def _get_client(auth_url=None, token=None, login_username=None, login_password=None, login_project_name=None,
login_project_domain_name=None, login_user_domain_name=None, login_domain_name=None,
insecure=False, ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = None
if login_domain_name and login_project_name:
raise Exception("Token can be scoped either to project or domain. Use either domain or project")
if token:
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
else:
auth_plugin = v3.Password(auth_url=auth_url, username=login_username, password=login_password,
project_name=login_project_name, project_domain_name=login_project_domain_name,
user_domain_name=login_user_domain_name, domain_name=login_domain_name)
verify = False
if not insecure:
# Caller wants cert verification
verify = ca_cert or True
# Client cert is not supported now. Will add it later with cert=client_cert option
auth_session = session.Session(
auth=auth_plugin, verify=verify)
return v3client.Client(auth_url=auth_url, session=auth_session)
def _create_auth_plugin(self):
if self.auth_token_info:
auth_ref = access.AccessInfo.factory(body=self.auth_token_info,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(
auth_url=self.keystone_v3_endpoint,
auth_ref=auth_ref)
if self.auth_token:
# FIXME(jamielennox): This is broken but consistent. If you
# only have a token but don't load a service catalog then
# url_for wont work. Stub with the keystone endpoint so at
# least it might be right.
return token_endpoint.Token(endpoint=self.keystone_v3_endpoint,
token=self.auth_token)
if self.password:
return v3.Password(username=self.username,
password=self.password,
project_id=self.tenant_id,
user_domain_id=self.user_domain,
auth_url=self.keystone_v3_endpoint)
LOG.error(_LE("Keystone v3 API connection failed, no password "
"trust or auth_token!"))
raise exception.AuthorizationFailure()
def __init__(self, endpoint, **kwargs):
try:
from keystoneclient.v3 import client
from keystoneclient.auth import token_endpoint
from keystoneclient import session
from keystoneclient.auth.identity import v3
except ImportError:
if six.PY2:
apt_install(["python-keystoneclient"], fatal=True)
else:
apt_install(["python3-keystoneclient"], fatal=True)
from keystoneclient.v3 import client
from keystoneclient.auth import token_endpoint
from keystoneclient import session
from keystoneclient.auth.identity import v3
self.api_version = 3
token = kwargs.get("token", None)
if token:
auth = token_endpoint.Token(endpoint=endpoint, token=token)
sess = session.Session(auth=auth)
else:
auth = v3.Password(auth_url=endpoint,
user_id=kwargs.get("username"),
password=kwargs.get("password"),
project_id=kwargs.get("tenant_name"))
sess = session.Session(auth=auth)
self.api = client.Client(session=sess)
def test_token_endpoint_user_id(self):
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session()
# we can't know this information about this sort of plugin
self.assertIsNone(a.get_user_id(s))
self.assertIsNone(a.get_project_id(s))
def test_basic_case(self):
httpretty.register_uri(httpretty.GET, self.TEST_URL, body='body')
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session(auth=a)
data = s.get(self.TEST_URL, authenticated=True)
self.assertEqual(data.text, 'body')
self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def test_basic_case(self):
self.requests.get(self.TEST_URL, text='body')
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session(auth=a)
data = s.get(self.TEST_URL, authenticated=True)
self.assertEqual(data.text, 'body')
self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def test_client_params_default_interface(self):
opts = {
'auth': token_endpoint.Token('a', 'b'),
'service_name': uuid.uuid4().hex,
}
sess = session.Session()
cl = client.Client(session=sess, **opts)
self.assertEqual('public', cl._adapter.interface)
def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix,
admin_user, admin_password, admin_tenant_name, admin_token,
identity_uri, log):
log.warning(
_LW("Use of the auth_admin_prefix, auth_host, auth_port, "
"auth_protocol, identity_uri, admin_token, admin_user, "
"admin_password, and admin_tenant_name configuration options is "
"deprecated in favor of auth_plugin and related options and may "
"be removed in a future release."))
