def test_password_cache_id(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) trust_id = uuid.uuid4().hex a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, trust_id=trust_id) b = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, trust_id=trust_id) a_id = a.get_cache_id() b_id = b.get_cache_id() self.assertEqual(a_id, b_id) c = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, tenant_id=trust_id) # same value different param c_id = c.get_cache_id() self.assertNotEqual(a_id, c_id) self.assertIsNone(a.get_auth_state()) self.assertIsNone(b.get_auth_state()) self.assertIsNone(c.get_auth_state()) s = session.Session() self.assertEqual(self.TEST_TOKEN, a.get_token(s)) self.assertTrue(self.requests_mock.called)
def region_env(name, tenant_name=None): if name == 'i01': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' elif name == 'i02': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' elif name == 'i03': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' elif name == 'i04': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' elif name == 'i05': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' elif name == 'i06': OS_TENANT_NAME = 'openstack' OS_USERNAME = '******' OS_PASSWORD = '******' OS_AUTH_URL = 'http://' else: text.append(f"Place is not defined") if tenant_name is None: auth = keystone_auth.Password( username=OS_USERNAME, tenant_name=OS_TENANT_NAME, auth_url=OS_AUTH_URL, password=OS_PASSWORD, ) # need for show information from users if tenant_name is not None: auth = keystone_auth.Password( username=OS_USERNAME, tenant_name=tenant_name, auth_url=OS_AUTH_URL, password=OS_PASSWORD, ) # trying connection in keystone try: sess = session.Session(auth=auth) except Exception as ff: logger.exception(ff) return sess
def get_session(): auth = v2.Password(auth_url=auth_url, username=username, password=password, tenant_name="admin") session = ka_session.Session(auth=auth) return session
def get_session(op_config): """ Return keystone session :param op_config: :return: """ user_domain = op_config.get('OS_USER_DOMAIN_NAME') project_domain = op_config.get('OS_PROJECT_DOMAIN_NAME', user_domain) user = op_config.get('OS_USERNAME') password = op_config.get('OS_PASSWORD') project_id = op_config.get('OS_PROJECT_ID') auth_url = op_config.get('OS_AUTH_URL') verify = op_config.get('insecure', True) auth_params = { 'username': user, 'password': password, 'project_id': project_id, 'auth_url': auth_url } version_v3 = '/v3' in auth_url if version_v3: auth_params['user_domain_id'] = user_domain or project_domain auth_params['project_domain_id'] = project_domain or user_domain auth = v3.Password(**auth_params) else: auth_params['tenant_id'] = auth_params.pop('project_id') auth = v2.Password(**auth_params) sess = session.Session(auth=auth, verify=verify) return sess
def _get_client(self, username, password, tenant_name=None): if tenant_name: auth = keystone_v2_auth.Password( auth_url=self.auth_url, username=username, password=password, tenant_name=tenant_name, ) else: auth = keystone_v2_auth.Password( auth_url=self.auth_url, username=username, password=password ) sess = session.Session(auth=auth) client = client_v2.Client(session=sess, timeout=self.timeout, debug=self.debug) return client, sess
def get_keystone_session(creds): url_parts = urlparse.urlparse(creds['auth_url']) path = url_parts.path.lower() if path.startswith('/v3'): # Use v3 plugin to authenticate # Note (thread-safety): blocking call auth = v3.Password( auth_url=creds['auth_url'], username=creds['username'], password=creds['password'], project_name=creds.get('project_name') or creds.get('tenant_name'), user_domain_name=creds.get('user_domain_name', 'Default'), project_domain_name=creds.get('project_domain_name', 'Default')) else: # Use v2 plugin # Note (thread-safety): blocking call auth = v2.Password(auth_url=creds['auth_url'], username=creds['username'], password=creds['password'], tenant_name=creds['tenant_name']) # Note (thread-safety): blocking call? session = kssession.Session(auth=auth) return session
def get_session(): """Build the session object.""" auth = v2.Password(auth_url=os.environ["OS_AUTH_URL"], username=os.environ["OS_USERNAME"], password=os.environ["OS_PASSWORD"], tenant_id=os.environ["OS_TENANT_ID"]) return session.Session(auth=auth)
