def get_client(self, version=None, session=None):
version = version or self.VERSION
session = session or keystone_session.Session()
adapted = AdapterWithTimeout(
session=session, endpoint_override=self.get_base())
return client.Client(version, session=adapted)
redirect_uri = 'https://testuri.com'
scope = 'all_info'
scopes = [scope]
#create a consumer
consumer = keystone.oauth2.consumers.create(client_type='confidential',
redirect_uris=[redirect_uri],
grant_type='authorization_code',
scopes=scopes)
consumer_id = consumer.id
consumer_secret = consumer.secret
#store credentials
keystone.oauth2.authorization_codes.request_authorization(
consumer=consumer_id, redirect_uri=redirect_uri, scope=scope)
#grant authorization
authorization_code = keystone.oauth2.authorization_codes.authorize(
consumer=consumer_id, scopes=scopes)
#get an access token
access_token = keystone.oauth2.access_tokens.create(
consumer_id=consumer_id,
authorization_code=authorization_code.code,
redirect_uri=redirect_uri,
consumer_secret=consumer_secret)
# log in and get a keystone token
a = auth.OAuth2(url, access_token=access_token.access_token)
s = session.Session(auth=a)
keystone = client.Client(session=s)
keystone.users.list()
def create_keystone_session(cacert, insecure, **kwargs):
auth = auth_v2.Password(**kwargs)
return session.Session(auth=auth, cert=cacert, verify=not insecure)
def test_no_redirect(self):
session = client_session.Session(redirect=False)
self.setup_redirects()
resp = session.get(self.REDIRECT_CHAIN[0])
self.assertEqual(resp.status_code, 305)
self.assertEqual(resp.url, self.REDIRECT_CHAIN[0])
def test_service_url_raises_if_no_url_returned(self):
sess = client_session.Session(auth=AuthPlugin())
self.assertRaises(exceptions.EndpointNotFound,
sess.get, '/path',
endpoint_filter={'service_type': 'unknown',
'interface': 'public'})
def test_does_not_set_tcp_keepalive_on_custom_sessions(self):
mock_session = mock.Mock()
client_session.Session(session=mock_session)
self.assertFalse(mock_session.mount.called)
def test_basic_post_keeps_correct_method(self):
session = client_session.Session()
self.setup_redirects(method='POST', status_code=301)
resp = session.post(self.REDIRECT_CHAIN[-2])
self.assertResponse(resp)
def test_no_reauthenticate(self):
a = self._create_expired_auth_plugin(reauthenticate=False)
expired_auth_ref = a.auth_ref
s = session.Session(auth=a)
self.assertIs(expired_auth_ref, a.get_access(s))
def test_get_auth_properties(self):
a = self.create_auth_plugin()
s = session.Session()
self.assertEqual(self.user_id, a.get_user_id(s))
self.assertEqual(self.project_id, a.get_project_id(s))
ks_username = config.get('os_username')
ks_password = config.get('os_password')
project_name = config.get('os_project_name')
yaml_file = config.get('flavor_yaml_file')
ca_bundle = config.get('ca_bundle_file')
with open(yaml_file) as f:
flavors = yaml.safe_load(f)
f.close()
auth = v2.Password(auth_url=auth_url,
username=ks_username,
password=ks_password,
tenant_name=project_name)
sess = session.Session(auth=auth, verify=ca_bundle)
nova = client.Client("2", session=sess)
current = []
for f in nova.flavors.list(is_public=False):
current.append(f.name)
inyaml = []
for f in flavors['flavors']:
name = "%s.%sc.%sr.%sh" % (f['type'], f['cpu'], f['ram'], f['disk'])
if name in inyaml:
log.logger.debug(
"flavor %s is duplicate in flavor.yaml so it will be skipped" %
name)
def _get_keystone_session(**kwargs):
