def switch(request, tenant_id, redirect_field_name=REDIRECT_FIELD_NAME):
""" Switches an authenticated user from one project to another. """
LOG.debug('Switching to tenant %s for user "%s".' %
(tenant_id, request.user.username))
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
endpoint = request.user.endpoint
try:
if get_keystone_version() >= 3:
endpoint = endpoint.replace('v2.0', 'v3')
client = get_keystone_client().Client(tenant_id=tenant_id,
token=request.user.token.id,
auth_url=endpoint,
insecure=insecure,
debug=settings.DEBUG)
auth_ref = client.auth_ref
msg = 'Project switch successful for user "%(username)s".' % \
{'username': request.user.username}
LOG.info(msg)
except keystone_exceptions.ClientException:
msg = 'Project switch failed for user "%(username)s".' % \
{'username': request.user.username}
LOG.warning(msg)
auth_ref = None
LOG.exception('An error occurred while switching sessions.')
# Ensure the user-originating redirection url is safe.
# Taken from django.contrib.auth.views.login()
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = settings.LOGIN_REDIRECT_URL
if auth_ref:
old_endpoint = request.session['region_endpoint']
old_token = request.user.token
if old_token and old_endpoint and old_token.id != auth_ref.auth_token:
delete_token(endpoint=old_endpoint, token_id=old_token.id)
openstack_user = create_user_from_token(request, Token(auth_ref),
endpoint)
user = get_user_document().objects(
username=request.user.username).first()
utoken = openstack_user.token
otoken = trail.DocToken(user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
user.token = otoken
user.authorized_tenants = [
remove_tenants(d.__dict__)
for d in openstack_user.authorized_tenants
]
user.service_catalog = openstack_user.service_catalog
user.services_region = openstack_user.services_region
user.project_name = openstack_user.project_name
user.tenant_name = openstack_user.tenant_name
user.tenant_id = openstack_user.tenant_id
user.project_id = openstack_user.project_id
role_perms = set([
"openstack.roles.%s" % role['name'].lower()
for role in otoken.roles
])
if "openstack.roles.admin" in role_perms:
user.is_superuser = True
else:
user.is_superuser = False
user.save()
set_session_from_user(request, user)
return shortcuts.redirect(redirect_to)
class CloudMongoBackend(object):
'To check permission seperate backend'
"""Authenticate using MongoEngine and mongoengine.django.auth.User.
"""
supports_object_permissions = False
supports_anonymous_user = False
supports_inactive_user = False
DEFAULT_IDENTITY_PORT = "" #":5000/v2.0"
def authenticate(self, request=None, username=None, password=None):
try:
get_user_document().objects(username=username.lower()).first()
except Exception, e:
print e
user = get_user_document().objects(username=username.lower()).first()
if user:
if password and user.check_password(password):
if not user.status:
msg = _("Your Account is Not Activated. \n"
"Please Activate Account, and Login")
LOG.debug(msg)
raise KeystoneAuthException(msg)
if user.roles == []:
msg = _("You do not have any permission to perform")
LOG.debug(msg)
raise KeystoneAuthException(msg)
backend = auth.get_backends()[0]
user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
else:
msg = _("Please Login with " "Correct Password.")
LOG.debug(msg)
raise KeystoneAuthException(msg)
cloud = []
cloud1 = []
cloud2 = []
cloud1 = sum([[
y.cloudid for y in i.policy if y.cloudid.platform == "Cnext"
] for i in user.roles], [])
cloud2 = sum([[
y.cloudid for y in i.policy if y.cloudid.platform == "Amazon"
] for i in user.roles], [])
cloud3 = sum([[
y.cloudid for y in i.policy if y.cloudid.platform == "Hpcloud"
] for i in user.roles], [])
cloud = sum([[
y.cloudid
for y in i.policy if y.cloudid.platform == "Openstack"
] for i in user.roles], [])
if cloud:
try:
cloud_endpoint = cloud[0]["cloud_meta"]["endpoint"]
cloud_accesskey = cloud[0]["cloud_meta"]["publickey"]
cloud_privatekey = trail.encode_decode(
cloud[0]["cloud_meta"]["privatekey"], "decode")
##Getting openstack user object by calling keystone client ##
openstack_user = authenticate(user_domain_name=None,
username=cloud_accesskey,
password=cloud_privatekey,
auth_url=cloud_endpoint +
self.DEFAULT_IDENTITY_PORT)
utoken = openstack_user.token
otoken = trail.DocToken(
user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
user.token = otoken
user.authorized_tenants = [
remove_tenants(d.__dict__)
for d in openstack_user.authorized_tenants
]
user.service_catalog = openstack_user.service_catalog
user.services_region = openstack_user.services_region
user.project_name = openstack_user.project_name
user.tenant_name = openstack_user.tenant_name
user.tenant_id = openstack_user.tenant_id
user.project_id = openstack_user.project_id
user.endpoint = cloud_endpoint + self.DEFAULT_IDENTITY_PORT
user.openstackname = cloud[0]["name"]
msg = _("Successfully user token created in " "Mongodb.")
