def __init__(self, *args, **kwargs): network_args = {} network_args.update(settings.OPENSTACK_ARGS) network_args.update(settings.OPENSTACK_NETWORK_ARGS) self.user_manager = UserManager(**settings.OPENSTACK_ARGS.copy()) self.network_manager = NetworkManager(**network_args)
def __init__(self, provider=None, *args, **kwargs): if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs # Build credentials for each manager self.user_creds = self._build_user_creds(all_creds) self.image_creds = self._build_image_creds(all_creds) self.net_creds = self._build_network_creds(all_creds) #Initialize managers with respective credentials self.user_manager = UserManager(**self.user_creds) self.image_manager = ImageManager(**self.image_creds) self.network_manager = NetworkManager(**self.net_creds)
def __init__(self, provider=None, *args, **kwargs): super(AccountDriver, self).__init__() if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs if 'location' in all_creds: self.namespace = "Atmosphere_OpenStack:%s" % all_creds['location'] else: logger.info("Using default namespace.. Could cause conflicts if " "switching between providers. To avoid ambiguity, " "provide the kwarg: location='provider_prefix'") # Build credentials for each manager self.credentials = all_creds ex_auth_version = all_creds.get("ex_force_auth_version", '2.0_password') if ex_auth_version.startswith('2'): self.identity_version = 2 elif ex_auth_version.startswith('3'): self.identity_version = 3 else: raise Exception("Could not determine identity_version of %s" % ex_auth_version) user_creds = self._build_user_creds(all_creds) image_creds = self._build_image_creds(all_creds) net_creds = self._build_network_creds(all_creds) sdk_creds = self._build_sdk_creds(all_creds) # Initialize managers with respective credentials self.user_manager = UserManager(**user_creds) self.image_manager = ImageManager(**image_creds) self.network_manager = NetworkManager(**net_creds) self.openstack_sdk = _connect_to_openstack_sdk(**sdk_creds)
def __init__(self, provider=None, *args, **kwargs): super(AccountDriver, self).__init__() if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs if 'location' in all_creds: self.namespace = "Atmosphere_OpenStack:%s" % all_creds['location'] else: logger.info("Using default namespace.. Could cause conflicts if " "switching between providers. To avoid ambiguity, " "provide the kwarg: location='provider_prefix'") # Build credentials for each manager self.user_creds = self._build_user_creds(all_creds) self.image_creds = self._build_image_creds(all_creds) self.net_creds = self._build_network_creds(all_creds) #Initialize managers with respective credentials self.user_manager = UserManager(**self.user_creds) self.image_manager = ImageManager(**self.image_creds) self.network_manager = NetworkManager(**self.net_creds)
class AccountDriver(): user_manager = None image_manager = None network_manager = None core_provider = None MASTER_RULES_LIST = [ ("ICMP", -1, 255), #FTP Access ("UDP", 20, 20), # FTP data transfer ("TCP", 20, 21), # FTP control #SSH & Telnet Access ("TCP", 22, 23), ("UDP", 22, 23), # SMTP Mail #("TCP", 25, 25), # HTTP Access ("TCP", 80, 80), # POP Mail #("TCP", 109, 110), # SFTP Access ("TCP", 115, 115), # SQL Access #("TCP", 118, 118), #("UDP", 118, 118), # IMAP Access #("TCP", 143, 143), # SNMP Access #("UDP", 161, 161), # LDAP Access ("TCP", 389, 389), ("UDP", 389, 389), # HTTPS Access ("TCP", 443, 443), # LDAPS Access ("TCP", 636, 636), ("UDP", 636, 636), # Open up >1024 ("TCP", 1024, 4199), ("UDP", 1024, 4199), #SKIP PORT 4200.. See Below ("TCP", 4201, 65535), ("UDP", 4201, 65535), # Poke hole in 4200 for iPlant VMs proxy-access only (Shellinabox) ("TCP", 4200, 4200, "128.196.0.0/16"), ("UDP", 4200, 4200, "128.196.0.0/16"), ("TCP", 4200, 4200, "150.135.0.0/16"), ("UDP", 4200, 4200, "150.135.0.0/16"), ] def _init_by_provider(self, provider, *args, **kwargs): from service.driver import get_esh_driver self.core_provider = provider provider_creds = provider.get_credentials() self.provider_creds = provider_creds admin_identity = provider.get_admin_identity() admin_creds = admin_identity.get_credentials() self.admin_driver = get_esh_driver(admin_identity) admin_creds = self._libcloud_to_openstack(admin_creds) all_creds = {'location': provider.get_location()} all_creds.update(admin_creds) all_creds.update(provider_creds) return all_creds def __init__(self, provider=None, *args, **kwargs): if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs # Build credentials for each manager self.user_creds = self._build_user_creds(all_creds) self.image_creds = self._build_image_creds(all_creds) self.net_creds = self._build_network_creds(all_creds) #Initialize managers with respective credentials self.user_manager = UserManager(**self.user_creds) self.image_manager = ImageManager(**self.image_creds) self.network_manager = NetworkManager(**self.net_creds) def create_account(self, username, password=None, project_name=None, role_name=None, quota=None, max_quota=False): """ Create (And Update "latest changes") to an account """ if not self.core_provider: raise Exception("AccountDriver not initialized by provider," " cannot create identity. For account creation use" " build_account()") if username in self.core_provider.list_admin_names(): return (username, password, project) = self.build_account( username, password, project_name, role_name, max_quota) ident = self.create_identity(username, password, project.name, quota=quota, max_quota=max_quota) return ident def build_account(self, username, password, project_name=None, role_name=None, max_quota=False): finished = False #Attempt account creation while not finished: try: if not password: password = self.hashpass(username) if not project_name: project_name = username #1. Create Project: should exist before creating user project = self.user_manager.get_project(project_name) if not project: project = self.user_manager.create_project(project_name) # 2. Create User (And add them to the project) user = self.get_user(username) if not user: logger.info("Creating account: %s - %s - %s" % (username, password, project)) user = self.user_manager.create_user(username, password, project) # 3.1 Include the admin in the project #TODO: providercredential initialization of # "default_admin_role" self.user_manager.include_admin(project_name) # 3.2 Check the user has been given an appropriate role if not role_name: role_name = "_member_" self.user_manager.add_project_membership( project_name, username, role_name) # 4. Create a security group -- SUSPENDED.. Will occur on # instance launch instead. #self.init_security_group(user, password, project, # project.name, # self.MASTER_RULES_LIST) # 5. Create a keypair to use when launching with atmosphere self.init_keypair(user.name, password, project.name) finished = True except ConnectionError: logger.exception("Connection reset by peer. " "Waiting for one minute.") time.sleep(60) # Wait one minute except OverLimit: logger.exception("OverLimit on POST requests. " "Waiting for one minute.") time.sleep(60) # Wait one minute return (username, password, project) def init_keypair(self, username, password, project_name): keyname = settings.ATMOSPHERE_KEYPAIR_NAME with open(settings.ATMOSPHERE_KEYPAIR_FILE, "r") as pub_key_file: public_key = pub_key_file.read() return self.get_or_create_keypair(username, password, project_name, keyname, public_key) def init_security_group(self, username, password, project_name, security_group_name, rules_list): # 4.1. Update the account quota to hold a larger number of # roles than what is necessary user = self.user_manager.keystone.users.find(name=username) project = self.user_manager.keystone.tenants.find(name=project_name) nc = self.user_manager.nova rule_max = max(len(rules_list), 100) nc.quotas.update(project.id, security_group_rules=rule_max) #Change the description of the security group to match the project name try: #Create the default security group nova = self.user_manager.build_nova(username, password, project_name) sec_groups = nova.security_groups.list() if not sec_groups: nova.security_group.create("default", project_name) self.network_manager.rename_security_group(project) except ConnectionError, ce: logger.exception( "Failed to establish connection." " Security group creation FAILED") return None except NeutronClientException, nce: if nce.status_code != 404: logger.exception("Encountered unknown exception while renaming" " the security group") return None
class AccountDriver(): user_manager = None network_manager = None def __init__(self, *args, **kwargs): network_args = {} network_args.update(settings.OPENSTACK_ARGS) network_args.update(settings.OPENSTACK_NETWORK_ARGS) self.user_manager = UserManager(**settings.OPENSTACK_ARGS.copy()) self.network_manager = NetworkManager(**network_args) def get_openstack_clients(self, username, password=None, tenant_name=None): user_creds = self._get_openstack_credentials(username, password, tenant_name) neutron = self.network_manager.new_connection(**user_creds) keystone = _connect_to_keystone(*args, **kwargs) nova = _connect_to_nova(*args, **kwargs) glance = _connect_to_glance(keystone, *args, **kwargs) return { 'glance': glance, 'keystone': keystone, 'nova': nova, 'neutron': neutron, 'horizon': self._get_horizon_url(keystone.tenant_id) } def _get_horizon_url(self, tenant_id): parsed_url = urlparse(settings.OPENSTACK_AUTH_URL) return 'https://%s/horizon/auth/switch/%s/?next=/horizon/project/' %\ (parsed_url.hostname, tenant_id) def create_account(self, username, admin_role=False, max_quota=False): """ Create (And Update 'latest changes') to an account """ finished = False # Special case for admin.. Use the Openstack admin identity.. if username == 'admin': ident = self.create_openstack_identity( settings.OPENSTACK_ADMIN_KEY, settings.OPENSTACK_ADMIN_SECRET, settings.OPENSTACK_ADMIN_TENANT) return ident #Attempt account creation while not finished: try: password = self.hashpass(username) # Retrieve user, or create user & project user = self.get_or_create_user(username, password, True, admin_role) logger.debug(user) project = self.get_project(username) logger.debug(project) roles = user.list_roles(project) logger.debug(roles) if not roles: self.user_manager.add_project_member(username, username, admin_role) self.user_manager.build_security_group( user.name, self.hashpass(user.name), project.name) finished = True except OverLimit: print 'Requests are rate limited. Pausing for one minute.' time.sleep(60) # Wait one minute #(user, group) = self.create_usergroup(username) return (user, password, project) # was user # Useful methods called from above.. def get_or_create_user(self, username, password=None, usergroup=True, admin=False): user = self.get_user(username) if user: return user user = self.create_user(username, password, usergroup, admin) return user def create_user(self, username, password=None, usergroup=True, admin=False): if not password: password = self.hashpass(username) if usergroup: (project, user, role) = self.user_manager.add_usergroup(username, password, True, admin) else: user = self.user_manager.add_user(username, password) project = self.user_manager.get_project(username) #TODO: Instead, return user.get_user match, or call it if you have to.. return user def delete_user(self, username, usergroup=True, admin=False): project = self.user_manager.get_project(username) if project: self.network_manager.delete_project_network(username, project.name) if usergroup: deleted = self.user_manager.delete_usergroup(username) else: deleted = self.user_manager.delete_user(username) return deleted def hashpass(self, username): return sha1(username).hexdigest() def get_project_name_for(self, username): """ This should always map project to user For now, they are identical.. """ return username def get_project(self, project): return self.user_manager.get_project(project) def list_projects(self): return self.user_manager.list_projects() def get_user(self, user): return self.user_manager.get_user(user) def list_users(self): return self.user_manager.list_users() def list_usergroup_names(self): return [user.name for (user, project) in self.list_usergroups()] def list_usergroups(self): users = self.list_users() groups = self.list_projects() usergroups = [] for group in groups: for user in users: if user.name in group.name and\ settings.OPENSTACK_ADMIN_KEY not in user.name: usergroups.append((user, group)) break return usergroups def _get_openstack_credentials(self, username, password=None, tenant_name=None): if not tenant_name: tenant_name = self.get_project_name_for(username) if not password: password = self.hashpass(tenant_name) user_creds = {'auth_url': self.user_manager.nova.client.auth_url, 'region_name': self.user_manager.nova.client.region_name, 'username': username, 'password': password, 'tenant_name': tenant_name} return user_creds