def __init__(self): auth = v2.Password(auth_url=env['OS_AUTH_URL'], username=env['OS_USERNAME'], password=env['OS_PASSWORD'], tenant_id=env['OS_TENANT_ID']) sess = session.Session(auth=auth) self.keystone_client = keystone.Client( username=env['OS_USERNAME'], password=env['OS_PASSWORD'], tenant_id=env['OS_TENANT_ID'], auth_url=env['OS_AUTH_URL'], region_name=env['OS_REGION_NAME']) heat_url = self.keystone_client \ .service_catalog.url_for(service_type='orchestration', endpoint_type='publicURL') self.nova_client = nova.Client('2.1', region_name=env['OS_REGION_NAME'], session=sess) self.cinder_client = cinder.Client('2', region_name=env['OS_REGION_NAME'], session=sess) self.glance_client = glance.Client('2', region_name=env['OS_REGION_NAME'], session=sess) self.neutron_client = neutron.Client(region_name=env['OS_REGION_NAME'], session=sess) self.heat_client = heat.Client('1', region_name=env['OS_REGION_NAME'], endpoint=heat_url, session=sess)
def _get_auth_plugin(self, version, **kwargs): if version == 'v2.0': auth_plugin = v2.Password(**kwargs) else: auth_plugin = v3.Password(**kwargs) return auth_plugin
def _get_keystone_auth(self, username=None, api_key=None, auth_url=None, project_id=None, project_name=None): if not auth_url: raise RuntimeError("No auth url specified") if 'v2.0' in auth_url: return v2.Password(auth_url=auth_url, username=username, password=api_key, tenant_id=project_id, tenant_name=project_name) else: # NOTE(jamielennox): Setting these to default is what # keystoneclient does in the event they are not passed. return v3.Password(auth_url=auth_url, username=username, password=api_key, user_domain_id='default', project_id=project_id, project_name=project_name, project_domain_id='default')
def get_auth_plugin(opts): auth_version = guess_auth_version(opts) if opts.os_username: if auth_version == '3': return v3.Password(auth_url=opts.os_auth_url, username=opts.os_username, password=opts.os_password, project_name=opts.os_project_name, user_domain_name=opts.os_user_domain_name, project_domain_name=opts.os_project_domain_name) elif auth_version == '2.0': return v2.Password(auth_url=opts.os_auth_url, username=opts.os_username, password=opts.os_password, tenant_name=opts.os_tenant_name) elif opts.os_token: if auth_version == '3': return v3.Token(auth_url=opts.os_auth_url, token=opts.os_token, project_name=opts.os_project_name, project_domain_name=opts.os_project_domain_name) elif auth_version == '2.0': return v2.Token(auth_url=opts.os_auth_url, token=opts.os_token, tenant_name=opts.os_tenant_name) raise Exception('Unable to determine correct auth method, please provide' ' either username or token')
def openstack_get_token(self, report_flag=None): if report_flag is None: Reporter.unit_test_start(True) try: auth = v2.Password(username=self.auth['username'], password=self.auth['password'], tenant_name=self.auth['tenant_id'], auth_url=self.auth['auth_url']) sess = session.Session(auth=auth, timeout=5) token = sess.get_token() if not token: Reporter.REPORT_MSG( " >> OpentStack Authentication NOK ---> get token fail") if report_flag is None: Reporter.unit_test_stop('nok') return False else: Reporter.REPORT_MSG( " >> OpenStack Authentication OK ---> user: %s, token: %s", self.auth['username'], token) if report_flag is None: Reporter.unit_test_stop('ok') return True except exceptions.AuthorizationFailure, err: Reporter.REPORT_MSG(" >> OpentStack Authentication Fail ---> %s", err) return False
def _get_auth(self): if self.cloud_auth["domain_name"]: if self.cloud_auth["auth_type"] == 'password': kwargs = { 'auth_url': self.cloud_auth["auth_url"], 'username': self.cloud_auth["username"], 'password': self.cloud_auth["password"], 'user_domain_name': self.cloud_auth["domain_name"] } if self.unscoped: kwargs['unscoped'] = self.unscoped else: kwargs['project_id'] = self.cloud_auth["project_id"] return v3.Password(**kwargs) else: access_key = \ self.cloud_auth.application_credential_secret access_key_id = \ self.cloud_auth.application_credential_id kwargs = { 'auth_url': self.cloud_auth.auth_url, 'application_credential_secret': access_key, 'application_credential_id': access_key_id } return v3.ApplicationCredential(**kwargs) else: kwargs = { 'auth_url': self.cloud_auth.auth_url, 'username': self.cloud_auth.username, 'password': self.cloud_auth.password, 'tenant_id': self.cloud_auth.project_id } return v2.Password(**kwargs)
