def _create_identity_server(self):
# NOTE(jamielennox): Loading Session here should be exactly the
# same as calling Session.load_from_conf_options(CONF, GROUP)
# however we can't do that because we have to use _conf_get to
# support the paste.ini options.
sess = session.Session.construct(dict(
cert=self._conf_get('certfile'),
key=self._conf_get('keyfile'),
cacert=self._conf_get('cafile'),
insecure=self._conf_get('insecure'),
timeout=self._conf_get('http_connect_timeout')
))
auth_plugin = self._get_auth_plugin()
adap = adapter.Adapter(
sess,
auth=auth_plugin,
service_type='identity',
interface='admin',
connect_retries=self._conf_get('http_request_max_retries'))
auth_version = self._conf_get('auth_version')
if auth_version is not None:
auth_version = discover.normalize_version_number(auth_version)
return _identity.IdentityServer(
self._LOG,
adap,
include_service_catalog=self._include_service_catalog,
requested_auth_version=auth_version)
def _create_identity_server(self):
# NOTE(jamielennox): Loading Session here should be exactly the
# same as calling Session.load_from_conf_options(CONF, GROUP)
# however we can't do that because we have to use _conf_get to
# support the paste.ini options.
sess = session.Session.construct(
dict(cert=self._conf_get('certfile'),
key=self._conf_get('keyfile'),
cacert=self._conf_get('cafile'),
insecure=self._conf_get('insecure'),
timeout=self._conf_get('http_connect_timeout'),
user_agent=self._build_useragent_string()))
auth_plugin = self._get_auth_plugin()
adap = adapter.Adapter(
sess,
auth=auth_plugin,
service_type='identity',
interface='admin',
region_name=self._conf_get('region_name'),
connect_retries=self._conf_get('http_request_max_retries'))
auth_version = self._conf_get('auth_version')
if auth_version is not None:
auth_version = discover.normalize_version_number(auth_version)
return _identity.IdentityServer(
self.log,
adap,
include_service_catalog=self._include_service_catalog,
requested_auth_version=auth_version)
def get_rate_projects(self):
keystone_version = discover.normalize_version_number('3')
auth_dispatch = {
(3, ): ('project', 'projects', 'list'),
(2, ): ('tenant', 'tenants', 'roles_for_user')
}
for auth_version, auth_version_mapping in six.iteritems(auth_dispatch):
if discover.version_match(auth_version, keystone_version):
return self._do_get_projects(auth_version_mapping)
msg = "Keystone version you've specified is not supported"
raise exceptions.VersionNotAvailable(msg)
def get_tenants(self, conf=None):
keystone_version = discover.normalize_version_number(
CONF.keystone_fetcher.keystone_version)
auth_dispatch = {
(3, ): ('project', 'projects', 'list'),
(2, ): ('tenant', 'tenants', 'roles_for_user')
}
for auth_version, auth_version_mapping in auth_dispatch.items():
if discover.version_match(auth_version, keystone_version):
return self._do_get_tenants(auth_version_mapping, conf)
msg = "Keystone version you've specified is not supported"
raise exceptions.VersionNotAvailable(msg)
def get_endpoint(self, session, interface=None, version=None, **kwargs):
"""Return an endpoint for the client.
There are no required keyword arguments to ``get_endpoint`` as a plugin
implementation should use best effort with the information available to
determine the endpoint.
:param session: The session object that the auth_plugin belongs to.
:type session: keystoneclient.session.Session
:param version: The version number required for this endpoint.
:type version: tuple or str
:param str interface: what visibility the endpoint should have.
:returns: The base URL that will be used to talk to the required
service or None if not available.
