def verify_project_id(context, project_id):
    """Ask keystone whether ``project_id`` names an existing project.

    A keystone v3 adapter is built from the ``keystone`` conf group with
    the auth plugin of the request ``context``, and the project resource is
    fetched through it.

    The check fails open: only a 404 answer rejects the id. When keystone
    cannot be contacted (``ClientException``), answers 403, or answers with
    any other non-success status, the outcome is logged and True is
    returned. A True result therefore means "not proven invalid" rather
    than "confirmed to exist", and should not be relied on as an
    authorization or existence guarantee.

    :param context: request context; ``get_auth_plugin()`` and ``user_id``
        are read from it.
    :param project_id: the project id to look up.
    :return: True whenever no exception is raised.
    :raise: InvalidProject if keystone answers 404 for the project
        (presumably surfaced as an HTTP 400 by the API layer - confirm).
    :raise: KeystoneCommunicationFailure if no keystone v3 endpoint can be
        found.
    """
    ksa_session = ksa_loading.load_session_from_conf_options(
        CONF, 'keystone', auth=context.get_auth_plugin())
    adapter = ksa_loading.load_adapter_from_conf_options(
        CONF, 'keystone', session=ksa_session,
        min_version=(3, 0), max_version=(3, 'latest'))

    try:
        # NOTE(review): project_id goes into the request path unescaped, so
        # a value containing '/', '?' or '#' would address a different
        # keystone resource. Consider validating the id format (or
        # percent-encoding it) before this call.
        # raise_exc=False: HTTP error statuses come back as a response
        # object and are classified below instead of raising.
        resp = adapter.get('/projects/%s' % project_id, raise_exc=False)
    except kse.EndpointNotFound:
        # Kept ahead of the ClientException clause so that a missing v3
        # endpoint is a hard failure and not part of the fail-open path
        # (assuming kse is keystoneauth1.exceptions, where
        # EndpointNotFound derives from ClientException).
        LOG.error(
            "Keystone identity service version 3.0 was not found. This might "
            "be because your endpoint points to the v2.0 versioned endpoint "
            "which is not supported. Please fix this.")
        raise exceptions.KeystoneCommunicationFailure(
            _("KeystoneV3 endpoint not found"))
    except kse.ClientException:
        # Fail open: keystone is unreachable or not configured for this
        # interface, so the id is accepted without verification.
        LOG.info("Unable to contact keystone to verify project_id")
        return True

    # A truthy response is a successful (20x) status: the project exists.
    if resp:
        return True

    status = resp.status_code
    if status == 404:
        # Keystone was reachable and says the project does not exist.
        raise exceptions.InvalidProject(
            _("%s is not a valid project ID.") % project_id)

    if status == 403:
        # Fail open: the caller's credentials may not list projects, so
        # existence cannot be decided either way.
        LOG.info(
            "Insufficient permissions for user %(user)s to verify "
            "existence of project_id %(pid)s",
            {"user": context.user_id, "pid": project_id})
        return True

    # Fail open on anything unexpected, but leave a warning behind.
    # NOTE(review): the response body is written to the log verbatim.
    LOG.warning(
        "Unexpected response from keystone trying to "
        "verify project_id %(pid)s - resp: %(code)s %(content)s",
        {"pid": project_id, "code": status, "content": resp.content})
    return True
def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None,
                    min_version=None, max_version=None):
    """Build a keystoneauth1 Adapter for the given service type.

    The conf group is the project name that the service-types-authority
    maps ``service_type`` to. That group has to provide at least the ksa
    adapter options; auth and/or session options are needed as well unless
    the corresponding argument is supplied or the result is used in a way
    that does not require them.

    :param service_type: String name of the service type for which the
        Adapter is to be constructed.
    :param ksa_auth: A keystoneauth1 auth plugin. When omitted, the auth of
        ksa_session is used if it has one; otherwise one is loaded from
        the conf.
    :param ksa_session: A keystoneauth1 Session. When omitted, one is
        loaded from the conf.
    :param min_version: The minimum major version of the adapter's
        endpoint, the lower bound of a range with max_version. Given
        without max_version, it is as if max_version were 'latest'.
    :param max_version: The maximum major version of the adapter's
        endpoint, the upper bound of a range with min_version.
    :return: A keystoneauth1 Adapter object for the specified
        service_type.
    :raise: ConfGroupForServiceTypeNotFound If no conf group name could be
        found for the specified service_type. This should be considered a
        bug.
    """
    confgrp = _SERVICE_TYPES.get_project_name(service_type)
    if not confgrp:
        raise exception.ConfGroupForServiceTypeNotFound(stype=service_type)