def _replay_cassette(self): plugin = v2.Password(auth_url=self.TEST_AUTH_URL, password=self.TEST_PASSWORD, username=self.TEST_USERNAME, tenant_name=self.TEST_TENANT_NAME) s = session.Session() s.get_token(auth=plugin)
def read(data=None): starttime = time.time() auth = v2.Password(username=os_username, password=os_password, tenant_name=os_tenant, auth_url=os_auth_url) sess = session.Session(auth=auth) gnocchi = client.Client(session=sess) status = gnocchi.status.get() metric = collectd.Values() metric.plugin = 'gnocchi_status' metric.interval = INTERVAL metric.type = 'gauge' metric.type_instance = 'measures' metric.values = [status['storage']['summary']['measures']] metric.dispatch() metric = collectd.Values() metric.plugin = 'gnocchi_status' metric.interval = INTERVAL metric.type = 'gauge' metric.type_instance = 'metrics' metric.values = [status['storage']['summary']['metrics']] metric.dispatch() timediff = time.time() - starttime if timediff > INTERVAL: collectd.warning('gnocchi_status: Took: {} > {}'.format( round(timediff, 2), INTERVAL))
def _get_keystone_session(self): username = self._pnda_env['openstack_parameters']['KEYSTONE_USER'] password = self._pnda_env['openstack_parameters']['KEYSTONE_PASSWORD'] auth_url = self._pnda_env['openstack_parameters']['KEYSTONE_AUTH_URL'] if int(self._pnda_env['openstack_parameters'] ['KEYSTONE_AUTH_VERSION']) == 2: CONSOLE.info('Auth version provided is v2') tenant_name = self._pnda_env['openstack_parameters'][ 'KEYSTONE_TENANT'] auth = v2.Password(auth_url=auth_url, username=username, password=password, tenant_name=tenant_name) elif int(self._pnda_env['openstack_parameters'] ['KEYSTONE_AUTH_VERSION']) == 3: CONSOLE.info('Auth version provided is v3') project_name = self._pnda_env['openstack_parameters'][ 'KEYSTONE_TENANT'] auth = v3.Password(auth_url=auth_url, username=username, password=password, project_name=project_name) else: CONSOLE.error('Invalid Auth API version') sys.exit(1) keystone_session = session.Session(auth=auth) kwargs = { 'auth_url': auth_url, 'session': keystone_session, 'auth': auth } return kwargs
def test_password_change_auth_state(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) expired = ksa_utils.before_utcnow(days=2) token = fixture.V2Token(expires=expired) auth_ref = access.create(body=token) a = v2.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, tenant_id=uuid.uuid4().hex) initial_cache_id = a.get_cache_id() state = a.get_auth_state() self.assertIsNone(state) state = json.dumps({ 'auth_token': auth_ref.auth_token, 'body': auth_ref._data }) a.set_auth_state(state) self.assertEqual(token.token_id, a.auth_ref.auth_token) s = session.Session() self.assertEqual(self.TEST_TOKEN, a.get_token(s)) # updates expired self.assertEqual(initial_cache_id, a.get_cache_id())
def create_ost_auth_session(deploy): # type: (Deploy) -> session.Session """ Create a keystoneauth Session object using keystone v3 used to create Openstack API clients. :return: Session used to authenticate with various Openstack API clients. """ if deploy.auth_version == 2: auth = v2.Password(auth_url=deploy.openstack_auth_url, username=deploy.ost_username, password=deploy.ost_password, tenant_name=deploy.ost_project_name) elif deploy.auth_version == 3: if deploy.ost_project_id: auth = v3.Password(auth_url=deploy.openstack_auth_url, username=deploy.ost_username, password=deploy.ost_password, project_id=deploy.ost_project_id) else: auth = v3.Password(auth_url=deploy.openstack_auth_url, username=deploy.ost_username, password=deploy.ost_password, project_name=deploy.ost_project_name, user_domain_name=deploy.ost_domain, project_domain_name=deploy.ost_domain) else: raise ConfigException("auth_version must be in [2,3]") return session.Session(auth=auth, verify=deploy.cacert)
def _get_client(self): if self._client is not None: return self._client if (self.tenant_id is not None or self.tenant_name is not None): auth = v2_auth.Password( auth_url=self.auth_url, username=self.username, password=self.password, tenant_id=self.tenant_id, tenant_name=self.tenant_name) elif self.project_name is not None: auth = v3_auth.Password( auth_url=self.auth_url, username=self.username, password=self.password, project_name=self.project_name, project_domain_name=self.project_domain_name, user_domain_name=self.user_domain_name) else: auth = None session = ks_session.Session(auth=auth) self._client = client.Client( session=session, service_type=self.service_type) return self._client
