auth_host,
auth_port)
if auth_admin_prefix:
identity_uri = '%s/%s' % (identity_uri,
auth_admin_prefix.strip('/'))
self._identity_uri = identity_uri.rstrip('/')
# FIXME(jamielennox): Yes. This is wrong. We should be determining the
# plugin to use based on a combination of discovery and inputs. Much
# of this can be changed when we get keystoneclient 0.10. For now this
# hardcoded path is EXACTLY the same as the original auth_token did.
auth_url = '%s/v2.0' % self._identity_uri
if admin_token:
log.warning(
"The admin_token option in auth_token middleware was "
"deprecated in the Kilo release, and will be removed in the "
"Newton release, use admin_user and admin_password instead.")
self._plugin = token_endpoint.Token(auth_url, admin_token)
else:
self._plugin = v2.Password(auth_url,
username=admin_user,
password=admin_password,
tenant_name=admin_tenant_name)
self._LOG = log
self._discover = None
def test_basic_case(self):
self.requests_mock.get(self.TEST_URL, text='body')
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session(auth=a)
data = s.get(self.TEST_URL, authenticated=True)
self.assertEqual(data.text, 'body')
self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def test_endpoint_data_token_endpoint_discover(self):
mock = self.requests_mock.get(
V3_URL, status_code=200, json=V3_VERSION_ENTRY)
plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus')
data = plugin.get_endpoint_data(self.session)
self.assertEqual(data.api_version, (3, 0))
self.assertEqual(data.url, V3_URL)
self.assertEqual(plugin.get_api_major_version(self.session), (3, 0))
self.assertEqual(plugin.get_endpoint(self.session), V3_URL)
self.assertTrue(mock.called_once)
def test_basic_endpoint_case(self):
self.stub_url('GET', ['p'], text='body')
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session(auth=a)
data = s.get('/p',
authenticated=True,
endpoint_filter={'service': 'identity'})
self.assertEqual(self.TEST_URL, a.get_endpoint(s))
self.assertEqual('body', data.text)
self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def _mock_client_delete_token(self, user, token, url=None):
if not url:
url = settings.OPENSTACK_KEYSTONE_URL
plugin = token_endpoint.Token(
endpoint=url, token=self.data.unscoped_access_info.auth_token)
client = self.ks_client_module.Client(session=mox.IsA(session.Session),
auth=plugin)
client.tokens = self.mox.CreateMockAnything()
client.tokens.delete(token=token)
return client
def get_service_auth(endpoint, auth_token, service_auth):
"""Create auth plugin wrapping both user and service auth.
When properly configured and using auth_token middleware,
requests with valid service auth will not fail
if the user token is expired.
Ideally we would use the plugin provided by auth_token middleware
however this plugin isn't serialized yet.
"""
user_auth = token_endpoint.Token(endpoint, auth_token)
return service_token.ServiceTokenAuthWrapper(user_auth=user_auth,
service_auth=service_auth)
def test_request_id_header_session_client(self):
global_id = "req-%s" % uuid.uuid4()
kwargs = {'global_request_id': global_id}
auth = token_endpoint.Token(self.endpoint, self.token)
sess = session.Session(auth=auth)
http_client = http.SessionClient(sess, **kwargs)
path = '/v2/images/my-image'
self.mock.get(self.endpoint + path)
http_client.get(path)
headers = self.mock.last_request.headers
self.assertEqual(global_id, headers['X-OpenStack-Request-ID'])
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert, all_tenants=False, edit_managed=False):
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({
'token': token
})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session.all_tenants = all_tenants
session.edit_managed = edit_managed
return session
def get_project_list(*args, **kwargs):
is_federated = kwargs.get('is_federated', False)
sess = kwargs.get('session') or get_session()
auth_url, _ = fix_auth_url_version_prefix(kwargs['auth_url'])
auth = token_endpoint.Token(auth_url, kwargs['token'])
client = get_keystone_client().Client(session=sess, auth=auth)
if is_federated:
projects = client.federation.projects.list()
else:
projects = client.projects.list(user=kwargs.get('user_id'))
projects.sort(key=lambda project: project.name.lower())
return projects
def get_ksa_client(context):
"""Returns a keystoneauth Adapter using token from context.
This will return a simple keystoneauth adapter that can be used to
make requests against a remote service using the token provided
(and already authenticated) from the user and stored in a
RequestContext.
