def setup_keystoneauth(conf): if conf[CFG_GROUP].auth_type == "password-vitrage-legacy": LOG.warn("Value 'password-vitrage-legacy' for '[%s]/auth_type' " "is deprecated. And will be removed in Vitrage 2.0. " "Use 'password' instead.", CFG_GROUP) ka_loading.load_auth_from_conf_options(conf, CFG_GROUP)
def prepare_service(argv=None, config_files=None, conf=None): if argv is None: argv = sys.argv # FIXME(sileht): Use ConfigOpts() instead if conf is None: conf = cfg.CONF oslo_i18n.enable_lazy() log.register_options(conf) log_levels = (conf.default_log_levels + ['futurist=INFO', 'neutronclient=INFO', 'keystoneclient=INFO']) log.set_defaults(default_log_levels=log_levels) defaults.set_cors_middleware_defaults() policy_opts.set_defaults(conf) conf(argv[1:], project='ceilometer', validate_default_values=True, version=version.version_info.version_string(), default_config_files=config_files) ka_loading.load_auth_from_conf_options(conf, "service_credentials") log.setup(conf, 'ceilometer') # NOTE(liusheng): guru cannot run with service under apache daemon, so when # ceilometer-api running with mod_wsgi, the argv is [], we don't start # guru. if argv: gmr.TextGuruMeditation.setup_autorun(version) messaging.setup() return conf
def _get_glance_client(self, project_id=None): if project_id: auth_plugin = loading.load_auth_from_conf_options( CONF, CFG_GROUP, project_id=project_id) else: auth_plugin = loading.load_auth_from_conf_options(CONF, CFG_GROUP) session = loading.load_session_from_conf_options(CONF, CFG_GROUP, auth=auth_plugin) return glanceclient.client.Client(2, session=session)
def parse_args(args=None, prog=None): log.set_defaults() log.register_options(CONF) CONF( args=args, project='distil', prog=prog, version=version.version_info.version_string(), ) ka_loading.load_auth_from_conf_options(CONF, AUTH_GROUP) log.setup(CONF, prog)
def test_loading_v3(self): section = uuid.uuid4().hex auth_url = uuid.uuid4().hex, token = uuid.uuid4().hex trust_id = uuid.uuid4().hex project_id = uuid.uuid4().hex project_domain_name = uuid.uuid4().hex self.conf_fixture.config(auth_section=section, group=self.GROUP) loading.register_auth_conf_options(self.conf_fixture.conf, group=self.GROUP) self.conf_fixture.register_opts(to_oslo_opts(v3.Token().get_options()), group=section) self.conf_fixture.config(auth_type=self.V3TOKEN, auth_url=auth_url, token=token, trust_id=trust_id, project_id=project_id, project_domain_name=project_domain_name, group=section) a = loading.load_auth_from_conf_options(self.conf_fixture.conf, self.GROUP) self.assertEqual(token, a.auth_methods[0].token) self.assertEqual(trust_id, a.trust_id) self.assertEqual(project_id, a.project_id) self.assertEqual(project_domain_name, a.project_domain_name)
def test_loading_v2(self): section = uuid.uuid4().hex auth_url = uuid.uuid4().hex username = uuid.uuid4().hex password = uuid.uuid4().hex trust_id = uuid.uuid4().hex tenant_id = uuid.uuid4().hex self.conf_fixture.config(auth_section=section, group=self.GROUP) loading.register_auth_conf_options(self.conf_fixture.conf, group=self.GROUP) self.conf_fixture.register_opts( to_oslo_opts(v2.Password().get_options()), group=section) self.conf_fixture.config(auth_type=self.V2PASS, auth_url=auth_url, username=username, password=password, trust_id=trust_id, tenant_id=tenant_id, group=section) a = loading.load_auth_from_conf_options(self.conf_fixture.conf, self.GROUP) self.assertEqual(auth_url, a.auth_url) self.assertEqual(username, a.username) self.assertEqual(password, a.password) self.assertEqual(trust_id, a.trust_id) self.assertEqual(tenant_id, a.tenant_id)
def _get_session(): global _session if not _session: auth = ka_loading.load_auth_from_conf_options(CONF, GROUP) _session = ka_loading.load_session_from_conf_options( CONF, GROUP, auth=auth) return _session
def _get_keystone_session(self): auth = ka_loading.load_auth_from_conf_options(cfg.CONF, _CLIENTS_AUTH_GROUP) sess = ka_loading.load_session_from_conf_options(cfg.CONF, _CLIENTS_AUTH_GROUP, auth=auth) return sess
def _migrate_keys(self, volumes, backups): LOG.info("Starting migration of ConfKeyManager keys.") # Establish a Barbican client session that will be used for the entire # key migration process. Use cinder's own service credentials. try: ks_loading.register_auth_conf_options(self.conf, 'keystone_authtoken') auth = ks_loading.load_auth_from_conf_options(self.conf, 'keystone_authtoken') sess = ks_session.Session(auth=auth) self.barbican = barbican_client.Client(session=sess) except Exception as e: LOG.error("Aborting encryption key migration due to " "error creating Barbican client: %s", e) return errors = 0 for item in itertools.chain(volumes, backups): try: self._migrate_encryption_key(item) except Exception as e: LOG.error("Error migrating encryption key: %s", e) # NOTE(abishop): There really shouldn't be any soft errors, so # if an error occurs migrating one key then chances are they # will all fail. This avoids filling the log with the same # error in situations where there are many keys to migrate. errors += 1 if errors > MAX_KEY_MIGRATION_ERRORS: LOG.error("Aborting encryption key migration " "(too many errors).") break
def _barbican_admin_init(self): # Import auth_token to have keystone_authtoken settings setup. auth = loading.load_auth_from_conf_options( cfg.CONF, 'keystone_authtoken') sess = loading.load_session_from_conf_options( cfg.CONF, 'keystone_authtoken', auth=auth) return barbicanclient.Client(session=sess)
