def _create_auth_plugin(self):
if self.trust_id:
importutils.import_module('keystonemiddleware.auth_token')
username = cfg.CONF.keystone_authtoken.admin_user
password = cfg.CONF.keystone_authtoken.admin_password
return v3.Password(username=username,
password=password,
user_domain_id='default',
auth_url=self._keystone_v3_endpoint,
trust_id=self.trust_id)
if self.auth_token_info:
auth_ref = access.AccessInfo.factory(body=self.auth_token_info,
auth_token=self.auth_token)
return _AccessInfoPlugin(self._keystone_v3_endpoint, auth_ref)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self._keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return v3.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id='default',
auth_url=self._keystone_v3_endpoint)
LOG.error(_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def stack_domain_user_token(self, username, project_id, password):
"""Get a token for a stack domain user."""
if not self.stack_domain:
# Note, no legacy fallback path as we don't want to deploy
# tokens for non stack-domain users inside instances
msg = _('Cannot get stack domain user token, no stack domain id '
'configured, please fix your heat.conf')
raise exception.Error(msg)
# Create a keystoneclient session, then request a token with no
# catalog (the token is expected to be used inside an instance
# where a specific endpoint will be specified, and user-data
# space is limited..)
if self._stack_domain_is_id:
auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
username=username,
password=password,
project_id=project_id,
user_domain_id=self.stack_domain)
else:
auth = kc_auth_v3.Password(auth_url=self.v3_endpoint,
username=username,
password=password,
project_id=project_id,
user_domain_name=self.stack_domain)
sess = session.Session(auth=auth)
# Note we do this directly via a post as there's currently
# no way to get a nocatalog token via keystoneclient
token_url = "%s/auth/tokens?nocatalog" % self.v3_endpoint
headers = {'Accept': 'application/json'}
if self._stack_domain_is_id:
domain = {'id': self.stack_domain}
else:
domain = {'name': self.stack_domain}
body = {
'auth': {
'scope': {
'project': {
'id': project_id
}
},
'identity': {
'password': {
'user': {
'domain': domain,
'password': password,
'name': username
}
},
'methods': ['password']
}
}
}
t = sess.post(token_url,
headers=headers,
json=body,
authenticated=False)
return t.headers['X-Subject-Token']
def test_with_multiple_scopes(self):
s = session.Session()
a = v3.Password(self.TEST_URL,
username=self.TEST_USER, password=self.TEST_PASS,
domain_id='x', project_id='x')
self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER, password=self.TEST_PASS,
domain_id='x', trust_id='x')
self.assertRaises(exceptions.AuthorizationFailure, a.get_auth_ref, s)
def create(name1):
auth_url = 'http://10.37.129.10:5000/v3'
username = '******'
user_domain_name = 'Default'
project_name = 'admin'
project_domain_name = 'Default'
password = '******'
auth = v3.Password(auth_url=auth_url,
username=username,
password=password,
project_name=project_name,
project_domain_name=project_domain_name,
user_domain_name=user_domain_name)
sess = session.Session(auth=auth)
keystone = keystoneapi.Client(session=sess)
# print keystone.projects.list()
nova = novapi.Client(2, session=keystone.session)
# print nova.glance.list()
image = nova.glance.find_image('CentOS7')
# print nova.flavors.list()
flavor = nova.flavors.find(name='m1.medium')
# print nova.neutron.list()
network = nova.neutron.find_network('test')
#name1="vm_api"
server = nova.servers.create(name=name1, image=image, flavor=flavor, nics=[{'net-id': network.id}])
def test_invalidate_response(self):
auth_responses = [{
'status_code': 200,
'json': self.TEST_RESPONSE_DICT,
'headers': {
'X-Subject-Token': 'token1'
}
}, {