    # Resolve the auth plugin: explicit argument, then the session's own
    # plugin, then the conf group.
    # NOTE(efried): The result may still be None, and that can be fine -
    # e.g. when the adapter is only used for get_endpoint() and the conf
    # contains nothing but endpoint_override.
    auth = ksa_auth
    if not auth:
        session_auth = ksa_session.auth if ksa_session else None
        auth = session_auth or ks_loading.load_auth_from_conf_options(
            CONF, confgrp)

    session = ksa_session or ks_loading.load_session_from_conf_options(
        CONF, confgrp, auth=auth)

    return ks_loading.load_adapter_from_conf_options(
        CONF, confgrp, session=session, auth=auth,
        min_version=min_version, max_version=max_version)
def _load_adapter(source):
    """Load an Adapter from the ``group:<source>`` configuration section.

    The auth plugin, the session and the adapter options are all read from
    that one conf group. The session is loaded without an auth plugin; the
    plugin is attached to the adapter instead.

    :param source: name used to build the conf group ``'group:%s'``.
    :return: the adapter returned by ``load_adapter_from_conf_options``.
    """
    section = 'group:%s' % source
    plugin = loading.load_auth_from_conf_options(CONF, section)
    session = loading.load_session_from_conf_options(CONF, section)
    return loading.load_adapter_from_conf_options(
        CONF, section, session=session, auth=plugin)
def get_adapter(group, **adapter_kwargs):
    """Build a keystoneauth1 Adapter from one configuration file section.

    Everything in adapter_kwargs is handed straight to the keystoneauth1
    Adapter and takes precedence over the values loaded from config, so
    these arguments (endpoint_override in particular) should originate
    from trusted code rather than from request data. See the keystoneauth1
    documentation for the available adapter options.

    :param group: name of the config section to load adapter options from
    """
    adapter = kaloading.load_adapter_from_conf_options(
        CONF, group, **adapter_kwargs)
    return adapter
def verify_project_id(context, project_id):
    """Check against keystone that ``project_id`` is a known project.

    The lookup uses a keystone v3 adapter loaded from the ``keystone``
    conf group and authenticated with the plugin of the request
    ``context``.

    Only a 404 from keystone causes a rejection. Every other failure mode
    - keystone unreachable (``ClientException``), a 403, or an unexpected
    status - is logged and treated as success, i.e. the check fails open.
    Callers should read a True result as "could not be disproved" and not
    build access decisions on it.

    :param context: request context; ``get_auth_plugin()`` and ``user_id``
        are read from it.
    :param project_id: the project id to verify.
    :return: True whenever no exception is raised.
    :raise: InvalidProject if keystone reports 404 for the project
        (presumably turned into an HTTP 400 further up - confirm).
    :raise: KeystoneCommunicationFailure if keystone v3 has no endpoint.
    """
    keystone_session = ksa_loading.load_session_from_conf_options(
        CONF, 'keystone', auth=context.get_auth_plugin())
    keystone = ksa_loading.load_adapter_from_conf_options(
        CONF, 'keystone', session=keystone_session,
        min_version=(3, 0), max_version=(3, 'latest'))

    try:
        # NOTE(review): the id is interpolated into the URL path without
        # escaping; ids containing '/', '?' or '#' would hit some other
        # keystone resource. Validating or percent-encoding the id first
        # would close that gap.
        # With raise_exc=False, HTTP error statuses are returned and
        # sorted out below rather than raised.
        resp = keystone.get('/projects/%s' % project_id, raise_exc=False)
    except kse.EndpointNotFound:
        # Hard failure, deliberately handled before the broader
        # ClientException clause (EndpointNotFound derives from it in
        # keystoneauth1, assuming that is what kse refers to).
        LOG.error(
            "Keystone identity service version 3.0 was not found. This might "
            "be because your endpoint points to the v2.0 versioned endpoint "
            "which is not supported. Please fix this.")
        raise exceptions.KeystoneCommunicationFailure(
            _("KeystoneV3 endpoint not found"))
    except kse.ClientException:
        # Fail open: no usable keystone, so the id passes unverified.
        LOG.info("Unable to contact keystone to verify project_id")
        return True