LOG.debug(msg)
except:
pass
if cloud1:
user.cnextpublickey = cloud1[0]["cloud_meta"]["publickey"]
user.cnextprivatekey = cloud1[0]["cloud_meta"]["privatekey"]
user.cnextendpoint = cloud1[0]["cloud_meta"]["endpoint"]
user.cnextname = cloud1[0]["name"]
if cloud2:
user.awspublickey = cloud2[0]["cloud_meta"]["publickey"]
user.awsprivatekey = cloud2[0]["cloud_meta"]["privatekey"]
user.awsendpoint = cloud2[0]["cloud_meta"]["endpoint"]
user.awsname = cloud2[0]["name"]
if cloud3:
try:
for x in range(len(cloud3)):
cloud_endpoint = cloud3[x]["cloud_meta"]["endpoint"]
cloud_accesskey = cloud3[x]["cloud_meta"]["publickey"]
cloud_privatekey = trail.encode_decode(
cloud3[x]["cloud_meta"]["privatekey"], "decode")
##Getting openstack user object by calling keystone client ##
openstack_user = authenticate(
user_domain_name=None,
username=cloud_accesskey,
password=cloud_privatekey,
auth_url=cloud_endpoint +
self.DEFAULT_IDENTITY_PORT)
utoken = openstack_user.token
otoken = trail.DocToken(
user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
hp = trail.Hpclouddata(token = otoken,\
authorized_tenants = [remove_tenants(d.__dict__) for d in openstack_user.authorized_tenants],\
service_catalog = openstack_user.service_catalog,\
services_region = openstack_user.services_region,\
project_name = openstack_user.project_name,\
tenant_name = openstack_user.tenant_name,\
tenant_id = openstack_user.tenant_id,\
project_id = openstack_user.project_id,\
endpoint = cloud_endpoint + "",\
hpcloudid = cloud3[x]["id"]
)
hp.save()
if x == 0:
user.hp_attr = hp
user.hpname = cloud3[x]["name"]
msg = _("Successfully user token created in " "Mongodb.")
LOG.debug(msg)
except:
pass
user.save()
return user
else:
msg = _("Invalid Credentials.")
LOG.debug(msg)
raise KeystoneAuthException(msg)
return None
def action(self, request, obj_id):
cloud = tenantclouds.objects(id=obj_id).first()
roles = roledetail.objects(tenantid=request.user.tenantid)
for role in roles:
list1 = []
for a in role.policy:
if (str(a.cloudid.id) == str(obj_id)):
pass
else:
list1.append(a)
roledetail.objects(id=role.id).update(set__policy=list1)
user = get_user_document().objects(
username=request.user.username).first()
if cloud.platform == "Openstack":
if user.openstackname == cloud.name:
clouds = sum([[
y.cloudid
for y in i.policy if y.cloudid.platform == "Openstack"
] for i in user.roles], [])
if clouds:
openstack_user = openstack_authenticate.authenticate(
user_domain_name=None,
username=clouds[0]["cloud_meta"]["publickey"],
password=encode_decode(
clouds[0]["cloud_meta"]["privatekey"], "decode"),
auth_url=clouds[0]["cloud_meta"]["endpoint"])
utoken = openstack_user.token
if utoken:
delete_token(user.endpoint, user.token.id)
otoken = trail.DocToken(
user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
user.token = otoken
user.authorized_tenants = [
remove_tenants(d.__dict__)
for d in openstack_user.authorized_tenants
]
user.service_catalog = openstack_user.service_catalog
user.services_region = openstack_user.services_region
user.project_name = openstack_user.project_name
user.tenant_name = openstack_user.tenant_name
user.tenant_id = openstack_user.tenant_id
user.project_id = openstack_user.project_id
user.endpoint = clouds[0]["cloud_meta"]["endpoint"] + ""
user.openstackname = clouds[0]["name"]
else:
delete_token(user.endpoint, user.token.id)
user.authorized_tenants = []
user.service_catalog = []