def __init__(self): auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') session = ks_loading.load_session_from_conf_options( cfg.CONF, 'nova', auth=auth) extensions = [ ext for ext in nova_client.discover_extensions(NOVA_API_VERSION) if ext.name == "server_external_events"] self.nclient = nova_client.Client( NOVA_API_VERSION, session=session, region_name=cfg.CONF.nova.region_name, endpoint_type=cfg.CONF.nova.endpoint_type, extensions=extensions) self.batch_notifier = batch_notifier.BatchNotifier( cfg.CONF.send_events_interval, self.send_events) # register callbacks for events pertaining resources affecting Nova callback_resources = ( resources.FLOATING_IP, resources.PORT, ) for resource in callback_resources: registry.subscribe(self._send_nova_notification, resource, events.BEFORE_RESPONSE)
def __init__(self, transformers, **kwargs): super(GnocchiCollector, self).__init__(transformers, **kwargs) adapter_options = {'connect_retries': 3} if CONF.collector_gnocchi.gnocchi_auth_type == 'keystone': auth_plugin = ks_loading.load_auth_from_conf_options( CONF, COLLECTOR_GNOCCHI_OPTS, ) adapter_options['interface'] = CONF.collector_gnocchi.interface else: auth_plugin = gauth.GnocchiBasicPlugin( user=CONF.collector_gnocchi.gnocchi_user, endpoint=CONF.collector_gnocchi.gnocchi_endpoint, ) adapter_options['region_name'] = CONF.collector_gnocchi.region_name verify = True if CONF.collector_gnocchi.cafile: verify = CONF.collector_gnocchi.cafile elif CONF.collector_gnocchi.insecure: verify = False self._conn = gclient.Client( '1', session_options={'auth': auth_plugin, 'verify': verify}, adapter_options=adapter_options, )
def _get_auth_plugin(self): """Load an auth plugin from CONF options.""" # If an auth plugin name is defined in `auth_type` option of [ironic] # group, register its options and load it. auth_plugin = ks_loading.load_auth_from_conf_options(CONF, IRONIC_GROUP.name) # If no plugin name is defined, load a v2Password plugin from the # deprecated, legacy auth options in [ironic] group. if auth_plugin is None: LOG.warning( _LW( "Couldn't find adequate authentication options " "under the [ironic] group of nova.conf. Falling " "to legacy auth options: admin_username, " "admin_password, admin_tenant_name and admin_url. " "Please note that these options are deprecated " "and won't be supported anymore in a future " "release." ) ) legacy_auth = { "username": CONF.ironic.admin_username, "password": CONF.ironic.admin_password, "tenant_name": CONF.ironic.admin_tenant_name, "auth_url": CONF.ironic.admin_url, } auth_plugin = identity.V2Password(**legacy_auth) return auth_plugin
def __init__(self, **kwargs): super(GnocchiStorage, self).__init__(**kwargs) conf = kwargs.get('conf') or ck_utils.load_conf( CONF.collect.metrics_conf) self.conf = validate_conf(conf) self.auth = ks_loading.load_auth_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS) self.session = ks_loading.load_session_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS, auth=self.auth) self._conn = gclient.Client( '1', session=self.session, adapter_options={'connect_retries': 3, 'interface': CONF.storage_gnocchi.interface}) self._archive_policy_name = ( CONF.storage_gnocchi.archive_policy_name) self._archive_policy_definition = json.loads( CONF.storage_gnocchi.archive_policy_definition) self._period = kwargs.get('period') or CONF.collect.period self._measurements = dict() self._resource_type_data = dict() self._init_resource_types()
def __init__(self): # FIXME(jamielennox): A notifier is being created for each Controller # and each Notifier is handling it's own auth. That means that we are # authenticating the exact same thing len(controllers) times. This # should be an easy thing to optimize. # FIXME(kevinbenton): remove this comment and the one above once the # switch to pecan is complete since only one notifier is constructed # in the pecan notification hook. auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') session = ks_loading.load_session_from_conf_options( cfg.CONF, 'nova', auth=auth) extensions = [ ext for ext in nova_client.discover_extensions(NOVA_API_VERSION) if ext.name == "server_external_events"] self.nclient = nova_client.Client( NOVA_API_VERSION, session=session, region_name=cfg.CONF.nova.region_name, endpoint_type=cfg.CONF.nova.endpoint_type, extensions=extensions) self.batch_notifier = batch_notifier.BatchNotifier( cfg.CONF.send_events_interval, self.send_events) # register callbacks for events pertaining resources affecting Nova callback_resources = ( resources.FLOATING_IP, resources.PORT, ) for resource in callback_resources: registry.subscribe(self._send_nova_notification, resource, events.BEFORE_RESPONSE)
def _get_auth(self): if self.context.auth_token_info: access_info = ka_access.create(body=self.context.auth_token_info, auth_token=self.context.auth_token) auth = ka_access_plugin.AccessInfoPlugin(access_info) elif self.context.auth_token: auth = ka_v3.Token(auth_url=self.auth_url, token=self.context.auth_token) elif self.context.trust_id: auth_info = { 'auth_url': self.auth_url, 'username': self.context.user_name, 'password': self.context.password, 'user_domain_id': self.context.user_domain_id, 'user_domain_name': self.context.user_domain_name, 'trust_id': self.context.trust_id } auth = ka_v3.Password(**auth_info) elif self.context.is_admin: try: auth = ka_loading.load_auth_from_conf_options( CONF, ksconf.CFG_GROUP) except ka_exception.MissingRequiredOptions: auth = self._get_legacy_auth() else: msg = ('Keystone API connection failed: no password, ' 'trust_id or token found.') LOG.error(msg) raise exception.AuthorizationFailure(client='keystone', message='reason %s' % msg) return auth
def get_session(conf, requests_session=None): """Get an aodh service credentials auth session.""" auth_plugin = ka_loading.load_auth_from_conf_options(conf, CFG_GROUP) session = ka_loading.load_session_from_conf_options( conf, CFG_GROUP, auth=auth_plugin, session=requests_session ) return session
