def novaclient(context, privileged_user=False, timeout=None, api_version=None):
"""Returns a Nova client
@param privileged_user:
If True, use the account from configuration
(requires 'auth_type' and the other usual Keystone authentication
options to be set in the [nova] section)
@param timeout:
Number of seconds to wait for an answer before raising a
Timeout exception (None to disable)
@param api_version:
api version of nova
"""
if privileged_user and CONF[NOVA_GROUP].auth_type:
LOG.debug('Creating Keystone auth plugin from conf')
n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP)
elif privileged_user and CONF.os_privileged_user_name:
# Fall back to the deprecated os_privileged_xxx settings.
# TODO(gyurco): Remove it after Pike.
if CONF.os_privileged_user_auth_url:
url = CONF.os_privileged_user_auth_url
else:
url = _get_identity_endpoint_from_sc(context)
LOG.debug(
'Creating Keystone password plugin from legacy settings '
'using URL: %s', url)
n_auth = identity.Password(auth_url=url,
username=CONF.os_privileged_user_name,
password=CONF.os_privileged_user_password,
project_name=CONF.os_privileged_user_tenant,
project_domain_id=context.project_domain,
user_domain_id=context.user_domain)
else:
if CONF[NOVA_GROUP].token_auth_url:
url = CONF[NOVA_GROUP].token_auth_url
else:
url = _get_identity_endpoint_from_sc(context)
LOG.debug('Creating Keystone token plugin using URL: %s', url)
n_auth = identity.Token(auth_url=url,
token=context.auth_token,
project_name=context.project_name,
project_domain_id=context.project_domain)
keystone_session = ks_loading.load_session_from_conf_options(CONF,
NOVA_GROUP,
auth=n_auth)
c = nova_client.Client(api_versions.APIVersion(api_version
or NOVA_API_VERSION),
session=keystone_session,
insecure=CONF[NOVA_GROUP].insecure,
timeout=timeout,
region_name=CONF[NOVA_GROUP].region_name,
endpoint_type=CONF[NOVA_GROUP].interface,
cacert=CONF[NOVA_GROUP].cafile,
global_request_id=context.global_id,
extensions=nova_extensions)
return c
def gnocchiclient(request):
(username, domain_name, token_id,
auth_url) = get_auth_params_from_request(request)
auth = identity.Token(auth_url=auth_url, token=token_id, \
project_name=username, project_domain_name=domain_name)
sess = session.Session(auth=auth)
return gnocchi_client.Client(version='1', session=sess)
def _get_auth_handler(kwargs):
if 'token' in kwargs:
auth = identity.Token(
auth_url=kwargs.get('auth_url', None),
token=kwargs.get('token', None),
project_id=kwargs.get('project_id', None),
project_name=kwargs.get('project_name', None),
project_domain_id=kwargs.get('project_domain_id', None),
project_domain_name=kwargs.get('project_domain_name', None))
elif {'username', 'password'} <= set(kwargs):
auth = identity.Password(
auth_url=kwargs.get('auth_url', None),
username=kwargs.get('username', None),
password=kwargs.get('password', None),
project_id=kwargs.get('project_id', None),
project_name=kwargs.get('project_name', None),
project_domain_id=kwargs.get('project_domain_id', None),
project_domain_name=kwargs.get('project_domain_name', None),
user_domain_id=kwargs.get('user_domain_id', None),
user_domain_name=kwargs.get('user_domain_name', None))
else:
raise Exception('monascaclient can be configured with either '
'"token" or "username:password" but neither of '
'them was found in passed arguments.')
return auth
def _get_keystone_auth(self, context):
if context.__class__.__name__ == 'KeystonePassword':
return identity.Password(
auth_url=context.auth_url,
username=context.username,
password=context.password,
user_id=context.user_id,
user_domain_id=context.user_domain_id,
user_domain_name=context.user_domain_name,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
elif context.__class__.__name__ == 'KeystoneToken':
return identity.Token(
auth_url=context.auth_url,
token=context.token,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
# this will be kept for oslo.context compatibility until
# projects begin to use utils.credential_factory
elif context.__class__.__name__ == 'RequestContext':
if getattr(context, 'get_auth_plugin', None):
return context.get_auth_plugin()
else:
return identity.Token(
auth_url=self.conf.barbican.auth_endpoint,
token=context.auth_token,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name)
else:
msg = _("context must be of type KeystonePassword, "
"KeystoneToken, or RequestContext.")