# NOTE(jamielennox): it does appear here that our default arguments
# are backwards. We need to do it this way so that we can handle the
# same deprecation strategy for CONF and the conf variable.
if not identity_uri:
log.warning(
_LW('Configuring admin URI using auth fragments. '
'This is deprecated, use \'identity_uri\''
' instead.'))
if ':' in auth_host:
# Note(dzyu) it is an IPv6 address, so it needs to be wrapped
# with '[]' to generate a valid IPv6 URL, based on
# http://www.ietf.org/rfc/rfc2732.txt
auth_host = '[%s]' % auth_host
identity_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
if auth_admin_prefix:
identity_uri = '%s/%s' % (identity_uri,
auth_admin_prefix.strip('/'))
self._identity_uri = identity_uri.rstrip('/')
# FIXME(jamielennox): Yes. This is wrong. We should be determining the
# plugin to use based on a combination of discovery and inputs. Much
# of this can be changed when we get keystoneclient 0.10. For now this
# hardcoded path is EXACTLY the same as the original auth_token did.
auth_url = '%s/v2.0' % self._identity_uri
if admin_token:
log.warning(
_LW("The admin_token option in the auth_token middleware is "
"deprecated and should not be used. The admin_user and "
"admin_password options should be used instead. The "
"admin_token option may be removed in a future release."))
self._plugin = token_endpoint.Token(auth_url, admin_token)
else:
self._plugin = v2.Password(auth_url,
username=admin_user,
password=admin_password,
tenant_name=admin_tenant_name)
self._LOG = log
self._discover = None
def _get_session(self, auth=None, endpoint=None):
endpoint = endpoint or self._get_endpoint()
from keystoneclient.auth import token_endpoint
from keystoneclient import session as ks_session
kc = self.keystone()
if auth is None:
auth = token_endpoint.Token(endpoint, kc.auth_token)
return ks_session.Session(auth=auth, verify=self.endpoint.insecure)
def _get_session(self, auth=None, endpoint=None):
from keystoneclient.auth import token_endpoint
from keystoneclient import session as ks_session
if auth is None:
endpoint = endpoint or self._get_endpoint()
kc = self.keystone()
auth = token_endpoint.Token(endpoint, kc.auth_token)
verify = self.credential.cacert or not self.credential.insecure
return ks_session.Session(auth=auth,
verify=verify,
timeout=CONF.openstack_client_http_timeout)
def test_basic_endpoint_case(self):
self.stub_url(httpretty.GET, ['p'], body='body')
a = token_endpoint.Token(self.TEST_URL, self.TEST_TOKEN)
s = session.Session(auth=a)
data = s.get('/p',
authenticated=True,
endpoint_filter={'service': 'identity'})
self.assertEqual(self.TEST_URL, a.get_endpoint(s))
self.assertEqual('body', data.text)
self.assertRequestHeaderEqual('X-Auth-Token', self.TEST_TOKEN)
def _mock_client_delete_token(self, user, token, url=None):
if not url:
url = settings.OPENSTACK_KEYSTONE_URL
plugin = token_endpoint.Token(
endpoint=url, token=self.data.unscoped_access_info.auth_token)
client = self.ks_client_module.Client(session=mox.IsA(session.Session),
auth=plugin)
client.tokens = self.mox.CreateMockAnything()
client.tokens.delete(token=token)
return client
def _get_client(auth_url=None, token=None, insecure=False, ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
if not insecure:
# Caller wants cert verification
verify = ca_cert or True
# Client cert is not supported now.
# Will add it later with cert=client_cert option
auth_session = session.Session(auth=auth_plugin, verify=verify)
return v3client.Client(auth_url=auth_url, session=auth_session)
def get_project_list(*args, **kwargs):
sess = kwargs.get('session') or get_session()
auth_url = fix_auth_url_version(kwargs['auth_url'])
auth = token_endpoint.Token(auth_url, kwargs['token'])
client = get_keystone_client().Client(session=sess, auth=auth)
if get_keystone_version() < 3:
projects = client.tenants.list()
else:
projects = client.projects.list(user=kwargs.get('user_id'))
projects.sort(key=lambda project: project.name.lower())
return projects
def _do_discovery_call(self, token=None, **kwargs):
self.requests_mock.get(BASE_URL, status_code=300, text=V3_VERSION_LIST)
if not token:
token = uuid.uuid4().hex
url = 'http://testurl'
a = token_endpoint.Token(url, token)
s = session.Session(auth=a)
# will default to true as there is a plugin on the session
discover.Discover(s, auth_url=BASE_URL, **kwargs)
self.assertEqual(BASE_URL, self.requests_mock.last_request.url)
def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = session.Session()
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def barbicanclient(request):
region = request.user.services_region
endpoint = base.url_for(request, 'key-manager')
auth_url, _ = auth_utils.fix_auth_url_version_prefix(
settings.OPENSTACK_KEYSTONE_URL)
auth = token_endpoint.Token(auth_url, request.user.token.id)