def get_session(requests_session=None): """Get a ceilometer service credentials auth session.""" auth_plugin = ka_loading.load_auth_from_conf_options(cfg.CONF, CFG_GROUP) session = ka_loading.load_session_from_conf_options( cfg.CONF, CFG_GROUP, auth=auth_plugin, session=requests_session ) return session
def get_trusted_token(trust_id): """Return a Keystone token using the given trust_id.""" auth_plugin = loading.load_auth_from_conf_options( cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=trust_id) trust_session = session.Session(auth=auth_plugin) return trust_session.auth.get_access(trust_session).auth_token
def _get_keystone_auth(trust_id=None): if not cfg.CONF[CFG_KEYSTONE_GROUP].auth_type: # Fallback to legacy v2 options if no auth_type is set. # If auth_type is set, it is possible to use the auth loader # from keystoneauth1. This is the same fallback as keystonemiddleware # uses. kwargs = { 'auth_url': cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri.replace('v2.0', 'v3'), 'username': cfg.CONF[CFG_KEYSTONE_GROUP].admin_user, 'password': cfg.CONF[CFG_KEYSTONE_GROUP].admin_password, 'user_domain_name': "Default" } if not trust_id: kwargs['project_name'] = \ cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name kwargs['project_domain_name'] = "Default" else: kwargs['trust_id'] = trust_id auth = identity.Password(**kwargs) else: kwargs = {} if trust_id: # Remove project_name and project_id, since we need a trust scoped # auth object kwargs['project_name'] = None kwargs['project_domain_name'] = None kwargs['project_id'] = None kwargs['trust_id'] = trust_id auth = ka_loading.load_auth_from_conf_options( cfg.CONF, CFG_KEYSTONE_GROUP, **kwargs) return auth
def get_admin_session(): """Returns a keystone session from Mistral's service credentials.""" if CONF.keystone_authtoken.auth_type is None: auth = auth_plugins.Password( CONF.keystone_authtoken.www_authenticate_uri, username=CONF.keystone_authtoken.admin_user, password=CONF.keystone_authtoken.admin_password, project_name=CONF.keystone_authtoken.admin_tenant_name, # NOTE(jaosorior): Once mistral supports keystone v3 properly, we # can fetch the following values from the configuration. user_domain_name='Default', project_domain_name='Default') return ks_session.Session(auth=auth) else: auth = loading.load_auth_from_conf_options( CONF, 'keystone_authtoken' ) return loading.load_session_from_conf_options( CONF, 'keystone', auth=auth )
def trusts_auth_plugin(self): if self._trusts_auth_plugin: return self._trusts_auth_plugin self._trusts_auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, TRUSTEE_CONF_GROUP, trust_id=self.trust_id) if self._trusts_auth_plugin: return self._trusts_auth_plugin LOG.warning(_LW('Using the keystone_authtoken user as the heat ' 'trustee user directly is deprecated. Please add the ' 'trustee credentials you need to the %s section of ' 'your heat.conf file.') % TRUSTEE_CONF_GROUP) cfg.CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token') trustee_user_domain = 'default' if 'user_domain_id' in cfg.CONF.keystone_authtoken: trustee_user_domain = cfg.CONF.keystone_authtoken.user_domain_id self._trusts_auth_plugin = generic.Password( username=cfg.CONF.keystone_authtoken.admin_user, password=cfg.CONF.keystone_authtoken.admin_password, user_domain_id=trustee_user_domain, auth_url=self.keystone_v3_endpoint, trust_id=self.trust_id) return self._trusts_auth_plugin
def __init__(self, user_plugin, user_project, user_roles): """Prepare all parameters and clients required to refresh token""" # step 1: create trust to ensure that we can always update token # trustor = user who made the request trustor_client = self._load_session(user_plugin) trustor_id = trustor_client.get_user_id() # get trustee user client that impersonates main user trustee_user_auth = ka_loading.load_auth_from_conf_options( CONF, 'keystone_authtoken') # save service user client because we need new service token # to refresh trust-scoped client later self.trustee_user_client = self._load_session(trustee_user_auth) trustee_id = self.trustee_user_client.get_user_id() self.trust_id = trustor_client.trusts.create(trustor_user=trustor_id, trustee_user=trustee_id, impersonation=True, role_names=user_roles, project=user_project).id LOG.debug("Trust %s has been created.", self.trust_id) # step 2: postpone trust-scoped client initialization # until we need to refresh the token self.trustee_client = None
def _get_auth_plugin(self): """Load an auth plugin from CONF options.""" # If an auth plugin name is defined in `auth_type` option of [ironic] # group, register its options and load it. auth_plugin = ks_loading.load_auth_from_conf_options(CONF, IRONIC_GROUP.name) return auth_plugin
def _get_auth(group, legacy_mapping=None, legacy_opts=None): try: auth = loading.load_auth_from_conf_options(CONF, group) except exceptions.MissingRequiredOptions: auth = _get_legacy_auth(group, legacy_mapping, legacy_opts) else: if auth is None: auth = _get_legacy_auth(group, legacy_mapping, legacy_opts) return auth
def get_neutron_client(*args, **kwargs): auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, kuryr_config.neutron_group.name) session = ks_loading.load_session_from_conf_options(cfg.CONF, 'neutron', auth=auth_plugin) return client.Client(session=session, auth=auth_plugin, endpoint_type=cfg.CONF.neutron.endpoint_type)
def prepare_service(argv=None, config_files=None, conf=None): oslo_i18n.enable_lazy() if argv is None: argv = sys.argv if conf is None: conf = cfg.ConfigOpts() conf.register_opts(OPTS) log.register_options(conf) db_options.set_defaults(conf) loading.register_auth_conf_options(conf, 'keystone_authtoken') conf(argv[1:], project='nabu', validate_default_values=True, version=nabu.__version__, default_config_files=config_files) loading.load_auth_from_conf_options(conf, 'keystone_authtoken') log.setup(conf, 'nabu') return conf
