示例#1
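    def _get_keystone_conn(self):
        """Create the Keystone client on first use and cache it in ``self._ks``.

        Does nothing when ``self._ks`` is already set. Authentication uses
        the admin token when one is configured; otherwise it uses
        username/password plus the user-domain and scope kwargs derived from
        ``self._config_sections``. If version discovery fails while password
        auth is in use, the v3-only kwargs are dropped and the request is
        retried scoped to ``self._admin_tenant``.

        Raises:
            kexceptions.DiscoveryFailure: discovery failed while token auth
                was in use, so there are no password kwargs to retry with.
        """
        if self._ks:
            return

        # ``verify`` is a CA bundle path when certs are in use, otherwise a
        # bool. With ``_insecure`` set it becomes False, which is handed to
        # the session that carries the admin credentials below.
        # NOTE(review): confirm ``_insecure`` is never set outside lab setups.
        verify = self._kscertbundle if self._use_certs else not self._insecure

        # Stays None on the token path so the discovery fallback can tell
        # that there are no password kwargs to rework.
        kwargs = None
        if self._admin_token:
            auth = kauth.token.Token(self._auth_url, token=self._admin_token)
        else:
            kwargs = {
                'username': self._auth_user,
                'password': self._auth_passwd,
            }
            # Add user domain info
            kwargs.update(
                **cfgmutils.get_user_domain_kwargs(self._config_sections))
            # Get project scope auth params
            scope_kwargs = cfgmutils.get_project_scope_kwargs(
                self._config_sections)
            if not scope_kwargs:
                # Default to domain scoped auth
                scope_kwargs = cfgmutils.get_domain_scope_kwargs(
                    self._config_sections)
            kwargs.update(**scope_kwargs)
            auth = kauth.password.Password(self._auth_url, **kwargs)

        sess = ksession.Session(auth=auth, verify=verify)

        try:
            self._ks = kclient.Client(session=sess, auth_url=self._auth_url)
        except kexceptions.DiscoveryFailure:
            if kwargs is None:
                # Token auth built no kwargs; the fallback below would die
                # with UnboundLocalError and hide the real discovery error.
                raise
            # Probably a v2 Keystone API, remove v3 args and try again
            v3_args = ['user_domain_name', 'project_domain_name', 'domain_id']
            for arg in v3_args:
                kwargs.pop(arg, None)
            kwargs['project_name'] = self._admin_tenant
            auth = kauth.password.Password(self._auth_url, **kwargs)
            sess = ksession.Session(auth=auth, verify=verify)
            self._ks = kclient.Client(session=sess, auth_url=self._auth_url)

        if self._endpoint_type and auth.auth_ref.service_catalog:
            # NOTE(review): ``[0]`` assumes the catalog yields at least one
            # identity URL for this endpoint type -- confirm.
            self._ks.management_url = \
                auth.auth_ref.service_catalog.get_urls(
                    service_type='identity',
                    endpoint_type=self._endpoint_type)[0]

        ConnectionState.update(conn_type=ConnType.OTHER,
                               name='Keystone',
                               status=ConnectionStatus.UP,
                               message='',
                               server_addrs=[self._auth_url])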
    def __init__(self, server_mgr, args):
        self.args = args
        _kscertbundle=''
        if args.auth_protocol == 'https' and args.cafile:
            certs=[args.cafile]
            if args.keyfile and args.certfile:
                certs=[args.certfile, args.keyfile, args.cafile]
            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
        self._conf_info = {
            'admin_port': args.admin_port,
            'max_requests': args.max_requests,
            'region_name': args.region_name,
            'insecure': args.insecure,
            'signing_dir': args.signing_dir,
        }
        if args.auth_url:
            auth_url = args.auth_url
        else:
            auth_url = '%s://%s:%s/%s' % (
                    args.auth_protocol, args.auth_host, args.auth_port,
                    _DEFAULT_KS_VERSION)
        if 'v2.0' in auth_url.split('/'):
            identity_uri = '%s://%s:%s' % (
                    args.auth_protocol, args.auth_host, args.auth_port)
            self._conf_info.update({
                'auth_host': args.auth_host,
                'auth_port': args.auth_port,
                'auth_protocol': args.auth_protocol,
                'admin_user': args.admin_user,
                'admin_password': args.admin_password,
                'admin_tenant_name': args.admin_tenant_name,
                'identity_uri': identity_uri})
        else:
            self._conf_info.update({
                'auth_type': args.auth_type,
                'auth_url': auth_url,
                'username': args.admin_user,
                'password': args.admin_password,
            })
            # Add user domain info
            self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args))
            # Get project scope auth params
            scope_kwargs = cfgmutils.get_project_scope_kwargs(args)
            if not scope_kwargs:
                # Default to domain scoped auth
                scope_kwargs = cfgmutils.get_domain_scope_kwargs(args)
            self._conf_info.update(**scope_kwargs)

        if _kscertbundle:
            self._conf_info['cafile'] = _kscertbundle
        self._server_mgr = server_mgr
        self._auth_method = args.auth
        self._auth_middleware = None
        self._mt_rbac = server_mgr.is_rbac_enabled()
        self._auth_needed = server_mgr.is_auth_needed()
        if not self._auth_method:
            return
        if self._auth_method != 'keystone':
            raise UnknownAuthMethod()

        # map keystone id to users. Needed for quantum plugin because contrail
        # plugin doesn't have access to user token and ends up sending admin
        # admin token along with user-id and role
        self._ks_users = {}

        # configure memcache if enabled
        if self._auth_needed and 'memcache_servers' in args:
            self._conf_info[
                'memcached_servers'] = args.memcache_servers.split(',')
            if 'token_cache_time' in args:
                self._conf_info['token_cache_time'] = args.token_cache_time
        self._user_auth_middleware = None
        self._hdr_from_token_auth_middleware = None
    def __init__(self, server_mgr, args):
        self.args = args
        _kscertbundle = ''
        if args.auth_protocol == 'https' and args.cafile:
            certs = [args.cafile]
            if args.keyfile and args.certfile:
                certs = [args.certfile, args.keyfile, args.cafile]
            _kscertbundle = cfgmutils.getCertKeyCaBundle(
                _DEFAULT_KS_CERT_BUNDLE, certs)
        self._conf_info = {
            'admin_port': args.admin_port,
            'max_requests': args.max_requests,
            'region_name': args.region_name,
            'insecure': args.insecure,
            'signing_dir': args.signing_dir,
        }
        if args.auth_url:
            auth_url = args.auth_url
        else:
            auth_url = '%s://%s:%s/%s' % (args.auth_protocol, args.auth_host,
                                          args.auth_port, _DEFAULT_KS_VERSION)
        if 'v2.0' in auth_url.split('/'):
            identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host,
                                           args.auth_port)
            self._conf_info.update({
                'auth_host': args.auth_host,
                'auth_port': args.auth_port,
                'auth_protocol': args.auth_protocol,
                'admin_user': args.admin_user,
                'admin_password': args.admin_password,
                'admin_tenant_name': args.admin_tenant_name,
                'identity_uri': identity_uri
            })
        else:
            self._conf_info.update({
                'auth_type': args.auth_type,
                'auth_url': auth_url,
                'username': args.admin_user,
                'password': args.admin_password,
            })
            # Add user domain info
            self._conf_info.update(**cfgmutils.get_user_domain_kwargs(args))
            # Get project scope auth params
            scope_kwargs = cfgmutils.get_project_scope_kwargs(args)
            if not scope_kwargs:
                # Default to domain scoped auth
                scope_kwargs = cfgmutils.get_domain_scope_kwargs(args)
            self._conf_info.update(**scope_kwargs)

        if _kscertbundle:
            self._conf_info['cafile'] = _kscertbundle
        self._server_mgr = server_mgr
        self._auth_method = args.auth
        self._auth_middleware = None
        self._mt_rbac = server_mgr.is_rbac_enabled()
        self._auth_needed = server_mgr.is_auth_needed()
        if not self._auth_method:
            return
        if self._auth_method != 'keystone':
            raise UnknownAuthMethod()

        # map keystone id to users. Needed for quantum plugin because contrail
        # plugin doesn't have access to user token and ends up sending admin
        # admin token along with user-id and role
        self._ks_users = {}

        # configure memcache if enabled
        if self._auth_needed and 'memcache_servers' in args:
            self._conf_info['memcached_servers'] = args.memcache_servers.split(
                ',')
            if 'token_cache_time' in args:
                self._conf_info['token_cache_time'] = args.token_cache_time
        self._user_auth_middleware = None
        self._hdr_from_token_auth_middleware = None