def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if "REMOTE_USER" not in context: raise ExternalAuthNotApplicable() username = context["REMOTE_USER"] try: user_ref = self.identity_api.get_user_by_name(context=context, user_name=username) user_id = user_ref["id"] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_project_id_from_auth(context, auth) tenant_ref = self._get_project_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) self._append_roles(metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id)) self._append_roles(metadata_ref, self._get_domain_metadata_ref(context, user_id, tenant_id)) expiry = core.default_expire_time() auth_token_data = self._get_auth_token_data(user_ref, tenant_ref, metadata_ref, expiry) return auth_token_data, (user_ref, tenant_ref, metadata_ref)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'REMOTE_USER' not in context.get('environment', {}): raise ExternalAuthNotApplicable() # NOTE(jamielennox): xml and json differ and get confused about what # empty auth should look like so just reset it. if not auth: auth = {} username = context['environment']['REMOTE_USER'] try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() bind = None if ('kerberos' in CONF.token.bind and context['environment']. get('AUTH_TYPE', '').lower() == 'negotiate'): bind = {'kerberos': username} return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'REMOTE_USER' not in context.get('environment', {}): raise ExternalAuthNotApplicable() #NOTE(jamielennox): xml and json differ and get confused about what # empty auth should look like so just reset it. if not auth: auth = {} username = context['environment']['REMOTE_USER'] try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() bind = None if ('kerberos' in CONF.token.bind and context['environment'].get( 'AUTH_TYPE', '').lower() == 'negotiate'): bind = {'kerberos': username} return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if "REMOTE_USER" not in context.get("environment", {}): raise ExternalAuthNotApplicable() # NOTE(jamielennox): xml and json differ and get confused about what # empty auth should look like so just reset it. if not auth: auth = {} username = context["environment"]["REMOTE_USER"] try: user_ref = self.identity_api.get_user_by_name(username, DEFAULT_DOMAIN_ID) user_id = user_ref["id"] except exception.UserNotFound as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref["roles"] = self._get_project_roles_and_ref(user_id, tenant_id) expiry = core.default_expire_time() bind = None if "kerberos" in CONF.token.bind and context["environment"].get("AUTH_TYPE", "").lower() == "negotiate": bind = {"kerberos": username} return (user_ref, tenant_ref, metadata_ref, expiry, bind)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'REMOTE_USER' not in context: raise ExternalAuthNotApplicable() username = context['REMOTE_USER'] try: user_ref = self.identity_api.get_user_by_name( context=context, user_name=username, domain_id=DEFAULT_DOMAIN_ID) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_project_id_from_auth(context, auth) tenant_ref = self._get_project_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) # TODO (henry-nash) If no tenant was specified, instead check # for a domain and find any related user/group roles self._append_roles(metadata_ref, self._get_group_metadata_ref( context, user_id, tenant_id)) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'REMOTE_USER' not in context: raise ExternalAuthNotApplicable() username = context['REMOTE_USER'] try: user_ref = self.identity_api.get_user_by_name( context=context, user_name=username, domain_id=DEFAULT_DOMAIN_ID) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_project_id_from_auth(context, auth) tenant_ref = self._get_project_ref(context, user_id, tenant_id) metadata_ref = self._get_metadata_ref(context, user_id, tenant_id) # TODO (henry-nash) If no tenant was specified, instead check # for a domain and find any related user/group roles self._append_roles( metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id)) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry)