LOG.error(msg)
raise exception.Forbidden(reason=msg)
def get_token_client_session(token=None, project_id=None, conf=None):
auth_url = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3')
if token is None or project_id is None:
execution_session = helpers.get_execution_session()
token = execution_session.token
project_id = execution_session.project_id
token_auth = identity.Token(auth_url, token=token, project_id=project_id)
session = _get_session(auth=token_auth, conf_section=conf)
return session
def _get_keystone_auth(self, context):
if context.__class__.__name__ is 'KeystonePassword':
return identity.Password(
auth_url=self._auth_url,
username=context.username,
password=context.password,
user_id=context.user_id,
user_domain_id=context.user_domain_id,
user_domain_name=context.user_domain_name,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
elif context.__class__.__name__ is 'KeystoneToken':
return identity.Token(
auth_url=self._auth_url,
token=context.token,
trust_id=context.trust_id,
domain_id=context.domain_id,
domain_name=context.domain_name,
project_id=context.project_id,
project_name=context.project_name,
project_domain_id=context.project_domain_id,
project_domain_name=context.project_domain_name,
reauthenticate=context.reauthenticate)
# this will be kept for oslo.context compatibility until
# projects begin to use utils.credential_factory
elif (context.__class__.__name__ is 'RequestContext'
or context.__class__.__name__ is 'Context'):
return identity.Token(auth_url=self._auth_url,
token=context.auth_token,
project_id=context.tenant)
else:
msg = _("context must be of type KeystonePassword, "
"KeystoneToken, RequestContext, or Context, got type "
"%s") % context.__class__.__name__
LOG.error(msg)
raise exception.Forbidden(reason=msg)
def _keystone_client(
context: 'context.RequestContext', version: tuple[int, int] = (3, 0)
) -> client.Client:
"""Creates and returns an instance of a generic keystone client.
:param context: The request context
:param version: version of Keystone to request
:return: keystoneclient.client.Client object
"""
if context.system_scope is not None:
auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url,
token=context.auth_token,
system_scope=context.system_scope)
elif context.domain_id is not None:
auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url,
token=context.auth_token,
domain_id=context.domain_id)
elif context.project_id is not None:
auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_url,
token=context.auth_token,
project_id=context.project_id)
else:
# We're dealing with an unscoped token from keystone that doesn't
# carry any authoritative power outside of the user simplify proving
# they know their own password. This token isn't associated with any
# authorization target (e.g., system, domain, or project).
auth_plugin = context.get_auth_plugin()
client_session = ka_loading.session.Session().load_from_options(
auth=auth_plugin,
insecure=CONF.keystone_authtoken.insecure,
cacert=CONF.keystone_authtoken.cafile,
key=CONF.keystone_authtoken.keyfile,
cert=CONF.keystone_authtoken.certfile,
split_loggers=CONF.service_user.split_loggers)
return client.Client(auth_url=CONF.keystone_authtoken.auth_url,
session=client_session,
version=version)
def get_token_client_session(token=None, project_id=None, conf=None):
auth_uri = cfg.CONF['murano_auth'].auth_uri
if not auth_uri:
versionutils.report_deprecated_feature(
LOG, "Please update configuration in 'murano_auth' group")
auth_uri = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri
auth_url = auth_uri.replace('v2.0', 'v3')
if token is None or project_id is None:
execution_session = helpers.get_execution_session()
token = execution_session.token
project_id = execution_session.project_id
token_auth = identity.Token(auth_url, token=token, project_id=project_id)
session = _get_session(auth=token_auth, conf_section=conf)
return session
def _connect_to_keystone_auth_v3(auth_url, auth_token, project_name,
domain_name, **kwargs):
"""
Give a auth_url and auth_token,
authenticate with keystone version 3 to get a scoped_token,
Exchange token to receive an auth, session, token scoped to a sepcific project_name and domain_name.
