def _v3_client_init(self):
client = kc_v3.Client(session=self.session,
connect_retries=cfg.CONF.client_retry_limit,
region_name=self.auth_region_name)
if hasattr(self.context.auth_plugin, 'get_access'):
# NOTE(jamielennox): get_access returns the current token without
# reauthenticating if it's present and valid.
try:
auth_ref = self.context.auth_plugin.get_access(self.session)
except ks_exception.Unauthorized:
LOG.error("Keystone client authentication failed")
raise exception.AuthorizationFailure()
if self.context.trust_id:
# Sanity check
if not auth_ref.trust_scoped:
LOG.error("trust token re-scoping failed!")
raise exception.AuthorizationFailure()
# Sanity check that impersonation is effective
if self.context.trustor_user_id != auth_ref.user_id:
LOG.error("Trust impersonation failed")
raise exception.AuthorizationFailure()
return client
def _v2_client_init(self):
kwargs = {
'auth_url': self.context.auth_url,
'endpoint': self.context.auth_url,
'region_name': cfg.CONF.region_name_for_services
}
if self.context.region_name is not None:
kwargs['region_name'] = self.context.region_name
auth_kwargs = {}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate, then re-scope the token to the
# trust impersonating the trustor user.
# Note that this currently requires the trustor tenant_id
# to be passed to the authenticate(), unlike the v3 call
kwargs.update(self._service_admin_creds())
auth_kwargs['trust_id'] = self.context.trust_id
auth_kwargs['tenant_id'] = self.context.tenant_id
elif self.context.auth_token is not None:
kwargs['tenant_name'] = self.context.tenant
kwargs['token'] = self.context.auth_token
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['tenant_name'] = self.context.tenant
kwargs['tenant_id'] = self.context.tenant_id
else:
LOG.error(
_LE("Keystone v2 API connection failed, no password "
"or auth_token!"))
raise exception.AuthorizationFailure()
kwargs['cacert'] = self._get_client_option('ca_file')
kwargs['insecure'] = self._get_client_option('insecure')
kwargs['cert'] = self._get_client_option('cert_file')
kwargs['key'] = self._get_client_option('key_file')
client = kc.Client(**kwargs)
client.authenticate(**auth_kwargs)
# If we are authenticating with a trust auth_kwargs are set, so set
# the context auth_token with the re-scoped trust token
if auth_kwargs:
# Sanity check
if not client.auth_ref.trust_scoped:
LOG.error(_LE("v2 trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client.auth_ref.auth_token
self.context.auth_url = kwargs.get('auth_url')
# Ensure the v2 API we're using is not impacted by keystone
# bug #1239303, otherwise we can't trust the user_id
if self.context.trustor_user_id != client.auth_ref.user_id:
LOG.error(
_LE("Trust impersonation failed, bug #1239303 "
"suspected, you may need a newer keystone"))
raise exception.AuthorizationFailure()
return client
def _v3_client_init(self):
kwargs = {'auth_url': self.v3_endpoint, 'endpoint': self.v3_endpoint}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate with the trust_id so we can use the
# trust impersonating the trustor user.
kwargs.update(self._service_admin_creds())
kwargs['trust_id'] = self.context.trust_id
kwargs.pop('project_name')
elif self.context.auth_token_info is not None:
# The auth_ref version must be set according to the token version
if 'access' in self.context.auth_token_info:
kwargs['auth_ref'] = copy.deepcopy(
self.context.auth_token_info['access'])
kwargs['auth_ref']['version'] = 'v2.0'
kwargs['auth_ref']['token']['id'] = self.context.auth_token
elif 'token' in self.context.auth_token_info:
kwargs['auth_ref'] = copy.deepcopy(
self.context.auth_token_info['token'])
kwargs['auth_ref']['version'] = 'v3'
kwargs['auth_ref']['auth_token'] = self.context.auth_token
else:
LOG.error(_LE('Unknown version in auth_token_info'))
raise exception.AuthorizationFailure(
_('Unknown token version'))
elif self.context.auth_token is not None:
kwargs['token'] = self.context.auth_token
kwargs['project_id'] = self.context.tenant_id
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['project_id'] = self.context.tenant_id
else:
LOG.error(
_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
kwargs.update(self._ssl_options())
client = kc_v3.Client(**kwargs)
# If auth_ref has already be specified via auth_token_info, don't
# authenticate as we want to reuse, rather than request a new token
if 'auth_ref' not in kwargs:
client.authenticate()
# If we are authenticating with a trust set the context auth_token
# with the trust scoped token
if 'trust_id' in kwargs:
# Sanity check
if not client.auth_ref.trust_scoped:
LOG.error(_LE("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# Sanity check that impersonation is effective
if self.context.trustor_user_id != client.auth_ref.user_id:
LOG.error(_LE("Trust impersonation failed"))
raise exception.AuthorizationFailure()
return client
def _v3_client_init(self):
if self.context.auth_url:
v3_endpoint = self.context.auth_url.replace('v2.0', 'v3')
else:
# Import auth_token to have keystone_authtoken settings setup.
importutils.import_module('keystoneclient.middleware.auth_token')
v3_endpoint = self.conf.keystone_authtoken.auth_uri.replace(
'v2.0', 'v3')
kwargs = {'auth_url': v3_endpoint, 'endpoint': v3_endpoint}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate with the trust_id so we can use the
# trust impersonating the trustor user.
kwargs.update(self._service_admin_creds())
kwargs['trust_id'] = self.context.trust_id
elif self.context.auth_token is not None:
kwargs['project_name'] = self.context.tenant
kwargs['token'] = self.context.auth_token
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['project_name'] = self.context.tenant
kwargs['project_id'] = self.context.tenant_id
else:
logger.error(
_("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
kwargs['cacert'] = self._get_client_option('ca_file')
kwargs['insecure'] = self._get_client_option('insecure')
kwargs['cert'] = self._get_client_option('cert_file')
kwargs['key'] = self._get_client_option('key_file')
client_v3 = kc_v3.Client(**kwargs)
client_v3.authenticate()
# If we are authenticating with a trust set the context auth_token
# with the trust scoped token
if 'trust_id' in kwargs:
# Sanity check
if not client_v3.auth_ref.trust_scoped:
logger.error(_("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client_v3.auth_ref.auth_token
self.context.auth_url = kwargs.get('auth_url')
# Sanity check that impersonation is effective
if self.context.trustor_user_id != client_v3.auth_ref.user_id:
logger.error("Trust impersonation failed")
raise exception.AuthorizationFailure()
return client_v3
def domain_admin_auth(self):
if not self._domain_admin_auth:
# Note we must specify the domain when getting the token
# as only a domain scoped token can create projects in the domain
if self._stack_domain_is_id:
auth_kwargs = {
'domain_id': self.stack_domain,
'user_domain_id': self.stack_domain
}
else:
auth_kwargs = {
'domain_name': self.stack_domain,
'user_domain_name': self.stack_domain
}
auth = kc_auth_v3.Password(username=self.domain_admin_user,
password=self.domain_admin_password,
auth_url=self.v3_endpoint,
**auth_kwargs)
# NOTE(jamielennox): just do something to ensure a valid token
try:
auth.get_token(self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
self._domain_admin_auth = auth
return self._domain_admin_auth
def create_trust_context(self):
"""Create a trust using the trustor identity in the current context.
The trust is created with the trustee as the heat service user.
If the current context already contains a trust_id, we do nothing
and return the current context.
Returns a context containing the new trust_id.