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
# If 'insecure' is True, 'verify' is False in all cases; otherwise
# pass the cacert path if it is present, or True if no cacert.
verify = not insecure and (cacert or True)
return barbican_client.Client(session=session.Session(auth=auth,
verify=verify),
endpoint=endpoint,
region_name=region)
def troveclient(request):
insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
endpoint_type = getattr(settings, 'OPENSTACK_ENDPOINT_TYPE', 'publicURL')
region = request.user.services_region
endpoint = base.url_for(request, 'database')
auth_url, _ = auth_utils.fix_auth_url_version_prefix(
settings.OPENSTACK_KEYSTONE_URL)
auth = token_endpoint.Token(auth_url, request.user.token.id)
verify = not insecure and (cacert or True)
t_client = client.Client(session=session.Session(auth=auth, verify=verify),
service_type='database',
endpoint_type=endpoint_type,
region_name=region,
endpoint_override=endpoint)
return t_client
def get_keystone_client(auth_token):
sess = init_keystone_session()
url = CONF['keystone_authtoken']['auth_uri']
# Create token to get available service version
generic_token = token.Token(url, token=auth_token)
generic_token.reauthenticate = False
version = generic_token.get_auth_ref(sess)['version']
# update auth url aith version if needed
if version not in url.split('/'):
url = url + '/' + version
# create endpoint token using right url and provided auth token
auth = token_endpoint.Token(url, auth_token)
# create keystone client
if version == 'v3':
k_client = client_3.Client(session=sess, auth=auth)
else:
k_client = client_2_0.Client(session=sess, auth=auth)
return k_client
def delete_token(endpoint, token_id):
"""Delete a token."""
utils.remove_project_cache(token_id)
try:
endpoint = utils.fix_auth_url_version(endpoint)
session = utils.get_session()
auth_plugin = token_endpoint.Token(endpoint=endpoint, token=token_id)
client = utils.get_keystone_client().Client(session=session,
auth=auth_plugin)
if utils.get_keystone_version() >= 3:
client.tokens.revoke_token(token=token_id)
else:
client.tokens.delete(token=token_id)
LOG.info('Deleted token %s' % token_id)
except keystone_exceptions.ClientException:
LOG.info('Could not delete token')
def test_client_params(self):
opts = {
'auth': token_endpoint.Token('a', 'b'),
'connect_retries': 50,
'endpoint_override': uuid.uuid4().hex,
'interface': uuid.uuid4().hex,
'region_name': uuid.uuid4().hex,
'service_name': uuid.uuid4().hex,
'user_agent': uuid.uuid4().hex,
}
sess = session.Session()
cl = client.Client(session=sess, **opts)
for k, v in six.iteritems(opts):
self.assertEqual(v, getattr(cl._adapter, k))
self.assertEqual('identity', cl._adapter.service_type)
self.assertEqual((3, 0), cl._adapter.version)
def get_clients(context):
global _SESSION
if not _SESSION:
if CONF.designate.insecure:
verify = False
else:
verify = CONF.designate.ca_cert or True
_SESSION = session.Session(verify=verify)
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)
admin_auth = password.Password(
auth_url=CONF.designate.admin_auth_url,
username=CONF.designate.admin_username,
password=CONF.designate.admin_password,
tenant_name=CONF.designate.admin_tenant_name,
tenant_id=CONF.designate.admin_tenant_id)
admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
return client, admin_client
def make_client(instance):
client_class = utils.get_client_class(API_NAME,
instance._api_version[API_NAME],
API_VERSIONS)
LOG.debug('instantiating KDS client: %s' % client_class)
s = session.Session.construct({
'verify': instance._verify,
'cacert': instance._cacert,
'insecure': instance._insecure
})
if instance._url:
s.auth = token_endpoint.Token(instance._url, instance._token)
else:
s.auth = v2_auth.Password(instance._auth_url,
instance._username,
instance._password,
tenant_id=instance._project_id,
tenant_name=instance._project_name)