class AccountDriver(): user_manager = None image_manager = None network_manager = None core_provider = None MASTER_RULES_LIST = [ ("ICMP", -1, 255), #FTP Access ("UDP", 20, 20), # FTP data transfer ("TCP", 20, 21), # FTP control #SSH & Telnet Access ("TCP", 22, 23), ("UDP", 22, 23), # SMTP Mail #("TCP", 25, 25), # HTTP Access ("TCP", 80, 80), # POP Mail #("TCP", 109, 110), # SFTP Access ("TCP", 115, 115), # SQL Access #("TCP", 118, 118), #("UDP", 118, 118), # IMAP Access #("TCP", 143, 143), # SNMP Access #("UDP", 161, 161), # LDAP Access ("TCP", 389, 389), ("UDP", 389, 389), # HTTPS Access ("TCP", 443, 443), # LDAPS Access ("TCP", 636, 636), ("UDP", 636, 636), # Open up >1024 ("TCP", 1024, 4199), ("UDP", 1024, 4199), #SKIP PORT 4200.. See Below ("TCP", 4201, 65535), ("UDP", 4201, 65535), # Poke hole in 4200 for iPlant VMs proxy-access only (Shellinabox) ("TCP", 4200, 4200, "128.196.0.0/16"), ("UDP", 4200, 4200, "128.196.0.0/16"), ("TCP", 4200, 4200, "150.135.0.0/16"), ("UDP", 4200, 4200, "150.135.0.0/16"), ] def _init_by_provider(self, provider, *args, **kwargs): from api import get_esh_driver self.core_provider = provider provider_creds = provider.get_credentials() self.provider_creds = provider_creds admin_identity = provider.get_admin_identity() admin_creds = admin_identity.get_credentials() self.admin_driver = get_esh_driver(admin_identity) admin_creds = self._libcloud_to_openstack(admin_creds) all_creds = {'location': provider.get_location()} all_creds.update(admin_creds) all_creds.update(provider_creds) return all_creds def __init__(self, provider=None, *args, **kwargs): if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs # Build credentials for each manager self.user_creds = self._build_user_creds(all_creds) self.image_creds = self._build_image_creds(all_creds) self.net_creds = self._build_network_creds(all_creds) #Initialize managers with respective credentials self.user_manager = UserManager(**self.user_creds) self.image_manager = ImageManager(**self.image_creds) self.network_manager = NetworkManager(**self.net_creds) def create_account(self, username, password=None, project_name=None, role_name=None, quota=None, max_quota=False): """ Create (And Update "latest changes") to an account """ if not self.core_provider: raise Exception("AccountDriver not initialized by provider," " cannot create identity. For account creation use" " build_account()") if username in self.core_provider.list_admin_names(): return (username, password, project) = self.build_account( username, password, project_name, role_name, max_quota) ident = self.create_identity(username, password, project.name, quota=quota, max_quota=max_quota) return ident def build_account(self, username, password, project_name=None, role_name=None, max_quota=False): finished = False #Attempt account creation while not finished: try: if not password: password = self.hashpass(username) if not project_name: project_name = username #1. Create Project: should exist before creating user project = self.user_manager.get_project(project_name) if not project: project = self.user_manager.create_project(project_name) # 2. Create User (And add them to the project) user = self.get_user(username) if not user: logger.info("Creating account: %s - %s - %s" % (username, password, project)) user = self.user_manager.create_user(username, password, project) # 3.1 Include the admin in the project #TODO: providercredential initialization of # "default_admin_role" self.user_manager.include_admin(project_name) # 3.2 Check the user has been given an appropriate role if not role_name: role_name = "_member_" self.user_manager.add_project_membership( project_name, username, role_name) # 4. Create a security group -- SUSPENDED.. Will occur on # instance launch instead. #self.init_security_group(user, password, project, # project.name, # self.MASTER_RULES_LIST) # 5. Create a keypair to use when launching with atmosphere self.init_keypair(user.name, password, project.name) finished = True except ConnectionError: logger.exception("Connection reset by peer. " "Waiting for one minute.") time.sleep(60) # Wait one minute except OverLimit: logger.exception("OverLimit on POST requests. " "Waiting for one minute.") time.sleep(60) # Wait one minute return (username, password, project) def init_keypair(self, username, password, project_name): keyname = settings.ATMOSPHERE_KEYPAIR_NAME with open(settings.ATMOSPHERE_KEYPAIR_FILE, "r") as pub_key_file: public_key = pub_key_file.read() return self.get_or_create_keypair(username, password, project_name, keyname, public_key) def init_security_group(self, username, password, project_name, security_group_name, rules_list): # 4.1. Update the account quota to hold a larger number of # roles than what is necessary user = self.user_manager.keystone.users.find(name=username) project = self.user_manager.keystone.tenants.find(name=project_name) nc = self.user_manager.nova rule_max = max(len(rules_list), 100) nc.quotas.update(project.id, security_group_rules=rule_max) #Change the description of the security group to match the project name try: #Create the default security group nova = self.user_manager.build_nova(username, password, project_name) sec_groups = nova.security_groups.list() if not sec_groups: nova.security_group.create("default", project_name) self.network_manager.rename_security_group(project) except ConnectionError, ce: logger.exception( "Failed to establish connection." " Security group creation FAILED") return None except NeutronClientException, nce: if nce.status_code != 404: logger.exception("Encountered unknown exception while renaming" " the security group") return None
class AccountDriver(BaseAccountDriver): user_manager = None image_manager = None network_manager = None core_provider = None MASTER_RULES_LIST = [ ("ICMP", -1, -1), # FTP Access ("UDP", 20, 20), # FTP data transfer ("TCP", 20, 21), # FTP control # SSH & Telnet Access ("TCP", 22, 23), ("UDP", 22, 23), # SMTP Mail # HTTP Access ("TCP", 80, 80), # POP Mail # SFTP Access ("TCP", 115, 115), # SQL Access # IMAP Access # SNMP Access # LDAP Access ("TCP", 389, 389), ("UDP", 389, 389), # HTTPS Access ("TCP", 443, 443), # LDAPS Access ("TCP", 636, 636), ("UDP", 636, 636), # Open up >1024 ("TCP", 1024, 4199), ("UDP", 1024, 4199), # SKIP PORT 4200.. See Below ("TCP", 4201, 65535), ("UDP", 4201, 65535), # Poke hole in 4200 for iPlant VMs proxy-access only (Shellinabox) ("TCP", 4200, 4200, "128.196.0.0/16"), ("UDP", 4200, 4200, "128.196.0.0/16"), ("TCP", 4200, 4200, "150.135.0.0/16"), ("UDP", 4200, 4200, "150.135.0.0/16"), ] def clear_cache(self): self.admin_driver.provider.machineCls.invalidate_provider_cache( self.admin_driver.provider) return self.admin_driver def _init_by_provider(self, provider, *args, **kwargs): from service.driver import get_esh_driver self.core_provider = provider provider_creds = provider.get_credentials() self.provider_creds = provider_creds admin_identity = provider.admin admin_creds = admin_identity.get_credentials() self.admin_driver = get_esh_driver(admin_identity) admin_creds = self._libcloud_to_openstack(admin_creds) all_creds = {'location': provider.get_location()} all_creds.update(admin_creds) all_creds.update(provider_creds) return all_creds def __init__(self, provider=None, *args, **kwargs): super(AccountDriver, self).__init__() if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs if 'location' in all_creds: self.namespace = "Atmosphere_OpenStack:%s" % all_creds['location'] else: logger.info("Using default namespace.. Could cause conflicts if " "switching between providers. To avoid ambiguity, " "provide the kwarg: location='provider_prefix'") # Build credentials for each manager self.credentials = all_creds ex_auth_version = all_creds.get("ex_force_auth_version", '2.0_password') if ex_auth_version.startswith('2'): self.identity_version = 2 elif ex_auth_version.startswith('3'): self.identity_version = 3 else: raise Exception("Could not determine identity_version of %s" % ex_auth_version) user_creds = self._build_user_creds(all_creds) image_creds = self._build_image_creds(all_creds) net_creds = self._build_network_creds(all_creds) sdk_creds = self._build_sdk_creds(all_creds) # Initialize managers with respective credentials self.user_manager = UserManager(**user_creds) self.image_manager = ImageManager(**image_creds) self.network_manager = NetworkManager(**net_creds) self.openstack_sdk = _connect_to_openstack_sdk(**sdk_creds) def create_account(self, username, password=None, project_name=None, role_name=None, quota=None, max_quota=False): """ Create (And Update "latest changes") to an account """ if not self.core_provider: raise Exception("AccountDriver not initialized by provider," " cannot create identity. For account creation use" " build_account()") if username in self.core_provider.list_admin_names(): return (username, password, project) = self.build_account( username, password, project_name, role_name, max_quota) ident = self.create_identity(username, password, project.name, quota=quota, max_quota=max_quota) return ident def build_account(self, username, password, project_name=None, role_name=None, max_quota=False): finished = False # Attempt account creation while not finished: try: if not password: password = self.hashpass(username) if not project_name: project_name = username # 1. Create Project: should exist before creating user project = self.user_manager.get_project(project_name) if not project: kwargs = {} if self.identity_version > 2: kwargs.update({'domain': 'default'}) project = self.user_manager.create_project(project_name, **kwargs) # 2. Create User (And add them to the project) user = self.get_user(username) if not user: logger.info("Creating account: %s - %s - %s" % (username, password, project)) kwargs = {} if self.identity_version > 2: kwargs.update({'domain': 'default'}) user = self.user_manager.create_user(username, password, project, **kwargs) # 3.1 Include the admin in the project # TODO: providercredential initialization of # "default_admin_role" self.user_manager.include_admin(project_name) # 3.2 Check the user has been given an appropriate role if not role_name: role_name = "_member_" self.user_manager.add_project_membership( project_name, username, role_name) # 4. Create a security group -- SUSPENDED.. Will occur on # instance launch instead. # self.init_security_group(user, password, project, # project.name, # self.MASTER_RULES_LIST) # 5. Create a keypair to use when launching with atmosphere self.init_keypair(user.name, password, project.name) finished = True except ConnectionError: logger.exception("Connection reset by peer. " "Waiting for one minute.") time.sleep(60) # Wait one minute except OverLimit: logger.exception("OverLimit on POST requests. " "Waiting for one minute.") time.sleep(60) # Wait one minute return (username, password, project) def init_keypair(self, username, password, project_name): keyname = settings.ATMOSPHERE_KEYPAIR_NAME with open(settings.ATMOSPHERE_KEYPAIR_FILE, "r") as pub_key_file: public_key = pub_key_file.read() return self.get_or_create_keypair(username, password, project_name, keyname, public_key) def init_security_group(self, username, password, project_name, security_group_name, rules_list): # 4.1. Update the account quota to hold a larger number of # roles than what is necessary # user = user_matches[0] # -- User:Keystone rev. kwargs = {} if self.identity_version > 2: kwargs.update({'domain': 'default'}) user_matches = [u for u in self.user_manager.keystone.users.list(**kwargs) if u.name == username] if not user_matches or len(user_matches) > 1: raise Exception("User maps to *MORE* than one account on openstack default domain! Ask a programmer for help here!") user = user_matches[0] kwargs = {} if self.identity_version > 2: kwargs.update({'domain_id': 'default'}) project = self.user_manager.keystone_projects().find(name=project_name, **kwargs) nc = self.user_manager.nova rule_max = max(len(rules_list), 