:param context: User request context
:returns: keystoneauth1 Adapter object
"""
auth = token_endpoint.Token(CONF.keystone_authtoken.identity_uri,
context.auth_token)
return session.Session(auth=auth)
def test_endpoint_data_token_endpoint_adapter(self):
mock = self.requests_mock.get(
V3_URL, status_code=200, json=V3_VERSION_ENTRY)
plugin = token_endpoint.Token(endpoint=V3_URL, token='bogus')
client = adapter.Adapter(session.Session(plugin))
data = client.get_endpoint_data()
self.assertEqual(data.api_version, (3, 0))
self.assertEqual(data.url, V3_URL)
self.assertEqual(client.get_api_major_version(), (3, 0))
self.assertEqual(client.get_endpoint(), V3_URL)
self.assertTrue(mock.called_once)
def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = session.Session()
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def delete_token(endpoint, token_id):
"""Delete a token."""
try:
endpoint = utils.fix_auth_url_version(endpoint)
session = utils.get_session()
auth_plugin = token_endpoint.Token(endpoint=endpoint, token=token_id)
client = utils.get_keystone_client().Client(session=session,
auth=auth_plugin)
if utils.get_keystone_version() >= 3:
client.tokens.revoke_token(token=token_id)
else:
client.tokens.delete(token=token_id)
LOG.info('Deleted token %s' % token_id)
except keystone_exceptions.ClientException:
LOG.info('Could not delete token')
def get_system_access(user_id, auth_url, token, is_federated):
session = get_session()
auth_url, _ = fix_auth_url_version_prefix(auth_url)
auth = token_endpoint.Token(auth_url, token)
client = get_keystone_client().Client(session=session, auth=auth)
# Old versions of keystoneclient don't have auth.system endpoint yet.
auth_system = getattr(client.auth, 'system', None)
if auth_system is not None:
return 'all' in auth_system()
# Fall back to trying to get the system scope token.
try:
auth = get_token_auth_plugin(auth_url=auth_url, token=token,
system_scope='all')
auth.get_access(session)
except keystone_exceptions.ClientException:
return False
return True
def __init__(self, **kwargs):
"""Description
We suppose that in future we may want to use CNC in some places
where context will be available, so we create 2 different ways of
creating client from context(future) and kwargs(we use it now).
:param version: service client version which we will use
:type version: str
:param auth_token: keystone auth token
:type auth_token: str
:param endpoint_override: endpoint url which we will use
:type endpoint_override: str
"""
ctx = kwargs.pop('ctx', None)
auth_token = kwargs.pop('auth_token', None)
endpoint_override = kwargs.pop('endpoint_override', None)
version = kwargs.pop('version', cfg.CONF.nova_client_version)
if ctx is None:
try:
ctx = context.current()
except RuntimeError:
pass
if ctx is not None:
auth_token = auth_token or ctx.auth_token
endpoint_override = endpoint_override or \
base.url_for(ctx.service_catalog,
CONF.compute_service)
auth = token_endpoint.Token(endpoint_override, auth_token)
sess = session.Session(auth=auth)
kwargs.setdefault('endpoint_override', endpoint_override)
kwargs.setdefault('session', sess)
kwargs.setdefault('version', version)
self.nova = nova_client.Client(**kwargs)
self.nova.servers = ServerManager(self.nova)
self.exceptions = nova_exception
def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = loading.load_session_from_conf_options(CONF, 'designate')
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
if CONF.designate.auth_type:
admin_auth = loading.load_auth_from_conf_options(CONF, 'designate')
else:
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def get_clients(context):
global _SESSION
if not _SESSION:
if CONF.designate.insecure:
verify = False
else:
verify = CONF.designate.ca_cert or True
_SESSION = session.Session(verify=verify)
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def get_ironic_client(context=None):
session = ks_loading.load_session_from_conf_options(CONF, 'ironic')
service_auth = ks_loading.load_auth_from_conf_options(CONF, 'ironic')
# use user context if provided
user_auth = None
if context:
endpoint = ks_loading.load_adapter_from_conf_options(
CONF, 'ironic', session=session, auth=service_auth).get_endpoint()
user_auth = service_token.ServiceTokenAuthWrapper(
user_auth=token_endpoint.Token(endpoint, context.auth_token),
service_auth=service_auth)
sess = ks_loading.load_session_from_conf_options(CONF,
'ironic',
auth=user_auth
or service_auth)
kwargs = {'os_ironic_api_version': '1.65'}
cli = ironic_client.get_client(1, session=sess, **kwargs)
return cli
def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
project_name, project_domain_name, project_domain_id, username,
user_id, password, user_domain_id, user_domain_name, token,
insecure, cacert):
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({'token': token})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
return session
def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = loading.load_session_from_conf_options(CONF, 'designate')
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
if CONF.designate.auth_type:
admin_auth = loading.load_auth_from_conf_options(CONF, 'designate')
else:
