def get_endpoint(self, session, interface=None, version=None, **kwargs):
"""Return an endpoint for the client.
There are no required keyword arguments to ``get_endpoint`` as a plugin
implementation should use best effort with the information available to
determine the endpoint.
:param session: The session object that the auth_plugin belongs to.
:type session: keystoneclient.session.Session
:param version: The version number required for this endpoint.
:type version: tuple or str
:param str interface: what visibility the endpoint should have.
:returns: The base URL that will be used to talk to the required
service or None if not available.
:rtype: string
"""
if interface == auth.AUTH_INTERFACE:
return self._identity_uri
if not version:
# NOTE(jamielennox): This plugin can only be used within auth_token
# and auth_token will always provide version= with requests.
return None
if not self._discover:
self._discover = discover.Discover(session,
auth_url=self._identity_uri,
authenticated=False)
if not self._discover.url_for(version):
# NOTE(jamielennox): The requested version is not supported by the
# identity server.
return None
# NOTE(jamielennox): for backwards compatibility here we don't
# actually use the URL from discovery we hack it up instead. :(
# NOTE(blk-u): Normalizing the version is a workaround for bug 1450272.
# This can be removed once that's fixed. Also fix the docstring for the
# version parameter to be just "tuple".
version = discover.normalize_version_number(version)
if discover.version_match((2, 0), version):
return '%s/v2.0' % self._identity_uri
elif discover.version_match((3, 0), version):
return '%s/v3' % self._identity_uri
# NOTE(jamielennox): This plugin will only get called from auth_token
# middleware. The middleware should never request a version that the
# plugin doesn't know how to handle.
msg = _('Invalid version asked for in auth_token plugin')
raise NotImplementedError(msg)
def get_endpoint(self, session, interface=None, version=None, **kwargs):
"""Return an endpoint for the client.
There are no required keyword arguments to ``get_endpoint`` as a plugin
implementation should use best effort with the information available to
determine the endpoint.
:param session: The session object that the auth_plugin belongs to.
:type session: keystoneclient.session.Session
:param version: The version number required for this endpoint.
:type version: tuple or str
:param str interface: what visibility the endpoint should have.
:returns: The base URL that will be used to talk to the required
service or None if not available.
:rtype: string
"""
if interface == auth.AUTH_INTERFACE:
return self._identity_uri
if not version:
# NOTE(jamielennox): This plugin can only be used within auth_token
# and auth_token will always provide version= with requests.
return None
if not self._discover:
self._discover = discover.Discover(session, auth_url=self._identity_uri, authenticated=False)
if not self._discover.url_for(version):
# NOTE(jamielennox): The requested version is not supported by the
# identity server.
return None
# NOTE(jamielennox): for backwards compatibility here we don't
# actually use the URL from discovery we hack it up instead. :(
# NOTE(blk-u): Normalizing the version is a workaround for bug 1450272.
# This can be removed once that's fixed. Also fix the docstring for the
# version parameter to be just "tuple".
version = discover.normalize_version_number(version)
if discover.version_match((2, 0), version):
return "%s/v2.0" % self._identity_uri
elif discover.version_match((3, 0), version):
return "%s/v3" % self._identity_uri
# NOTE(jamielennox): This plugin will only get called from auth_token
# middleware. The middleware should never request a version that the
# plugin doesn't know how to handle.
msg = _("Invalid version asked for in auth_token plugin")
raise NotImplementedError(msg)
def get_tenants(self):
keystone_version = discover.normalize_version_number(
CONF.keystone_fetcher.keystone_version)
if discover.version_match((2,), keystone_version):
tenant_list = self.admin_ks.tenants.list()
else:
tenant_list = self.admin_ks.projects.list()
my_user_id = self.session.get_user_id()
for tenant in tenant_list[:]:
if discover.version_match((2,), keystone_version):
roles = self.admin_ks.roles.roles_for_user(
my_user_id,
tenant)
else:
roles = self.admin_ks.roles.list(user=my_user_id,
project=tenant)
if 'rating' not in [role.name for role in roles]:
tenant_list.remove(tenant)
return [tenant.id for tenant in tenant_list]
def create_plugin(self, session, version, url, raw_status=None):
if discover.version_match((2,), version):
if self._user_domain_id or self._user_domain_name:
# If you specify any domain parameters it won't work so quit.
return None
return v2.Password(auth_url=url,
user_id=self._user_id,
username=self._username,
password=self._password,
**self._v2_params)
elif discover.version_match((3,), version):
return v3.Password(auth_url=url,
user_id=self._user_id,
username=self._username,
user_domain_id=self._user_domain_id,
user_domain_name=self._user_domain_name,
password=self._password,
**self._v3_params)
def get_rate_projects(self):
keystone_version = discover.normalize_version_number('3')
auth_dispatch = {
(3, ): ('project', 'projects', 'list'),
(2, ): ('tenant', 'tenants', 'roles_for_user')
}
for auth_version, auth_version_mapping in six.iteritems(auth_dispatch):
if discover.version_match(auth_version, keystone_version):
return self._do_get_projects(auth_version_mapping)
msg = "Keystone version you've specified is not supported"
raise exceptions.VersionNotAvailable(msg)
def get_tenants(self, conf=None):
keystone_version = discover.normalize_version_number(
CONF.keystone_fetcher.keystone_version)
auth_dispatch = {
(3, ): ('project', 'projects', 'list'),
(2, ): ('tenant', 'tenants', 'roles_for_user')
}
for auth_version, auth_version_mapping in auth_dispatch.items():
if discover.version_match(auth_version, keystone_version):
return self._do_get_tenants(auth_version_mapping, conf)
msg = "Keystone version you've specified is not supported"
raise exceptions.VersionNotAvailable(msg)
def _do_create_plugin(self, session):
plugin = None
try:
disc = self.get_discovery(session,
self.auth_url,
authenticated=False)
except (exceptions.DiscoveryFailure,
exceptions.HTTPError,
exceptions.ConnectionError):
LOG.warn(_LW('Discovering versions from the identity service '
'failed when creating the password plugin. '
'Attempting to determine version from URL.'))
url_parts = urlparse.urlparse(self.auth_url)
path = url_parts.path.lower()
if path.startswith('/v2.0') and not self._has_domain_scope:
plugin = self.create_plugin(session, (2, 0), self.auth_url)
elif path.startswith('/v3'):
plugin = self.create_plugin(session, (3, 0), self.auth_url)
else:
disc_data = disc.version_data()
for data in disc_data:
version = data['version']
if (discover.version_match((2,), version) and
self._has_domain_scope):
# NOTE(jamielennox): if there are domain parameters there
# is no point even trying against v2 APIs.
continue
plugin = self.create_plugin(session,
version,
data['url'],
raw_status=data['raw_status'])
if plugin:
break
if plugin:
return plugin
# so there were no URLs that i could use for auth of any version.
msg = _('Could not determine a suitable URL for the plugin')
raise exceptions.DiscoveryFailure(msg)
def _get_strategy_class(self):
if self._requested_auth_version:
# A specific version was requested.
if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
self._requested_auth_version):
return _V3RequestStrategy
# The version isn't v3 so we don't know what to do. Just assume V2.
return _V2RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
msg = _LI('Auth Token confirmed use of %s apis')
self._LOG.info(msg, self._requested_auth_version)
return klass
versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
self._LOG.error(_LE('No attempted versions [%s] supported by server'),
', '.join(versions))
msg = _('No compatible apis supported by server')
raise exc.ServiceError(msg)
def _get_strategy_class(self):
if self._requested_auth_version:
# A specific version was requested.
if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
self._requested_auth_version):
return _V3RequestStrategy
# The version isn't v3 so we don't know what to do. Just assume V2.
return _V2RequestStrategy
# Specific version was not requested then we fall through to
# discovering available versions from the server
for klass in _REQUEST_STRATEGIES:
if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
msg = _LI('Auth Token confirmed use of %s apis')
self._LOG.info(msg, self._requested_auth_version)
return klass
versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
self._LOG.error(_LE('No attempted versions [%s] supported by server'),
', '.join(versions))
msg = _('No compatible apis supported by server')
raise exc.ServiceError(msg)
def create_nova_connection(options):
nova = None
try:
from novaclient import client
from novaclient.exceptions import NotAcceptable
except ImportError:
fail_usage("Nova not found or not accessible")
from keystoneauth1 import loading
from keystoneauth1 import session
from keystoneclient import discover
# Prefer the oldest and strip the leading 'v'
keystone_versions = discover.available_versions(options["--auth-url"])
keystone_version = keystone_versions[0]['id'][1:]
kwargs = dict(auth_url=options["--auth-url"],
username=options["--username"],
password=options["--password"])
if discover.version_match("2", keystone_version):
kwargs["tenant_name"] = options["--tenant-name"]
elif discover.version_match("3", keystone_version):
kwargs["project_name"] = options["--tenant-name"]
kwargs["user_domain_name"] = options["--user-domain"]
kwargs["project_domain_name"] = options["--project-domain"]
loader = loading.get_plugin_loader('password')
keystone_auth = loader.load_from_options(**kwargs)
keystone_session = session.Session(auth=keystone_auth,
verify=(not options["--insecure"]))
versions = ["2.11", "2"]
for version in versions:
clientargs = inspect.getargspec(client.Client).varargs
# Some versions of Openstack prior to Ocata only
# supported positional arguments for username,
# password, and tenant.
#
# Versions since Ocata only support named arguments.
#
# So we need to use introspection to figure out how to
# create a Nova client.
#
# Happy days
#
if clientargs:
# OSP < 11
# ArgSpec(args=['version', 'username', 'password', 'project_id', 'auth_url'],
# varargs=None,
# keywords='kwargs', defaults=(None, None, None, None))
nova = client.Client(
version,
None, # User
None, # Password
None, # Tenant
None, # Auth URL
insecure=options["--insecure"],
region_name=options["--region-name"],
endpoint_type=options["--endpoint-type"],
session=keystone_session,
auth=keystone_auth,
http_log_debug="--verbose" in options)
else:
# OSP >= 11
# ArgSpec(args=['version'], varargs='args', keywords='kwargs', defaults=None)
nova = client.Client(version,
region_name=options["--region-name"],
endpoint_type=options["--endpoint-type"],
session=keystone_session,
auth=keystone_auth,
http_log_debug="--verbose" in options)
try:
nova.hypervisors.list()
return nova
except NotAcceptable as e:
logging.warning(e)
except Exception as e:
logging.warning("Nova connection failed. %s: %s" %
(e.__class__.__name__, e))
logging.warning(
"Couldn't obtain a supported connection to nova, tried: %s\n" %
repr(versions))
return None
def create_nova_connection(options):
nova = None
try:
from novaclient import client
from novaclient.exceptions import NotAcceptable
except ImportError:
fail_usage("Nova not found or not accessible")
from keystoneauth1 import loading
from keystoneauth1 import session
from keystoneclient import discover
# Prefer the oldest and strip the leading 'v'
keystone_versions = discover.available_versions(options["--auth-url"])
keystone_version = keystone_versions[0]['id'][1:]
kwargs = dict(
auth_url=options["--auth-url"],
username=options["--username"],
password=options["--password"]
)
if discover.version_match("2", keystone_version):
kwargs["tenant_name"] = options["--tenant-name"]
elif discover.version_match("3", keystone_version):
kwargs["project_name"] = options["--tenant-name"]
kwargs["user_domain_name"] = options["--user-domain"]
kwargs["project_domain_name"] = options["--project-domain"]
loader = loading.get_plugin_loader('password')
keystone_auth = loader.load_from_options(**kwargs)
keystone_session = session.Session(auth=keystone_auth, verify=(not options["--insecure"]))
versions = [ "2.11", "2" ]
for version in versions:
clientargs = inspect.getargspec(client.Client).varargs
# Some versions of Openstack prior to Ocata only
# supported positional arguments for username,
# password, and tenant.
#
# Versions since Ocata only support named arguments.
#
# So we need to use introspection to figure out how to
# create a Nova client.
#
# Happy days
#
if clientargs:
# OSP < 11
# ArgSpec(args=['version', 'username', 'password', 'project_id', 'auth_url'],
# varargs=None,
# keywords='kwargs', defaults=(None, None, None, None))
nova = client.Client(version,
None, # User
None, # Password
None, # Tenant
None, # Auth URL
insecure=options["--insecure"],
region_name=options["--region-name"],
endpoint_type=options["--endpoint-type"],
session=keystone_session, auth=keystone_auth,
http_log_debug=options.has_key("--verbose"))
else:
# OSP >= 11
# ArgSpec(args=['version'], varargs='args', keywords='kwargs', defaults=None)
nova = client.Client(version,
region_name=options["--region-name"],
endpoint_type=options["--endpoint-type"],
session=keystone_session, auth=keystone_auth,
http_log_debug=options.has_key("--verbose"))
try:
nova.hypervisors.list()
return nova
except NotAcceptable as e:
logging.warning(e)
except Exception as e:
logging.warning("Nova connection failed. %s: %s" % (e.__class__.__name__, e))
logging.warning("Couldn't obtain a supported connection to nova, tried: %s\n" % repr(versions))
return None
def create_plugin(self, session, version, url, raw_status=None):
if discover.version_match((2, ), version):
return v2.Token(url, self._token, **self._v2_params)
elif discover.version_match((3, ), version):
return v3.Token(url, self._token, **self._v3_params)