100) nc.quotas.update(project.id, security_group_rules=rule_max) # Change the description of the security group to match the project # name try: # Create the default security group nova = self.user_manager.build_nova(username, password, project_name) sec_groups = nova.security_groups.list() if not sec_groups: nova.security_group.create("default", project_name) self.network_manager.rename_security_group(project) except ConnectionError as ce: logger.exception( "Failed to establish connection." " Security group creation FAILED") return None except NeutronClientException as nce: if nce.status_code != 404: logger.exception("Encountered unknown exception while renaming" " the security group") return None # Start creating security group return self.user_manager.build_security_group( user.name, password, project.name, security_group_name, rules_list) def add_rules_to_security_groups(self, core_identity_list, security_group_name, rules_list): for identity in core_identity_list: creds = self.parse_identity(identity) sec_group = self.user_manager.find_security_group( creds["username"], creds["password"], creds["tenant_name"], security_group_name) if not sec_group: raise Exception("No security gruop found matching name %s" % security_group_name) self.user_manager.add_security_group_rules( creds["username"], creds["password"], creds["tenant_name"], security_group_name, rules_list) def get_or_create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) if self.identity_version == 2: nova = clients["nova"] keypairs = nova.keypairs.list() else: osdk = clients["openstack_sdk"] keypairs = [kp for kp in osdk.compute.keypairs()] for kp in keypairs: if kp.name == keyname: if kp.public_key != public_key: raise Exception( "Mismatched public key found for keypair named: %s" ". Expected: %s Original: %s" % (keyname, public_key, kp.public_key)) return (kp, False) return (self.create_keypair( username, password, project_name, keyname, public_key), True) def create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) if self.identity_version == 2: nova = clients["nova"] keypair = nova.keypairs.create( keyname, public_key=public_key) else: osdk = clients["openstack_sdk"] keypair = osdk.compute.create_keypair( name=keyname, public_key=public_key) return keypair def accept_shared_image(self, glance_image, project_name): """ This is only required when sharing using 'the v2 api' on glance. """ # FIXME: Abusing the 'project_name' == 'username' mapping clients = self.get_openstack_clients(project_name) project = self.user_manager.get_project(project_name) glance = clients["glance"] glance.image_members.update( glance_image.id, project.id, 'accepted') def rebuild_security_groups(self, core_identity, rules_list=None): creds = self.parse_identity(core_identity) if not rules_list: rules_list = self.MASTER_RULES_LIST return self.user_manager.build_security_group( creds["username"], creds["password"], creds["tenant_name"], creds["tenant_name"], rules_list, rebuild=True) def parse_identity(self, core_identity): identity_creds = self._libcloud_to_openstack( core_identity.get_credentials()) return identity_creds def clean_credentials(self, credential_dict): """ This function cleans up a dictionary of credentials. After running this function: * Erroneous dictionary keys are removed * Missing credentials are listed """ creds = ["username", "password", "project_name"] missing_creds = [] # 1. Remove non-credential information from the dict for key in credential_dict.keys(): if key not in creds: credential_dict.pop(key) # 2. Check the dict has all the required credentials for c in creds: if not hasattr(credential_dict, c): missing_creds.append(c) return missing_creds def create_identity(self, username, password, project_name, quota=None, max_quota=False, account_admin=False): if not self.core_provider: raise Exception("AccountDriver not initialized by provider, " "cannot create identity") identity = Identity.create_identity( username, self.core_provider.location, quota=quota, # Flags.. max_quota=max_quota, account_admin=account_admin, # Pass in credentials with cred_ namespace cred_key=username, cred_secret=password, cred_ex_tenant_name=project_name, cred_ex_project_name=project_name) # Return the identity return identity def rebuild_project_network(self, username, project_name, dns_nameservers=[]): self.network_manager.delete_project_network(username, project_name) net_args = self._base_network_creds() self.network_manager.create_project_network( username, self.hashpass(username), project_name, get_unique_number=get_unique_id, dns_nameservers=dns_nameservers, **net_args) return True def delete_security_group(self, identity): identity_creds = self.parse_identity(identity) project_name = identity_creds["tenant_name"] project = self.user_manager.keystone.tenants.find(name=project_name) sec_group_r = self.network_manager.neutron.list_security_groups( tenant_id=project.id) sec_groups = sec_group_r["security_groups"] for sec_group in sec_groups: self.network_manager.neutron.delete_security_group(sec_group["id"]) return True def delete_network(self, identity, remove_network=True): # Core credentials need to be converted to openstack names identity_creds = self.parse_identity(identity) username = identity_creds["username"] project_name = identity_creds["tenant_name"] # Convert from libcloud names to openstack client names return self.network_manager.delete_project_network( username, project_name, remove_network=remove_network) def create_network(self, identity): # Core credentials need to be converted to openstack names identity_creds = self.parse_identity(identity) username = identity_creds["username"] password = identity_creds["password"] project_name = identity_creds["tenant_name"] dns_nameservers = [ dns_server.ip_address for dns_server in identity.provider.dns_server_ips.order_by('order')] # Convert from libcloud names to openstack client names net_args = self._base_network_creds() return self.network_manager.create_project_network( username, password, project_name, get_unique_number=get_unique_id, dns_nameservers=dns_nameservers, **net_args) # Useful methods called from above.. def delete_account(self, username, projectname): self.os_delete_account(username, projectname) Identity.delete_identity(username, self.core_provider.location) def os_delete_account(self, username, projectname): project = self.user_manager.get_project(projectname) # 1. Network cleanup if project: self.network_manager.delete_project_network(username, projectname) # 2. Role cleanup (Admin too) self.user_manager.delete_all_roles(username, projectname) adminuser = self.user_manager.keystone.username self.user_manager.delete_all_roles(adminuser, projectname) # 3. Project cleanup self.user_manager.delete_project(projectname) # 4. User cleanup user = self.user_manager.get_user(username) if user: self.user_manager.delete_user(username) return True def hashpass(self, username): # TODO: Must be better. return sha1(username).hexdigest() def get_project_name_for(self, username): """ This should always map project to user For now, they are identical.. TODO: Make this intelligent. use keystone. """ return username def _get_image(self, *args, **kwargs): return self.image_manager.get_image(*args, **kwargs) # For one-time caching def _list_all_images(self, *args, **kwargs): return self.image_manager.list_images(*args, **kwargs) def tenant_instances_map( self, status_list=[], match_all=False, include_empty=False): """ Maps 'Tenant' objects to all the 'owned instances' as listed by the admin driver Optional fields: * status_list (list) - If provided, only include instance if it's status/tmp_status matches a value in the list. * match_all (bool) - If True, instances must match ALL words in the list. * include_empty (bool) - If True, include ALL tenants in the map. """ all_projects = self.list_projects() all_instances = self.list_all_instances() if include_empty: project_map = {proj: [] for proj in all_projects} else: project_map = {} for instance in all_instances: try: # NOTE: will someday be 'projectId' tenant_id = instance.extra['tenantId'] project = [p for p in all_projects if p.id == tenant_id][0] except (ValueError, KeyError): raise Exception( "The implementaion for recovering a tenant id has changed. Update the code base above this line!") metadata = instance._node.extra.get('metadata', {}) instance_status = instance.extra.get('status') task = instance.extra.get('task') tmp_status = metadata.get('tmp_status', '') if status_list: if match_all: truth = all( True if ( status_name and status_name in [ instance_status, task, tmp_status]) else False for status_name in status_list) else: truth = any( True if ( status_name and status_name in [ instance_status, task, tmp_status]) else False for status_name in status_list) if not truth: logger.info( "Found an instance:%s for tenant:%s but skipped because %s could be found in the list: (%s - %s - %s)" % (instance.id, project.name, "none of the status_names" if not match_all else "not all of the status names", instance_status, task, tmp_status)) continue instance_list = project_map.get(project, []) instance_list.append(instance) project_map[project] = instance_list return project_map def list_all_instances(self, **kwargs): return self.admin_driver.list_all_instances(**kwargs) def list_all_images(self, **kwargs): return self.image_manager.list_images(**kwargs) def get_project_by_id(self, project_id): return self.user_manager.get_project_by_id(project_id) def get_project(self, project_name, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs) return self.user_manager.get_project(project_name, **kwargs) def _make_tenant_id_map(self): all_projects = self.list_projects() tenant_id_map = {project.id: project.name for project in all_projects} return tenant_id_map def create_trust( self, trustee_project_name, trustee_username, trustee_domain_name, trustor_project_name, trustor_username, trustor_domain_name, roles=[], impersonation=True): """ Trustee == Consumer Trustor == Resource Owner Given the *names* of projects, users, and domains gather all required information for a Trust-Create create a new trust object NOTE: we set impersonation to True -- it has a 'normal default' of False! """ default_roles = [{"name": "admin"}] trustor_domain = self.openstack_sdk.identity.find_domain( trustor_domain_name) if not trustor_domain: raise ValueError("Could not find trustor domain named %s" % trustor_domain_name) trustee_domain = self.openstack_sdk.identity.find_domain( trustee_domain_name) if not trustee_domain: raise ValueError("Could not find trustee domain named %s" % trustee_domain_name) trustee_user = self.get_user( trustee_username, domain_id=trustee_domain.id) # trustee_project = self.get_project( # trustee_username, domain_name=trustee_domain.id) trustor_user = self.get_user( trustor_username, domain_id=trustor_domain.id) trustor_project = self.get_project( trustor_project_name, domain_id=trustor_domain.id) if not roles: roles = default_roles new_trust = self.openstack_sdk.identity.create_trust( impersonation=impersonation, project_id=trustor_project.id, trustor_user_id=trustor_user.id, trustee_user_id=trustee_user.id, roles=roles, domain_id=trustee_domain.id) return new_trust def list_trusts(self): return [t for t in self.openstack_sdk.identity.trusts()] def list_projects(self, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs, domain_override='domain') return self.user_manager.list_projects(**kwargs) def list_roles(self, **kwargs): """ Keystone already accepts 'domain_name' to restrict what roles to return """ return self.user_manager.keystone.roles.list(**kwargs) def get_role(self, role_name_or_id, **list_kwargs): if self.identity_version > 2: list_kwargs = self._parse_domain_kwargs(list_kwargs) role_list = self.list_roles(**list_kwargs) found_roles = [role for role in role_list if role.id == role_name_or_id or role.name == role_name_or_id] if not found_roles: return None if len(found_roles) > 1: raise Exception("role name/id %s matched more than one value -- Fix the code" % (role_name_or_id,)) return found_roles[0] def get_user(self, user_name_or_id, **list_kwargs): if self.identity_version > 2: list_kwargs = self._parse_domain_kwargs(list_kwargs) user_list = self.list_users(**list_kwargs) found_users = [user for user in user_list if user.id == user_name_or_id or user.name == user_name_or_id] if not found_users: return None if len(found_users) > 1: raise Exception("User name/id %s