:rtype: string
"""
if interface == auth.AUTH_INTERFACE:
return self._identity_uri
if not version:
# NOTE(jamielennox): This plugin can only be used within auth_token
# and auth_token will always provide version= with requests.
return None
if not self._discover:
self._discover = discover.Discover(session,
auth_url=self._identity_uri,
authenticated=False)
if not self._discover.url_for(version):
# NOTE(jamielennox): The requested version is not supported by the
# identity server.
return None
# NOTE(jamielennox): for backwards compatibility here we don't
# actually use the URL from discovery we hack it up instead. :(
# NOTE(blk-u): Normalizing the version is a workaround for bug 1450272.
# This can be removed once that's fixed. Also fix the docstring for the
# version parameter to be just "tuple".
version = discover.normalize_version_number(version)
if discover.version_match((2, 0), version):
return '%s/v2.0' % self._identity_uri
elif discover.version_match((3, 0), version):
return '%s/v3' % self._identity_uri
# NOTE(jamielennox): This plugin will only get called from auth_token
# middleware. The middleware should never request a version that the
# plugin doesn't know how to handle.
msg = _('Invalid version asked for in auth_token plugin')
raise NotImplementedError(msg)
def get_endpoint(self, session, interface=None, version=None, **kwargs):
"""Return an endpoint for the client.
There are no required keyword arguments to ``get_endpoint`` as a plugin
implementation should use best effort with the information available to
determine the endpoint.
:param session: The session object that the auth_plugin belongs to.
:type session: keystoneclient.session.Session
:param version: The version number required for this endpoint.
:type version: tuple or str
:param str interface: what visibility the endpoint should have.
:returns: The base URL that will be used to talk to the required
service or None if not available.
:rtype: string
"""
if interface == auth.AUTH_INTERFACE:
return self._identity_uri
if not version:
# NOTE(jamielennox): This plugin can only be used within auth_token
# and auth_token will always provide version= with requests.
return None
if not self._discover:
self._discover = discover.Discover(session, auth_url=self._identity_uri, authenticated=False)
if not self._discover.url_for(version):
# NOTE(jamielennox): The requested version is not supported by the
# identity server.
return None
# NOTE(jamielennox): for backwards compatibility here we don't
# actually use the URL from discovery we hack it up instead. :(
# NOTE(blk-u): Normalizing the version is a workaround for bug 1450272.
# This can be removed once that's fixed. Also fix the docstring for the
# version parameter to be just "tuple".
version = discover.normalize_version_number(version)
if discover.version_match((2, 0), version):
return "%s/v2.0" % self._identity_uri
elif discover.version_match((3, 0), version):
return "%s/v3" % self._identity_uri
# NOTE(jamielennox): This plugin will only get called from auth_token
# middleware. The middleware should never request a version that the
# plugin doesn't know how to handle.
msg = _("Invalid version asked for in auth_token plugin")
raise NotImplementedError(msg)
def get_tenants(self):
keystone_version = discover.normalize_version_number(
CONF.keystone_fetcher.keystone_version)
if discover.version_match((2,), keystone_version):
tenant_list = self.admin_ks.tenants.list()
else:
tenant_list = self.admin_ks.projects.list()
my_user_id = self.session.get_user_id()
for tenant in tenant_list[:]:
if discover.version_match((2,), keystone_version):
roles = self.admin_ks.roles.roles_for_user(
my_user_id,
tenant)
else:
roles = self.admin_ks.roles.list(user=my_user_id,
project=tenant)
if 'rating' not in [role.name for role in roles]:
tenant_list.remove(tenant)
return [tenant.id for tenant in tenant_list]
def _create_identity_server(self):
# NOTE(jamielennox): Loading Session here should be exactly the
# same as calling Session.load_from_conf_options(CONF, GROUP)
# however we can't do that because we have to use _conf_get to
# support the paste.ini options.
# tomograph.start("AuthProtocol", "create IS", "127.0.0.1", 0)
sess = session.Session.construct(
dict(
cert=self._conf_get("certfile"),
key=self._conf_get("keyfile"),
cacert=self._conf_get("cafile"),
insecure=self._conf_get("insecure"),
timeout=self._conf_get("http_connect_timeout"),
user_agent=self._build_useragent_string(),
)
)
# tomograph.annotate("construct session", "AuthProtocol")
auth_plugin = self._get_auth_plugin()
adap = adapter.Adapter(
sess,
auth=auth_plugin,
service_type="identity",
interface="admin",
connect_retries=self._conf_get("http_request_max_retries"),
)
# tomograph.annotate("create adapter", "AuthProtocol")
auth_version = self._conf_get("auth_version")
if auth_version is not None:
auth_version = discover.normalize_version_number(auth_version)
return _identity.IdentityServer(
self.log, adap, include_service_catalog=self._include_service_catalog, requested_auth_version=auth_version
)
