def _validate_deferred_auth_context(self, cnxt, stack):
    """Check that the context carries credentials for deferred operations.

    The check only applies when the configured deferred_auth_method is
    'password' and the stack reports that it requires deferred auth;
    in every other case the method returns without inspecting cnxt.

    Raises MissingCredentialError naming 'X-Auth-User' when cnxt.username
    is None, otherwise naming 'X-Auth-Key' when cnxt.password is None.
    """
    uses_password = cfg.CONF.deferred_auth_method == 'password'
    # Short-circuit keeps the stack from being queried unless password
    # mode is active.
    if not (uses_password and stack.requires_deferred_auth()):
        return

    # Only presence is verified (is None); an empty string passes.
    # The username is examined before the password, so a context missing
    # both is reported as missing 'X-Auth-User'.
    header_for = (('username', 'X-Auth-User'), ('password', 'X-Auth-Key'))
    for attr, header in header_for:
        if getattr(cnxt, attr) is None:
            raise exception.MissingCredentialError(required=header)
def check_auth_params(self):
    """Ensure that supplied credential parameters are as required.

    'username', 'password', 'auth_url' and 'strategy' must all be keys of
    self.creds, the strategy must be 'keystone', and a v2.0 auth_url also
    needs a 'tenant' key.

    Raises MissingCredentialError for the first absent key and
    BadAuthStrategy when the strategy is not 'keystone'.
    """
    creds = self.creds

    # Only key presence is tested; the values are not checked for being
    # empty or None here.
    mandatory = ('username', 'password', 'auth_url', 'strategy')
    absent = next((key for key in mandatory if key not in creds), None)
    if absent is not None:
        raise exception.MissingCredentialError(required=absent)

    strategy = creds['strategy']
    if strategy != 'keystone':
        raise exception.BadAuthStrategy(expected='keystone',
                                        received=strategy)

    # For v2.0 also check tenant is present. The version is recognised
    # purely from the URL suffix, ignoring any trailing slashes.
    is_v2 = creds['auth_url'].rstrip('/').endswith('v2.0')
    if is_v2 and 'tenant' not in creds:
        raise exception.MissingCredentialError(required='tenant')
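def create_trust_context(self):
    """Create a trust using the trustor identity in the current context.

    The trust is created with the trustee as the heat service user.

    If the current context already contains a trust_id, we do nothing
    and return the current context.

    The delegated roles are chosen in this order: the configured
    trusts_delegated_roles (by name); otherwise the role ids listed in
    the context's token info; otherwise the role names on the context.

    Returns a context containing the new trust_id.

    Raises AuthorizationFailure when looking up the trustee user id is
    rejected as Unauthorized, and MissingCredentialError when keystone
    reports NotFound while creating the trust.
    """
    if self.context.trust_id:
        return self.context

    # We need the service admin user ID (not name), as the trustor user
    # can't lookup the ID in keystoneclient unless they're admin
    # workaround this by getting the user_id from admin_client
    try:
        trustee_user_id = self.context.trusts_auth_plugin.get_user_id(
            self.session)
    except ks_exception.Unauthorized:
        LOG.error("Domain admin client authentication failed")
        raise exception.AuthorizationFailure()

    trustor_user_id = self.context.auth_plugin.get_user_id(self.session)
    trustor_proj_id = self.context.auth_plugin.get_project_id(self.session)

    role_kw = {}
    # inherit the roles of the trustor, unless set trusts_delegated_roles.
    # With the option unset the trust carries every role the trustor
    # holds; setting trusts_delegated_roles is what narrows the delegation.
    if cfg.CONF.trusts_delegated_roles:
        role_kw['role_names'] = cfg.CONF.trusts_delegated_roles
    else:
        token_info = self.context.auth_token_info
        if token_info and token_info.get('token', {}).get('roles'):
            role_kw['role_ids'] = [
                r['id'] for r in token_info['token']['roles']
            ]
        else:
            role_kw['role_names'] = self.context.roles

    # Redelegation is requested only when reauthentication uses trusts
    # and the operator has enabled allow_trusts_redelegation.
    allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
                          and cfg.CONF.allow_trusts_redelegation)
    try:
        # impersonation=True: tokens obtained through this trust act as
        # the trustor user, so the trust_id should be handled as a
        # credential for that user within the delegated project and roles.
        trust = self.client.trusts.create(
            trustor_user=trustor_user_id,
            trustee_user=trustee_user_id,
            project=trustor_proj_id,
            impersonation=True,
            allow_redelegation=allow_redelegation,
            **role_kw)
    except ks_exception.NotFound:
        # Pass the values as logging arguments so the message is only
        # formatted when debug logging is enabled.
        LOG.debug("Failed to find roles %s for user %s",
                  role_kw, trustor_user_id)
        raise exception.MissingCredentialError(
            required=_("roles %s") % role_kw)

    context_data = self.context.to_dict()
    # NOTE(review): presumably keeps from_dict from replacing the current
    # request context with the copy - confirm against RequestContext.
    context_data['overwrite'] = False
    trust_context = context.RequestContext.from_dict(context_data)
    trust_context.trust_id = trust.id
    trust_context.trustor_user_id = trustor_user_id
    return trust_context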
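def create_trust_context(self):
    """Create a trust using the trustor identity in the current context.

    The trust is created with the trustee as the heat service user.

    If the current context already contains a trust_id, we do nothing
    and return the current context.

    The delegated roles are the configured trusts_delegated_roles when
    that option is set, otherwise the role names on the current context.

    Returns a context containing the new trust_id.

    Raises AuthorizationFailure when looking up the trustee user id is
    rejected as Unauthorized, and MissingCredentialError when keystone
    reports NotFound while creating the trust.
    """
    if self.context.trust_id:
        return self.context

    # We need the service admin user ID (not name), as the trustor user
    # can't lookup the ID in keystoneclient unless they're admin
    # workaround this by getting the user_id from admin_client
    try:
        trustee_user_id = self.context.trusts_auth_plugin.get_user_id(
            self.session)
    except kc_exception.Unauthorized:
        LOG.error(_LE("Domain admin client authentication failed"))
        raise exception.AuthorizationFailure()

    trustor_user_id = self.context.auth_plugin.get_user_id(self.session)
    trustor_proj_id = self.context.auth_plugin.get_project_id(self.session)

    # inherit the roles of the trustor, unless set trusts_delegated_roles.
    # With the option unset the trust carries every role on the context;
    # setting trusts_delegated_roles is what narrows the delegation.
    if cfg.CONF.trusts_delegated_roles:
        roles = cfg.CONF.trusts_delegated_roles
    else:
        roles = self.context.roles

    try:
        # impersonation=True: tokens obtained through this trust act as
        # the trustor user, so the trust_id should be handled as a
        # credential for that user within the delegated project and roles.
        trust = self.client.trusts.create(trustor_user=trustor_user_id,
                                          trustee_user=trustee_user_id,
                                          project=trustor_proj_id,
                                          impersonation=True,
                                          role_names=roles)
    except kc_exception.NotFound:
        # Pass the values as logging arguments so the message is only
        # formatted when debug logging is enabled.
        LOG.debug("Failed to find roles %s for user %s",
                  roles, trustor_user_id)
        # Wrap roles in a 1-tuple: a tuple-valued roles would otherwise
        # be unpacked by % and raise TypeError inside this handler,
        # hiding the intended error. Lists format exactly as before.
        raise exception.MissingCredentialError(
            required=_("roles %s") % (roles,))

    context_data = self.context.to_dict()
    # NOTE(review): presumably keeps from_dict from replacing the current
    # request context with the copy - confirm against RequestContext.
    context_data['overwrite'] = False
    trust_context = context.RequestContext.from_dict(context_data)
    trust_context.trust_id = trust.id
    trust_context.trustor_user_id = trustor_user_id
    return trust_context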
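def create_trust_context(self):
    """Create a trust using the trustor identity in the current context.

    The trust is created with the trustee as the heat service user.

    If the current context already contains a trust_id, we do nothing
    and return the current context.

    The delegated roles are always the configured trusts_delegated_roles.

    Returns a context containing the new trust_id.

    Raises MissingCredentialError when keystone reports NotFound while
    creating the trust.
    """
    if self.context.trust_id:
        return self.context

    # We need the service admin user ID (not name), as the trustor user
    # can't lookup the ID in keystoneclient unless they're admin
    # workaround this by getting the user_id from admin_client
    trustee_user_id = self.admin_client.auth_ref.user_id
    trustor_user_id = self.client.auth_ref.user_id
    trustor_project_id = self.client.auth_ref.project_id
    roles = cfg.CONF.trusts_delegated_roles

    try:
        # impersonation=True: tokens obtained through this trust act as
        # the trustor user, so the trust_id should be handled as a
        # credential for that user within the delegated project and roles.
        trust = self.client.trusts.create(trustor_user=trustor_user_id,
                                          trustee_user=trustee_user_id,
                                          project=trustor_project_id,
                                          impersonation=True,
                                          role_names=roles)
    except kc_exception.NotFound:
        # Pass the values as logging arguments so the message is only
        # formatted when debug logging is enabled.
        LOG.debug("Failed to find roles %s for user %s",
                  roles, trustor_user_id)
        # Wrap roles in a 1-tuple: a tuple-valued roles would otherwise
        # be unpacked by % and raise TypeError inside this handler,
        # hiding the intended error. Lists format exactly as before.
        raise exception.MissingCredentialError(
            required=_("roles %s") % (roles,))

    # The new context is rebuilt from the current one; only the trust
    # fields below are set on it afterwards.
    trust_context = context.RequestContext.from_dict(
        self.context.to_dict())
    trust_context.trust_id = trust.id
    trust_context.trustor_user_id = trustor_user_id
    return trust_context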
def _validate_mandatory_credentials(self, cnxt):
    """Check that the request context carries a username and a password.

    Raises MissingCredentialError naming 'X-Auth-User' when cnxt.username
    is None, otherwise naming 'X-Auth-Key' when cnxt.password is None.
    """
    # Only presence is verified (is None); an empty string passes.
    # The username is examined before the password, so a context missing
    # both is reported as missing 'X-Auth-User'.
    header_for = (('username', 'X-Auth-User'), ('password', 'X-Auth-Key'))
    for attr, header in header_for:
        if getattr(cnxt, attr) is None:
            raise exception.MissingCredentialError(required=header)