def authenticate(self, context, accesskey=None): if 'accessKeyCredentials' not in accesskey: raise exception.Unauthorized( message='Invalid access key authentication request') user_ref = self._get_user(accesskey) user_ref = { 'default_project_id': user_ref.get('default_project_id'), 'domain_id': user_ref.get('domain_id'), 'enabled': user_ref.get('enabled'), 'id': user_ref.get('id'), 'name': user_ref.get('name'), 'email': user_ref.get('email') } user_ref = self.v3_to_v2_user(user_ref) tenant_ref = {} metadata_ref = {} roles_ref = {} catalog_ref = {} expiry = core.default_expire_time() bind = None '''tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id']) user_ref = self.identity_api.get_user(creds_ref['user_id']) metadata_ref = {} metadata_ref['roles'] = ( self.assignment_api.get_roles_for_user_and_project( user_ref['id'], tenant_ref['id'])) trust_id = creds_ref.get('trust_id') if trust_id: metadata_ref['trust_id'] = trust_id metadata_ref['trustee_user_id'] = user_ref['id'] roles = metadata_ref.get('roles', []) if not roles: raise exception.Unauthorized(message='User not valid for tenant.') roles_ref = [self.assignment_api.get_role(role_id) for role_id in roles] catalog_ref = self.catalog_api.get_catalog( user_ref['id'], tenant_ref['id'], metadata_ref) # NOTE(morganfainberg): Make sure the data is in correct form since it # might be consumed external to Keystone and this is a v2.0 controller. # The token provider does not explicitly care about user_ref version # in this case, but the data is stored in the token itself and should # match the version''' user_ref = self.v3_to_v2_user(user_ref) auth_token_data = dict(user=user_ref, tenant=tenant_ref, metadata=metadata_ref, id='placeholder') (token_id, token_data) = self.token_provider_api.issue_v2_token( auth_token_data, roles_ref, catalog_ref) return token_data
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'passwordCredentials' not in auth: raise exception.ValidationError( attribute='passwordCredentials', target='auth') if "password" not in auth['passwordCredentials']: raise exception.ValidationError( attribute='password', target='passwordCredentials') password = auth['passwordCredentials']['password'] if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']): raise exception.ValidationError( attribute='username or userId', target='passwordCredentials') user_id = auth['passwordCredentials'].get('userId', None) username = auth['passwordCredentials'].get('username', '') if username: try: user_ref = self.identity_api.get_user_by_name( context=context, user_name=username) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_tenant_id_from_auth(context, auth) try: auth_info = self.identity_api.authenticate( context=context, user_id=user_id, password=password, tenant_id=tenant_id) except AssertionError as e: raise exception.Unauthorized(e) (user_ref, tenant_ref, metadata_ref) = auth_info self._append_roles(metadata_ref, self._get_group_metadata_ref( context, user_id, tenant_id)) self._append_roles(metadata_ref, self._get_domain_metadata_ref( context, user_id, tenant_id)) expiry = core.default_expire_time() auth_token_data = self._get_auth_token_data(user_ref, tenant_ref, metadata_ref, expiry) return auth_token_data, (user_ref, tenant_ref, metadata_ref)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'passwordCredentials' not in auth: raise exception.ValidationError( attribute='passwordCredentials', target='auth') if "password" not in auth['passwordCredentials']: raise exception.ValidationError( attribute='password', target='passwordCredentials') password = auth['passwordCredentials']['password'] max_pw_size = utils.MAX_PASSWORD_LENGTH if password and len(password) > max_pw_size: raise exception.ValidationSizeError(attribute='password', size=max_pw_size) if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']): raise exception.ValidationError( attribute='username or userId', target='passwordCredentials') user_id = auth['passwordCredentials'].get('userId', None) if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['passwordCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( username, DEFAULT_DOMAIN_ID) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate( user_id=user_id, password=password) except AssertionError as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if "passwordCredentials" not in auth: raise exception.ValidationError(attribute="passwordCredentials", target="auth") if "password" not in auth["passwordCredentials"]: raise exception.ValidationError(attribute="password", target="passwordCredentials") password = auth["passwordCredentials"]["password"] max_pw_size = utils.MAX_PASSWORD_LENGTH if password and len(password) > max_pw_size: raise exception.ValidationSizeError(attribute="password", size=max_pw_size) if "userId" not in auth["passwordCredentials"] and "username" not in auth["passwordCredentials"]: raise exception.ValidationError(attribute="username or userId", target="passwordCredentials") user_id = auth["passwordCredentials"].get("userId", None) if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute="userId", size=CONF.max_param_size) username = auth["passwordCredentials"].get("username", "") if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute="username", size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( context=context, user_name=username, domain_id=DEFAULT_DOMAIN_ID ) user_id = user_ref["id"] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_project_id_from_auth(context, auth) try: auth_info = self.identity_api.authenticate( context=context, user_id=user_id, password=password, tenant_id=tenant_id ) except AssertionError as e: raise exception.Unauthorized(e) (user_ref, tenant_ref, metadata_ref) = auth_info # By now we will have authorized and if a tenant/project was # specified, we will have obtained its metadata. In this case # we just need to add in any group roles. # # TODO (henry-nash) If no tenant was specified, instead check # for a domain and find any related user/group roles self._append_roles(metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id)) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'passwordCredentials' not in auth: raise exception.ValidationError( attribute='passwordCredentials', target='auth') if "password" not in auth['passwordCredentials']: raise exception.ValidationError( attribute='password', target='passwordCredentials') password = auth['passwordCredentials']['password'] if password and len(password) > CONF.identity.max_password_length: raise exception.ValidationSizeError( attribute='password', size=CONF.identity.max_password_length) if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']): raise exception.ValidationError( attribute='username or userId', target='passwordCredentials') user_id = auth['passwordCredentials'].get('userId') if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['passwordCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate( context, user_id=user_id, password=password) except AssertionError as e: raise exception.Unauthorized(e.args[0]) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_ak(self, context, auth): if 'accessKeyCredentials' not in auth: raise exception.ValidationError( attribute='accessKeyCredentials', target='auth') if "accessKey" not in auth['accessKeyCredentials']: raise exception.ValidationError( attribute='password', target='passwordCredentials') access_key = auth['accessKeyCredentials']['accessKey'] #TODO: ATHEENDRA #if access_key and len(access_key) > CONF.identity.max_password_length: # raise exception.ValidationSizeError( # attribute='accessKey', size=CONF.identity.max_password_length) if ("userId" not in auth['accessKeyCredentials'] and "username" not in auth['accessKeyCredentials']): raise exception.ValidationError( attribute='username or userId', target='accessKeyCredentials') user_id = auth['accessKeyCredentials'].get('userId') if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['accessKeyCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate_ak( context, user_id=user_id, access_key=access_key) except AssertionError as e: raise exception.Unauthorized(e.args[0]) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_ak(self, context, auth): if 'accessKeyCredentials' not in auth: raise exception.ValidationError(attribute='accessKeyCredentials', target='auth') if "accessKey" not in auth['accessKeyCredentials']: raise exception.ValidationError(attribute='password', target='passwordCredentials') access_key = auth['accessKeyCredentials']['accessKey'] #TODO: ATHEENDRA #if access_key and len(access_key) > CONF.identity.max_password_length: # raise exception.ValidationSizeError( # attribute='accessKey', size=CONF.identity.max_password_length) if ("userId" not in auth['accessKeyCredentials'] and "username" not in auth['accessKeyCredentials']): raise exception.ValidationError(attribute='username or userId', target='accessKeyCredentials') user_id = auth['accessKeyCredentials'].get('userId') if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['accessKeyCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate_ak(context, user_id=user_id, access_key=access_key) except AssertionError as e: raise exception.Unauthorized(e.args[0]) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if "passwordCredentials" not in auth: raise exception.ValidationError(attribute="passwordCredentials", target="auth") if "password" not in auth["passwordCredentials"]: raise exception.ValidationError(attribute="password", target="passwordCredentials") password = auth["passwordCredentials"]["password"] if password and len(password) > CONF.identity.max_password_length: raise exception.ValidationSizeError(attribute="password", size=CONF.identity.max_password_length) if "userId" not in auth["passwordCredentials"] and "username" not in auth["passwordCredentials"]: raise