"""
token_auth = identity.Token(auth_url=auth_url,
token=auth_token,
project_domain_id=domain_name,
project_name=project_name)
token_sess = Session(auth=token_auth)
token_token = token_sess.get_token()
return (token_auth, token_sess, token_token)
def client(request):
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
auth = identity.Token(auth_url=request.user.endpoint,
token=request.user.token.id,
project_id=request.user.project_id)
verify = False
if cacert:
verify = cacert
elif not insecure:
verify = True
sess = session.Session(auth=auth, verify=verify)
return api_client.Client(VERSIONS.get_active_version()["version"],
service_type=SAHARA_SERVICE,
session=sess)
def novaclient(context, privileged_user=False, timeout=None):
"""Returns a Nova client
@param privileged_user: If True, use the account from configuration
(requires 'auth_type' and the other usual Keystone authentication
options to be set in the [nova] section)
@param timeout: Number of seconds to wait for an answer before raising a
Timeout exception (None to disable)
"""
if privileged_user and CONF[NOVA_GROUP].auth_type:
n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP)
else:
if CONF[NOVA_GROUP].token_auth_url:
url = CONF[NOVA_GROUP].token_auth_url
else:
# Search for the identity endpoint in the service catalog
# if nova.token_auth_url is not configured
matching_endpoints = []
for service in context.service_catalog:
if service.get('type') != 'identity':
continue
for endpoint in service['endpoints']:
if (not CONF[NOVA_GROUP].region_name
or endpoint.get('region')
== CONF[NOVA_GROUP].region_name):
matching_endpoints.append(endpoint)
if not matching_endpoints:
raise nova_exceptions.EndpointNotFound()
url = matching_endpoints[0].get(CONF[NOVA_GROUP].interface + 'URL')
n_auth = identity.Token(auth_url=url,
token=context.auth_token,
project_name=context.project_name,
project_domain_id=context.project_domain)
keystone_session = ks_loading.load_session_from_conf_options(CONF,
NOVA_GROUP,
auth=n_auth)
c = nova_client.Client(api_versions.APIVersion(NOVA_API_VERSION),
session=keystone_session,
insecure=CONF[NOVA_GROUP].insecure,
timeout=timeout,
region_name=CONF[NOVA_GROUP].region_name,
endpoint_type=CONF[NOVA_GROUP].interface,
cacert=CONF[NOVA_GROUP].cafile,
extensions=nova_extensions)
return c
def novaclient(context, privileged_user=False, timeout=None, api_version=None):
"""Returns a Nova client
@param privileged_user:
If True, use the account from configuration
(requires 'auth_type' and the other usual Keystone authentication
options to be set in the [nova] section)
@param timeout:
Number of seconds to wait for an answer before raising a
Timeout exception (None to disable)
@param api_version:
api version of nova
"""
if privileged_user and CONF[NOVA_GROUP].auth_type:
LOG.debug('Creating Keystone auth plugin from conf')
n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP)
else:
if CONF[NOVA_GROUP].token_auth_url:
url = CONF[NOVA_GROUP].token_auth_url
else:
url = _get_identity_endpoint_from_sc(context)
LOG.debug('Creating Keystone token plugin using URL: %s', url)
n_auth = identity.Token(auth_url=url,
token=context.auth_token,
project_name=context.project_name,
project_domain_id=context.project_domain_id)
if CONF.auth_strategy == 'keystone':
n_auth = service_auth.get_auth_plugin(context, auth=n_auth)
keystone_session = ks_loading.load_session_from_conf_options(
CONF,
NOVA_GROUP,
auth=n_auth)
c = nova_client.Client(
api_versions.APIVersion(api_version or NOVA_API_VERSION),
session=keystone_session,
insecure=CONF[NOVA_GROUP].insecure,
timeout=timeout,
region_name=CONF[NOVA_GROUP].region_name,
endpoint_type=CONF[NOVA_GROUP].interface,
cacert=CONF[NOVA_GROUP].cafile,
global_request_id=context.global_id,
extensions=nova_extensions)
return c
def authenticate(x_auth_token):
"""Attempts to authenticate client using keystoneauth1"""
try:
auth_url = 'http://192.168.2.4/identity'
project_id = 'demo'
auth = identity.Token(auth_url,
token=x_auth_token,
project_id=project_id)
sess = session.Session(auth=auth)
ks = keyClient.Client(session=sess, project_id=project_id)
ks.authenticate(token=x_auth_token)
app.logger.debug('Request authorized')
return 0
except Exception as ex:
app.logger.debug('Request unauthorized!\n')
return 1
def get_token_client_session(token=None, project_id=None, conf=None):
www_authenticate_uri = \
cfg.CONF[CFG_MURANO_AUTH_GROUP].www_authenticate_uri
if not www_authenticate_uri:
versionutils.report_deprecated_feature(
LOG, 'Please configure www_authenticate_uri in ' +
CFG_MURANO_AUTH_GROUP + 'group')
www_authenticate_uri = \
cfg.CONF[CFG_KEYSTONE_GROUP].www_authenticate_uri
auth_url = www_authenticate_uri.replace('v2.0', 'v3')
if token is None or project_id is None:
execution_session = helpers.get_execution_session()
token = execution_session.token
project_id = execution_session.project_id
token_auth = identity.Token(auth_url, token=token, project_id=project_id)
session = _get_session(auth=token_auth, conf_section=conf)
return session
def authenticate_user(self):
"""Authenticate user and set client by using passed params."""
if self.options.os_token:
auth = identity.Token(
auth_url=self.options.os_auth_url,
token=self.options.os_token,
tenant_id=self.options.os_tenant_id,
tenant_name=self.options.os_tenant_name,
project_id=self.options.os_project_id,
project_name=self.options.os_project_name,
project_domain_id=self.options.os_project_domain_id,
project_domain_name=self.options.os_project_domain_name
)
else:
auth = identity.Password(
auth_url=self.options.os_auth_url,
username=self.options.os_username,
tenant_id=self.options.os_tenant_id,
tenant_name=self.options.os_tenant_name,
password=self.options.os_password,
project_id=self.options.os_project_id,
project_name=self.options.os_project_name,
project_domain_id=self.options.os_project_domain_id,
project_domain_name=self.options.os_project_domain_name,
user_domain_id=self.options.os_user_domain_id,
user_domain_name=self.options.os_user_domain_name
)
sess = session.Session(
auth=auth,
verify=(self.options.os_cacert or not self.options.insecure)
)
self.client = blazar_client.Client(
self.options.os_reservation_api_version,
session=sess,
service_type=self.options.service_type,
interface=self.options.endpoint_type,
region_name=self.options.os_region_name,
)
return
def _keystone_client(context, version=(3, 0)):
"""Creates and returns an instance of a generic keystone client.