return client_class(s)
def test_client_params(self):
with self.deprecations.expect_deprecations_here():
sess = session.Session()
auth = token_endpoint.Token('a', 'b')
opts = {
'auth': auth,
'connect_retries': 50,
'endpoint_override': uuid.uuid4().hex,
'interface': uuid.uuid4().hex,
'region_name': uuid.uuid4().hex,
'service_name': uuid.uuid4().hex,
'user_agent': uuid.uuid4().hex,
}
cl = client.Client(session=sess, **opts)
for k, v in opts.items():
self.assertEqual(v, getattr(cl._adapter, k))
self.assertEqual('identity', cl._adapter.service_type)
self.assertEqual((3, 0), cl._adapter.version)
def _get_client(auth_url=None,
token=None,
login_username=None,
login_password=None,
login_project_name=None,
login_project_domain_name=None,
login_user_domain_name=None,
login_domain_name=None,
insecure=False,
ca_cert=None):
"""Return a ks_client client object"""
auth_plugin = None
if login_domain_name and login_project_name:
raise Exception(
"Token can be scoped either to project or domain. Use either domain or project"
)
if token:
auth_plugin = token_endpoint.Token(endpoint=auth_url, token=token)
else:
auth_plugin = v3.Password(
auth_url=auth_url,
username=login_username,
password=login_password,
project_name=login_project_name,
project_domain_name=login_project_domain_name,
user_domain_name=login_user_domain_name,
domain_name=login_domain_name)
verify = not insecure
# if insecure = False, it will use cert from default locaiton if cacert is not specified
auth_session = session.Session(auth=auth_plugin,
verify=verify,
cert=ca_cert)
return v3client.Client(auth_url=auth_url, session=auth_session)
def _get_endpoint_from_keystone(self, cxt):
auth = token_endpoint.Token(cfg.CONF.client.identity_url,
cxt.auth_token)
sess = session.Session(auth=auth)
cli = keystone_client.Client(session=sess)
service_id_name_map = {}
for service in cli.services.list():
service_dict = service.to_dict()
service_id_name_map[service_dict['id']] = service_dict['name']
region_service_endpoint_map = {}
for endpoint in cli.endpoints.list():
endpoint_dict = endpoint.to_dict()
if endpoint_dict['interface'] != 'public':
continue
region_id = endpoint_dict['region']
service_id = endpoint_dict['service_id']
url = endpoint_dict['url']
service_name = service_id_name_map[service_id]
if region_id not in region_service_endpoint_map:
region_service_endpoint_map[region_id] = {}
region_service_endpoint_map[region_id][service_name] = url
return region_service_endpoint_map
def _mock_unscoped_client_with_token(self, user, unscoped):
plugin = token_endpoint.Token(settings.OPENSTACK_KEYSTONE_URL,
unscoped.auth_token)
return self.ks_client_module.Client(session=mox.IsA(session.Session),
auth=plugin)
def __init__(self, endpoint, token):
self.api_version = 3
keystone_auth_v3 = token_endpoint.Token(endpoint=endpoint, token=token)
keystone_session_v3 = session.Session(auth=keystone_auth_v3)
self.api = keystoneclient_v3.Client(session=keystone_session_v3)
def _create_session_client(self):
auth = token_endpoint.Token(self.endpoint, self.token)
sess = session.Session(auth=auth)
return http.SessionClient(sess)
from keystoneclient.auth import token_endpoint
from keystoneclient import session
from placementclient import client
session = session.Session()
my_token = '26800d75c2ae451d8af1ff4f020d6743'
url = 'http://192.168.33.12:8778/'
auth = token_endpoint.Token(url, my_token)
my_client = client.Client('1', session=session, auth=auth)
resource_provider = {
'name': 'subnet-d08efb3d-ba36-42ca-ac2a-850b23ad8d10',
'uuid': 'd08efb3d-ba36-42ca-ac2a-850b23ad8d10'
}
inventory = {
'total': 256,
'reserved': 5,
'min_unit': 1,
'max_unit': 1,
'step_size': 1,
'allocation_ratio': 1.0,
'resource_class': 'IPV4_ADDRESS'
}
aggregates = [
'21d7c4aa-d0b6-41b1-8513-12a1eac17c0c',
'b455ae1f-5f4e-4b19-9384-4989aff5fee9'
]
import pdb
pdb.set_trace()
my_client.resource_providers.list()