# TODO(fabgia): the heavy lifting here should be really done by Keystone.
# Unfortunately Keystone does not support a richer method to perform
# discovery and return a single viable URL. A bug against Keystone has
# been filed: https://bugs.launchpad.net/python-keystoneclient/+bug/1330677
# first create a Keystone session
cacert = kwargs.pop('cacert', None)
cert = kwargs.pop('cert', None)
key = kwargs.pop('key', None)
insecure = kwargs.pop('insecure', False)
auth_url = kwargs.pop('auth_url', None)
project_id = kwargs.pop('project_id', None)
project_name = kwargs.pop('project_name', None)
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
# passing cert and key together is deprecated in favour of the
# requests lib form of having the cert and key as a tuple
cert = (cert, key)
# create the keystone client session
ks_session = session.Session(verify=verify, cert=cert)
v2_auth_url, v3_auth_url = _discover_auth_versions(ks_session, auth_url)
username = kwargs.pop('username', None)
user_id = kwargs.pop('user_id', None)
user_domain_name = kwargs.pop('user_domain_name', None)
user_domain_id = kwargs.pop('user_domain_id', None)
project_domain_name = kwargs.pop('project_domain_name', None)
project_domain_id = kwargs.pop('project_domain_id', None)
auth = None
use_domain = (user_domain_id or user_domain_name or
project_domain_id or project_domain_name)
use_v3 = v3_auth_url and (use_domain or (not v2_auth_url))
use_v2 = v2_auth_url and not use_domain
if use_v3:
# the auth_url as v3 specified
# e.g. http://no.where:5000/v3
# Keystone will return only v3 as viable option
auth = v3_auth.Password(
v3_auth_url,
username=username,
password=kwargs.pop('password', None),
user_id=user_id,
user_domain_name=user_domain_name,
user_domain_id=user_domain_id,
project_name=project_name,
project_id=project_id,
project_domain_name=project_domain_name,
project_domain_id=project_domain_id)
elif use_v2:
# the auth_url as v2 specified
# e.g. http://no.where:5000/v2.0
# Keystone will return only v2 as viable option
auth = v2_auth.Password(
v2_auth_url,
username,
kwargs.pop('password', None),
tenant_id=project_id,
tenant_name=project_name)
else:
raise exc.CommandError('Unable to determine the Keystone version '
'to authenticate with using the given '
'auth_url.')
ks_session.auth = auth
return ks_session
def login(username, project_id, password, region):
params_no_version = {
'username': username,
'project_id': project_id,
'auth_url': config.os_auth_url,
'user_domain_id': 'default',
'tenant_name': project_id,
'password': password,
'project_domain_id': 'default'
}
request_session = requests.session()
auth = auth_plugin.load_from_options(**params_no_version)
session = osc_session.Session(auth=auth,
session=request_session,
verify=True)
catalog = auth.get_auth_ref(session)['catalog']
nova_catalog = [
res for res in catalog
if res['type'] == 'compute' and res['endpoints'][0]['region'] == region
]
neutron_catalog = [
res for res in catalog
if res['type'] == 'network' and res['endpoints'][0]['region'] == region
]
cinder_catalog = [
res for res in catalog if res['type'] == 'volumev2'
and res['endpoints'][0]['region'] == region
]
glance_catalog = [
res for res in catalog
if res['type'] == 'image' and res['endpoints'][0]['region'] == region
]
final_nova_catalog = []
for res in nova_catalog:
for r in res['endpoints']:
if r['interface'] == 'public':
final_nova_catalog.append(r['url'])
final_neutron_catalog = []
for res in neutron_catalog:
for r in res['endpoints']:
if r['interface'] == 'public':
final_neutron_catalog.append(r['url'] + '/v2.0')
final_cinder_catalog = []
for res in cinder_catalog:
for r in res['endpoints']:
if r['interface'] == 'public':
final_cinder_catalog.append(r['url'])
final_glance_catalog = []
for res in glance_catalog:
for r in res['endpoints']:
if r['interface'] == 'public':
final_glance_catalog.append(r['url'])
return (session.get_token(), final_nova_catalog, final_neutron_catalog,
final_cinder_catalog, final_glance_catalog)
def test_400_api_connection(self):
"""Simple api calls to check service is up and responding"""
u.log.debug('Checking api functionality...')
# This handles both keystone v2 and v3.
# For keystone v2 we need a user:
# - 'demo' user
# - has a project 'demo'
# - in the 'demo' project
# - with an 'admin' role
# For keystone v3 we need a user:
# - 'default' domain
# - 'demo' user
# - 'demo' project
# - 'admin' role -- to be able to delete.
# manila requires a user with creator or admin role on the project
# when creating a secret (which this test does). Therefore, we create
# a demo user, demo project, and then get a demo manila client and do
# the secret. ensure that the default domain is created.
if self._keystone_version == '2':
# find or create the 'demo' tenant (project)
tenant = self._find_or_create(
items=self.keystone.tenants.list(),
key=lambda t: t.name == 'demo',
create=lambda: self.keystone.tenants.create(
tenant_name="demo",
description="Demo for testing manila",
enabled=True))
# find or create the demo user
demo_user = self._find_or_create(
items=self.keystone.users.list(),
key=lambda u: u.name == 'demo',
create=lambda: self.keystone.users.create(
name='demo', password='******', tenant_id=tenant.id))
# find the admin role
# already be created - if not, then this will fail later.
admin_role = self._find_or_create(
items=self.keystone.roles.list(),
key=lambda r: r.name.lower() == 'admin',
create=lambda: None)