matched more than one value -- Fix the code" % (user_name_or_id,)) return found_users[0] def _parse_domain_kwargs(self, kwargs, domain_override='domain_id'): """ CLI's replace domain_name with the actual domain. We replicate that functionality to avoid operator-frustration. """ domain_key = 'domain_name' domain_name_or_id = kwargs.get(domain_key) if not domain_name_or_id: return kwargs domain = self.openstack_sdk.identity.find_domain(domain_name_or_id) if not domain: raise ValueError("Could not find domain %s by name or id." % domain_name_or_id) kwargs.pop(domain_key) kwargs[domain_override] = domain.id return kwargs def list_users(self, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs) return self.user_manager.keystone.users.list(**kwargs) def list_usergroup_names(self): return [user.name for (user, project) in self.list_usergroups()] def list_usergroups(self): """ TODO: This function is AWFUL just scrap it. """ users = self.list_users() groups = self.list_projects() usergroups = [] admin_usernames = self.core_provider.list_admin_names() for group in groups: for user in users: if user.name in admin_usernames: continue if user.name in group.name: usergroups.append((user, group)) break return usergroups def _get_horizon_url(self, tenant_id): parsed_url = urlparse(self.provider_creds["auth_url"]) return "https://%s/horizon/auth/switch/%s/?next=/horizon/project/" %\ (parsed_url.hostname, tenant_id) def get_openstack_clients(self, username, password=None, tenant_name=None): # TODO: I could replace with identity.. but should I? # Build credentials for each manager all_creds = self._get_openstack_credentials( username, password, tenant_name) # Initialize managers with respective credentials image_creds = self._build_image_creds(all_creds) net_creds = self._build_network_creds(all_creds) sdk_creds = self._build_sdk_creds(all_creds) if self.identity_version > 2: openstack_sdk = _connect_to_openstack_sdk(**sdk_creds) else: openstack_sdk = None neutron = self.network_manager.new_connection(**net_creds) keystone, nova, glance = self.image_manager._new_connection( **image_creds) return { "glance": glance, "keystone": keystone, "nova": nova, "neutron": neutron, "openstack_sdk": openstack_sdk, "horizon": self._get_horizon_url(keystone.tenant_id) } def _get_openstack_credentials(self, username, password=None, tenant_name=None): if not tenant_name: tenant_name = self.get_project_name_for(username) if not password: password = self.hashpass(tenant_name) osdk_creds = { "auth_url": self.user_manager.nova.client.auth_url.replace('/v3','').replace('/v2.0',''), "admin_url": self.user_manager.keystone._management_url.replace('/v2.0','').replace('/v3',''), "region_name": self.user_manager.nova.client.region_name, "username": username, "password": password, "tenant_name": tenant_name } return osdk_creds # Credential manipulaters def _libcloud_to_openstack(self, credentials): credentials["username"] = credentials.pop("key") credentials["password"] = credentials.pop("secret") credentials["tenant_name"] = credentials.pop("ex_tenant_name") return credentials def _base_network_creds(self): """ These credentials should be used when another user/pass/tenant combination will be used NOTE: JETSTREAM auth_url to be '/v3' """ net_args = self.provider_creds.copy() # NOTE: The neutron 'auth_url' is the ADMIN_URL net_args["auth_url"] = net_args.pop("admin_url")\ .replace("/tokens", "").replace('/v2.0', '').replace('/v3', '') if self.identity_version == 3: auth_prefix = '/v3' elif self.identity_version == 2: auth_prefix = '/v2.0' if auth_prefix not in net_args['auth_url']: net_args['auth_url'] += auth_prefix return net_args def _build_network_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "NetworkManager" object NOTE: JETSTREAM auth_url to be '/v3' """ net_args = credentials.copy() # Required: net_args.get("username") net_args.get("password") net_args.get("tenant_name") net_args.get("router_name") net_args.get("region_name") # NOTE: The neutron 'auth_url' is the ADMIN_URL net_args["auth_url"] = net_args.pop("admin_url").replace("/tokens", "") # Ignored: net_args.pop("location", None) net_args.pop("ex_project_name", None) net_args.pop("ex_force_auth_version", None) auth_url = net_args.get('auth_url') if self.identity_version == 3: auth_prefix = '/v3' elif self.identity_version == 2: auth_prefix = '/v2.0' net_args["auth_url"] = auth_url.replace("/v2.0", "").replace('/v3', '').replace("/tokens", "") if auth_prefix not in net_args['auth_url']: net_args["auth_url"] += auth_prefix return net_args def _build_image_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object NOTE: Expects auth_url to be '/v2.0/tokens' NOTE: JETSTREAM auth_url to be '/v3' """ img_args = credentials.copy() # Required: for required_arg in [ "username", "password", "tenant_name", "auth_url", "region_name"]: if required_arg not in img_args or not img_args[required_arg]: raise ValueError( "ImageManager is missing a Required Argument: %s" % required_arg) ex_auth_version = img_args.pop("ex_force_auth_version", '2.0_password') # Supports v2.0 or v3 Identity if ex_auth_version.startswith('2'): auth_url_prefix = "/v2.0/tokens" auth_version = 'v2.0' elif ex_auth_version.startswith('3'): auth_url_prefix = "/v3/tokens" auth_version = 'v3' img_args['version'] = auth_version img_args["auth_url"] = img_args.get('auth_url','').replace("/v2.0","").replace("/tokens", "").replace('/v3','') if auth_url_prefix not in img_args['auth_url']: img_args["auth_url"] += auth_url_prefix return img_args def _build_user_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object NOTE: Expects auth_url to be '/v2.0' """ user_args = credentials.copy() # Required args: user_args.get("username") user_args.get("password") user_args.get("tenant_name") ex_auth_version = user_args.pop("ex_force_auth_version", '2.0_password') # Supports v2.0 or v3 Identity if ex_auth_version.startswith('2'): auth_url_prefix = "/v2.0/" auth_version = 'v2.0' elif ex_auth_version.startswith('3'): auth_url_prefix = "/v3/" auth_version = 'v3' auth_url = user_args.get('auth_url') user_args["auth_url"] = auth_url.replace("/v2.0", "").replace("/tokens", "") if auth_url_prefix not in user_args['auth_url']: user_args["auth_url"] += auth_url_prefix user_args.get("region_name") user_args['version'] = user_args.get("version", auth_version) # Removable args: user_args.pop("admin_url", None) user_args.pop("location", None) user_args.pop("router_name", None) user_args.pop("ex_project_name", None) return user_args def _build_sdk_creds(self, credentials): """ Credentials - dict() return the credentials required to build an "Openstack SDK" connection NOTE: Expects auth_url to be ADMIN aand be '/v3' """ os_args = credentials.copy() # Required args: os_args.get("username") os_args.get("password") if 'tenant_name' in os_args and 'project_name' not in os_args: os_args['project_name'] = os_args.get("tenant_name") os_args.get("region_name") ex_auth_version = os_args.pop("ex_force_auth_version", '2.0_password') # Supports v2.0 or v3 Identity if ex_auth_version.startswith('2'): auth_url_prefix = "/v2.0/" auth_version = 'v2.0' elif ex_auth_version.startswith('3'): auth_url_prefix = "/v3/" auth_version = 'v3' os_args["auth_url"] = os_args.get("auth_url")\ .replace("/tokens", "").replace('/v2.0', '').replace('/v3', '') # NOTE: Openstack 'auth_url' is ACTUALLY the admin url. if auth_url_prefix not in os_args['admin_url']: os_args["auth_url"] = os_args['admin_url'] + auth_url_prefix if 'project_domain_name' not in os_args: os_args['project_domain_name'] = 'default' if 'user_domain_name' not in os_args: os_args['user_domain_name'] = 'default' if 'identity_api_version' not in os_args: os_args['identity_api_version'] = 3 # Removable args: os_args.pop("ex_force_auth_version", None) os_args.pop("admin_url", None) os_args.pop("location", None) os_args.pop("router_name", None) os_args.pop("ex_project_name", None) os_args.pop("ex_tenant_name", None) os_args.pop("tenant_name", None) return os_args
class AccountDriver(BaseAccountDriver): user_manager = None image_manager = None network_manager = None core_provider = None cloud_config = {} def clear_cache(self): self.admin_driver.provider.machineCls.invalidate_provider_cache(self.admin_driver.provider) return self.admin_driver def _init_by_provider(self, provider, *args, **kwargs): from service.driver import get_esh_driver self.core_provider = provider provider_creds = provider.get_credentials() self.cloud_config = provider.cloud_config self.provider_creds = provider_creds admin_identity = provider.admin admin_creds = admin_identity.get_credentials() self.admin_driver = get_esh_driver(admin_identity) admin_creds = self._libcloud_to_openstack(admin_creds) all_creds = {"location": provider.get_location()} all_creds.update(admin_creds) all_creds.update(provider_creds) return all_creds def __init__(self, provider=None, *args, **kwargs): super(AccountDriver, self).__init__() if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs if "location" in all_creds: self.namespace = "Atmosphere_OpenStack:%s" % all_creds["location"] else: logger.info( "Using default namespace.. Could cause conflicts if " "switching between providers. To avoid ambiguity, " "provide the kwarg: location='provider_prefix'" ) # Build credentials for each manager self.credentials = all_creds ex_auth_version = all_creds.get("ex_force_auth_version", "2.0_password") if ex_auth_version.startswith("2"): self.identity_version = 2 elif ex_auth_version.startswith("3"): self.identity_version = 3 else: raise Exception("Could not determine identity_version of %s" % ex_auth_version) user_creds = self._build_user_creds(all_creds) image_creds = self._build_image_creds(all_creds) net_creds = self._build_network_creds(all_creds) sdk_creds = self._build_sdk_creds(all_creds) # Initialize managers with respective credentials self.user_manager = UserManager(**user_creds) self.image_manager = ImageManager(**image_creds) self.network_manager = NetworkManager(**net_creds) self.openstack_sdk = _connect_to_openstack_sdk(**sdk_creds) def create_account(self, username, password=None, project_name=None, role_name=None, quota=None, max_quota=False): """ Create (And Update "latest changes") to an account """ if not self.core_provider: raise Exception( "AccountDriver not initialized by provider," " cannot create identity. For account creation use" " build_account()" ) if username in self.core_provider.list_admin_names(): return (username, password, project) = self.build_account(username, password, project_name, role_name, max_quota) ident = self.create_identity(username, password, project.name, quota=quota, max_quota=max_quota) return ident def build_account( self, username, password, project_name=None, role_name=None, max_quota=False, domain_name="default" ): finished = False # Attempt account creation while not finished: try: if not password: password = self.hashpass(username) if not project_name: project_name = username # 1. Create Project: should exist before creating user project_kwargs = {} if self.identity_version > 2: project_kwargs.update({"domain_id": domain_name}) project = self.user_manager.get_project(project_name, **project_kwargs) if not project: if self.identity_version > 2: project_kwargs = {"domain": domain_name} project = self.user_manager.create_project(project_name, **project_kwargs) # 2. Create User (And add them to the project) user = self.get_user(username) if not user: logger.info("Creating account: %s - %s - %s" % (username, password, project)) user_kwargs = {} if self.identity_version > 2: user_kwargs.update({"domain": domain_name}) user = self.user_manager.create_user(username, password, project, **user_kwargs) # 3.1 Include the admin in the project # TODO: providercredential initialization of # "default_admin_role" self.user_manager.include_admin(project_name) # 3.2 Check the user has been given an appropriate role if not role_name: try: role_name = self.cloud_config["user"]["user_role_name"] except KeyError: logger.warn( "Cloud config ['user']['user_role_name'] is missing -- using deprecated settings.DEFAULT_KEYSTONE_ROLE" ) role_name = settings.DEFAULT_KEYSTONE_ROLE self.user_manager.add_project_membership(project_name, username, role_name) # , domain_name) # 4. Create a keypair to use when launching with atmosphere self.init_keypair(user.name, password, project.name) finished = True except ConnectionError: logger.exception("Connection reset by