def get_session(conf, requests_session=None, group=None, timeout=None): """Get a ceilometer service credentials auth session.""" group = group or DEFAULT_GROUP auth_plugin = ka_loading.load_auth_from_conf_options(conf, group) kwargs = {'auth': auth_plugin, 'session': requests_session} if timeout is not None: kwargs['timeout'] = timeout session = ka_loading.load_session_from_conf_options(conf, group, **kwargs) return session
def __init__(self): # A dict, keyed by the resource provider UUID, of ResourceProvider # objects that will have their inventories and allocations tracked by # the placement API for the compute host self._resource_providers = {} auth_plugin = keystone.load_auth_from_conf_options(CONF, "placement") self._client = session.Session(auth=auth_plugin) # TODO(sdague): use this to disable fully when we don't find # the endpoint. self._disabled = False
def __init__(self): auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') session = ks_loading.load_session_from_conf_options( cfg.CONF, 'nova', auth=auth) self.nclient = nclient.Client( n_nova.NOVA_API_VERSION, session=session, region_name=cfg.CONF.nova.region_name, endpoint_type=cfg.CONF.nova.endpoint_type)
def __init__(self): auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') session = ks_loading.load_session_from_conf_options(cfg.CONF, 'nova', auth=auth) extensions = [ ext for ext in nova_client.discover_extensions(NOVA_API_VERSION, only_contrib=True) if ext.name == "server_external_events" ] self.nclient = nova_client.Client( api_versions.APIVersion(NOVA_API_VERSION), session=session, region_name=cfg.CONF.nova.region_name, endpoint_type=cfg.CONF.nova.endpoint_type, extensions=extensions) self.batch_notifier = batch_notifier.BatchNotifier( cfg.CONF.send_events_interval, self.send_events)
def _create_client(self): """Create the HTTP session accessing the placement service.""" # Flush _resource_providers and aggregates so we start from a # clean slate. self._resource_providers = {} self._provider_aggregate_map = {} # TODO(lajoskatona): perhaps not the best to override config options, # actually the abused keystoneauth1 options are: # auth_type (used for deciding for NoAuthClient) and auth_section # (used for communicating the url for the NoAuthClient) if self._conf.placement.auth_type == 'noauth': return NoAuthClient(self._conf.placement.auth_section) else: auth_plugin = keystone.load_auth_from_conf_options( self._conf, 'placement') return keystone.load_session_from_conf_options( self._conf, 'placement', auth=auth_plugin, additional_headers={'accept': 'application/json'})
def _get_clients(self): p_client = placement_client.PlacementAPIClient( cfg.CONF, openstack_api_version='placement 1.1') n_auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') n_session = ks_loading.load_session_from_conf_options(cfg.CONF, 'nova', auth=n_auth) extensions = [ ext for ext in nova_client.discover_extensions(NOVA_API_VERSION) if ext.name == "server_external_events" ] n_client = nova_client.Client( NOVA_API_VERSION, session=n_session, region_name=cfg.CONF.nova.region_name, endpoint_type=cfg.CONF.nova.endpoint_type, extensions=extensions) return p_client, n_client
def __init__(self, transformers, **kwargs): super(MonascaCollector, self).__init__(transformers, **kwargs) self.t_cloudkitty = self.transformers['CloudKittyFormatTransformer'] self.auth = ks_loading.load_auth_from_conf_options( CONF, COLLECTOR_MONASCA_OPTS) self.session = ks_loading.load_session_from_conf_options( CONF, COLLECTOR_MONASCA_OPTS, auth=self.auth) self.ks_client = ks_client.Client(session=self.session) self.mon_endpoint = self._get_monasca_endpoint() if not self.mon_endpoint: raise EndpointNotFound() self._conn = mclient.Client( api_version=MONASCA_API_VERSION, session=self.session, endpoint=self.mon_endpoint)
def get_admin_session(): """Returns a keystone session from Mistral's service credentials.""" if CONF.keystone_authtoken.auth_type is None: auth = auth_plugins.Password( CONF.keystone_authtoken.www_authenticate_uri, username=CONF.keystone_authtoken.admin_user, password=CONF.keystone_authtoken.admin_password, project_name=CONF.keystone_authtoken.admin_tenant_name, # NOTE(jaosorior): Once mistral supports keystone v3 properly, we # can fetch the following values from the configuration. user_domain_name='Default', project_domain_name='Default') return ks_session.Session(auth=auth) else: auth = loading.load_auth_from_conf_options(CONF, 'keystone_authtoken') return loading.load_session_from_conf_options(CONF, 'keystone', auth=auth)
def _get_auth(self): if self.context.is_admin or self.context.trust_id: try: auth = ka_loading.load_auth_from_conf_options(CONF, CFG_GROUP) except ka_exception.MissingRequiredOptions: auth = self._get_legacy_auth() elif self.context.auth_token_info: access_info = ka_access.create(body=self.context.auth_token_info, auth_token=self.context.auth_token) auth = ka_access_plugin.AccessInfoPlugin(access_info) elif self.context.auth_token: auth = ka_v3.Token(auth_url=self.auth_url, token=self.context.auth_token) else: LOG.error( _LE('Keystone API connection failed: no password, ' 'trust_id or token found.')) raise exception.AuthorizationFailure() return auth
def __init__(self, **kwargs): super(GnocchiStorage, self).__init__(**kwargs) self.auth = ks_loading.load_auth_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS) self.session = ks_loading.load_session_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS, auth=self.auth) self._conn = gclient.Client('1', session=self.session, adapter_options={ 'connect_retries': 3, 'interface': CONF.storage_gnocchi.interface }) self._measures = {} self._archive_policy_name = (CONF.storage_gnocchi.archive_policy_name) self._archive_policy_definition = json.loads( CONF.storage_gnocchi.archive_policy_definition) self._period = METRICS_CONF['period'] if "period" in kwargs: self._period = kwargs["period"]
