def _get_keystone_auth(self, session, auth_url, **kwargs):
auth_token = kwargs.pop('auth_token', None)
if auth_token:
return token.Token(
auth_url,
auth_token,
project_id=kwargs.pop('project_id'),
project_name=kwargs.pop('project_name'),
project_domain_id=kwargs.pop('project_domain_id'),
project_domain_name=kwargs.pop('project_domain_name'))
# NOTE(starodubcevna): this is a workaround for the bug:
# https://bugs.launchpad.net/python-openstackclient/+bug/1447704
# Change that fix this error in keystoneclient was abandoned,
# so we should use workaround until we move to keystoneauth.
# The idea of the code came from glanceclient.
(v2_auth_url, v3_auth_url) = self._discover_auth_versions(
session=session,
auth_url=auth_url)
if v3_auth_url:
# NOTE(starodubcevna): set user_domain_id and project_domain_id
# to default as it done in other projects.
return password.Password(auth_url,
username=kwargs.pop('username'),
user_id=kwargs.pop('user_id'),
password=kwargs.pop('password'),
user_domain_id=kwargs.pop(
'user_domain_id') or 'default',
user_domain_name=kwargs.pop(
'user_domain_name'),
project_id=kwargs.pop('project_id'),
project_name=kwargs.pop('project_name'),
project_domain_id=kwargs.pop(
'project_domain_id') or 'default')
elif v2_auth_url:
return password.Password(auth_url,
username=kwargs.pop('username'),
user_id=kwargs.pop('user_id'),
password=kwargs.pop('password'),
project_id=kwargs.pop('project_id'),
project_name=kwargs.pop('project_name'))
else:
# if we get here it means domain information is provided
# (caller meant to use Keystone V3) but the auth url is
# actually Keystone V2. Obviously we can't authenticate a V3
# user using V2.
exc.CommandError("Credential and auth_url mismatch. The given "
"auth_url is using Keystone V2 endpoint, which "
"may not able to handle Keystone V3 credentials. "
"Please provide a correct Keystone V3 auth_url.")
def keystone_auth():
'''
Authenticate with Keystone
NOTE: user_domain_name and project_domain_name are required for auth to
work properly. Not documented anywhere!
'''
try:
rc = myrc()
if int(rc['OS_IDENTITY_API_VERSION']) == 3:
keystone_version = 3
auth = v3.Password(auth_url=rc['OS_AUTH_URL'],
username=rc['OS_USERNAME'],
password=rc['OS_PASSWORD'],
project_name=rc['OS_TENANT_NAME'],
user_domain_name='default',
project_domain_name='default')
s = session.Session(auth=auth)
return s
except KeyError:
keystone_version = 2
auth = v2.Password(auth_url=rc['OS_AUTH_URL'],
username=rc['OS_USERNAME'],
password=rc['OS_PASSWORD'],
project_name=rc['OS_TENANT_NAME'])
s = session.Session(auth=auth)
return s
except Exception, e:
warning('keystone_auth()', repr(e))
sys.exit()
def get_session_from_deprecated():
auth = keystone_auth.Password(
username=CONF.admin_user,
password=CONF.admin_password,
project_name=CONF.admin_tenant_name,
tenant_name=CONF.admin_tenant_name,
auth_url=CONF.keystone_url,
)
params = {'auth': auth}
update_request_params_with_ssl(params)
return keystone_session.Session(**params)
def _get_keystone_auth(self, session, auth_url, **kwargs):
auth_token = kwargs.pop('auth_token', None)
if auth_token:
return token.Token(auth_url, auth_token, **kwargs)
else:
return password.Password(
auth_url,
username=kwargs.pop('username'),
user_id=kwargs.pop('user_id'),
password=kwargs.pop('password'),
user_domain_id=kwargs.pop('user_domain_id'),
user_domain_name=kwargs.pop('user_domain_name'),
**kwargs)
def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = session.Session()
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def _get_identity_client(self):
domain = self.conf.domain_name
kwargs = {
'username': self.conf.username,
'password': self.conf.password,
'tenant_name': self.conf.tenant_name,
'auth_url': self.conf.auth_url
}
# keystone v2 can't ignore domain details
if self.auth_version == '3':
kwargs.update({
'project_domain_name': domain,
'user_domain_name': domain
})
auth = password.Password(**kwargs)
return KeystoneWrapperClient(
auth, not self.conf.disable_ssl_certificate_validation)
def get_os_admin_session():
"""Create a context to interact with OpenStack as an administrator."""
# NOTE(ft): this is a singletone because keystone's session looks thread
# safe for both regular and token renewal requests
global _admin_session
if not _admin_session:
auth = keystone_auth.Password(
username=CONF.admin_user,
password=CONF.admin_password,
project_name=CONF.admin_tenant_name,
tenant_name=CONF.admin_tenant_name,
auth_url=CONF.keystone_url,
)
params = {'auth': auth}
update_request_params_with_ssl(params)
_admin_session = keystone_session.Session(**params)
return _admin_session
def get_clients(context):
global _SESSION
if not _SESSION:
if CONF.designate.insecure:
verify = False
else:
verify = CONF.designate.ca_cert or True
_SESSION = session.Session(verify=verify)
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def get_os_admin_context():
"""Create a context to interact with OpenStack as an administrator."""
# NOTE(ft): this is a singletone because keystone's session looks thread
# safe for both regular and token renewal requests
global _admin_session
if not _admin_session:
auth = keystone_auth.Password(
username=CONF.admin_user,
password=CONF.admin_password,
project_name=CONF.admin_tenant_name,
tenant_name=CONF.admin_tenant_name,
auth_url=CONF.keystone_url,
)
_admin_session = keystone_session.Session(auth=auth)
return RequestContext(None,
None,
session=_admin_session,
is_os_admin=True,
overwrite=False)
def _get_identity_client(self):
user_domain_name = self.conf.user_domain_name
project_domain_name = self.conf.project_domain_name
kwargs = {
'username': self.conf.username,
'password': self.conf.password,
'tenant_name': self.conf.tenant_name,
'auth_url': self.conf.auth_url
}
# keystone v2 can't ignore domain details
if self.auth_version == '3':
kwargs.update({
'user_domain_name': user_domain_name,
'project_domain_name': project_domain_name})
auth = password.Password(**kwargs)
if self.insecure:
verify_cert = False
else:
verify_cert = self.ca_file or True
return KeystoneWrapperClient(auth, verify_cert)