'status_code': 200,
'json': self.TEST_RESPONSE_DICT,
'headers': {
'X-Subject-Token': 'token2'
}
}]
self.requests_mock.post('%s/auth/tokens' % self.TEST_URL,
auth_responses)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS)
s = session.Session(auth=a)
self.assertEqual('token1', s.get_token())
self.assertEqual({'X-Auth-Token': 'token1'}, s.get_auth_headers())
a.invalidate()
self.assertEqual('token2', s.get_token())
self.assertEqual({'X-Auth-Token': 'token2'}, s.get_auth_headers())
def test_authenticate_with_username_password_project_scoped(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
project_id=self.TEST_DOMAIN_ID)
s = session.Session(a)
self.assertEqual({'X-Auth-Token': self.TEST_TOKEN},
s.get_auth_headers())
req = {
'auth': {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': self.TEST_USER,
'password': self.TEST_PASS
}
}
},
'scope': {
'project': {
'id': self.TEST_DOMAIN_ID
}
}
}
}
self.assertRequestBodyIs(json=req)
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
self.assertEqual(s.auth.auth_ref.project_id, self.TEST_DOMAIN_ID)
def get_auth_plugin(opts):
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def dc_get_subcloud_sysinv_url(subcloud_name):
user_auth = v3.Password(
auth_url=CONF.endpoint_cache.auth_uri,
username=CONF.endpoint_cache.username,
user_domain_name=CONF.endpoint_cache.user_domain_name,
password=CONF.endpoint_cache.password,
project_name=CONF.endpoint_cache.project_name,
project_domain_name=CONF.endpoint_cache.project_domain_name,
)
timeout = CONF.endpoint_cache.http_connect_timeout
admin_session = session.Session(auth=user_auth, timeout=timeout)
ks_client = keystone_client.Client(
session=admin_session,
region_name=constants.REGION_ONE_NAME,
interface=constants.OS_INTERFACE_INTERNAL)
services = ks_client.services.list(name='sysinv')
if len(services) == 0:
raise Exception('Cannot find sysinv service')
s_id = services[0].id
sc_sysinv_urls = ks_client.endpoints.list(
service=s_id,
interface=constants.OS_INTERFACE_ADMIN,
region=subcloud_name)
if len(sc_sysinv_urls) == 0:
raise Exception('Cannot find sysinv endpoint for %s' % subcloud_name)
sc_sysinv_url = sc_sysinv_urls[0].url
LOG.info('%s sysinv endpoint %s' % (subcloud_name, sc_sysinv_url))
if not sc_sysinv_url:
raise Exception('{} sysinv endpoint is None'.format(subcloud_name))
return sc_sysinv_url
def get_auth_plugin(opts):
"""Create the right keystone connection depending on the version
for the api, if username/password and token are provided, username and
password takes precedence.
"""
auth_version = guess_auth_version(opts)
if opts.os_username:
if auth_version == '3':
return v3.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
project_name=opts.os_project_name,
user_domain_name=opts.os_user_domain_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Password(auth_url=opts.os_auth_url,
username=opts.os_username,
password=opts.os_password,
tenant_name=opts.os_tenant_name)
elif opts.os_token:
if auth_version == '3':
return v3.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
project_name=opts.os_project_name,
project_domain_name=opts.os_project_domain_name)
elif auth_version == '2.0':
return v2.Token(auth_url=opts.os_auth_url,
token=opts.os_token,
tenant_name=opts.os_tenant_name)
raise Exception('Unable to determine correct auth method, please provide'
' either username or token')
def login(username, password, domain='Default'):
"""
Perform the initial login to the BLL, using the given credentials. This
uses the "normal" keystone workflow of:
- Connecting to keystone and obtain an unscoped token (not scoped to any
particular project or domain)
- Get a list of projects available to the given user
- Select a project, and connect to keystone again (with the unscoped token)
to receive a project-scoped token.