def get_ironic_client(context=None): session = ks_loading.load_session_from_conf_options(CONF, 'ironic') service_auth = ks_loading.load_auth_from_conf_options(CONF, 'ironic') # use user context if provided user_auth = None if context: endpoint = ks_loading.load_adapter_from_conf_options( CONF, 'ironic', session=session, auth=service_auth).get_endpoint() user_auth = service_token.ServiceTokenAuthWrapper( user_auth=token_endpoint.Token(endpoint, context.auth_token), service_auth=service_auth) sess = ks_loading.load_session_from_conf_options(CONF, 'ironic', auth=user_auth or service_auth) kwargs = {'os_ironic_api_version': '1.65'} cli = ironic_client.get_client(1, session=sess, **kwargs) return cli
def _v3_client_init(self): kwargs = {'auth_url': self.endpoint, 'endpoint': self.endpoint} # Note try trust_id first, as we can't reuse auth_token in that case if self.context.trust_id is not None: # We got a trust_id, so we use the admin credentials # to authenticate with the trust_id so we can use the # trust impersonating the trustor user. kwargs.update(self._service_admin_creds()) kwargs['trust_id'] = self.context.trust_id kwargs.pop('project_name') auth = ka_loading.load_auth_from_conf_options( cfg.CONF, 'keystone_authtoken', **kwargs) elif self.context.auth_token is not None: kwargs['token'] = self.context.auth_token kwargs['project_id'] = self.context.tenant auth = identity.Token(auth_url=kwargs['auth_url'], token=kwargs['token'], project_id=kwargs['project_id']) else: LOG.error( _("Keystone v3 API connection failed, no password " "trust or auth_token!")) raise exception.AuthorizationFailure() session = ks_session.Session(auth=auth) client = kc_v3.Client(session=session) client.auth_ref = client.session.auth.get_access(client.session) # If we are authenticating with a trust set the context auth_token # with the trust scoped token if 'trust_id' in kwargs: # Sanity check if not client.auth_ref.trust_scoped: LOG.error(_("trust token re-scoping failed!")) raise exception.AuthorizationFailure() # All OK so update the context with the token self.context.auth_token = client.auth_ref.auth_token self.context.auth_url = self.endpoint self.context.user = client.auth_ref.user_id self.context.tenant = client.auth_ref.project_id self.context.user_name = client.auth_ref.username return client
def _get_conf_client(context): """Retrieve a neutron client connection using conf parameters. :param context: request context, instance of ironic.common.context.RequestContext :returns: A neutron client. """ auth = ks_loading.load_auth_from_conf_options(CONF, 'neutron') session = ks_loading.load_session_from_conf_options( CONF, 'neutron', auth=auth) endpoint = keystone.get_endpoint('neutron', session=session, auth=auth) return clientv20.Client(session=session, auth=auth, endpoint_override=endpoint, retries=CONF.neutron.retries, global_request_id=context.global_id, timeout=CONF.neutron.request_timeout)
def __init__(self): super(GnocchiFetcher, self).__init__() adapter_options = {'connect_retries': 3} if CONF.fetcher_gnocchi.gnocchi_auth_type == 'keystone': auth_plugin = ks_loading.load_auth_from_conf_options( CONF, FETCHER_GNOCCHI_OPTS, ) adapter_options['interface'] = CONF.fetcher_gnocchi.interface else: auth_plugin = gauth.GnocchiBasicPlugin( user=CONF.fetcher_gnocchi.gnocchi_user, endpoint=CONF.fetcher_gnocchi.gnocchi_endpoint, ) adapter_options['region_name'] = CONF.fetcher_gnocchi.region_name self._conn = gclient.Client( '1', session_options={'auth': auth_plugin}, adapter_options=adapter_options, )
def __init__(self, *args, **kwargs): super(GnocchiStorage, self).__init__(*args, **kwargs) adapter_options = {'connect_retries': 3} if CONF.storage_gnocchi.gnocchi_auth_type == 'keystone': auth_plugin = ks_loading.load_auth_from_conf_options( CONF, 'storage_gnocchi', ) adapter_options['interface'] = CONF.storage_gnocchi.api_interface else: auth_plugin = gauth.GnocchiBasicPlugin( user=CONF.storage_gnocchi.gnocchi_user, endpoint=CONF.storage_gnocchi.gnocchi_endpoint, ) self._conn = gclient.Client( '1', session_options={'auth': auth_plugin}, adapter_options=adapter_options, ) self._cacher = GnocchiResourceCacher()
def __init__(self, **kwargs): super(MonascaCollector, self).__init__(**kwargs) self.auth = ks_loading.load_auth_from_conf_options( CONF, COLLECTOR_MONASCA_OPTS) self.session = ks_loading.load_session_from_conf_options( CONF, COLLECTOR_MONASCA_OPTS, auth=self.auth) self.ks_client = ks_client.Client( session=self.session, interface=CONF.collector_monasca.interface, ) self.mon_endpoint = self._get_monasca_endpoint() if not self.mon_endpoint: raise EndpointNotFound() self._conn = mclient.Client( api_version=MONASCA_API_VERSION, session=self.session, endpoint=self.mon_endpoint)
def __call__(self, req): # NOTE(ralonsoh): this method uses Nova Keystone user to retrieve the # project because (1) it is allowed to retrieve the projects and (2) # Neutron avoids adding another user section in the configuration # (Nova user will be always used). global _NOVA_CONNECTION project = req.params.get('project_id') or req.params.get('tenant_id') if project: if not _NOVA_CONNECTION: auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') keystone_session = ks_loading.load_session_from_conf_options( cfg.CONF, 'nova', auth=auth) _NOVA_CONNECTION = connection.Connection( session=keystone_session, oslo_conf=cfg.CONF, connect_retries=cfg.CONF.http_retries) if not _NOVA_CONNECTION.get_project(project): return webob.exc.HTTPNotFound( comment='Project %s does not exist' % project) return req.get_response(self.application)