peer. " "Waiting for one minute.") time.sleep(60) # Wait one minute except NovaOverLimit: logger.exception("OverLimit on POST requests. " "Waiting for one minute.") time.sleep(60) # Wait one minute return (username, password, project) def change_password(self, identity, new_password, old_password=None): try: self.update_openstack_password(identity, new_password, old_password=old_password) self.update_password_credential(identity, new_password) return True except Exception: logger.exception("Could not change password") return False def update_password_credential(self, core_identity, new_password): """ """ try: password_cred = core_identity.credential_set.get(key="secret") password_cred.value = new_password password_cred.save() except ObjectDoesNotExist: raise Exception("The 'key' for a secret has changed! " "Ask a programmer for help!") def update_openstack_password(self, identity, new_password, strategy=None): identity_creds = self.parse_identity(identity) username = identity_creds["username"] if not strategy: strategy = DEFAULT_PASSWORD_UPDATE if not strategy or strategy == "keystone_password_update": return self.keystone_password_update(username, new_password) if strategy == "openstack_sdk_password_update": return self.openstack_sdk_password_update(username, new_password) else: raise ValueError("Invalid 'Update Password' strategy: %s" % strategy) def keystone_password_update(self, username, new_password): keystone = self.user_manager.keystone user = keystone.users.find(name=username) return keystone.users.update_password(user, new_password) def openstack_sdk_password_update(self, username, new_password): user_id = self.get_user(username).id return self.openstack_sdk.identity.update_user(user_id, password=new_password) def init_keypair(self, username, password, project_name): keyname = settings.ATMOSPHERE_KEYPAIR_NAME with open(settings.ATMOSPHERE_KEYPAIR_FILE, "r") as pub_key_file: public_key = pub_key_file.read() return self.get_or_create_keypair(username, password, project_name, keyname, public_key) def init_security_group(self, core_identity, security_group_name=None): # 4.1. Update the account quota to hold a larger number of # roles than what is necessary # user = user_matches[0] # -- User:Keystone rev. try: rules_list = core_identity.provider.cloud_config["network"]["default_security_rules"] except KeyError: logger.warn( "Cloud config ['user']['default_security_rules'] is missing -- using deprecated settings.DEFAULT_RULES" ) rules_list = DEFAULT_RULES identity_creds = self.parse_identity(core_identity) username = identity_creds["username"] password = identity_creds["password"] project_name = identity_creds["tenant_name"] kwargs = {} if self.identity_version > 2: kwargs.update({"domain": "default"}) user_matches = [u for u in self.user_manager.keystone.users.list(**kwargs) if u.name == username] if not user_matches or len(user_matches) > 1: raise Exception( "User maps to *MORE* than one account on openstack default domain! Ask a programmer for help here!" ) user = user_matches[0] kwargs = {} if self.identity_version > 2: kwargs.update({"domain_id": "default"}) project = self.user_manager.keystone_projects().find(name=project_name, **kwargs) nc = self.user_manager.nova rule_max = max(len(rules_list), 100) nc.quotas.update(project.id, security_group_rules=rule_max) # Change the description of the security group to match the project # name try: # Create the default security group nova = self.user_manager.build_nova(username, password, project_name) sec_groups = nova.security_groups.list() if not sec_groups: nova.security_group.create("default", project_name) self.network_manager.rename_security_group(project, security_group_name=security_group_name) except ConnectionError as ce: logger.exception("Failed to establish connection." " Security group creation FAILED") return None except NeutronClientException as nce: if nce.status_code != 404: logger.exception("Encountered unknown exception while renaming" " the security group") return None # Start creating security group return self.user_manager.build_security_group( user.name, password, project.name, security_group_name, rules_list ) def add_rules_to_security_groups(self, core_identity_list, security_group_name, rules_list): for identity in core_identity_list: creds = self.parse_identity(identity) sec_group = self.user_manager.find_security_group( creds["username"], creds["password"], creds["tenant_name"], security_group_name ) if not sec_group: raise Exception("No security gruop found matching name %s" % security_group_name) self.user_manager.add_security_group_rules( creds["username"], creds["password"], creds["tenant_name"], security_group_name, rules_list ) def get_or_create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) if self.identity_version == 2: nova = clients["nova"] keypairs = nova.keypairs.list() else: osdk = clients["openstack_sdk"] keypairs = [kp for kp in osdk.compute.keypairs()] for kp in keypairs: if kp.name == keyname: if kp.public_key != public_key: raise Exception( "Mismatched public key found for keypair named: %s" ". Expected: %s Original: %s" % (keyname, public_key, kp.public_key) ) return (kp, False) return (self.create_keypair(username, password, project_name, keyname, public_key), True) def create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) if self.identity_version == 2: nova = clients["nova"] keypair = nova.keypairs.create(keyname, public_key=public_key) else: osdk = clients["openstack_sdk"] keypair = osdk.compute.create_keypair(name=keyname, public_key=public_key) return keypair def accept_shared_image(self, glance_image, project_name): """ This is only required when sharing using 'the v2 api' on glance. """ # FIXME: Abusing the 'project_name' == 'username' mapping clients = self.get_openstack_clients(project_name) project = self.user_manager.get_project(project_name) glance = clients["glance"] glance.image_members.update(glance_image.id, project.id, "accepted") def rebuild_security_groups(self, core_identity, rules_list=None): creds = self.parse_identity(core_identity) if not rules_list: try: rules_list = self.cloud_config["network"]["default_security_rules"] except KeyError: logger.warn( "Cloud config ['network']['default_security_rules'] is missing -- using deprecated settings.DEFAULT_RULES" ) rules_list = DEFAULT_RULES return self.user_manager.build_security_group( creds["username"], creds["password"], creds["tenant_name"], creds["tenant_name"], rules_list, rebuild=True ) def parse_identity(self, core_identity): identity_creds = self._libcloud_to_openstack(core_identity.get_credentials()) return identity_creds def clean_credentials(self, credential_dict): """ This function cleans up a dictionary of credentials. After running this function: * Erroneous dictionary keys are removed * Missing credentials are listed """ creds = ["username", "password", "project_name"] missing_creds = [] # 1. Remove non-credential information from the dict for key in credential_dict.keys(): if key not in creds: credential_dict.pop(key) # 2. Check the dict has all the required credentials for c in creds: if not hasattr(credential_dict, c): missing_creds.append(c) return missing_creds def create_identity(self, username, password, project_name, quota=None, max_quota=False, account_admin=False): if not self.core_provider: raise Exception("AccountDriver not initialized by provider, " "cannot create identity") identity = Identity.create_identity( username, self.core_provider.location, quota=quota, # Flags.. max_quota=max_quota, account_admin=account_admin, # Pass in credentials with cred_ namespace cred_key=username, cred_secret=password, cred_ex_tenant_name=project_name, cred_ex_project_name=project_name, ) # Return the identity return identity def rebuild_project_network(self, username, project_name, dns_nameservers=[]): self.network_manager.delete_project_network(username, project_name) net_args = self._base_network_creds() self.network_manager.create_project_network( username, self.hashpass(username), project_name, get_unique_number=_get_unique_id, dns_nameservers=dns_nameservers, **net_args ) return True def delete_security_group(self, identity): identity_creds = self.parse_identity(identity) project_name = identity_creds["tenant_name"] project = self.user_manager.keystone.tenants.find(name=project_name) sec_group_r = self.network_manager.neutron.list_security_groups(tenant_id=project.id) sec_groups = sec_group_r["security_groups"] for sec_group in sec_groups: self.network_manager.neutron.delete_security_group(sec_group["id"]) return True def select_network_strategy(self, identity, topology_name=None): """ Select a network topology and initialize it with the identity/provider specific information required. """ # Select Cls if not topology_name: NetworkTopologyStrategyCls = ExternalRouter else: NetworkTopologyStrategyCls = get_topology_cls(topology_name) try: network_strategy = NetworkTopologyStrategyCls(identity) except: logger.exception("Error initializing Network Topology - %s + %s " % (NetworkTopologyStrategyCls, identity)) raise return network_strategy def dns_nameservers_for(self, identity): dns_nameservers = [dns_server.ip_address for dns_server in identity.provider.dns_server_ips.order_by("order")] return dns_nameservers def delete_user_network(self, identity, options={}): """ 1. Look at the provider for network topology hints 2. If no network topology exists, use the "Default network" settings. 3. Delete network based on topology """ identity_creds = self.parse_identity(identity) project_name = identity_creds["tenant_name"] neutron = self.get_openstack_client(identity, "neutron") try: topology_name = self.cloud_config["network"]["topology"] except KeyError: logger.exception( "Network topology not selected -- " "Will attempt to use the last known default: ExternalRouter." ) topology_name = None network_strategy = self.select_network_strategy(identity, topology_name) if options.get("skip_network"): return self._delete_user_subnet(network_strategy, neutron, project_name) return self._delete_user_network(network_strategy, neutron, project_name) def _delete_user_subnet(self, network_strategy, neutron, prefix_name): network_strategy.delete_router_interface( self.network_manager, neutron, "%s-router" % prefix_name, "%s-subnet" % prefix_name ) network_strategy.delete_router(self.network_manager, neutron, "%s-router" % prefix_name) network_strategy.delete_subnet(self.network_manager, neutron, "%s-subnet" % prefix_name) def _delete_user_network(self, network_strategy, neutron, prefix_name): self._delete_user_subnet(network_strategy, neutron, prefix_name) network_strategy.delete_network(self.network_manager, neutron, "%s-net" % prefix_name) return def create_user_network(self, identity): """ 1. Look at the provider for network topology hints 2. If no network topology exists, use the "Default network" settings. 