Returns a keystone auth_ref, which contains the token, expiration, and
other info about the authentication
This function is primarily used in the initial login UI screen, but is
also used by the deploy service
"""
LOG.debug("Obtaining unscoped token for user %s", username)
auth = v3.Password(auth_url=get_auth_url(),
username=username,
password=password,
user_domain_name=domain,
unscoped=True)
unscoped_session = session.Session(auth=auth,
user_agent=USER_AGENT,
verify=verify_https())
try:
unscoped_token = unscoped_session.get_token()
except Exception as e:
raise BllAuthenticationFailedException(
"User is not authorized on the %s domain: [%s]" % (domain, str(e)))
return get_appropriate_auth_ref(unscoped_token)
def _get_client(auth_url=None, token=None, login_username=None, login_password=None, login_project_name=None,
login_project_domain_name=None, login_user_domain_name=None, login_domain_name=None,
insecure=False, ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = None
if login_domain_name and login_project_name:
raise Exception("Token can be scoped either to project or domain. Use either domain or project")
if token:
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
else:
auth_plugin = v3.Password(auth_url=auth_url, username=login_username, password=login_password,
project_name=login_project_name, project_domain_name=login_project_domain_name,
user_domain_name=login_user_domain_name, domain_name=login_domain_name)
verify = False
if not insecure:
# Caller wants cert verification
verify = ca_cert or True
# Client cert is not supported now. Will add it later with cert=client_cert option
auth_session = session.Session(
auth=auth_plugin, verify=verify)
return v3client.Client(auth_url=auth_url, session=auth_session)
def v3_authenticate(self):
auth = v3.Password(auth_url=self.auth_url,
user_id=self.user_id,
password=self.password,
project_id=self.project_id)
self.session = ksc_session.Session(auth=auth, verify=False)
self.token = self.session.auth.get_token(self.session)
def _get_keystone_session(cloud):
authsplit = cloud.authurl.split('/')
version = int(float(authsplit[-1][1:])) if len(authsplit[-1]) > 0 else int(
float(authsplit[-2][1:]))
if version == 2:
try:
auth = v2.Password(auth_url=cloud.authurl,
username=cloud.username,
password=cloud.password,
tenant_name=cloud.project)
sess = session.Session(auth=auth,
verify=config.cert_auth_bundle_path)
except Exception as exc:
print(
"Problem importing keystone modules, and getting session: %s" %
exc)
return sess
elif version == 3:
#connect using keystone v3
try:
auth = v3.Password(auth_url=cloud.authurl,
username=cloud.username,
password=cloud.password,
project_name=cloud.project,
user_domain_name=cloud.user_domain_name,
project_domain_name=cloud.project_domain_name)
sess = session.Session(auth=auth,
verify=config.cert_auth_bundle_path)
except Exception as exc:
print(
"Problem importing keystone modules, and getting session: %s" %
exc)
return sess
def _password_session(request):
# TODO(garcianavalon) better domain usage
domain = 'default'
endpoint = getattr(settings, 'OPENSTACK_KEYSTONE_URL')
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
verify = getattr(settings, 'OPENSTACK_SSL_CACERT', True)
if insecure:
verify = False
credentials = getattr(settings, 'IDM_USER_CREDENTIALS')
LOG.debug(
('Creating a new internal keystoneclient '
'connection to %s.'),
endpoint)
auth = v3.Password(
username=credentials['username'],
password=credentials['password'],
project_name=credentials['project'],
user_domain_id=domain,
project_domain_id=domain,
auth_url=endpoint)
return session.Session(auth=auth, verify=verify)
def authenticate_keystone_admin(self,
keystone_sentry,
user,
password,
tenant=None,
api_version=None,
keystone_ip=None):
"""Authenticates admin user with the keystone admin endpoint."""
self.log.debug('Authenticating keystone admin...')