def get_clients(context): global _SESSION if not _SESSION: _SESSION = loading.load_session_from_conf_options( CONF, 'designate') auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) if CONF.designate.auth_type: admin_auth = loading.load_auth_from_conf_options( CONF, 'designate') else: admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth) return client, admin_client
def _get_auth(self): #LOG.debug('KeystoneClient _get_auth xxx is_admin=%s,auth_token=%s,auth_token_info=%s', self.context.is_admin, self.context.auth_token,self.context.auth_token_info) if self.context.is_admin: auth = ka_loading.load_auth_from_conf_options(CONF, CFG_GROUP) #LOG.debug('KeystoneClient _get_auth xxx auth=%s', auth.__dict__); elif self.context.auth_token_info: #LOG.debug('KeystoneClient _get_auth xxx auth_token_info inside'); access_info = ka_access.create(body=self.context.auth_token_info, auth_token=self.context.auth_token) auth = ka_access_plugin.AccessInfoPlugin(access_info) elif self.context.auth_token: #LOG.debug('KeystoneClient _get_auth xxx auth_token inside'); auth = ka_v3.Token(auth_url=self.auth_url, token=self.context.auth_token) else: msg = ('Keystone API connection failed: no password, ' 'trust_id or token found.') LOG.error(msg) raise exception.AuthorizationFailure(client='keystone', message='reason %s' % msg) #LOG.debug('KeystoneClient _get_auth xxx final auth=%s', auth); return auth
def get_clients(context): global _SESSION if not _SESSION: _SESSION = loading.load_session_from_conf_options(CONF, 'designate') auth = token_endpoint.Token(CONF.designate.url, context.auth_token) client = d_client.Client(session=_SESSION, auth=auth) if CONF.designate.auth_type: admin_auth = loading.load_auth_from_conf_options(CONF, 'designate') else: # TODO(tkajinam): Make this fail when admin_* parameters are removed. admin_auth = password.Password( auth_url=CONF.designate.admin_auth_url, username=CONF.designate.admin_username, password=CONF.designate.admin_password, tenant_name=CONF.designate.admin_tenant_name, tenant_id=CONF.designate.admin_tenant_id) admin_client = d_client.Client(session=_SESSION, auth=admin_auth, endpoint_override=CONF.designate.url) return client, admin_client
def _admin_client(trust_id=None): if CONF.keystone_authtoken.auth_type is None: auth_url = CONF.keystone_authtoken.www_authenticate_uri project_name = CONF.keystone_authtoken.admin_tenant_name # You can't use trust and project together if trust_id: project_name = None cl = ks_client.Client(username=CONF.keystone_authtoken.admin_user, password=CONF.keystone_authtoken.admin_password, project_name=project_name, auth_url=auth_url, trusts=trust_id) cl.management_url = auth_url return cl else: kwargs = {} if trust_id: # Remove domain_id, domain_name, project_name and project_id, # since we need a trust scoped auth object kwargs['domain_id'] = None kwargs['domain_name'] = None kwargs['project_name'] = None kwargs['project_domain_name'] = None kwargs['project_id'] = None kwargs['trust_id'] = trust_id auth = loading.load_auth_from_conf_options(CONF, 'keystone_authtoken', **kwargs) sess = loading.load_session_from_conf_options(CONF, 'keystone', auth=auth) return ks_client.Client(session=sess)
def __init__(self): v3_kwargs = { "username": CONF.read_option('keystone_authtoken', 'username'), "password": CONF.read_option('keystone_authtoken', 'password'), "project_name": CONF.read_option('keystone_authtoken', 'project_name'), "user_domain_name": CONF.read_option('keystone_authtoken', 'user_domain_name'), "project_domain_name": CONF.read_option('keystone_authtoken', 'project_domain_name'), "auth_url": CONF.read_option('keystone_authtoken', 'auth_url'), "region_name": CONF.read_option('keystone_authtoken', 'region_name'), } auth_plugin = loading.load_auth_from_conf_options( conf, "gnocchi_credentials") self.gn_client = gn_client.Client( session_options={'auth': auth_plugin})
def __init__(self): # FIXME(jamielennox): A notifier is being created for each Controller # and each Notifier is handling it's own auth. That means that we are # authenticating the exact same thing len(controllers) times. This # should be an easy thing to optimize. auth = ks_loading.load_auth_from_conf_options(cfg.CONF, 'nova') session = ks_loading.load_session_from_conf_options(cfg.CONF, 'nova', auth=auth) extensions = [ ext for ext in nova_client.discover_extensions(NOVA_API_VERSION) if ext.name == "server_external_events" ] self.nclient = nova_client.Client( NOVA_API_VERSION, session=session, region_name=cfg.CONF.nova.region_name, extensions=extensions) self.batch_notifier = batch_notifier.BatchNotifier( cfg.CONF.send_events_interval, self.send_events)
def _get_keystone_auth(trust_id=None): if not cfg.CONF[CFG_MURANO_AUTH_GROUP].auth_type: # Fallback to legacy v2 options in keystone_authtoken # if no auth_type is set. # If auth_type is set, it is possible to use the auth loader # from keystoneauth1. This is the same fallback as keystonemiddleware # uses. versionutils.report_deprecated_feature( LOG, 'Please update configuration in ' + CFG_MURANO_AUTH_GROUP + ' group') auth_uri = cfg.CONF[CFG_KEYSTONE_GROUP].auth_uri username = cfg.CONF[CFG_KEYSTONE_GROUP].admin_user password = cfg.CONF[CFG_KEYSTONE_GROUP].admin_password project_name = cfg.CONF[CFG_KEYSTONE_GROUP].admin_tenant_name kwargs = { 'auth_url': auth_uri.replace('v2.0', 'v3'), 'username': username, 'password': password, 'user_domain_name': 'Default' } if not trust_id: kwargs['project_name'] = project_name kwargs['project_domain_name'] = 'Default' else: kwargs['trust_id'] = trust_id auth = identity.Password(**kwargs) else: kwargs = {} if trust_id: # Remove project_name and project_id, since we need a trust scoped # auth object kwargs['project_name'] = None kwargs['project_domain_name'] = None kwargs['project_id'] = None kwargs['trust_id'] = trust_id auth = ka_loading.load_auth_from_conf_options(cfg.CONF, CFG_MURANO_AUTH_GROUP, **kwargs) return auth