"""
if self.context.trust_id:
return self.context
# We need the service admin user ID (not name), as the trustor user
# can't lookup the ID in keystoneclient unless they're admin
# workaround this by getting the user_id from admin_client
try:
trustee_user_id = self.context.trusts_auth_plugin.get_user_id(
self.session)
except ks_exception.Unauthorized:
LOG.error("Domain admin client authentication failed")
raise exception.AuthorizationFailure()
trustor_user_id = self.context.auth_plugin.get_user_id(self.session)
trustor_proj_id = self.context.auth_plugin.get_project_id(self.session)
role_kw = {}
# inherit the roles of the trustor, unless set trusts_delegated_roles
if cfg.CONF.trusts_delegated_roles:
role_kw['role_names'] = cfg.CONF.trusts_delegated_roles
else:
token_info = self.context.auth_token_info
if token_info and token_info.get('token', {}).get('roles'):
role_kw['role_ids'] = [
r['id'] for r in token_info['token']['roles']
]
else:
role_kw['role_names'] = self.context.roles
allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
and cfg.CONF.allow_trusts_redelegation)
try:
trust = self.client.trusts.create(
trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
project=trustor_proj_id,
impersonation=True,
allow_redelegation=allow_redelegation,
**role_kw)
except ks_exception.NotFound:
LOG.debug("Failed to find roles %s for user %s" %
(role_kw, trustor_user_id))
raise exception.MissingCredentialError(required=_("roles %s") %
role_kw)
context_data = self.context.to_dict()
context_data['overwrite'] = False
trust_context = context.RequestContext.from_dict(context_data)
trust_context.trust_id = trust.id
trust_context.trustor_user_id = trustor_user_id
return trust_context
def _v3_client_init(self):
kwargs = {}
if self.context.auth_token is not None:
kwargs['project_name'] = self.context.tenant
kwargs['token'] = self.context.auth_token
kwargs['auth_url'] = self.context.auth_url.replace('v2.0', 'v3')
kwargs['endpoint'] = kwargs['auth_url']
elif self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials and get a
# Token back impersonating the trustor user
kwargs.update(self._service_admin_creds(api_version=3))
kwargs['trust_id'] = self.context.trust_id
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['project_name'] = self.context.tenant
kwargs['project_id'] = self.context.tenant_id
kwargs['auth_url'] = self.context.auth_url.replace('v2.0', 'v3')
kwargs['endpoint'] = kwargs['auth_url']
else:
logger.error(
_("Keystone v3 API connection failed, no password "
"or auth_token!"))
raise exception.AuthorizationFailure()
kwargs['cacert'] = self._get_client_option('ca_file')
kwargs['insecure'] = self._get_client_option('insecure')
kwargs['cert'] = self._get_client_option('cert_file')
kwargs['key'] = self._get_client_option('key_file')
client = kc_v3.Client(**kwargs)
# Have to explicitly authenticate() or client.auth_ref is None
client.authenticate()
return client
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.password:
# Never trust the password. Refer to keyring
LOG.info("Re-determining password from keyring")
self.password = keyring.get_password('CGCS', self.username)
# TIS user_domain_id is blank. Use user_domain_name to lookup user
user_domain_name = cfg.CONF.user_domain_name
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
user_domain_name=user_domain_name,
auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
LOG.error("Keystone API connection failed, no password "
"trust or auth_token!")
raise exception.AuthorizationFailure()
def _create_auth_plugin(self):
if self.auth_token_info:
access_info = access.create(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_ref=access_info, auth_url=self.keystone_v3_endpoint)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return generic.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
auth_url=self.keystone_v3_endpoint)
LOG.error(
_LE("Keystone API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def _create_auth_plugin(self):
if self.trust_id:
importutils.import_module('keystonemiddleware.auth_token')
username = cfg.CONF.keystone_authtoken.admin_user
password = cfg.CONF.keystone_authtoken.admin_password
return v3.Password(username=username,
password=password,
user_domain_id='default',
auth_url=self._keystone_v3_endpoint,
trust_id=self.trust_id)
if self.auth_token_info:
auth_ref = access.AccessInfo.factory(body=self.auth_token_info,
auth_token=self.auth_token)
return _AccessInfoPlugin(self._keystone_v3_endpoint, auth_ref)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self._keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return v3.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id='default',
auth_url=self._keystone_v3_endpoint)
LOG.error(_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def _v2_client_init(self):
kwargs = {'auth_url': self.context.auth_url}
auth_kwargs = {}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate, then re-scope the token to the
# trust impersonating the trustor user.
# Note that this currently requires the trustor tenant_id
# to be passed to the authenticate(), unlike the v3 call
kwargs.update(self._service_admin_creds(api_version=2))
auth_kwargs['trust_id'] = self.context.trust_id
auth_kwargs['tenant_id'] = self.context.tenant_id
elif self.context.auth_token is not None:
kwargs['tenant_name'] = self.context.tenant
kwargs['token'] = self.context.auth_token
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['tenant_name'] = self.context.tenant
kwargs['tenant_id'] = self.context.tenant_id
else:
logger.error(
_("Keystone v2 API connection failed, no password "
"or auth_token!"))