    if not resp:
        code = resp.status_code
        if code == 404:
            # Access worked and keystone knows no such project.
            raise exceptions.InvalidProject(
                _("%s is not a valid project ID.") % project_id)
        if code == 403:
            # Fail open: not enough permission to decide either way.
            LOG.info(
                "Insufficient permissions for user %(user)s to verify "
                "existence of project_id %(pid)s",
                {"user": context.user_id, "pid": project_id})
        else:
            # Fail open on an unexpected status, with a warning.
            # NOTE(review): the raw response body ends up in the log.
            LOG.warning(
                "Unexpected response from keystone trying to "
                "verify project_id %(pid)s - resp: %(code)s %(content)s",
                {"pid": project_id, "code": code, "content": resp.content})

    # Reached for a 20x answer as well as for the fail-open cases above.
    return True
def test_load(self):
    """Adapter options set in the conf group show up on the Adapter."""
    conf_opts = {
        'service_type': 'type',
        'service_name': 'name',
        'interface': 'iface',
        'region_name': 'region',
        'endpoint_override': 'endpoint',
    }
    self.conf_fx.config(group=self.GROUP, **conf_opts)

    adap = loading.load_adapter_from_conf_options(
        self.conf_fx.conf, self.GROUP, session='session', auth='auth')

    # Every option configured above is exposed under the same attribute
    # name on the adapter.
    for attr, expected in conf_opts.items():
        self.assertEqual(expected, getattr(adap, attr))
    # session and auth are not conf options; they are handed through from
    # the call itself.
    self.assertEqual('session', adap.session)
    self.assertEqual('auth', adap.auth)
def test_load_retries(self):
    """Retry counts from the conf group are carried onto the Adapter."""
    conf_opts = {
        'service_type': 'type',
        'service_name': 'name',
        'connect_retries': 3,
        'status_code_retries': 5,
    }
    self.conf_fx.config(group=self.GROUP, **conf_opts)

    adap = loading.load_adapter_from_conf_options(
        self.conf_fx.conf, self.GROUP, session='session', auth='auth')

    # Each configured option must be readable back from the attribute of
    # the same name.
    for attr, expected in conf_opts.items():
        self.assertEqual(expected, getattr(adap, attr))
def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None,
                    min_version=None, max_version=None):
    """Build a keystoneauth1 Adapter for the given service type.

    The conf group is expected to be named after the service_type's
    project according to the service-types-authority, and must provide at
    least the ksa adapter options. Auth and/or session options may be
    needed too, depending on how the result is used, unless the
    corresponding argument is supplied.

    The adapter is created with raise_exc=False: a response with status
    >=400 is returned as a Response object and no exception is raised, so
    callers have to inspect the status themselves (a 401 or 403 will not
    interrupt the call). Individual requests can opt back in by passing
    raise_exc=True.

    :param service_type: String name of the service type for which the
        Adapter is to be constructed.
    :param ksa_auth: A keystoneauth1 auth plugin. When omitted, the auth of
        ksa_session is tried, then the conf.
    :param ksa_session: A keystoneauth1 Session. When omitted, one is
        loaded from the conf.
    :param min_version: The minimum major version of the adapter's
        endpoint, the lower bound of a range with max_version. Given
        without max_version, it is as if max_version were 'latest'.
    :param max_version: The maximum major version of the adapter's
        endpoint, the upper bound of a range with min_version.
    :return: A keystoneauth1 Adapter object for the specified
        service_type.
    :raise: ConfGroupForServiceTypeNotFound If no conf group name could be
        found for the specified service_type (presumably raised inside
        _get_conf_group, which is not visible here).
    """
    group = _get_conf_group(service_type)
    auth, session = _get_auth_and_session(group, ksa_auth, ksa_session)

    adapter_opts = {
        'session': session,
        'auth': auth,
        'min_version': min_version,
        'max_version': max_version,
        # Error statuses are returned to the caller, not raised.
        'raise_exc': False,
    }
    return ks_loading.load_adapter_from_conf_options(
        CONF, group, **adapter_opts)
def test_load_valid_interfaces_comma_list(self):
    """A comma-separated valid_interfaces option loads as a list."""
    self.conf_fx.config(
        group=self.GROUP,
        service_type='type',
        service_name='name',
        valid_interfaces='internal,public',
        region_name='region',
        endpoint_override='endpoint',
        version='2.0')