def __init__(self, transformers, **kwargs): super(GnocchiCollector, self).__init__(transformers, **kwargs) self.t_gnocchi = self.transformers['GnocchiTransformer'] self.t_cloudkitty = self.transformers['CloudKittyFormatTransformer'] adapter_options = {'connect_retries': 3} if CONF.gnocchi_collector.gnocchi_auth_type == 'keystone': auth_plugin = ks_loading.load_auth_from_conf_options( CONF, 'gnocchi_collector', ) adapter_options['interface'] = CONF.gnocchi_collector.interface else: auth_plugin = gauth.GnocchiBasicPlugin( user=CONF.gnocchi_collector.gnocchi_user, endpoint=CONF.gnocchi_collector.gnocchi_endpoint, ) self._conn = gclient.Client( '1', session_options={'auth': auth_plugin}, adapter_options=adapter_options, )
def __init__(self, **kwargs): super(GnocchiStorage, self).__init__(**kwargs) conf = kwargs.get('conf') or ck_utils.load_conf( CONF.collect.metrics_conf) self.conf = validate_conf(conf) self.auth = ks_loading.load_auth_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS) self.session = ks_loading.load_session_from_conf_options( CONF, GNOCCHI_STORAGE_OPTS, auth=self.auth) self._conn = gclient.Client('1', session=self.session, adapter_options={ 'connect_retries': 3, 'interface': CONF.storage_gnocchi.interface }) self._archive_policy_name = (CONF.storage_gnocchi.archive_policy_name) self._archive_policy_definition = json.loads( CONF.storage_gnocchi.archive_policy_definition) self._period = kwargs.get('period') or CONF.collect.period self._measurements = dict() self._resource_type_data = dict() self._init_resource_types()
def _load_ks_session(conf): """Load session. This is either an authenticated session or a requests session, depending on what's configured. """ global _ADMIN_AUTH global _SESSION if not _ADMIN_AUTH: _ADMIN_AUTH = ks_loading.load_auth_from_conf_options( conf, nova.conf.vendordata.vendordata_group.name) if not _ADMIN_AUTH: LOG.warning('Passing insecure dynamic vendordata requests ' 'because of missing or incorrect service account ' 'configuration.') if not _SESSION: _SESSION = ks_loading.load_session_from_conf_options( conf, nova.conf.vendordata.vendordata_group.name, auth=_ADMIN_AUTH) return _SESSION
def get_session_and_auth(context, **kwargs): """Get session and auth parameters :param context: action context :return: dict to be used as kwargs for client serviceinitialization """ if not context: raise AssertionError('context is mandatory') if context.trust_id: kwargs['project_name'] = None kwargs['project_domain_name'] = None kwargs['project_id'] = None kwargs['trust_id'] = context.trust_id kwargs.pop('service_name') auth = loading.load_auth_from_conf_options(CONF, 'keystone_authtoken', **kwargs) session = loading.load_session_from_conf_options(CONF, 'keystone', auth=auth) else: project_endpoint = get_endpoint_for_project(context, **kwargs) endpoint = format_url(project_endpoint.url, { 'tenant_id': context.project_id, 'project_id': context.project_id }) auth = SimpleToken(endpoint=endpoint, token=context.auth_token) auth_uri = context.auth_uri or CONF.keystone_authtoken.auth_uri ks_auth = SimpleToken(endpoint=auth_uri, token=context.auth_token) session = ks_session.Session(auth=ks_auth, verify=_determine_verify(context)) return {"session": session, "auth": auth}
def test_conf_loaded(self): token = uuid.uuid4().hex endpoint_filter = {'service_type': 'compute', 'service_name': 'nova', 'version': (2, 1)} loader = self.useLoadingFixture(token=token) url = loader.get_endpoint('/path', **endpoint_filter) m = self.requests_mock.get(url) auth = loading.load_auth_from_conf_options(self.conf_fixture.conf, self.GROUP) sess = session.Session(auth=auth) self.assertEqual(self.AUTH_TYPE, auth.auth_type) sess.get('/path', endpoint_filter=endpoint_filter) self.assertTrue(m.called_once) self.assertTrue(token, m.last_request.headers['X-Auth-Token']) self.assertEqual(loader.project_id, sess.get_project_id()) self.assertEqual(loader.user_id, sess.get_user_id())
def get_ksa_adapter(service_type, ksa_auth=None, ksa_session=None, min_version=None, max_version=None): """Construct a keystoneauth1 Adapter for a given service type. We expect to find a conf group whose name corresponds to the service_type's project according to the service-types-authority. That conf group must provide at least ksa adapter options. Depending how the result is to be used, ksa auth and/or session options may also be required, or the relevant parameter supplied. A raise_exc=False adapter is returned, meaning responses >=400 return the Response object rather than raising an exception. This behavior can be overridden on a per-request basis by setting raise_exc=True. :param service_type: String name of the service type for which the Adapter is to be constructed. :param ksa_auth: A keystoneauth1 auth plugin. If not specified, we attempt to find one in ksa_session. Failing that, we attempt to load one from the conf. :param ksa_session: A keystoneauth1 Session. If not specified, we attempt to load one from the conf. :param min_version: The minimum major version of the adapter's endpoint, intended to be used as the lower bound of a range with max_version. If min_version is given with no max_version it is as if max version is 'latest'. :param max_version: The maximum major version of the adapter's endpoint, intended to be used as the upper bound of a range with min_version. :return: A keystoneauth1 Adapter object for the specified service_type. :raise: ConfGroupForServiceTypeNotFound If no conf group name could be found for the specified service_type. """ # Get the conf group corresponding to the service type. confgrp = _SERVICE_TYPES.get_project_name(service_type) if not confgrp or not hasattr(CONF, confgrp): # Try the service type as the conf group. This is necessary for e.g. # placement, while it's still part of the nova project. # Note that this might become the first thing we try if/as we move to # using service types for conf group names in general. confgrp = service_type if not confgrp or not hasattr(CONF, confgrp): raise exception.ConfGroupForServiceTypeNotFound(stype=service_type) # Ensure we have an auth. # NOTE(efried): This could be None, and that could be okay - e.g. if the # result is being used for get_endpoint() and the conf only contains # endpoint_override. if not ksa_auth: if ksa_session and ksa_session.auth: ksa_auth = ksa_session.auth else: ksa_auth = ks_loading.load_auth_from_conf_options(CONF, confgrp) if not ksa_session: ksa_session = ks_loading.load_session_from_conf_options(CONF, confgrp, auth=ksa_auth) return ks_loading.load_adapter_from_conf_options(CONF, confgrp, session=ksa_session, auth=ksa_auth, min_version=min_version, max_version=max_version, raise_exc=False)