3. Create network based on topology """ # Prepare args identity_creds = self.parse_identity(identity) username = identity_creds["username"] project_name = identity_creds["tenant_name"] neutron = self.get_openstack_client(identity, "neutron") dns_nameservers = self.dns_nameservers_for(identity) try: topology_name = self.cloud_config["network"]["topology"] except KeyError: logger.exception( "Network topology not selected -- " "Will attempt to use the last known default: ExternalRouter." ) topology_name = None network_strategy = self.select_network_strategy(identity, topology_name) # May raise exception network_strategy.validate(identity) network = network_strategy.get_or_create_network( self.network_manager, neutron, "%s-net" % project_name ) # NOTE: the name of the network here is a *hint* not a guarantee. # Use `network.name` from here subnet = network_strategy.get_or_create_user_subnet( self.network_manager, neutron, network["id"], username, "%s-subnet" % project_name, dns_nameservers=dns_nameservers, ) router = network_strategy.get_or_create_router(self.network_manager, neutron, "%s-router" % project_name) gateway = network_strategy.get_or_create_router_gateway(self.network_manager, neutron, router, network) interface = network_strategy.get_or_create_router_interface( self.network_manager, neutron, router, subnet, "%s-router-intf" % project_name ) network_resources = {"network": network, "subnet": subnet, "router": router, "interface": interface} return network_resources # Useful methods called from above.. def delete_account(self, username, projectname): self.os_delete_account(username, projectname) Identity.delete_identity(username, self.core_provider.location) def os_delete_account(self, username, projectname): project = self.user_manager.get_project(projectname) # 1. Network cleanup if project: self.network_manager.delete_project_network(username, projectname) # 2. Role cleanup (Admin too) self.user_manager.delete_all_roles(username, projectname) adminuser = self.user_manager.keystone.username self.user_manager.delete_all_roles(adminuser, projectname) # 3. Project cleanup self.user_manager.delete_project(projectname) # 4. User cleanup user = self.user_manager.get_user(username) if user: self.user_manager.delete_user(username) return True def hashpass(self, username): """ Create a unique password using 'username' """ cloud_pass = self.cloud_config["user"].get("secret") if not cloud_pass or len(cloud_pass) < 32: raise ValueError("Cloud config ['user']['secret'] is required and " + "must be of length 32 or more") if not username: raise ValueError("Missing username, cannot create hash") return sha256(username + cloud_pass).hexdigest() def get_project_name_for(self, username): """ This should always map project to user For now, they are identical.. TODO: Make this intelligent. use keystone. """ return username def _get_image(self, *args, **kwargs): return self.image_manager.get_image(*args, **kwargs) # For one-time caching def _list_all_images(self, *args, **kwargs): return self.image_manager.list_images(*args, **kwargs) def tenant_instances_map(self, status_list=[], match_all=False, include_empty=False): """ Maps 'Tenant' objects to all the 'owned instances' as listed by the admin driver Optional fields: * status_list (list) - If provided, only include instance if it's status/tmp_status matches a value in the list. * match_all (bool) - If True, instances must match ALL words in the list. * include_empty (bool) - If True, include ALL tenants in the map. """ all_projects = self.list_projects() all_instances = self.list_all_instances() if include_empty: project_map = {proj: [] for proj in all_projects} else: project_map = {} for instance in all_instances: try: # NOTE: will someday be 'projectId' tenant_id = instance.extra["tenantId"] project = [p for p in all_projects if p.id == tenant_id][0] except (ValueError, KeyError): raise Exception( "The implementaion for recovering a tenant id has changed. Update the code base above this line!" ) metadata = instance._node.extra.get("metadata", {}) instance_status = instance.extra.get("status") task = instance.extra.get("task") tmp_status = metadata.get("tmp_status", "") if status_list: if match_all: truth = all( True if (status_name and status_name in [instance_status, task, tmp_status]) else False for status_name in status_list ) else: truth = any( True if (status_name and status_name in [instance_status, task, tmp_status]) else False for status_name in status_list ) if not truth: logger.info( "Found an instance:%s for tenant:%s but skipped because %s could be found in the list: (%s - %s - %s)" % ( instance.id, project.name, "none of the status_names" if not match_all else "not all of the status names", instance_status, task, tmp_status, ) ) continue instance_list = project_map.get(project, []) instance_list.append(instance) project_map[project] = instance_list return project_map def list_all_instances(self, **kwargs): return self.admin_driver.list_all_instances(**kwargs) def list_all_images(self, **kwargs): return self.image_manager.list_images(**kwargs) def list_all_snapshots(self, **kwargs): return [img for img in self.list_all_images(**kwargs) if "snapshot" in img.get("image_type", "image").lower()] def get_project_by_id(self, project_id): return self.user_manager.get_project_by_id(project_id) def get_project(self, project_name, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs) return self.user_manager.get_project(project_name, **kwargs) def _make_tenant_id_map(self): all_projects = self.list_projects() tenant_id_map = {project.id: project.name for project in all_projects} return tenant_id_map def create_trust( self, trustee_project_name, trustee_username, trustee_domain_name, trustor_project_name, trustor_username, trustor_domain_name, roles=[], impersonation=True, ): """ Trustee == Consumer Trustor == Resource Owner Given the *names* of projects, users, and domains gather all required information for a Trust-Create create a new trust object NOTE: we set impersonation to True -- it has a 'normal default' of False! """ default_roles = [{"name": "admin"}] trustor_domain = self.openstack_sdk.identity.find_domain(trustor_domain_name) if not trustor_domain: raise ValueError("Could not find trustor domain named %s" % trustor_domain_name) trustee_domain = self.openstack_sdk.identity.find_domain(trustee_domain_name) if not trustee_domain: raise ValueError("Could not find trustee domain named %s" % trustee_domain_name) trustee_user = self.get_user(trustee_username, domain_id=trustee_domain.id) # trustee_project = self.get_project( # trustee_username, domain_name=trustee_domain.id) trustor_user = self.get_user(trustor_username, domain_id=trustor_domain.id) trustor_project = self.get_project(trustor_project_name, domain_id=trustor_domain.id) if not roles: roles = default_roles new_trust = self.openstack_sdk.identity.create_trust( impersonation=impersonation, project_id=trustor_project.id, trustor_user_id=trustor_user.id, trustee_user_id=trustee_user.id, roles=roles, domain_id=trustee_domain.id, ) return new_trust def list_trusts(self): return [t for t in self.openstack_sdk.identity.trusts()] def list_projects(self, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs, domain_override="domain") return self.user_manager.list_projects(**kwargs) def list_roles(self, **kwargs): """ Keystone already accepts 'domain_name' to restrict what roles to return """ return self.user_manager.keystone.roles.list(**kwargs) def get_role(self, role_name_or_id, **list_kwargs): if self.identity_version > 2: list_kwargs = self._parse_domain_kwargs(list_kwargs) role_list = self.list_roles(**list_kwargs) found_roles = [role for role in role_list if role.id == role_name_or_id or role.name == role_name_or_id] if not found_roles: return None if len(found_roles) > 1: raise Exception("role name/id %s matched more than one value -- Fix the code" % (role_name_or_id,)) return found_roles[0] def get_user(self, user_name_or_id, **list_kwargs): user_list = self.list_users(**list_kwargs) found_users = [user for user in user_list if user.id == user_name_or_id or user.name == user_name_or_id] if not found_users: return None if len(found_users) > 1: raise Exception("User name/id %s matched more than one value -- Fix the code" % (user_name_or_id,)) return found_users[0] def _parse_domain_kwargs(self, kwargs, domain_override="domain_id", default_domain="default"): """ CLI's replace domain_name with the actual domain. We replicate that functionality to avoid operator-frustration. """ domain_key = "domain_name" if self.identity_version <= 2: return kwargs if domain_override in kwargs: if domain_key in kwargs: kwargs.pop(domain_key) return kwargs if domain_key not in kwargs: kwargs[domain_key] = default_domain # Set to default domain domain_name_or_id = kwargs.get(domain_key) domain = self.openstack_sdk.identity.find_domain(domain_name_or_id) if not domain: raise ValueError("Could not find domain %s by name or id." % domain_name_or_id) kwargs.pop(domain_key, "") kwargs[domain_override] = domain.id return kwargs def list_users(self, **kwargs): if self.identity_version > 2: kwargs = self._parse_domain_kwargs(kwargs, domain_override="domain") return self.user_manager.keystone.users.list(**kwargs) def get_quota_limit(self, username, project_name): limits = {} abs_limits = self.get_absolute_limits() user_limits = self.get_user_limits(username, project_name) if abs_limits: limits.update(abs_limits) if user_limits: limits.update(user_limits) return limits def get_absolute_limits(self): limits = {} os_limits = self.admin_driver._connection.ex_get_limits() try: absolute_limits = os_limits["absolute"] limits["cpu"] = absolute_limits["maxTotalCores"] limits["floating_ips"] = absolute_limits["maxTotalFloatingIps"] limits["instances"] = absolute_limits["maxTotalInstances"] limits["keypairs"] = absolute_limits["maxTotalKeypairs"] limits["ram"] = absolute_limits["maxTotalRAMSize"] except: logger.exception("The method for 'reading' absolute limits has changed!") return limits def get_user_limits(self, username, project_name): limits = {} try: user_id = self.get_user(username).id except: logger.exception("Failed to find user %s" % username) raise ValueError("Unknown user %s" % username) try: project_id = self.get_project(project_name).id except: logger.exception("Failed to find project %s" % project_name) raise ValueError("Unknown project %s" % project_name) user_limits = self._ex_list_quota_for_user(user_id, project_id) if not user_limits: return limits try: user_quota = user_limits["quota_set"] limits["cpu"] = user_quota["cores"] limits["floating_ips"] = user_quota["floating_ips"] limits["instances"] = user_quota["instances"] limits["keypairs"] = user_quota["key_pairs"] limits["ram"] = user_quota["ram"] except: logger.exception("The method for 'reading' absolute limits has changed!") return limits def _ex_list_quota_for_user(self, user_id, tenant_id): """ """ server_resp = self.admin_driver._connection.connection.request( "/os-quota-sets/%s?user_id=%s" % (tenant_id, user_id) ) quota_obj = server_resp.object return quota_obj def list_usergroup_names(self): return [user.name for (user, project) in self.list_usergroups()] def list_usergroups(self): """ TODO: This function is AWFUL just scrap it. """ users = self.list_users() groups = self.list_projects() usergroups = [] admin_usernames = self.core_provider.list_admin_names() for group in groups: for user in users: if user.name in admin_usernames: continue if user.name in group.name: usergroups.append((user, group)) break return usergroups def _get_horizon_url(self, tenant_id): parsed_url = urlparse(self.provider_creds["auth_url"]) return "https://%s/horizon/auth/switch/%s/?next=/horizon/project/" % (parsed_url.hostname, tenant_id) def get_openstack_clients(self, username, password=None, tenant_name=None): # Build credentials for each manager all_creds = self._get_openstack_credentials(username, password, tenant_name) # Initialize managers with respective credentials all_clients = self.get_user_clients(all_creds) openstack_sdk = self.get_openstack_sdk_client(all_creds) neutron = self.get_neutron_client(all_creds) glance = self.get_glance_client(all_creds) all_clients.update( { "glance": glance, "neutron": neutron, "openstack_sdk": openstack_sdk, "horizon": self._get_horizon_url(all_clients["keystone"].tenant_id), } ) return all_clients def get_openstack_client(self, identity, client_name): identity_creds = self.parse_identity(identity) username = identity_creds["username"] password = identity_creds["password"] project_name = identity_creds["tenant_name"] all_creds = self._get_openstack_credentials(username, password, project_name) if client_name == "neutron": return self.get_neutron_client(all_creds) elif client_name == "glance": return self.get_glance_client(all_creds) elif client_name == "keystone": return self.get_user_clients(all_creds)["keystone"] elif client_name == "nova": return self.get_user_clients(all_creds)["nova"] elif client_name == "swift": return self.get_user_clients(all_creds)["swift"] elif client_name == "openstack": return self.get_openstack_sdk_client(all_creds) else: raise ValueError("Invalid client_name %s" % client_name) def get_glance_client(self, all_creds): image_creds = self._build_image_creds(all_creds) _, _, glance = self.image_manager._new_connection(**image_creds) return glance def get_neutron_client(self, all_creds): net_creds = self._build_network_creds(all_creds) neutron = self.network_manager.new_connection(**net_creds) return neutron def get_user_clients(self, all_creds): user_creds = self._build_user_creds(all_creds) (keystone, nova, swift) = self.user_manager.new_connection(**user_creds) return {"keystone": keystone, "nova": nova, "swift": swift} def get_openstack_sdk_client(self, all_creds): sdk_creds = self._build_sdk_creds(all_creds) openstack_sdk = _connect_to_openstack_sdk(**sdk_creds) return openstack_sdk def _get_openstack_credentials(self, username, password=None, tenant_name=None): if not tenant_name: tenant_name = self.get_project_name_for(username) if not password: password = self.hashpass(tenant_name) version = self.user_manager.keystone_version() if version == 2: ex_version = "2.0_password" elif version == 3: ex_version = "3.x_password" osdk_creds = { "auth_url": self.user_manager.nova.client.auth_url.replace("/v3", "").replace("/v2.0", ""), "admin_url": self.user_manager.keystone._management_url.replace("/v2.0", "").replace("/v3", ""), "ex_force_auth_version": ex_version, "region_name": self.user_manager.nova.client.region_name, "username": username, "password": password, "tenant_name": tenant_name, } return osdk_creds # Credential manipulaters def _libcloud_to_openstack(self, credentials): credentials["username"] = credentials.pop("key") credentials["password"] = credentials.pop("secret") credentials["tenant_name"] = credentials.pop("ex_tenant_name") return credentials def _base_network_creds(self): """ These credentials should be used when another user/pass/tenant combination will be used NOTE: JETSTREAM auth_url to be '/v3' """ net_args = self.provider_creds.copy() # NOTE: The neutron 'auth_url' is the ADMIN_URL net_args["auth_url"] = net_args.pop("admin_url").replace("/tokens", "").replace("/v2.0", "").replace("/v3", "") if self.identity_version == 3: auth_prefix = "/v3" elif self.identity_version == 2: auth_prefix = "/v2.0" if auth_prefix not in net_args["auth_url"]: net_args["auth_url"] += auth_prefix return net_args def _build_network_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "NetworkManager" object NOTE: JETSTREAM auth_url to be '/v3' """ net_args = credentials.copy() # Required: net_args.get("username") net_args.get("password") net_args.get("tenant_name") net_args.get("router_name") net_args.get("region_name") # NOTE: The neutron 'auth_url' is the ADMIN_URL net_args["auth_url"] = net_args.pop("admin_url").replace("/tokens", "") # Ignored: net_args.pop("location", None) net_args.pop("ex_project_name", None) net_args.pop("ex_force_auth_version", None) auth_url = net_args.get("auth_url") if self.identity_version == 3: auth_prefix = "/v3" elif self.identity_version == 2: auth_prefix = "/v2.0" net_args["auth_url"] = auth_url.replace("/v2.0", "").replace("/v3", "").replace("/tokens", "") if auth_prefix not in net_args["auth_url"]: net_args["auth_url"] += auth_prefix return net_args def _build_image_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object NOTE: Expects auth_url to be '/v2.0/tokens' NOTE: JETSTREAM auth_url to be '/v3' """ img_args = credentials.copy() # Required: for required_arg in ["username", "password", "tenant_name", "auth_url", "region_name"]: if required_arg not in img_args or not img_args[required_arg]: raise ValueError("ImageManager is missing a Required Argument: %s" % required_arg) ex_auth_version = img_args.get("ex_force_auth_version", "2.0_password") # Supports v2.0 or v3 Identity if ex_auth_version.startswith("2"): auth_url_prefix = "/v2.0/tokens" auth_version = "v2.0" elif ex_auth_version.startswith("3"): auth_url_prefix = "/v3/tokens" auth_version = "v3" img_args["version"] = auth_version img_args["auth_url"] = ( img_args.get("auth_url", "").replace("/v2.0", "").replace("/tokens", "").replace("/v3", "") ) if auth_url_prefix not in img_args["auth_url"]: img_args["auth_url"] += auth_url_prefix return img_args def _build_user_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object NOTE: Expects auth_url to be '/v2.0' """ user_args = credentials.copy() # Required args: user_args.get("username") user_args.get("password") user_args.get("tenant_name") ex_auth_version = user_args.pop("ex_force_auth_version", "2.0_password") # Supports v2.0 or v3 Identity if ex_auth_version.startswith("2"): auth_url_prefix = "/v2.0/" auth_version = "v2.0" elif ex_auth_version.startswith("3"): auth_url_prefix = "/v3/" auth_version = "v3" auth_url = user_args.get("auth_url") user_args["auth_url"] = auth_url.replace("/v2.0", "").replace("/tokens", "") if auth_url_prefix not in user_args["auth_url"]: user_args["auth_url"] += auth_url_prefix user_args.get("region_name") user_args["version"] = user_args.get("version", auth_version) # Removable args: user_args.pop("admin_url", None) user_args.pop("location", None) user_args.pop("router_name", None) user_args.pop("ex_project_name", None) return user_args def _build_sdk_creds(self, credentials): """ Credentials - dict() return the credentials required to build an "Openstack SDK" connection NOTE: Expects auth_url to be ADMIN aand be '/v3' """ os_args = credentials.copy() # Required args: os_args.get("username") os_args.get("password") if "tenant_name" in os_args and "project_name" not in os_args: os_args["project_name"] = os_args.get("tenant_name") os_args.get("region_name") ex_auth_version = os_args.pop("ex_force_auth_version", "2.0_password") # Supports v2.0 or v3 Identity if ex_auth_version.startswith("2"): auth_url_prefix = "/v2.0/" auth_version = "v2.0" elif ex_auth_version.startswith("3"): auth_url_prefix = "/v3/" auth_version = "v3" os_args["auth_url"] = os_args.get("auth_url").replace("/tokens", "").replace("/v2.0", "").replace("/v3", "") # NOTE: Openstack 'auth_url' is ACTUALLY the admin url. if auth_url_prefix not in os_args["admin_url"]: os_args["auth_url"] = os_args["admin_url"] + auth_url_prefix if "project_domain_name" not in os_args: os_args["project_domain_name"] = "default" if "user_domain_name" not in os_args: os_args["user_domain_name"] = "default" if "identity_api_version" not in os_args: os_args[ "identity_api_version" ] = 3 # NOTE: this is what we use to determine whether or not to make openstack_sdk # Removable args: os_args.pop("ex_force_auth_version", None) os_args.pop("admin_url", None) os_args.pop("location", None) os_args.pop("router_name", None) os_args.pop("ex_project_name", None) os_args.pop("ex_tenant_name", None) os_args.pop("tenant_name", None) return os_args
class AccountDriver(CachedAccountDriver): user_manager = None image_manager = None network_manager = None core_provider = None MASTER_RULES_LIST = [ ("ICMP", 0, 255), # FTP Access ("UDP", 20, 20), # FTP data transfer ("TCP", 20, 21), # FTP control # SSH & Telnet Access ("TCP", 22, 23), ("UDP", 22, 23), # SMTP Mail # HTTP Access ("TCP", 80, 80), # POP Mail # SFTP Access ("TCP", 115, 115), # SQL Access # IMAP Access # SNMP Access # LDAP Access ("TCP", 389, 389), ("UDP", 389, 389), # HTTPS Access ("TCP", 443, 443), # LDAPS Access ("TCP", 636, 636), ("UDP", 636, 636), # Open up >1024 ("TCP", 1024, 4199), ("UDP", 1024, 4199), # SKIP PORT 4200.. See Below ("TCP", 4201, 65535), ("UDP", 4201, 65535), # Poke hole in 4200 for iPlant VMs proxy-access only (Shellinabox) ("TCP", 4200, 4200, "128.196.0.0/16"), ("UDP", 4200, 4200, "128.196.0.0/16"), ("TCP", 4200, 4200, "150.135.0.0/16"), ("UDP", 4200, 4200, "150.135.0.0/16"), ] def clear_cache(self): self.admin_driver.provider.machineCls.invalidate_provider_cache( self.admin_driver.provider) return self.admin_driver def _init_by_provider(self, provider, *args, **kwargs): from service.driver import get_esh_driver self.core_provider = provider provider_creds = provider.get_credentials() self.provider_creds = provider_creds admin_identity = provider.admin admin_creds = admin_identity.get_credentials() self.admin_driver = get_esh_driver(admin_identity) admin_creds = self._libcloud_to_openstack(admin_creds) all_creds = {'location': provider.get_location()} all_creds.update(admin_creds) all_creds.update(provider_creds) return all_creds def __init__(self, provider=None, *args, **kwargs): super(AccountDriver, self).__init__() if provider: all_creds = self._init_by_provider(provider, *args, **kwargs) else: all_creds = kwargs if 'location' in all_creds: self.namespace = "Atmosphere_OpenStack:%s" % all_creds['location'] else: logger.info("Using default namespace.. Could cause conflicts if " "switching between providers. To avoid ambiguity, " "provide the kwarg: location='provider_prefix'") # Build credentials for each manager self.user_creds = self._build_user_creds(all_creds) self.image_creds = self._build_image_creds(all_creds) self.net_creds = self._build_network_creds(all_creds) # Initialize managers with respective credentials self.user_manager = UserManager(**self.user_creds) self.image_manager = ImageManager(**self.image_creds) self.network_manager = NetworkManager(**self.net_creds) def create_account(self, username, password=None, project_name=None, role_name=None, quota=None, max_quota=False): """ Create (And Update "latest changes") to an account """ if not self.core_provider: raise Exception("AccountDriver not initialized by provider," " cannot create identity. For account creation use" " build_account()") if username in self.core_provider.list_admin_names(): return (username, password, project) = self.build_account( username, password, project_name, role_name, max_quota) ident = self.create_identity(username, password, project.name, quota=quota, max_quota=max_quota) return ident def build_account(self, username, password, project_name=None, role_name=None, max_quota=False): finished = False # Attempt account creation while not finished: try: if not password: password = self.hashpass(username) if not project_name: project_name = username # 1. Create Project: should exist before creating user project = self.user_manager.get_project(project_name) if not project: project = self.user_manager.create_project(project_name) # 2. Create User (And add them to the project) user = self.get_user(username) if not user: logger.info("Creating account: %s - %s - %s" % (username, password, project)) user = self.user_manager.create_user(username, password, project) # 3.1 Include the admin in the project # TODO: providercredential initialization of # "default_admin_role" self.user_manager.include_admin(project_name) # 3.2 Check the user has been given an appropriate role if not role_name: role_name = "_member_" self.user_manager.add_project_membership( project_name, username, role_name) # 4. Create a security group -- SUSPENDED.. Will occur on # instance launch instead. # self.init_security_group(user, password, project, # project.name, # self.MASTER_RULES_LIST) # 5. Create a keypair to use when launching with atmosphere self.init_keypair(user.name, password, project.name) finished = True except ConnectionError: logger.exception("Connection reset by peer. " "Waiting for one minute.") time.sleep(60) # Wait one minute except OverLimit: logger.exception("OverLimit on POST requests. " "Waiting for one minute.") time.sleep(60) # Wait one minute return (username, password, project) def init_keypair(self, username, password, project_name): keyname = settings.ATMOSPHERE_KEYPAIR_NAME with open(settings.ATMOSPHERE_KEYPAIR_FILE, "r") as pub_key_file: public_key = pub_key_file.read() return self.get_or_create_keypair(username, password, project_name, keyname, public_key) def init_security_group(self, username, password, project_name, security_group_name, rules_list): # 4.1. Update the account quota to hold a larger number of # roles than what is necessary user = self.user_manager.keystone.users.find(name=username) project = self.user_manager.keystone.tenants.find(name=project_name) nc = self.user_manager.nova rule_max = max(len(rules_list), 100) nc.quotas.update(project.id, security_group_rules=rule_max) # Change the description of the security group to match the project # name try: # Create the default security group nova = self.user_manager.build_nova(username, password, project_name) sec_groups = nova.security_groups.list() if not sec_groups: nova.security_group.create("default", project_name) self.network_manager.rename_security_group(project) except ConnectionError as ce: logger.exception( "Failed to establish connection." " Security group creation FAILED") return None except NeutronClientException as nce: if nce.status_code != 404: logger.exception("Encountered unknown exception while renaming" " the security group") return None # Start creating security group return self.user_manager.build_security_group( user.name, password, project.name, security_group_name, rules_list) def add_rules_to_security_groups(self, core_identity_list, security_group_name, rules_list): for identity in core_identity_list: creds = self.parse_identity(identity) sec_group = self.user_manager.find_security_group( creds["username"], creds["password"], creds["tenant_name"], security_group_name) if