def _keystone_session(self): """ Connect to Keystone and return a session object. :rtype: :class:`keystoneauth1.session.Session` :return: A Keystone session object. """ if self._cached_keystone_session: return self._cached_keystone_session if self._keystone_version == 3: from keystoneauth1.identity import v3 auth = v3.Password(auth_url=self.auth_url, username=self.username, password=self.password, user_domain_name=self.user_domain_name, project_domain_name=self.project_domain_name, project_name=self.project_name) self._cached_keystone_session = session.Session(auth=auth) else: from keystoneauth1.identity import v2 auth = v2.Password(self.auth_url, username=self.username, password=self.password, tenant_name=self.project_name) self._cached_keystone_session = session.Session(auth=auth) return self._cached_keystone_session
def get_token_v2(keystone_ip, username, password, tenant_name): auth_url = 'http://{}:5000/v2.0'.format(keystone_ip) auth = v2.Password(auth_url=auth_url, username=username, password=password, tenant_name=tenant_name) sess = session.Session(auth=auth) token = sess.get_token() return token
def test_replay_of_bad_url_fails(self): plugin = v2.Password(auth_url='http://invalid-auth-url/v2.0/', password=self.TEST_PASSWORD, username=self.TEST_USERNAME, tenant_name=self.TEST_TENANT_NAME) s = session.Session() self.assertRaises(exceptions.BetamaxError, s.get_token, auth=plugin)
def __init__(self): """ Add keystone glue to resolve extra_specs for private iaas tenants """ # auth url if CONF.keystone_version == 2: LOG.info("PRIVATEIAAS: Initializing v2.0 API session") self.auth_url = CONF.keystone_url + "/v2.0" # create an admin session object self.admin_auth = auth_v2.Password( username=CONF.keystone_username, password=CONF.keystone_password, tenant_name=CONF.keystone_tenant_name, auth_url=self.auth_url) self.admin_session = keystone_session.Session(auth=self.admin_auth) else: LOG.info("PRIVATEIAAS: Initializing v3 API session") self.auth_url = CONF.keystone_url + "/v3" self.admin_auth = auth_v3.Password( username=CONF.keystone_username, password=CONF.keystone_password, project_name=CONF.keystone_tenant_name, user_domain_name=CONF.user_domain_name, project_domain_name=CONF.project_domain_name, auth_url=self.auth_url) self.admin_session = keystone_session.Session(auth=self.admin_auth) try: LOG.info("PRIVATEIAAS: Spawning ADMIN CLIENT") # admin session if CONF.keystone_version == 2: self.keystoneclient = keystone_client.Client( session=self.admin_session) else: self.keystoneclient = keystone_client_v3.Client( session=self.admin_session) except AuthorizationFailure as user_failed_auth_step: LOG.info(user_failed_auth_step.message) raise user_failed_auth_step except Unauthorized as user_unauthorized: LOG.info(user_unauthorized.message) raise user_unauthorized # OK, object created # TODO: Preload keystone tenant list? if CONF.debug: LOG.info("[PRIVATEIAAS]: Filter Object Created") # tenant manager reference if hasattr(self.keystoneclient, "projects"): self.tenant_manager = getattr(self.keystoneclient, "projects") else: self.tenant_manager = getattr(self.keystoneclient, "tenants") # build callback table self.private_iaas_callbacks = { True: self.react_true, False: self.react_false }
def keystone_auth(): """Auth from OS_ env vars """ auth_plugin = v2.Password(auth_url=os.environ['OS_AUTH_URL'], username=os.environ['OS_USERNAME'], password=os.environ['OS_PASSWORD'], tenant_name=os.environ['OS_TENANT_NAME']) s = session.Session(auth=auth_plugin) return (s, auth_plugin)
def __init__(self, logger, **kwargs): self.auth = v2.Password(username=kwargs.get('username', 'admin'), password=kwargs.get('password', 'Juniper'), tenant_name=kwargs.get('tenant_name', 'admin'), auth_url=kwargs.get('auth_url', None)) self.sess = session.Session(auth=self.auth) self.keystone = client.Client(session=self.sess) self.__logger = logger
def __authenticate(self): # Authenticate using ENV variables auth = v2.Password(auth_url=env['OS_AUTH_URL'], username=env['OS_USERNAME'], password=env['OS_PASSWORD'], tenant_id=env['OS_TENANT_ID']) # Open auth session sess = session.Session(auth=auth) return sess