user.services_region = None
user.project_name = None
user.tenant_name = None
user.tenant_id = None
user.project_id = None
user.endpoint = None
user.token = None
user.openstackname = None
if cloud.platform == "Cnext":
if user.cnextname == cloud.name:
clouds = sum([[
y.cloudid
for y in i.policy if y.cloudid.platform == "Cnext"
] for i in user.roles], [])
if clouds:
user.cnextpublickey = clouds[0]["cloud_meta"]["publickey"]
user.cnextprivatekey = encode_decode(
clouds[0]["cloud_meta"]["privatekey"], "encode")
user.cnextendpoint = clouds[0]["cloud_meta"]["endpoint"]
user.cnextname = clouds[0]["name"]
else:
user.cnextpublickey = ""
user.cnextprivatekey = ""
user.cnextendpoint = ""
user.cnextname = ""
if cloud.platform == "Hpcloud":
hp_clouds = Hpclouddata.objects.all()
for hp_cloud in hp_clouds:
if hp_cloud.hpcloudid.id == cloud.id:
if hp_cloud.id == request.user.hp_attr.id:
clouds = sum([[
y.cloudid for y in i.policy
if y.cloudid.platform == "Hpcloud"
] for i in user.roles], [])
if clouds:
hpclouds = Hpclouddata.objects.all()
for hpcloud in hpclouds:
if hpcloud.hpcloudid.id != cloud.id:
user.hp_attr = hpcloud
hpcloudobj = tenantclouds.objects(
id=hpcloud.hpcloudid.id).first()
user.hpname = hpcloudobj.name
else:
user.hp_attr = None
user.hpname = None
hp = Hpclouddata.objects(id=hp_cloud.id).first()
hp.delete()
else:
hp = Hpclouddata.objects(id=hp_cloud.id).first()
hp.delete()
if cloud.platform == "Amazon":
if user.awsname == cloud.name:
clouds = sum([[
y.cloudid
for y in i.policy if y.cloudid.platform == "Amazon"
] for i in user.roles], [])
if clouds:
user.awspublickey = clouds[0]["cloud_meta"]["publickey"]
user.awsprivatekey = encode_decode(
clouds[0]["cloud_meta"]["privatekey"], "encode")
user.awsendpoint = clouds[0]["cloud_meta"]["endpoint"]
user.awsname = clouds[0]["name"]
else:
user.awspublickey = ""
user.awsprivatekey = ""
user.awsendpoint = ""
user.awsname = ""
user.save()
cloud.delete()
def handle(self, request, context):
cloud_id = context.get('cloud_id', None)
username = context.get('publickey', None)
cloudname = context.get('cloudname', None)
platform = context.get('platform', None)
password = context.get('secretkey', None)
endpoint = context.get('endpoint', None)
cloud_type = context.get('cloud_type', None)
if (username == '') & (password == ''):
username = context.get('publickey', None)
password = context.get('secretkey', None)
get_user_document().objects(username=request.user.username).first()
user = get_user_document().objects(
username=request.user.username).first()
try:
if platform == "Cnext":
httpInst = httplib2.Http()
httpInst.add_credentials(name = username, \
password = password)
url = endpoint + "/api/instance?resourceType=vm"
resp, body = httpInst.request(url)
if resp.status == 200:
cloud = tenantclouds(name=cloudname,
cloud_type=cloud_type,
platform=platform,
cloud_meta={
"publickey":
username,
"privatekey":
encode_decode(password, "encode"),
"endpoint":
endpoint
},
tenantid=request.user.tenantid.id,
cloudid=cloud_id)
cloud.save()
roles = roledetail.objects(
tenantid=request.user.tenantid.id)
allowed_action = actions.objects.first().allowed
for role in roles:
if role.roletype == "Tenant Admin" and role.name == "Tenant Admin":
i = {
"cloudid": cloud.id,
"provider": "ALL",
"region": "ALL",
"allowed": allowed_action
}
roledetail.objects(id=role.id).update(
push__policy=i)
else:
pass
