def get_auth_plugin(opts):
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def designateclient(request):
token = request.user.token.id
if keystone.get_version() < 3:
tenant_id = request.user.tenant_id
logwrap_info("using keystone v2.")
# keystone auth object
auth = v2_plugin.Token(auth_url="https://%s:5000/v2.0" %
settings.OPENSTACK_HOST,
tenant_id=tenant_id,
token=token)
else:
project_id = request.user.project_id
project_domain_id = request.session.get('domain_context')
logwrap_info("using keystone v3.")
auth = v3_plugin.Token(auth_url="https://%s:5000/v3" %
settings.OPENSTACK_HOST,
token=token,
project_id=project_id,
project_domain_id=project_domain_id)
# create a session
ks_session = keystone_session.Session(auth=auth)
# spawn designate client object
dns_client = designate_client.Client(session=ks_session)
logwrap_info("Created a new DNSaaS API Client Object.")
return dns_client
def setUp(self):
super(CrudManagerRequestIdTest, self).setUp()
auth = v2.Token(auth_url='http://127.0.0.1:5000',
token=self.TEST_TOKEN)
session_ = session.Session(auth=auth)
self.client = client.Client(session=session_,
include_metadata='True')._adapter
def setUp(self):
super(ManagerTest, self).setUp()
auth = v2.Token(auth_url='http://127.0.0.1:5000',
token=self.TEST_TOKEN)
session_ = session.Session(auth=auth)
self.client = client.Client(session=session_)._adapter
self.mgr = base.Manager(self.client)
self.mgr.resource_class = base.Resource
def _create_token_auth(self, project_id, token=None, url=None):
if not token:
token = self.data.unscoped_access_info.auth_token
if not url:
url = settings.OPENSTACK_KEYSTONE_URL
return v2_auth.Token(auth_url=url,
token=token,
tenant_id=project_id,
reauthenticate=False)
def get_keystone_session(auth_url, user):
if auth_url[-3:] == '/v3':
auth = v3.Token(auth_url, user.token.id, project_id=user.tenant_id)
else:
auth = v2.Token(auth_url,
user.token.id,
tenant_id=user.tenant_id,
tenant_name=user.tenant_name)
session = kssession.Session(auth=auth)
return session
def auth(self):
if 'v2' in self.auth_url:
token = v2.Token(token=self.token, auth_url=self.auth_url, tenant_id=self.tenant_id)
return token
# if 'v3' in self.auth_url:
else:
token = v3.TokenMethod(token=self.token)
return v3.Auth(auth_url=self.auth_url,
auth_methods=[token],
project_id=self.tenant_id
)
def authenticate_token(token):
auth = v2.Token(auth_url=settings.OPENSTACK_AUTH_URL, token=token)
sess = session.Session(auth=auth, timeout=2)
try:
sess.get_auth_headers()
return 200
except Unauthorized:
return 401
except ConnectFailure:
return 404
except ConnectTimeout:
return 504
def connection_token(self, **kwargs):
"""
Make a connection with a token
:param auth_url: str Authentication url
:param token: str Authentication token
:param tenant_id: str Tenant id
"""
self._authentication = v2.Token(auth_url=kwargs['auth_url'],
token=kwargs['token'],
tenant_id=kwargs['tenant_id'])
self._init_session_access_catalog()
def test_authenticate_with_token(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
a = v2.Token(self.TEST_URL, 'foo')
s = session.Session(a)
self.assertEqual({'X-Auth-Token': self.TEST_TOKEN},
s.get_auth_headers())
req = {'auth': {'token': {'id': 'foo'}}}
self.assertRequestBodyIs(json=req)
self.assertRequestHeaderEqual('x-Auth-Token', 'foo')
self.assertRequestHeaderEqual('Content-Type', 'application/json')
self.assertRequestHeaderEqual('Accept', 'application/json')
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
def _get_keystone_token(self, ks_version, auth_url, auth_token, tenant_id):
if int(ks_version) == 2:
auth = v2.Token(auth_url=auth_url,
token=auth_token,
tenant_id=tenant_id)
elif int(ks_version) == 3:
auth = v3.Token(auth_url=auth_url,
token=auth_token,
project_id=tenant_id)
else:
raise a10_ex.InvalidConfig(
'keystone version must be protocol version 2 or 3')
return self._get_keystone_stuff(ks_version, auth)
def _get_keystone_v2_auth(self, v2_auth_url, **kwargs):
auth_token = kwargs.pop('auth_token', None)
tenant_id = kwargs.pop('project_id', None)
tenant_name = kwargs.pop('project_name', None)
if auth_token:
return v2_auth.Token(v2_auth_url,
auth_token,
tenant_id=tenant_id,
tenant_name=tenant_name)
else:
return v2_auth.Password(v2_auth_url,
username=kwargs.pop('username', None),
password=kwargs.pop('password', None),
tenant_id=tenant_id,
tenant_name=tenant_name)
def get_plugin(self, auth_url=None, token=None, project_id=None, **kwargs):
if not all((auth_url, token)):
return None
if utils.get_keystone_version() >= 3:
return v3_auth.Token(auth_url=auth_url,
token=token,
project_id=project_id,
reauthenticate=False)
else:
return v2_auth.Token(auth_url=auth_url,
token=token,
tenant_id=project_id,
reauthenticate=False)
def authenticate(endpoint, token, login_user, login_password, tenant_name,
insecure):
"""Return a keystone client object"""
if token:
auth = v2.Token(auth_url=endpoint, token=token)
else:
auth = v2.Password(auth_url=endpoint, username=login_user,
password=login_password, tenant_name=tenant_name)
if insecure:
verify=False
else:
verify=True
sess = session.Session(auth=auth, verify=verify)
return client.Client(session=sess)
def get_token_auth_plugin(auth_url, token, project_id=None, domain_name=None):
if get_keystone_version() >= 3:
if domain_name:
return v3_auth.Token(auth_url=auth_url,
token=token,
domain_name=domain_name,
reauthenticate=False)
else:
return v3_auth.Token(auth_url=auth_url,
token=token,
project_id=project_id,
reauthenticate=False)
else:
return v2_auth.Token(auth_url=auth_url,
token=token,
tenant_id=project_id,
reauthenticate=False)
def test_resource_lazy_getattr(self):
auth = v2.Token(token=self.TEST_TOKEN,
auth_url='http://127.0.0.1:5000')
session_ = session.Session(auth=auth)
self.client = client.Client(session=session_)
self.useFixture(
fixtures.MockPatchObject(self.client._adapter,
'get',
side_effect=AttributeError,
autospec=True))
f = roles.Role(self.client.roles, {'id': 1, 'name': 'Member'})
self.assertEqual(f.name, 'Member')
# Missing stuff still fails after a second get
self.assertRaises(AttributeError, getattr, f, 'blahblah')
def keymanagerclient(request):
token = request.user.token.id
if keystone.get_version() < 3:
tenant_id = request.user.tenant_id
logwrap_info("using keystone v2")
ks_auth = v2.Token("https://%s:5000/v2.0" % settings.OPENSTACK_HOST,
token=token, tenant_id=tenant_id)
else:
project_id = request.user.project_id
domain_id = request.session.get('domain_context')
logwrap_info("using keystone v3")
ks_auth = v3.Token("https://%s:5000/v3" % settings.OPENSTACK_HOST,
token=token,
project_id=project_id,
project_domain_id=domain_id)
ks_session = session.Session(auth=ks_auth)
return client.Client(session=ks_session)
def get_auth_plugin(opts):
"""Create the right keystone connection depending on the version
for the api, if username/password and token are provided, username and
password takes precedence.
"""
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
user_domain_id=opts.os_user_domain_id,
project_domain_name=opts.os_project_domain_name,
project_domain_id=opts.os_project_domain_id,
project_id=opts.os_project_id)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name,
project_domain_id=opts.os_project_domain_id,
project_id=opts.os_project_id)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def _get_keystone_session(**kwargs):