exception.ValidationError(attribute="username or userId", target="passwordCredentials") user_id = auth["passwordCredentials"].get("userId", None) if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute="userId", size=CONF.max_param_size) username = auth["passwordCredentials"].get("username", "") if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute="username", size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name(username, DEFAULT_DOMAIN_ID) user_id = user_ref["id"] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate(user_id=user_id, password=password) except AssertionError as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref["roles"] = self._get_project_roles_and_ref(user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)
def _authenticate_external(self, context, auth): """Try to authenticate an external user via REMOTE_USER variable. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'REMOTE_USER' not in context: raise ExternalAuthNotApplicable() username = context['REMOTE_USER'] try: user_ref = self.identity_api.get_user_by_name( username, DEFAULT_DOMAIN_ID) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'passwordCredentials' not in auth: raise exception.ValidationError(attribute='passwordCredentials', target='auth') if "password" not in auth['passwordCredentials']: raise exception.ValidationError(attribute='password', target='passwordCredentials') password = auth['passwordCredentials']['password'] max_pw_size = utils.MAX_PASSWORD_LENGTH if password and len(password) > max_pw_size: raise exception.ValidationSizeError(attribute='password', size=max_pw_size) if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']): raise exception.ValidationError(attribute='username or userId', target='passwordCredentials') user_id = auth['passwordCredentials'].get('userId', None) if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['passwordCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( context=context, user_name=username, domain_id=DEFAULT_DOMAIN_ID) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) tenant_id = self._get_project_id_from_auth(context, auth) try: auth_info = self.identity_api.authenticate(context=context, user_id=user_id, password=password, tenant_id=tenant_id) except AssertionError as e: raise exception.Unauthorized(e) (user_ref, tenant_ref, metadata_ref) = auth_info # By now we will have authorized and if a tenant/project was # specified, we will have obtained its metadata. In this case # we just need to add in any group roles. # # TODO (henry-nash) If no tenant was specified, instead check # for a domain and find any related user/group roles self._append_roles( metadata_ref, self._get_group_metadata_ref(context, user_id, tenant_id)) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry)
def _authenticate_local(self, context, auth): """Try to authenticate against the identity backend. { "auth":{ "accessKeyCredentials":{ "username":"******", "accesskey":"myaccesskey", "tenantName":"customer-x" } } } Returns auth_token_data, (user_ref, tenant_ref, metadata_ref) """ if 'passwordCredentials' not in auth: raise exception.ValidationError(attribute='passwordCredentials', target='auth') if "password" not in auth['passwordCredentials']: raise exception.ValidationError(attribute='password', target='passwordCredentials') password = auth['passwordCredentials']['password'] if password and len(password) > CONF.identity.max_password_length: raise exception.ValidationSizeError( attribute='password', size=CONF.identity.max_password_length) if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']): raise exception.ValidationError(attribute='username or userId', target='passwordCredentials') user_id = auth['passwordCredentials'].get('userId') if user_id and len(user_id) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='userId', size=CONF.max_param_size) username = auth['passwordCredentials'].get('username', '') if len(username) > CONF.max_param_size: raise exception.ValidationSizeError(attribute='username', size=CONF.max_param_size) if username: try: user_ref = self.identity_api.get_user_by_name( username, CONF.identity.default_domain_id) user_id = user_ref['id'] except exception.UserNotFound as e: raise exception.Unauthorized(e) try: user_ref = self.identity_api.authenticate(context, user_id=user_id, password=password) except AssertionError as e: raise exception.Unauthorized(e.args[0]) metadata_ref = {} tenant_id = self._get_project_id_from_auth(auth) tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( user_id, tenant_id) expiry = core.default_expire_time() return (user_ref, tenant_ref, metadata_ref, expiry, None)