unit = keystone_sentry
if not keystone_ip:
keystone_ip = unit.relation('shared-db',
'mysql:shared-db')['private-address']
base_ep = "http://{}:35357".format(keystone_ip.strip().decode('utf-8'))
if not api_version or api_version == 2:
ep = base_ep + "/v2.0"
return keystone_client.Client(username=user,
password=password,
tenant_name=tenant,
auth_url=ep)
else:
ep = base_ep + "/v3"
auth = keystone_id_v3.Password(
user_domain_name='default',
username=user,
password=password,
domain_name='default',
auth_url=ep,
)
sess = keystone_session.Session(auth=auth)
return keystone_client_v3.Client(session=sess)
def trusts_auth_plugin(self):
if self._trusts_auth_plugin:
return self._trusts_auth_plugin
self._trusts_auth_plugin = auth.load_from_conf_options(
cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id)
if self._trusts_auth_plugin:
return self._trusts_auth_plugin
LOG.warning(_LW('Using the keystone_authtoken user '
'as the conveyorheat '
'trustee user directly is deprecated. Please add the '
'trustee credentials you need to the %s section of '
'your heat.conf file.') % TRUSTEE_CONF_GROUP)
cfg.CONF.import_group('keystone_authtoken',
'keystonemiddleware.auth_token')
trustee_user_domain = 'default'
if 'user_domain_id' in cfg.CONF.keystone_authtoken:
trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id
self._trusts_auth_plugin = v3.Password(
username=cfg.CONF.keystone_authtoken.admin_user,
password=cfg.CONF.keystone_authtoken.admin_password,
user_domain_id=trustee_user_domain,
auth_url=self.keystone_v3_endpoint,
trust_id=self.trust_id)
return self._trusts_auth_plugin
def _resolve_project_name(self, tenant_id):
try:
username = cfg.CONF[self.name].keystone_auth_name
passwd = cfg.CONF[self.name].keystone_auth_pass
project = cfg.CONF[self.name].keystone_auth_project
url = cfg.CONF[self.name].keystone_auth_url
except KeyError:
LOG.debug('Missing a config setting for keystone auth.')
return
try:
auth = v3.Password(auth_url=url,
user_id=username,
password=passwd,
project_id=project)
sess = session.Session(auth=auth)
keystone = client.Client(session=sess, auth_url=url)
except keystoneexceptions.AuthorizationFailure:
LOG.debug('Keystone client auth failed.')
return
projectmanager = projects.ProjectManager(keystone)
proj = projectmanager.get(tenant_id)
if proj:
LOG.debug('Resolved project id %s as %s' % (tenant_id, proj.name))
return proj.name
else:
return 'unknown'
def nova_login(username, password, projectname, auth_url, user_domain_name,
project_domain_name, ssl_insecure, cacert, apitimeout):
legacy_import = False
try:
from keystoneauth1 import loading
from keystoneauth1 import session as ksc_session
from keystoneauth1.exceptions.discovery import DiscoveryFailure
from keystoneauth1.exceptions.http import Unauthorized
except ImportError:
try:
from keystoneclient import session as ksc_session
from keystoneclient.auth.identity import v3
legacy_import = True
except ImportError:
fail_usage("Failed: Keystone client not found or not accessible")
if not legacy_import:
loader = loading.get_plugin_loader("password")
auth = loader.load_from_options(
auth_url=auth_url,
username=username,
password=password,
project_name=projectname,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
)
else:
auth = v3.Password(
auth_url=auth_url,
username=username,
password=password,
project_name=projectname,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name,
cacert=cacert,
)
caverify = True
if ssl_insecure:
caverify = False
elif cacert:
caverify = cacert
session = ksc_session.Session(auth=auth,
verify=caverify,
timeout=apitimeout)