# TODO(fabgia): the heavy lifting here should be really done by Keystone.
# Unfortunately Keystone does not support a richer method to perform
# discovery and return a single viable URL. A bug against Keystone has
# been filed: https://bugs.launchpad.net/python-keystoneclient/+bug/1330677
# first create a Keystone session
cacert = kwargs.pop('cacert', None)
cert = kwargs.pop('cert', None)
key = kwargs.pop('key', None)
insecure = kwargs.pop('insecure', False)
auth_url = kwargs.pop('auth_url', None)
project_id = kwargs.pop('project_id', None)
project_name = kwargs.pop('project_name', None)
token = kwargs['token']
timeout = kwargs.get('timeout')
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
# passing cert and key together is deprecated in favour of the
# requests lib form of having the cert and key as a tuple
cert = (cert, key)
# create the keystone client session
ks_session = session.Session(verify=verify, cert=cert, timeout=timeout)
v2_auth_url, v3_auth_url = _discover_auth_versions(ks_session, auth_url)
username = kwargs.pop('username', None)
user_id = kwargs.pop('user_id', None)
user_domain_name = kwargs.pop('user_domain_name', None)
user_domain_id = kwargs.pop('user_domain_id', None)
project_domain_name = kwargs.pop('project_domain_name', None)
project_domain_id = kwargs.pop('project_domain_id', None)
if v3_auth_url:
if not user_domain_id:
user_domain_id = 'default'
if not user_domain_name:
user_domain_name = 'default'
if not project_domain_id:
project_domain_id = 'default'
if not project_domain_name:
project_domain_name = 'default'
auth = None
use_domain = (user_domain_id or user_domain_name or project_domain_id
or project_domain_name)
use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
use_v2 = v2_auth_url and not use_domain
if use_v3 and token:
auth = v3_auth.Token(v3_auth_url,
token=token,
project_name=project_name,
project_id=project_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif use_v2 and token:
auth = v2_auth.Token(v2_auth_url,
token=token,
tenant_id=project_id,
tenant_name=project_name)
elif use_v3:
# the auth_url as v3 specified
# e.g. http://no.where:5000/v3
# Keystone will return only v3 as viable option
auth = v3_auth.Password(v3_auth_url,
username=username,
password=kwargs.pop('password', None),
user_id=user_id,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_name=project_name,
project_id=project_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif use_v2:
# the auth_url as v2 specified
# e.g. http://no.where:5000/v2.0
# Keystone will return only v2 as viable option
auth = v2_auth.Password(v2_auth_url,
username,
kwargs.pop('password', None),
tenant_id=project_id,
tenant_name=project_name)
else:
raise exc.CommandError('Unable to determine the Keystone version '
'to authenticate with using the given '
'auth_url.')
ks_session.auth = auth
return ks_session
def create_plugin(self, session, version, url, raw_status=None):
if discover.version_match((2, ), version):
return v2.Token(url, self._token, **self._v2_params)
elif discover.version_match((3, ), version):
return v3.Token(url, self._token, **self._v3_params)
def _get_keystone_session(self, **kwargs):
cacert = kwargs.pop('cacert', None)
cert = kwargs.pop('cert', None)
key = kwargs.pop('key', None)
insecure = kwargs.pop('insecure', False)
auth_url = kwargs.pop('auth_url', None)
project_id = kwargs.pop('project_id', None)
project_name = kwargs.pop('project_name', None)
token = kwargs.get('token')
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
# passing cert and key together is deprecated in favour of the
# requests lib form of having the cert and key as a tuple
cert = (cert, key)
# create the keystone client session
ks_session = session.Session(verify=verify, cert=cert)
v2_auth_url, v3_auth_url = self._discover_auth_versions(
ks_session, auth_url)
username = kwargs.pop('username', None)
user_id = kwargs.pop('user_id', None)
user_domain_name = kwargs.pop('user_domain_name', None)
user_domain_id = kwargs.pop('user_domain_id', None)
project_domain_name = kwargs.pop('project_domain_name', None)
project_domain_id = kwargs.pop('project_domain_id', None)
auth = None
use_domain = (user_domain_id or user_domain_name or project_domain_id
or project_domain_name)
use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
use_v2 = v2_auth_url and not use_domain
if use_v3 and token:
auth = v3_auth.Token(v3_auth_url,
token=token,
project_name=project_name,
project_id=project_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif use_v2 and token:
auth = v2_auth.Token(v2_auth_url,
token=token,
tenant_id=project_id,
tenant_name=project_name)
elif use_v3:
# The auth_url as v3 specified
# e.g. http://no.where:5000/v3
# Keystone will return only v3 as viable option
auth = v3_auth.Password(v3_auth_url,
username=username,
password=kwargs.pop('password', None),
user_id=user_id,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_name=project_name,
project_id=project_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif use_v2:
# The auth_url as v2 specified
# e.g. http://no.where:5000/v2.0
# Keystone will return only v2 as viable option
auth = v2_auth.Password(v2_auth_url,
username,
kwargs.pop('password', None),
tenant_id=project_id,
tenant_name=project_name)
else:
raise errors.ZaqarError('Unable to determine the Keystone version '
'to authenticate with using the given '
'auth_url.')
ks_session.auth = auth
return ks_session