if user.cnextname == "" or user.cnextname is None:
user.cnextpublickey = username
user.cnextprivatekey = encode_decode(
password, "encode")
user.cnextendpoint = endpoint
user.cnextname = cloudname
user.save()
refresh_session_policies(request, request.user)
return True
else:
return False
elif platform == "Openstack":
openstack_user = openstack_authenticate.authenticate(
user_domain_name=None,
username=username,
password=password,
auth_url=endpoint)
utoken = openstack_user.token
if utoken:
cloud = tenantclouds(name=cloudname,
cloud_type=cloud_type,
platform=platform,
cloud_meta={
"publickey":
username,
"privatekey":
encode_decode(password, "encode"),
"endpoint":
endpoint
},
tenantid=request.user.tenantid.id,
cloudid=cloud_id)
cloud.save()
allowed_action = actions.objects.first().allowed
roles = roledetail.objects(
tenantid=request.user.tenantid.id)
for role in roles:
if role.roletype == "Tenant Admin" and role.name == "Tenant Admin":
i = {
"cloudid": cloud.id,
"provider": "",
"region": "",
"allowed": allowed_action
}
roledetail.objects(id=role.id).update(
push__policy=i)
if user.openstackname == "" or user.openstackname is None:
otoken = trail.DocToken(
user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
user.token = otoken
user.authorized_tenants = [
remove_tenants(d.__dict__)
for d in openstack_user.authorized_tenants
]
user.service_catalog = openstack_user.service_catalog
user.services_region = openstack_user.services_region
user.project_name = openstack_user.project_name
user.tenant_name = openstack_user.tenant_name
user.tenant_id = openstack_user.tenant_id
user.project_id = openstack_user.project_id
user.endpoint = endpoint + ""
user.openstackname = cloudname
msg = _("Successfully user token created in "
"Mongodb.")
user.save()
LOG.debug(msg)
else:
delete_token(endpoint, utoken.id)
refresh_session_policies(request, request.user)
return True
else:
return False
elif platform == "Hpcloud":
openstack_user = openstack_authenticate.authenticate(
user_domain_name=None,
username=username,
password=password,
auth_url=endpoint)
utoken = openstack_user.token
if utoken:
cloud = tenantclouds(name=cloudname,
cloud_type=cloud_type,
platform=platform,
cloud_meta={
"publickey":
username,
"privatekey":
encode_decode(password, "encode"),
"endpoint":
endpoint
},
tenantid=request.user.tenantid.id,
cloudid=cloud_id)
cloud.save()
allowed_action = actions.objects.first().allowed
roles = roledetail.objects(
tenantid=request.user.tenantid.id)
for role in roles:
if role.roletype == "Tenant Admin" and role.name == "Tenant Admin":
i = {
"cloudid": cloud.id,
"provider": "",
"region": "",
"allowed": allowed_action
}
roledetail.objects(id=role.id).update(
push__policy=i)
otoken = trail.DocToken(
user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog)
hp = trail.Hpclouddata(token = otoken,\
authorized_tenants = [remove_tenants(d.__dict__) for d in openstack_user.authorized_tenants],\
service_catalog = openstack_user.service_catalog,\
services_region = openstack_user.services_region,\
project_name = openstack_user.project_name,\
tenant_name = openstack_user.tenant_name,\
tenant_id = openstack_user.tenant_id,\
project_id = openstack_user.project_id,\
endpoint = endpoint + "",\
hpcloudid = cloud.id
)
hp.save()
if user.hp_attr == "" or user.hp_attr is None:
user.hp_attr = hp
user.hpname = cloudname
user.save()
msg = _("Successfully user token created in " "Mongodb.")