nova = client.Client("2", session=session, timeout=apitimeout)
apiversion = None
try:
apiversion = nova.versions.get_current()
except DiscoveryFailure as e:
fail_usage("Failed: Discovery Failure: " + str(e))
except Unauthorized as e:
fail_usage("Failed: Unauthorized: " + str(e))
except Exception as e:
logging.error(e)
logging.debug("Nova version: %s", apiversion)
return nova
def dc_get_service_endpoint_url(region, service_name, endpoint_type):
user_auth = v3.Password(
auth_url=CONF.endpoint_cache.auth_uri,
username=CONF.endpoint_cache.username,
user_domain_name=CONF.endpoint_cache.user_domain_name,
password=CONF.endpoint_cache.password,
project_name=CONF.endpoint_cache.project_name,
project_domain_name=CONF.endpoint_cache.project_domain_name,
)
timeout = CONF.endpoint_cache.http_connect_timeout
admin_session = session.Session(auth=user_auth, timeout=timeout)
ks_client = keystone_client.Client(
session=admin_session,
region_name=constants.REGION_ONE_NAME,
interface=constants.OS_INTERFACE_INTERNAL)
services = ks_client.services.list(name=service_name)
if len(services) == 0:
raise Exception('Cannot find %s service' % service_name)
s_id = services[0].id
endpoint_urls = ks_client.endpoints.list(service=s_id,
interface=endpoint_type,
region=region)
if len(endpoint_urls) == 0:
raise Exception('Cannot find %s endpoint for %s' %
(service_name, region))
endpoint_url = endpoint_urls[0].url
LOG.info('%s %s endpoint %s' % (region, service_name, endpoint_url))
return endpoint_url
def _get_keystone_session(self, **kwargs):
ks_session = session.Session.construct(kwargs)
# discover the supported keystone versions using the given auth url
auth_url = kwargs.pop('auth_url', None)
(v2_auth_url,
v3_auth_url) = self._discover_auth_versions(session=ks_session,
auth_url=auth_url)
# Determine which authentication plugin to use. First inspect the
# auth_url to see the supported version. If both v3 and v2 are
# supported, then use the highest version if possible.
user_id = kwargs.pop('user_id', None)
username = kwargs.pop('username', None)
password = kwargs.pop('password', None)
user_domain_name = kwargs.pop('user_domain_name', None)
user_domain_id = kwargs.pop('user_domain_id', None)
# project and tenant can be used interchangeably
project_id = (kwargs.pop('project_id', None)
or kwargs.pop('tenant_id', None))
project_name = (kwargs.pop('project_name', None)
or kwargs.pop('tenant_name', None))
project_domain_id = kwargs.pop('project_domain_id', None)
project_domain_name = kwargs.pop('project_domain_name', None)
auth = None
use_domain = (user_domain_id or user_domain_name or project_domain_id
or project_domain_name)
use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
use_v2 = v2_auth_url and not use_domain
if use_v3:
auth = v3_auth.Password(v3_auth_url,
user_id=user_id,
username=username,
password=password,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
elif use_v2:
auth = v2_auth.Password(v2_auth_url,
username,
password,
tenant_id=project_id,
tenant_name=project_name)
else:
# if we get here it means domain information is provided
# (caller meant to use Keystone V3) but the auth url is
# actually Keystone V2. Obviously we can't authenticate a V3
# user using V2.
exc.CommandError("Credential and auth_url mismatch. The given "
"auth_url is using Keystone V2 endpoint, which "
"may not able to handle Keystone V3 credentials. "
"Please provide a correct Keystone V3 auth_url.")
ks_session.auth = auth
return ks_session
def keystone_auth():
'''
Authenticate with Keystone
NOTE: user_domain_name and project_domain_name are required for auth to
work properly. Not documented anywhere!