raise exception.AuthorizationFailure()
kwargs['cacert'] = self._get_client_option('ca_file')
kwargs['insecure'] = self._get_client_option('insecure')
kwargs['cert'] = self._get_client_option('cert_file')
kwargs['key'] = self._get_client_option('key_file')
client_v2 = kc.Client(**kwargs)
client_v2.authenticate(**auth_kwargs)
# If we are authenticating with a trust auth_kwargs are set, so set
# the context auth_token with the re-scoped trust token
if auth_kwargs:
# Sanity check
if not client_v2.auth_ref.trust_scoped:
logger.error(_("v2 trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client_v2.auth_ref.auth_token
self.context.auth_url = kwargs.get('auth_url')
return client_v2
def _v3_client_init(self):
kwargs = {
'auth_url': self.v3_endpoint,
'endpoint': self.v3_endpoint
}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate with the trust_id so we can use the
# trust impersonating the trustor user.
kwargs.update(self._service_admin_creds())
kwargs['trust_id'] = self.context.trust_id
elif self.context.auth_token is not None:
kwargs['project_name'] = self.context.tenant
kwargs['token'] = self.context.auth_token
elif self.context.password is not None:
kwargs['username'] = self.context.username
kwargs['password'] = self.context.password
kwargs['project_name'] = self.context.tenant
kwargs['project_id'] = self.context.tenant_id
else:
logger.error(_("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
kwargs.update(self._ssl_options())
client_v3 = kc_v3.Client(**kwargs)
client_v3.authenticate()
# If we are authenticating with a trust set the context auth_token
# with the trust scoped token
if 'trust_id' in kwargs:
# Sanity check
if not client_v3.auth_ref.trust_scoped:
logger.error(_("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client_v3.auth_ref.auth_token
self.context.auth_url = kwargs.get('auth_url')
# Sanity check that impersonation is effective
if self.context.trustor_user_id != client_v3.auth_ref.user_id:
logger.error("Trust impersonation failed")
raise exception.AuthorizationFailure()
return client_v3
def stack_domain_id(self):
if not self._stack_domain_id:
try:
access = self.domain_admin_auth.get_access(self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Keystone client authentication failed"))
raise exception.AuthorizationFailure()
self._stack_domain_id = access.domain_id
return self._stack_domain_id
def trusts_auth_plugin(self):
if not self._trusts_auth_plugin:
self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options(
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
if not self._trusts_auth_plugin:
LOG.error('Please add the trustee credentials you need '
'to the %s section of your heat.conf file.',
TRUSTEE_CONF_GROUP)
raise exception.AuthorizationFailure()
return self._trusts_auth_plugin
def keystone_v3_endpoint(self):
if self.auth_url:
return self.auth_url.replace('v2.0', 'v3')
else:
auth_uri = endpoint_utils.get_auth_uri()
if auth_uri:
return auth_uri
else:
LOG.error('Keystone API endpoint not provided. Set '
'auth_uri in section [clients_keystone] '
'of the configuration file.')
raise exception.AuthorizationFailure()
def admin_client(self):
if not self._admin_client:
# Create admin client connection to v3 API
admin_creds = self._service_admin_creds()
admin_creds.update(self._ssl_options())
c = kc_v3.Client(**admin_creds)
if c.authenticate():
self._admin_client = c
else:
logger.error("Admin client authentication failed")
raise exception.AuthorizationFailure()
return self._admin_client
def admin_client(self):
if not self._admin_client:
# Create admin client connection to v3 API
admin_creds = self._service_admin_creds()
admin_creds.update(self._ssl_options())
c = kc_v3.Client(**admin_creds)
try:
c.authenticate()
self._admin_client = c
except kc_exception.Unauthorized:
LOG.error(_LE("Admin client authentication failed"))
raise exception.AuthorizationFailure()
return self._admin_client
def __authenticate(self):
pyrax.set_setting("identity_type", "keystone")
pyrax.set_setting("auth_endpoint", self.context.auth_url)
logger.info(_("Authenticating username:%s") % self.context.username)
self.pyrax = pyrax.auth_with_token(self.context.auth_token,
tenant_id=self.context.tenant_id,
tenant_name=self.context.tenant,
region=(cfg.CONF.region_name
or None))
if not self.pyrax:
raise exception.AuthorizationFailure("No services available.")