def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix, admin_user, admin_password, admin_tenant_name, admin_token, identity_uri, log): log.warning( "Use of the auth_admin_prefix, auth_host, auth_port, " "auth_protocol, identity_uri, admin_token, admin_user, " "admin_password, and admin_tenant_name configuration options was " "deprecated in the Mitaka release in favor of an auth_plugin and " "its related options. This class may be removed in a future " "release.") # NOTE(jamielennox): it does appear here that our default arguments # are backwards. We need to do it this way so that we can handle the # same deprecation strategy for CONF and the conf variable. if not identity_uri: log.warning('Configuring admin URI using auth fragments was ' 'deprecated in the Kilo release, and will be ' 'removed in the Newton release, ' 'use \'identity_uri\ instead.') if ':' in auth_host: # Note(dzyu) it is an IPv6 address, so it needs to be wrapped # with '[]' to generate a valid IPv6 URL, based on # http://www.ietf.org/rfc/rfc2732.txt auth_host = '[%s]' % auth_host identity_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) if auth_admin_prefix: identity_uri = '%s/%s' % (identity_uri, auth_admin_prefix.strip('/')) self._identity_uri = identity_uri.rstrip('/') # FIXME(jamielennox): Yes. This is wrong. We should be determining the # plugin to use based on a combination of discovery and inputs. Much # of this can be changed when we get keystoneclient 0.10. For now this # hardcoded path is EXACTLY the same as the original auth_token did. auth_url = '%s/v2.0' % self._identity_uri if admin_token: log.warning( "The admin_token option in auth_token middleware was " "deprecated in the Kilo release, and will be removed in the " "Newton release, use admin_user and admin_password instead.") self._plugin = token_endpoint.Token(auth_url, admin_token) else: self._plugin = v2.Password(auth_url, username=admin_user, password=admin_password, tenant_name=admin_tenant_name) self._LOG = log self._discover = None
def _get_keystone_auth_plugin(self, ks_session, **kwargs): # discover the supported keystone versions using the given auth url auth_url = kwargs.pop('auth_url', None) (v2_auth_url, v3_auth_url) = self._discover_auth_versions(session=ks_session, auth_url=auth_url) # Determine which authentication plugin to use. First inspect the # auth_url to see the supported version. If both v3 and v2 are # supported, then use the highest version if possible. user_id = kwargs.pop('user_id', None) username = kwargs.pop('username', None) password = kwargs.pop('password', None) user_domain_name = kwargs.pop('user_domain_name', None) user_domain_id = kwargs.pop('user_domain_id', None) # project and tenant can be used interchangeably project_id = (kwargs.pop('project_id', None) or kwargs.pop('tenant_id', None)) project_name = (kwargs.pop('project_name', None) or kwargs.pop('tenant_name', None)) project_domain_id = kwargs.pop('project_domain_id', None) project_domain_name = kwargs.pop('project_domain_name', None) auth = None use_domain = (user_domain_id or user_domain_name or project_domain_id or project_domain_name) use_v3 = v3_auth_url and (use_domain or (not v2_auth_url)) use_v2 = v2_auth_url and not use_domain if use_v3: auth = v3_auth.Password(v3_auth_url, user_id=user_id, username=username, password=password, user_domain_id=user_domain_id, user_domain_name=user_domain_name, project_id=project_id, project_name=project_name, project_domain_id=project_domain_id, project_domain_name=project_domain_name) elif use_v2: auth = v2_auth.Password(v2_auth_url, username, password, tenant_id=project_id, tenant_name=project_name) else: # if we get here it means domain information is provided # (caller meant to use Keystone V3) but the auth url is # actually Keystone V2. Obviously we can't authenticate a V3 # user using V2. exc.CommandError("Credential and auth_url mismatch. The given " "auth_url is using Keystone V2 endpoint, which " "may not able to handle Keystone V3 credentials. " "Please provide a correct Keystone V3 auth_url.") return auth
def authenticate(): auth_url = '{PROTO}://{HOST}:{IDENTITY_PORT}/v2.0'.format(**CONNECTION) auth = v2.Password(auth_url=auth_url, username=USERNAME, password=PASSWORD, tenant_name=TENANT, ) return session.Session(auth=auth)
def get_keystone_client(self, project_name, region_name): ''' creates a keystone client ''' auth = v2.Password(auth_url='http://' + self.ip + ':5000/v2.0', username=self.username, password=self.password, tenant_name=project_name) sess = session.Session(auth=auth) return keystone_client.Client(session=sess)