'''
try:
rc = myrc()
if int(rc['OS_IDENTITY_API_VERSION']) == 3:
keystone_version = 3
auth = v3.Password(auth_url=rc['OS_AUTH_URL'],
username=rc['OS_USERNAME'],
password=rc['OS_PASSWORD'],
project_name=rc['OS_TENANT_NAME'],
user_domain_name='default',
project_domain_name='default')
s = session.Session(auth=auth)
return s
except KeyError:
keystone_version = 2
auth = v2.Password(auth_url=rc['OS_AUTH_URL'],
username=rc['OS_USERNAME'],
password=rc['OS_PASSWORD'],
project_name=rc['OS_TENANT_NAME'])
s = session.Session(auth=auth)
return s
except Exception, e:
warning('keystone_auth()', repr(e))
sys.exit()
def auth(self):
auth = v3.Password(auth_url=self.auth_url, username=self.username,
password=self.password,
project_name=self.project_name,
user_domain_id=self.user_domain_id,
project_domain_name=self.project_domain_name)
return auth
def test_authenticate_with_username_password(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS)
s = session.Session(auth=a)
self.assertEqual({'X-Auth-Token': self.TEST_TOKEN},
s.get_auth_headers())
req = {
'auth': {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': self.TEST_USER,
'password': self.TEST_PASS
}
}
}
}
}
self.assertRequestBodyIs(json=req)
self.assertRequestHeaderEqual('Content-Type', 'application/json')
self.assertRequestHeaderEqual('Accept', 'application/json')
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
def test_authenticate_with_username_password_domain_scoped(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
domain_id=self.TEST_DOMAIN_ID)
s = session.Session(a)
s.get_token()
req = {
'auth': {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': self.TEST_USER,
'password': self.TEST_PASS
}
}
},
'scope': {
'domain': {
'id': self.TEST_DOMAIN_ID
}
}
}
}
self.assertRequestBodyIs(json=req)
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
def test_with_trust_id(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
trust_id='trust')
s = session.Session(a)
self.assertEqual({'X-Auth-Token': self.TEST_TOKEN},
s.get_auth_headers())
req = {
'auth': {
'identity': {
'methods': ['password'],
'password': {
'user': {
'name': self.TEST_USER,
'password': self.TEST_PASS
}
}
},
'scope': {
'OS-TRUST:trust': {
'id': 'trust'
}
}
}
}
self.assertRequestBodyIs(json=req)
self.assertEqual(s.auth.auth_ref.auth_token, self.TEST_TOKEN)
def test_with_domain_and_project_scoping(self):
a = v3.Password(self.TEST_URL,
username='******',
password='******',
project_id='project',
domain_id='domain')
self.assertRaises(exceptions.AuthorizationFailure, a.get_token, None)
def client_for_admin_user():
auth = v3.Password(auth_url=OS_AUTH_URL,
user_id=OS_USER_ID,
password=OS_PASSWORD,
project_id=OS_PROJECT_ID)
session = ksc_session.Session(auth=auth)
return keystone_v3.Client(session=session)
def _get_client(self):
if self._client is not None:
return self._client
if (self.tenant_id is not None or self.tenant_name is not None):
auth = v2_auth.Password(auth_url=self.auth_url,
username=self.username,
password=self.password,
tenant_id=self.tenant_id,
tenant_name=self.tenant_name)
elif self.project_name is not None:
auth = v3_auth.Password(
auth_url=self.auth_url,
username=self.username,
password=self.password,
project_name=self.project_name,
project_domain_name=self.project_domain_name,
user_domain_name=self.user_domain_name)
else:
auth = None
session = ks_session.Session(auth=auth)
self._client = client.Client(session=session,
service_type=self.service_type)
return self._client
def get_v3_auth(self, v3_auth_url):
username = self.options.os_username
user_id = self.options.os_user_id
user_domain_name = self.options.os_user_domain_name
user_domain_id = self.options.os_user_domain_id
password = self.options.os_password
project_id = self.options.os_project_id or self.options.os_tenant_id
project_name = (self.options.os_project_name
or self.options.os_tenant_name)
project_domain_name = self.options.os_project_domain_name
project_domain_id = self.options.os_project_domain_id
return v3_auth.Password(
v3_auth_url,
username=username,
password=password,
user_id=user_id,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_id=project_id,
project_name=project_name,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id,
)
def __init__(self, config_path, debug, log=None, region=None):
self.config_path = config_path
self.config = utils.get_config(config_path)
self.logger = utils.get_logger(__name__, self.config, debug, log)
self.logger.debug('=> config file: %s' % config_path)
self.debug = debug
self.dry_run = False
openstack = self.get_config_section('openstack')
auth = v3.Password(auth_url=openstack['auth_url'],
username=openstack['username'],
password=openstack['password'],
project_name=openstack['project_name'],
user_domain_name=openstack['default_domain'],
project_domain_name=openstack['default_domain'])
if 'keystone_cachain' in openstack:
self.sess = session.Session(auth=auth,
verify=openstack['keystone_cachain'])
else:
self.sess = session.Session(auth=auth)
if region:
self.region = region
else:
self.region = self.get_config('openstack', 'region')