logger.info(
_("User %s authenticated successfully.") % self.context.username)
def create_trust_context(self):
"""Create a trust using the trustor identity in the current context.
The trust is created with the trustee as the heat service user.
If the current context already contains a trust_id, we do nothing
and return the current context.
Returns a context containing the new trust_id.
"""
if self.context.trust_id:
return self.context
# We need the service admin user ID (not name), as the trustor user
# can't lookup the ID in keystoneclient unless they're admin
# workaround this by getting the user_id from admin_client
try:
trustee_user_id = self.context.trusts_auth_plugin.get_user_id(
self.session)
except kc_exception.Unauthorized:
LOG.error(_LE("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
trustor_user_id = self.context.auth_plugin.get_user_id(self.session)
trustor_proj_id = self.context.auth_plugin.get_project_id(self.session)
# inherit the roles of the trustor, unless set trusts_delegated_roles
if cfg.CONF.trusts_delegated_roles:
roles = cfg.CONF.trusts_delegated_roles
else:
roles = self.context.roles
try:
trust = self.client.trusts.create(trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
project=trustor_proj_id,
impersonation=True,
role_names=roles)
except kc_exception.NotFound:
LOG.debug("Failed to find roles %s for user %s" %
(roles, trustor_user_id))
raise exception.MissingCredentialError(required=_("roles %s") %
roles)
context_data = self.context.to_dict()
context_data['overwrite'] = False
trust_context = context.RequestContext.from_dict(context_data)
trust_context.trust_id = trust.id
trust_context.trustor_user_id = trustor_user_id
return trust_context
def validate_auth_plugin(auth_plugin, keystone_session):
"""Validate if this auth_plugin is valid to use."""
try:
auth_plugin.get_token(keystone_session)
except Exception as e:
# TODO(ricolin) Add heat document link for plugin information,
# once we generated one.
failure_reason = ("Failed to validate auth_plugin with error %s. "
"Please make sure the credential you provide is "
"correct. Also make sure the it is a valid Keystone "
"auth plugin type and contain in your "
"environment." % e)
raise exception.AuthorizationFailure(failure_reason=failure_reason)
def domain_admin_client(self):
if not self._domain_admin_client:
# Create domain admin client connection to v3 API
admin_creds = self._domain_admin_creds()
admin_creds.update(self._ssl_options())
c = kc_v3.Client(**admin_creds)
# Note we must specify the domain when getting the token
# as only a domain scoped token can create projects in the domain
if c.authenticate(domain_id=self.stack_domain_id):
self._domain_admin_client = c
else:
LOG.error(_("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
return self._domain_admin_client
def __authenticate(self):
# current implemenation shown below authenticates using
# username and password. Need make it work with auth-token
pyrax.set_setting("identity_type", "keystone")
pyrax.set_setting("auth_endpoint", self.context.auth_url)
logger.info("Authenticating with username:%s" % self.context.username)
self.pyrax = pyrax.auth_with_token(self.context.auth_token,
tenant_id=self.context.tenant_id,
tenant_name=self.context.tenant,
region=(cfg.CONF.region_name
or None))
if not self.pyrax:
raise exception.AuthorizationFailure("No services available.")
logger.info("User %s authenticated successfully." %
self.context.username)
def _authenticate(self):
"""Create an authenticated client context."""