LOG.debug(msg)
refresh_session_policies(request, request.user)
return True
else:
return False
elif platform == "Amazon":
status = test(endpoint, username, password)
if status == True:
cloud = tenantclouds(name=cloudname,
cloud_type=cloud_type,
platform=platform,
cloud_meta={
"publickey":
username,
"privatekey":
encode_decode(password, "encode"),
"endpoint":
endpoint
},
tenantid=request.user.tenantid.id,
cloudid=cloud_id)
cloud.save()
roles = roledetail.objects(
tenantid=request.user.tenantid.id)
allowed_action = actions.objects.first().allowed
for role in roles:
if role.roletype == "Tenant Admin" and role.name == "Tenant Admin":
i = {
"cloudid": cloud.id,
"provider": "ALL",
"region": "ALL",
"allowed": allowed_action
}
roledetail.objects(id=role.id).update(
push__policy=i)
else:
pass
if user.awsname == "" or user.awsname is None:
user.awspublickey = username
user.awsprivatekey = encode_decode(password, "encode")
user.awsendpoint = endpoint
user.awsname = cloudname
user.save()
refresh_session_policies(request, request.user)
return True
else:
return False
else:
cloud = tenantclouds(name=cloudname,
cloud_type=cloud_type,
platform=platform,
cloud_meta={
"publickey":
username,
"privatekey":
encode_decode(password, "encode"),
"endpoint":
endpoint
},
tenantid=request.user.tenantid.id)
cloud.save()
roles = roledetail.objects(tenantid=request.user.tenantid.id)
for role in roles:
if role.roletype == "Tenant Admin" and role.name == "Tenant Admin":
i = {
"cloudid":
cloud.id,
"provider": [],
"region": [],
"allowed": [
"Create Instance", "Delete Instance",
"Create KP and SG", "Delete KP and SG",
"Start Instance", "Stop Instance",
"Create Volume", "Delete Volume",
"Attach and Dettach Volume"
]
}
roledetail.objects(id=role.id).update(push__policy=i)
return True
except Exception, e:
messages.error(request, _(e.message))
LOG.error(e.message)
def handle(self, request, context):
id = context.get('id', None)
username = context.get('username', None)
cloudname = context.get('cloudname', None)
password = context.get('password', None)
endpoint = context.get('endpoint', None)
if (username == '') & (password == ''):
username = context.get('publickey', None)
password = context.get('secretkey', None)
try:
user = get_user_document().objects(username=request.user.username).first()
cloud = tenantclouds.objects(id = id).first()
if cloud.platform =="Amazon":
status = test(endpoint,username,password)
if status == True:
if user.awsname == cloud.name:
user.awspublickey = username
user.awsprivatekey = trail.encode_decode(password,"encode")
user.awsendpoint = endpoint
user.awsname = cloudname
else:
return False
if cloud.platform =="Cnext":
httpInst = httplib2.Http()
httpInst.add_credentials(name = username, \
password = password)
url = endpoint + ":8130/apiv2/instance"
resp, body = httpInst.request(url)
if resp.status == 200 :
if user.cnextname == cloud.name:
user.cnextpublickey = username
user.cnextprivatekey = trail.encode_decode(password,"encode")
user.cnextendpoint = endpoint
user.cnextname = cloudname
else:
return False
if cloud.platform =="Hpcloud":
openstack_user = openstack_authenticate.authenticate(user_domain_name=None,username=username,
password=password,
auth_url= endpoint)
utoken = openstack_user.token
if utoken:
hp = Hpclouddata.objects(id = request.user.hp_attr.id).first()
hpcloud = tenantclouds.objects(id = hp.hpcloudid.id).first()
if hpcloud.name == cloud.name:
otoken = trail.DocToken(user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog
)
hp.token = otoken
hp.authorized_tenants = [remove_tenants(d.__dict__) for d in openstack_user.authorized_tenants]
hp.service_catalog = openstack_user.service_catalog
hp.services_region = openstack_user.services_region
hp.project_name = openstack_user.project_name
hp.tenant_name = openstack_user.tenant_name
hp.tenant_id = openstack_user.tenant_id
hp.project_id = openstack_user.project_id
hp.endpoint = endpoint
hp.save()
user.hpname = cloudname
else:
return False
if cloud.platform =="Openstack":
openstack_user = openstack_authenticate.authenticate(user_domain_name=None,username=username,
password=password,
auth_url= endpoint)
utoken = openstack_user.token
if utoken:
if user.openstackname == cloud.name:
delete_token(user.endpoint,user.token.id)
otoken = trail.DocToken(user=utoken.user,
user_domain_id=utoken.user_domain_id,
id=utoken.id,
project=utoken.project,
tenant=utoken.project,
domain=utoken.domain,
roles=utoken.roles,
serviceCatalog=utoken.serviceCatalog
)
user.token = otoken
user.authorized_tenants = [remove_tenants(d.__dict__) for d in openstack_user.authorized_tenants]
user.service_catalog = openstack_user.service_catalog
user.services_region = openstack_user.services_region
user.project_name = openstack_user.project_name
user.tenant_name = openstack_user.tenant_name
user.tenant_id = openstack_user.tenant_id
user.project_id = openstack_user.project_id
user.endpoint = endpoint + ""
user.openstackname = cloudname
else:
delete_token(endpoint,utoken.id)
else:
return False
clouds = tenantclouds.objects(id = id).update(set__name = cloudname,set__cloud_meta ={"publickey":username,"privatekey":trail.encode_decode(password,"encode"),"endpoint":endpoint})
user.save()
refresh_session_policies(request, request.user)
return True
except Exception,e:
messages.error(request,_(e.message))
LOG.error(e.message)