# TODO(tkajinam): Make this fail when admin_* parameters are removed.
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION,
auth=admin_auth,
endpoint_override=CONF.designate.url)
return client, admin_client
def test_endpoint_override_fails_to_replace_if_none(self):
# The token_endpoint plugin doesn't know user_id or project_id
auth = token_endpoint.Token(uuid.uuid4().hex, uuid.uuid4().hex)
sess = client_session.Session(auth=auth)
override_base = 'http://mytest/%(project_id)s'
e = self.assertRaises(ValueError,
sess.get,
'/path',
endpoint_override=override_base,
endpoint_filter={'service_type': 'identity'})
self.assertIn('project_id', str(e))
override_base = 'http://mytest/%(user_id)s'
e = self.assertRaises(ValueError,
sess.get,
'/path',
endpoint_override=override_base,
endpoint_filter={'service_type': 'identity'})
self.assertIn('user_id', str(e))
def keystoneclient(request, admin=False):
"""Returns a client connected to the Keystone backend.
Several forms of authentication are supported:
* Username + password -> Unscoped authentication
* Username + password + tenant id -> Scoped authentication
* Unscoped token -> Unscoped authentication
* Unscoped token + tenant id -> Scoped authentication
* Scoped token -> Scoped authentication
Available services and data from the backend will vary depending on
whether the authentication was scoped or unscoped.
Lazy authentication if an ``endpoint`` parameter is provided.
Calls requiring the admin endpoint should have ``admin=True`` passed in
as a keyword argument.
The client is cached so that subsequent API calls during the same
request/response cycle don't have to be re-authenticated.
"""
client_version = VERSIONS.get_active_version()
user = request.user
token_id = user.token.id
if is_multi_domain_enabled():
is_domain_context_specified = bool(
request.session.get("domain_context"))
# If user is Cloud Admin, Domain Admin or Mixed Domain Admin and there
# is no domain context specified, use domain scoped token
if is_domain_admin(request) and not is_domain_context_specified:
domain_token = request.session.get('domain_token')
if domain_token:
token_id = getattr(domain_token, 'auth_token', None)
if admin:
if not policy.check((("identity", "admin_required"),), request):
raise exceptions.NotAuthorized
endpoint_type = 'adminURL'
else:
endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
# Take care of client connection caching/fetching a new client.
# Admin vs. non-admin clients are cached separately for token matching.
cache_attr = "_keystoneclient_admin" if admin \
else backend.KEYSTONE_CLIENT_ATTR
if (hasattr(request, cache_attr) and
(not user.token.id or
getattr(request, cache_attr).auth_token == user.token.id)):
conn = getattr(request, cache_attr)
else:
endpoint = _get_endpoint_url(request, endpoint_type)
verify = not settings.OPENSTACK_SSL_NO_VERIFY
cacert = settings.OPENSTACK_SSL_CACERT
verify = verify and cacert
LOG.debug("Creating a new keystoneclient connection to %s.", endpoint)
remote_addr = request.environ.get('REMOTE_ADDR', '')
token_auth = token_endpoint.Token(endpoint=endpoint,
token=token_id)
keystone_session = session.Session(auth=token_auth,
original_ip=remote_addr,
verify=verify)
conn = client_version['client'].Client(session=keystone_session,
debug=settings.DEBUG)
setattr(request, cache_attr, conn)
return conn
def _mock_unscoped_client_with_token(self, user, unscoped):
plugin = token_endpoint.Token(settings.OPENSTACK_KEYSTONE_URL,
unscoped.auth_token)
return self.ks_client_module.Client(session=mox.IsA(session.Session),
auth=plugin)