    adap = loading.load_adapter_from_conf_options(
        self.conf_fx.conf, self.GROUP, session='session', auth='auth')

    expected_attrs = {
        'service_type': 'type',
        'service_name': 'name',
        # 'internal,public' is split into its two interface names.
        'interface': ['internal', 'public'],
        'region_name': 'region',
        'endpoint_override': 'endpoint',
        'session': 'session',
        'auth': 'auth',
        'version': '2.0',
    }
    for attr, expected in expected_attrs.items():
        self.assertEqual(expected, getattr(adap, attr))

    # Only an exact version was configured, so no version range is set.
    self.assertIsNone(adap.min_version)
    self.assertIsNone(adap.max_version)
def get_ironic_client(context=None):
    """Create an ironic client, acting for the user when a context is given.

    Without ``context`` the client session authenticates with the service
    credentials loaded from the ``ironic`` conf group. With ``context``,
    the ironic endpoint is first resolved using the service credentials,
    then the user's ``context.auth_token`` is bound to that endpoint and
    combined with the service credentials in a ServiceTokenAuthWrapper,
    which becomes the auth of the client session.

    :param context: optional request context; ``auth_token`` is read from
        it.
    :return: the client returned by ``ironic_client.get_client``.
    """
    discovery_session = ks_loading.load_session_from_conf_options(
        CONF, 'ironic')
    service_auth = ks_loading.load_auth_from_conf_options(CONF, 'ironic')

    user_auth = None
    if context:
        # The endpoint comes from the service's own adapter, so the user
        # token is only ever bound to the configured ironic endpoint.
        discovery_adapter = ks_loading.load_adapter_from_conf_options(
            CONF, 'ironic', session=discovery_session, auth=service_auth)
        ironic_endpoint = discovery_adapter.get_endpoint()
        # NOTE(review): context.auth_token is a bearer credential; keep it
        # out of logs and error messages built around this call.
        user_token = token_endpoint.Token(ironic_endpoint,
                                          context.auth_token)
        user_auth = service_token.ServiceTokenAuthWrapper(
            user_auth=user_token, service_auth=service_auth)

    # Fall back to plain service credentials when no user context exists.
    client_session = ks_loading.load_session_from_conf_options(
        CONF, 'ironic', auth=user_auth or service_auth)

    # The ironic API version is pinned to 1.65.
    return ironic_client.get_client(
        1, session=client_session, os_ironic_api_version='1.65')
def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None,
                    min_version=None, max_version=None):
    """Build a keystoneauth1 Adapter for the given service type.

    The conf group is looked up as the service_type's project name
    according to the service-types-authority; if that yields nothing
    usable, the service type itself is tried as the group name. The group
    must provide at least the ksa adapter options. Auth and/or session
    options may be needed too, depending on how the result is used, unless
    the corresponding argument is supplied.

    The adapter is created with raise_exc=False: a response with status
    >=400 is returned as a Response object and no exception is raised, so
    callers have to inspect the status themselves (a 401 or 403 will not
    interrupt the call). Individual requests can opt back in by passing
    raise_exc=True.

    :param service_type: String name of the service type for which the
        Adapter is to be constructed.
    :param ksa_auth: A keystoneauth1 auth plugin. When omitted, the auth of
        ksa_session is used if it has one; otherwise one is loaded from
        the conf.
    :param ksa_session: A keystoneauth1 Session. When omitted, one is
        loaded from the conf.
    :param min_version: The minimum major version of the adapter's
        endpoint, the lower bound of a range with max_version. Given
        without max_version, it is as if max_version were 'latest'.
    :param max_version: The maximum major version of the adapter's
        endpoint, the upper bound of a range with min_version.
    :return: A keystoneauth1 Adapter object for the specified
        service_type.
    :raise: ConfGroupForServiceTypeNotFound If no conf group name could be
        found for the specified service_type.
    """
    # Candidate conf groups, in order of preference: the project name for
    # the service type, then the service type itself. The latter is needed
    # for e.g. placement while it is still part of the nova project, and
    # might become the first choice if/as conf groups move to being named
    # after service types in general.
    candidates = (_SERVICE_TYPES.get_project_name(service_type),
                  service_type)
    for confgrp in candidates:
        if confgrp and hasattr(CONF, confgrp):
            break
    else:
        raise exception.ConfGroupForServiceTypeNotFound(stype=service_type)