def get_session(): """Get a vitrage service credentials auth session.""" auth_plugin = ka_loading.load_auth_from_conf_options(CONF, CFG_GROUP) return ka_loading.load_session_from_conf_options(CONF, CFG_GROUP, auth=auth_plugin)
def _build_auth_details(self): #keystone self._authn_token = None if cfg.CONF.auth_strategy == 'keystone': kcfg = cfg.CONF.keystone_authtoken #Keystone SSL Support self._ksinsecure=kcfg.insecure kscertfile=kcfg.certfile kskeyfile=kcfg.keyfile kscafile=kcfg.cafile self._use_ks_certs = False if (cfg.CONF.keystone_authtoken.auth_protocol == _DEFAULT_SECURE_SERVER_CONNECT and kscafile): certs = [kscafile] if kscertfile and kskeyfile: certs = [kscertfile, kskeyfile, kscafile] self._kscertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_KS_CERT_BUNDLE,certs) self._use_ks_certs = True auth_uri = kcfg.auth_uri or '' try: auth_type = kcfg.auth_type except cfg.NoSuchOptError: auth_type = None auth_version = kcfg.auth_version self.ks_sess = None if ('v2.0' in auth_uri.split('/') or auth_version == 'v2.0' or not auth_type): body = '{"auth":{"passwordCredentials":{' body += ' "username": "******",' % (kcfg.admin_user) body += ' "password": "******"},' % (kcfg.admin_password) body += ' "tenantName":"%s"}}' % (kcfg.admin_tenant_name) self._authn_body = body self._authn_token = cfg.CONF.keystone_authtoken.admin_token try: auth_token_url = cfg.CONF.APISERVER.auth_token_url except cfg.NoSuchOptError: auth_token_url = None if auth_token_url: self._keystone_url = auth_token_url else: self._keystone_url = "%s://%s:%s%s" % ( cfg.CONF.keystone_authtoken.auth_protocol, cfg.CONF.keystone_authtoken.auth_host, cfg.CONF.keystone_authtoken.auth_port, "/v2.0/tokens") else: from keystoneauth1 import session from keystoneauth1 import loading as ks_loading self.auth_plugin = ks_loading.load_auth_from_conf_options( cfg.CONF, 'keystone_authtoken') if self._ksinsecure: self.ks_sess = session.Session(auth=self.auth_plugin, verify=False) elif not self._ksinsecure and self._use_ks_certs: self.ks_sess = session.Session(auth=self.auth_plugin, verify=self._kscertbundle) else: self.ks_sess = session.Session(auth=self.auth_plugin) #API Server SSL support self._apiusessl=cfg.CONF.APISERVER.use_ssl self._apiinsecure=cfg.CONF.APISERVER.insecure apicertfile=cfg.CONF.APISERVER.certfile apikeyfile=cfg.CONF.APISERVER.keyfile apicafile=cfg.CONF.APISERVER.cafile if self._apiusessl: self._apiserverconnect=_DEFAULT_SECURE_SERVER_CONNECT else: self._apiserverconnect=_DEFAULT_SERVER_CONNECT self._use_api_certs = False if self._apiusessl and apicafile: certs = [apicafile] if apicertfile and apikeyfile: certs = [apicertfile, apikeyfile, apicafile] self._apicertbundle = cfgmutils.getCertKeyCaBundle( _DEFAULT_API_CERT_BUNDLE,certs) self._use_api_certs = True
def novaclient(context, privileged_user=False, timeout=None, api_version=None): """Returns a Nova client @param privileged_user: If True, use the account from configuration (requires 'auth_type' and the other usual Keystone authentication options to be set in the [nova] section) @param timeout: Number of seconds to wait for an answer before raising a Timeout exception (None to disable) @param api_version: api version of nova """ if privileged_user and CONF[NOVA_GROUP].auth_type: LOG.debug('Creating Keystone auth plugin from conf') n_auth = ks_loading.load_auth_from_conf_options(CONF, NOVA_GROUP) elif privileged_user and CONF.os_privileged_user_name: # Fall back to the deprecated os_privileged_xxx settings. # TODO(gyurco): Remove it after Pike. if CONF.os_privileged_user_auth_url: url = CONF.os_privileged_user_auth_url else: url = _get_identity_endpoint_from_sc(context) LOG.debug( 'Creating Keystone password plugin from legacy settings ' 'using URL: %s', url) n_auth = identity.Password(auth_url=url, username=CONF.os_privileged_user_name, password=CONF.os_privileged_user_password, project_name=CONF.os_privileged_user_tenant, project_domain_id=context.project_domain, user_domain_id=context.user_domain) else: if CONF[NOVA_GROUP].token_auth_url: url = CONF[NOVA_GROUP].token_auth_url else: url = _get_identity_endpoint_from_sc(context) LOG.debug('Creating Keystone token plugin using URL: %s', url) n_auth = identity.Token(auth_url=url, token=context.auth_token, project_name=context.project_name, project_domain_id=context.project_domain) keystone_session = ks_loading.load_session_from_conf_options(CONF, NOVA_GROUP, auth=n_auth) c = nova_client.Client(api_versions.APIVersion(api_version or NOVA_API_VERSION), session=keystone_session, insecure=CONF[NOVA_GROUP].insecure, timeout=timeout, region_name=CONF[NOVA_GROUP].region_name, endpoint_type=CONF[NOVA_GROUP].interface, cacert=CONF[NOVA_GROUP].cafile, global_request_id=context.global_id, extensions=nova_extensions) try: c.set_timings_max_len(CONF.nova_client.max_timing_buffer) except AttributeError as e: LOG.error( 'fix_cinder_memory_leak was not applied to ' 'nova_client: %s', e) return c