:param context: The request context
:param version: version of Keystone to request
:return: keystoneclient.client.Client object
"""
auth_plugin = identity.Token(auth_url=CONF.keystone_authtoken.auth_uri,
token=context.auth_token,
project_id=context.project_id)
client_session = ka_loading.session.Session().load_from_options(
auth=auth_plugin,
insecure=CONF.keystone_authtoken.insecure,
cacert=CONF.keystone_authtoken.cafile,
key=CONF.keystone_authtoken.keyfile,
cert=CONF.keystone_authtoken.certfile)
return client.Client(auth_url=CONF.keystone_authtoken.auth_uri,
session=client_session,
version=version)
def _v3_client_init(self):
kwargs = {'auth_url': self.endpoint, 'endpoint': self.endpoint}
# Note try trust_id first, as we can't reuse auth_token in that case
if self.context.trust_id is not None:
# We got a trust_id, so we use the admin credentials
# to authenticate with the trust_id so we can use the
# trust impersonating the trustor user.
kwargs.update(self._service_admin_creds())
kwargs['trust_id'] = self.context.trust_id
kwargs.pop('project_name')
auth = ka_loading.load_auth_from_conf_options(
cfg.CONF, 'keystone_authtoken', **kwargs)
elif self.context.auth_token is not None:
kwargs['token'] = self.context.auth_token
kwargs['project_id'] = self.context.tenant
auth = identity.Token(auth_url=kwargs['auth_url'],
token=kwargs['token'],
project_id=kwargs['project_id'])
else:
LOG.error(
_("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
session = ks_session.Session(auth=auth)
client = kc_v3.Client(session=session)
client.auth_ref = client.session.auth.get_access(client.session)
# If we are authenticating with a trust set the context auth_token
# with the trust scoped token
if 'trust_id' in kwargs:
# Sanity check
if not client.auth_ref.trust_scoped:
LOG.error(_("trust token re-scoping failed!"))
raise exception.AuthorizationFailure()
# All OK so update the context with the token
self.context.auth_token = client.auth_ref.auth_token
self.context.auth_url = self.endpoint
self.context.user = client.auth_ref.user_id
self.context.tenant = client.auth_ref.project_id
self.context.user_name = client.auth_ref.username
return client
async def middleware_handler(request: web.Request):
headers = request.headers
x_auth_token = headers.get("X-Auth-Token")
project_id = request.match_info.get('project_id')
c = config.Config.config_instance()
try:
auth = identity.Token(c.auth_url,
token=x_auth_token,
project_id=project_id)
sess = session.Session(auth=auth)
ks = client.Client(session=sess, project_id=project_id)
ks.authenticate(token=x_auth_token)
except Exception as ex:
return web.json_response(
status=401,
data={
"error": {
"message":
("Not authorized. Reason: {}".format(str(ex)))
}
})
return await handler(request)
def _construct_http_client(api_version=None,
auth=None,
auth_token=None,
auth_url=None,
cacert=None,
cert=None,
endpoint_override=None,
endpoint_type='publicURL',
http_log_debug=False,
insecure=False,
logger=None,
os_cache=False,
password=None,
project_domain_id=None,
project_domain_name=None,
project_id=None,
project_name=None,
region_name=None,
service_name=None,
service_type='compute',
session=None,
timeout=None,
timings=False,
user_agent='python-novaclient',
user_domain_id=None,
user_domain_name=None,
user_id=None,
username=None,
**kwargs):
if not session:
if not auth and auth_token:
auth = identity.Token(auth_url=auth_url,
token=auth_token,
project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
elif not auth:
auth = identity.Password(username=username,
user_id=user_id,
password=password,
project_id=project_id,
project_name=project_name,
auth_url=auth_url,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name)
session = ksession.Session(auth=auth,
verify=(cacert or not insecure),
timeout=timeout,
cert=cert,
user_agent=user_agent)
return SessionClient(api_version=api_version,
auth=auth,
endpoint_override=endpoint_override,
interface=endpoint_type,
logger=logger,
region_name=region_name,
service_name=service_name,
service_type=service_type,
session=session,
timings=timings,
user_agent=user_agent,
**kwargs)