    # Resolve the auth plugin: explicit argument, then the session's own
    # plugin, then the conf group.
    # NOTE(efried): The result may still be None, and that can be fine -
    # e.g. when the adapter is only used for get_endpoint() and the conf
    # contains nothing but endpoint_override.
    auth = ksa_auth
    if not auth:
        session_auth = ksa_session.auth if ksa_session else None
        auth = session_auth or ks_loading.load_auth_from_conf_options(
            CONF, confgrp)

    session = ksa_session or ks_loading.load_session_from_conf_options(
        CONF, confgrp, auth=auth)

    return ks_loading.load_adapter_from_conf_options(
        CONF, confgrp, session=session, auth=auth,
        min_version=min_version, max_version=max_version,
        raise_exc=False)
def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None,
                    min_version=None, max_version=None):
    """Return a keystoneauth1 Adapter configured for ``service_type``.

    The conf group is normally the project that the
    service-types-authority associates with the service type; when CONF
    has no such group, the service type itself is used as the group name.
    The group has to carry at least the ksa adapter options, plus auth
    and/or session options where the caller does not pass them in and the
    intended use needs them.

    Because the adapter is built with raise_exc=False, responses with a
    status >=400 are handed back as Response objects and do not raise.
    Callers must check the status of what they get back - an
    authentication or permission failure will not stop them otherwise -
    or pass raise_exc=True on the individual request.

    :param service_type: String name of the service type for which the
        Adapter is to be constructed.
    :param ksa_auth: A keystoneauth1 auth plugin. If not given, the plugin
        of ksa_session is used when present, else one is loaded from the
        conf.
    :param ksa_session: A keystoneauth1 Session. If not given, one is
        loaded from the conf.
    :param min_version: The minimum major version of the adapter's
        endpoint; lower bound of a range with max_version. Without
        max_version it is as if max_version were 'latest'.
    :param max_version: The maximum major version of the adapter's
        endpoint; upper bound of a range with min_version.
    :return: A keystoneauth1 Adapter object for the specified
        service_type.
    :raise: ConfGroupForServiceTypeNotFound If no conf group name could be
        found for the specified service_type.
    """
    def _usable(name):
        # A group name counts only if it is non-empty and CONF knows it.
        return bool(name) and hasattr(CONF, name)

    confgrp = _SERVICE_TYPES.get_project_name(service_type)
    if not _usable(confgrp):
        # Fall back to the service type as the conf group. Needed for e.g.
        # placement while it is still part of the nova project; this may
        # become the first lookup if/as conf groups get named after
        # service types in general.
        confgrp = service_type
        if not _usable(confgrp):
            raise exception.ConfGroupForServiceTypeNotFound(
                stype=service_type)

    # Settle on an auth plugin.
    # NOTE(efried): None is a possible and sometimes acceptable outcome -
    # e.g. if the result is only used for get_endpoint() and the conf
    # contains just endpoint_override.
    if ksa_auth:
        auth = ksa_auth
    elif ksa_session and ksa_session.auth:
        auth = ksa_session.auth
    else:
        auth = ks_loading.load_auth_from_conf_options(CONF, confgrp)

    if ksa_session:
        session = ksa_session
    else:
        session = ks_loading.load_session_from_conf_options(
            CONF, confgrp, auth=auth)

    return ks_loading.load_adapter_from_conf_options(
        CONF, confgrp, session=session, auth=auth,
        min_version=min_version, max_version=max_version,
        raise_exc=False)
def get_adapter(group, **adapter_kwargs):
    """Load an adapter from the options of one configuration group.

    ``adapter_kwargs`` are forwarded unchanged to
    ``loading.load_adapter_from_conf_options`` (presumably keystoneauth1's
    loader, where explicit keyword arguments take precedence over the
    configured values - confirm). They should therefore be supplied by
    trusted code, not derived from request data.

    :param group: name of the conf group to load adapter options from
    :return: the adapter built by the loader
    """
    adapter = loading.load_adapter_from_conf_options(
        CONF, group, **adapter_kwargs)
    return adapter