not sec_group: raise Exception("No security gruop found matching name %s" % security_group_name) self.user_manager.add_security_group_rules( creds["username"], creds["password"], creds["tenant_name"], security_group_name, rules_list) def get_or_create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) nova = clients["nova"] keypairs = nova.keypairs.list() for kp in keypairs: if kp.name == keyname: if kp.public_key != public_key: raise Exception( "Mismatched public key found for keypair named: %s" ". Expected: %s Original: %s" % (keyname, public_key, kp.public_key)) return (kp, False) return (self.create_keypair( username, password, project_name, keyname, public_key), True) def create_keypair(self, username, password, project_name, keyname, public_key): """ keyname - Name of the keypair public_key - Contents of public key in OpenSSH format """ clients = self.get_openstack_clients(username, password, project_name) nova = clients["nova"] keypair = nova.keypairs.create( keyname, public_key=public_key) return keypair def rebuild_security_groups(self, core_identity, rules_list=None): creds = self.parse_identity(core_identity) if not rules_list: rules_list = self.MASTER_RULES_LIST return self.user_manager.build_security_group( creds["username"], creds["password"], creds["tenant_name"], creds["tenant_name"], rules_list, rebuild=True) def parse_identity(self, core_identity): identity_creds = self._libcloud_to_openstack( core_identity.get_credentials()) return identity_creds def clean_credentials(self, credential_dict): """ This function cleans up a dictionary of credentials. After running this function: * Erroneous dictionary keys are removed * Missing credentials are listed """ creds = ["username", "password", "project_name"] missing_creds = [] # 1. Remove non-credential information from the dict for key in credential_dict.keys(): if key not in creds: credential_dict.pop(key) # 2. Check the dict has all the required credentials for c in creds: if not hasattr(credential_dict, c): missing_creds.append(c) return missing_creds def create_identity(self, username, password, project_name, quota=None, max_quota=False, account_admin=False): if not self.core_provider: raise Exception("AccountDriver not initialized by provider, " "cannot create identity") identity = Identity.create_identity( username, self.core_provider.location, quota=quota, # Flags.. max_quota=max_quota, account_admin=account_admin, # Pass in credentials with cred_ namespace cred_key=username, cred_secret=password, cred_ex_tenant_name=project_name, cred_ex_project_name=project_name) # Return the identity return identity def rebuild_project_network(self, username, project_name, dns_nameservers=[]): self.network_manager.delete_project_network(username, project_name) net_args = self._base_network_creds() self.network_manager.create_project_network( username, self.hashpass(username), project_name, get_unique_number=get_uid_number, dns_nameservers=dns_nameservers, **net_args) return True def delete_security_group(self, identity): identity_creds = self.parse_identity(identity) project_name = identity_creds["tenant_name"] project = self.user_manager.keystone.tenants.find(name=project_name) sec_group_r = self.network_manager.neutron.list_security_groups( tenant_id=project.id) sec_groups = sec_group_r["security_groups"] for sec_group in sec_groups: self.network_manager.neutron.delete_security_group(sec_group["id"]) return True def delete_network(self, identity, remove_network=True): # Core credentials need to be converted to openstack names identity_creds = self.parse_identity(identity) username = identity_creds["username"] project_name = identity_creds["tenant_name"] # Convert from libcloud names to openstack client names return self.network_manager.delete_project_network( username, project_name, remove_network=remove_network) def create_network(self, identity): # Core credentials need to be converted to openstack names identity_creds = self.parse_identity(identity) username = identity_creds["username"] password = identity_creds["password"] project_name = identity_creds["tenant_name"] dns_nameservers = [ dns_server.ip_address for dns_server in identity.provider.dns_server_ips.order_by('order')] # Convert from libcloud names to openstack client names net_args = self._base_network_creds() return self.network_manager.create_project_network( username, password, project_name, get_unique_number=get_uid_number, dns_nameservers=dns_nameservers, **net_args) # Useful methods called from above.. def get_or_create_user(self, username, password=None, project=None, admin=False): user = self.get_user(username) if user: return user user = self.create_user(username, password, usergroup, admin) return user def create_user(self, username, password=None, usergroup=True, admin=False): if not password: password = self.hashpass(username) if usergroup: (project, user, role) = self.user_manager.add_usergroup( username, password, True, admin) else: user = self.user_manager.add_user(username, password) project = self.user_manager.get_project(username) # TODO: Instead, return user.get_user match, or call it if you have # to.. return user def delete_account(self, username, projectname): self.os_delete_account(username, projectname) Identity.delete_identity(username, self.core_provider.location) def os_delete_account(self, username, projectname): project = self.user_manager.get_project(projectname) # 1. Network cleanup if project: self.network_manager.delete_project_network(username, projectname) # 2. Role cleanup (Admin too) self.user_manager.delete_all_roles(username, projectname) adminuser = self.user_manager.keystone.username self.user_manager.delete_all_roles(adminuser, projectname) # 3. Project cleanup self.user_manager.delete_project(projectname) # 4. User cleanup user = self.user_manager.get_user(username) if user: self.user_manager.delete_user(username) return True def hashpass(self, username): # TODO: Must be better. return sha1(username).hexdigest() def get_project_name_for(self, username): """ This should always map project to user For now, they are identical.. """ return username def _get_image(self, *args, **kwargs): return self.image_manager.get_image(*args, **kwargs) # For one-time caching def _list_all_images(self, *args, **kwargs): return self.image_manager.list_images(*args, **kwargs) def tenant_instances_map( self, status_list=[], match_all=False, include_empty=False): """ Maps 'Tenant' objects to all the 'owned instances' as listed by the admin driver Optional fields: * status_list (list) - If provided, only include instance if it's status/tmp_status matches a value in the list. * match_all (bool) - If True, instances must match ALL words in the list. * include_empty (bool) - If True, include ALL tenants in the map. """ all_projects = self.list_projects() all_instances = self.list_all_instances() if include_empty: project_map = {proj: [] for proj in all_projects} else: project_map = {} for instance in all_instances: try: # NOTE: will someday be 'projectId' tenant_id = instance.extra['tenantId'] project = [p for p in all_projects if p.id == tenant_id][0] except (ValueError, KeyError): raise Exception( "The implementaion for recovering a tenant id has changed. Update the code base above this line!") metadata = instance._node.extra.get('metadata', {}) instance_status = instance.extra.get('status') task = instance.extra.get('task') tmp_status = metadata.get('tmp_status', '') if status_list: if match_all: truth = all( True if ( status_name and status_name in [ instance_status, task, tmp_status]) else False for status_name in status_list) else: truth = any( True if ( status_name and status_name in [ instance_status, task, tmp_status]) else False for status_name in status_list) if not truth: logger.info( "Found an instance:%s for tenant:%s but skipped because %s could be found in the list: (%s - %s - %s)" % (instance.id, project.name, "none of the status_names" if not match_all else "not all of the status names", instance_status, task, tmp_status)) continue instance_list = project_map.get(project, []) instance_list.append(instance) project_map[project] = instance_list return project_map def list_all_instances(self, **kwargs): return self.admin_driver.list_all_instances(**kwargs) def list_all_images(self, **kwargs): return self.image_manager.list_images(**kwargs) def get_project_by_id(self, project_id): return self.user_manager.get_project_by_id(project_id) def get_project(self, project_name): return self.user_manager.get_project(project_name) def _make_tenant_id_map(self): all_projects = self.list_projects() tenant_id_map = {project.id: project.name for project in all_projects} return tenant_id_map def list_projects(self): return self.user_manager.list_projects() def get_user(self, user): return self.user_manager.get_user(user) def list_users(self): return self.user_manager.list_users() def list_usergroup_names(self): return [user.name for (user, project) in self.list_usergroups()] def list_usergroups(self): """ TODO: This function is AWFUL just scrap it. """ users = self.list_users() groups = self.list_projects() usergroups = [] admin_usernames = self.core_provider.list_admin_names() for group in groups: for user in users: if user.name in admin_usernames: continue if user.name in group.name: usergroups.append((user, group)) break return usergroups def _get_horizon_url(self, tenant_id): parsed_url = urlparse(self.provider_creds["auth_url"]) return "https://%s/horizon/auth/switch/%s/?next=/horizon/project/" %\ (parsed_url.hostname, tenant_id) def get_openstack_clients(self, username, password=None, tenant_name=None): # TODO: I could replace with identity.. but should I? from rtwo.drivers.common import _connect_to_openstack_sdk user_creds = self._get_openstack_credentials( username, password, tenant_name) neutron = self.network_manager.new_connection(**user_creds) keystone, nova, glance = self.image_manager._new_connection( **user_creds) openstack_sdk = _connect_to_openstack_sdk(**user_creds) return { "glance": glance, "keystone": keystone, "nova": nova, "neutron": neutron, "horizon": self._get_horizon_url(keystone.tenant_id) } def _get_openstack_credentials(self, username, password=None, tenant_name=None): if not tenant_name: tenant_name = self.get_project_name_for(username) if not password: password = self.hashpass(tenant_name) user_creds = { "auth_url": self.user_manager.nova.client.auth_url, "region_name": self.user_manager.nova.client.region_name, "username": username, "password": password, "tenant_name": tenant_name } return user_creds # Credential manipulaters def _libcloud_to_openstack(self, credentials): credentials["username"] = credentials.pop("key") credentials["password"] = credentials.pop("secret") credentials["tenant_name"] = credentials.pop("ex_tenant_name") return credentials def _base_network_creds(self): """ These credentials should be used when another user/pass/tenant combination will be used """ net_args = self.provider_creds.copy() net_args["auth_url"] = net_args.pop("admin_url").replace("/tokens", "") return net_args def _build_network_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "NetworkManager" object """ net_args = credentials.copy() # Required: net_args.get("username") net_args.get("password") net_args.get("tenant_name") net_args.get("router_name") net_args.get("region_name") # Ignored: net_args["auth_url"] = net_args.pop("admin_url").replace("/tokens", "") net_args.pop("location", None) net_args.pop("ex_project_name", None) return net_args def _build_image_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object """ img_args = credentials.copy() # Required: for required_arg in [ "username", "password", "tenant_name", "auth_url", "region_name"]: if required_arg not in img_args or not img_args[required_arg]: raise ValueError( "ImageManager is missing a Required Argument: %s" % required_arg) return img_args def _build_user_creds(self, credentials): """ Credentials - dict() return the credentials required to build a "UserManager" object """ user_args = credentials.copy() # Required args: user_args.get("username") user_args.get("password") user_args.get("tenant_name") user_args["auth_url"] = user_args.get("auth_url")\ .replace("/tokens", "") user_args.get("region_name") # Removable args: user_args.pop("admin_url", None) user_args.pop("location", None) user_args.pop("router_name", None) user_args.pop("ex_project_name", None) return user_args