self.pyrax = pyrax.create_context("rackspace")
self.pyrax.auth_endpoint = self.context.auth_url
LOG.info(_LI("Authenticating username: %s"), self.context.username)
tenant = self.context.tenant_id
tenant_name = self.context.tenant
self.pyrax.auth_with_token(self.context.auth_token,
tenant_id=tenant,
tenant_name=tenant_name)
if not self.pyrax.authenticated:
LOG.warning(_LW("Pyrax Authentication Failed."))
raise exception.AuthorizationFailure()
LOG.info(_LI("User %s authenticated successfully."),
self.context.username)
def domain_admin_client(self):
if not self._domain_admin_client:
# Create domain admin client connection to v3 API
admin_creds = self._domain_admin_creds()
admin_creds.update(self._ssl_options())
c = kc_v3.Client(**admin_creds)
# Note we must specify the domain when getting the token
# as only a domain scoped token can create projects in the domain
if self._stack_domain_is_id:
auth_kwargs = {'domain_id': self.stack_domain}
else:
auth_kwargs = {'domain_name': self.stack_domain}
try:
c.authenticate(**auth_kwargs)
self._domain_admin_client = c
except kc_exception.Unauthorized:
LOG.error(_LE("Domain admin client authentication failed"))
raise exception.AuthorizationFailure()
return self._domain_admin_client
def _v1_auth(self, token_url):
creds = self.creds
headers = {}
headers['X-Auth-User'] = creds['username']
headers['X-Auth-Key'] = creds['password']
tenant = creds.get('tenant')
if tenant:
headers['X-Auth-Tenant'] = tenant
resp, resp_body = self._do_request(token_url, 'GET', headers=headers)
def _management_url(self, resp):
for url_header in ('x-heat-management-url',
'x-server-management-url', 'x-heat'):
try:
return resp[url_header]
except KeyError as e:
not_found = e
raise not_found
if resp.status in (200, 204):
try:
self.management_url = _management_url(self, resp)
self.auth_token = resp['x-auth-token']
except KeyError:
raise exception.AuthorizationFailure()
elif resp.status == 305:
raise exception.AuthorizationRedirect(resp['location'])
elif resp.status == 400:
raise exception.AuthBadRequest(url=token_url)
elif resp.status == 401:
raise exception.NotAuthorized()
elif resp.status == 404:
raise exception.AuthUrlNotFound(url=token_url)
else:
raise Exception(_('Unexpected response: %s' % resp.status))
def keystone_v3_endpoint(self):
if self.auth_url:
auth_uri = self.auth_url.replace('v2.0', 'v3')
else:
# Look for the keystone auth_uri in the configuration. First we
# check the [clients_keystone] section, and if it is not set we
# look in [keystone_authtoken]
if cfg.CONF.clients_keystone.auth_uri:
discover = ks_discover.Discover(
auth_url=cfg.CONF.clients_keystone.auth_uri)
auth_uri = discover.url_for('3.0')
else:
# Import auth_token to have keystone_authtoken settings setup.
importutils.import_module('keystonemiddleware.auth_token')
if cfg.CONF.keystone_authtoken.auth_uri:
auth_uri = cfg.CONF.keystone_authtoken.auth_uri.replace(
'v2.0', 'v3')
else:
LOG.error('Keystone API endpoint not provided. Set '
'auth_uri in section [clients_keystone] '
'of the configuration file.')
raise exception.AuthorizationFailure()
return auth_uri
def _create(self):
"""Create an authenticated CBD client."""
region = cfg.CONF.region_name_for_services.lower()
if self.context.region_name:
region = self.context.region_name.lower()
LOG.info(_LI("CBD client authenticating username %s in region %s"),
self.context.username, region)
tenant = self.context.tenant_id
username = self.context.username
endpoint_uri = ("https://{region}.bigdata.api.rackspacecloud.com:443/"
"v2/{tenant}".format(region=region, tenant=tenant))
try:
return Lava(username=username,
tenant_id=self.context.tenant_id,
auth_url=self.context.auth_url,
api_key=None,
token=self.context.auth_token,
region=region,
endpoint=endpoint_uri,
verify_ssl=False)
except LavaError as exc:
LOG.warn(_LW("CBD client authentication failed: %s."), exc)
raise exception.AuthorizationFailure()
LOG.info(_LI("CBD user %s authenticated successfully."), username)