# grant the role if it isn't already created.
# now grant the creator role to the demo user.
self._find_or_create(
items=self.keystone.roles.roles_for_user(demo_user,
tenant=tenant),
key=lambda r: r.name.lower() == admin_role.name.lower(),
create=lambda: self.keystone.roles.add_user_role(
demo_user, admin_role, tenant=tenant))
# now we can finally get the manila client and create the secret
keystone_ep = self.keystone.service_catalog.url_for(
service_type='identity', endpoint_type='publicURL')
auth = keystone_identity.v2.Password(username=demo_user.name,
password='******',
tenant_name=tenant.name,
auth_url=keystone_ep)
else:
# find or create the 'default' domain
domain = self._find_or_create(
items=self.keystone.domains.list(),
key=lambda u: u.name == 'default',
create=lambda: self.keystone.domains.create(
"default",
description="domain for manila testing",
enabled=True))
# find or create the 'demo' user
demo_user = self._find_or_create(
items=self.keystone.users.list(domain=domain.id),
key=lambda u: u.name == 'demo',
create=lambda: self.keystone.users.create(
'demo',
domain=domain.id,
description="Demo user for manila tests",
enabled=True,
email="*****@*****.**",
password="******"))
# find or create the 'demo' project
demo_project = self._find_or_create(
items=self.keystone.projects.list(domain=domain.id),
key=lambda x: x.name == 'demo',
create=lambda: self.keystone.projects.create(
'demo',
domain=domain.id,
description='manila testing project',
enabled=True))
# create the role for the user - needs to be admin so that the
# secret can be deleted - note there is only one admin role, and it
# should already be created - if not, then this will fail later.
admin_role = self._find_or_create(
items=self.keystone.roles.list(),
key=lambda r: r.name.lower() == 'admin',
create=lambda: None)
# now grant the creator role to the demo user.
try:
self.keystone.roles.check(role=admin_role,
user=demo_user,
project=demo_project)
except keystoneclient.exceptions.NotFound:
# create it if it isn't found
self.keystone.roles.grant(role=admin_role,
user=demo_user,
project=demo_project)
# now we can finally get the manila client and create the secret
keystone_ep = self.keystone.service_catalog.url_for(
service_type='identity', endpoint_type='publicURL')
auth = keystone_identity.v3.Password(
user_domain_name=domain.name,
username=demo_user.name,
password='******',
project_domain_name=domain.name,
project_name=demo_project.name,
auth_url=keystone_ep)
# Now we carry on with common v2 and v3 code
sess = keystone_session.Session(auth=auth)
# Authenticate admin with manila endpoint
manila_ep = self.keystone.service_catalog.url_for(
service_type='key-manager', endpoint_type='publicURL')
manila = manila_client.Client(session=sess, endpoint=manila_ep)
# now create the secret.
my_secret = manila.secrets.create()
my_secret.name = u'Random plain text password'
my_secret.payload = u'password'
my_secret_ref = my_secret.store()
assert (my_secret_ref is not None)
# and now delete the secret
my_secret.delete()
u.log.debug('OK')
def getKeystoneSession(config, project):
return keystonesession.Session(
auth=keystoneauth.Password(auth_url=config['nova_api_url'],
username=config['username'],
password=config['password'],
tenant_name=project))
def test_not_found(self):
session = client_session.Session()
self.stub_url('GET', status_code=404)
self.assertRaises(exceptions.NotFound, session.get, self.TEST_URL)
def setUp(self):
super(GenericAuthPluginTests, self).setUp()
self.auth = GenericPlugin()
self.session = session.Session(auth=self.auth)
def test_server_error(self):
session = client_session.Session()
self.stub_url('GET', status_code=500)
self.assertRaises(exceptions.InternalServerError,
session.get, self.TEST_URL)
def main():
argparser = argparse.ArgumentParser()
argparser.add_argument('--debug',
help='Turn on debug logging',
action='store_true')
argparser.add_argument(
'--project',
default='admin-monitoring',
help='Set project to test creation for',
)
argparser.add_argument(
'--keyfile',
default='',
help='Path to SSH key file for verification',
)
argparser.add_argument(
'--user',
default='',
help='Set username (Expected to be the same across all backends)',
)
argparser.add_argument(
'--prepend',
default='test-create',
help='String to add to beginning of instance names',
)
argparser.add_argument(
'--max-pool',
default=1,
type=int,
help='Allow this many instances',
)
argparser.add_argument('--preserve-leaks',
help='Never delete failed VMs',
action='store_true')
argparser.add_argument(
'--keystone-url',
default="http://cloudcontrol1003.wikimedia.org:35357/v3",
help='Auth url for token and service discovery',
)
argparser.add_argument(
'--interval',
default=600,
type=int,
help='Seconds delay for daemon (default: 600 [10m])',
)
argparser.add_argument(
'--creation-timeout',
default=180,
type=int,
help='Allow this long for creation to succeed.',
)
argparser.add_argument(
'--ssh-timeout',
default=180,
type=int,
help='Allow this long for SSH to succeed.',
)
argparser.add_argument(
'--puppet-timeout',
default=120,
type=int,
help='Allow this long for Puppet to succeed.',
)
argparser.add_argument(
'--deletion-timeout',
default=120,
type=int,
help='Allow this long for delete to succeed.',
)
argparser.add_argument(
'--image',
default='debian-8.10-jessie',
help='Image to use',
)
argparser.add_argument(
'--flavor',
default='m1.small',
help='Flavor to use',
)
argparser.add_argument('--skip-puppet',
help='Turn off Puppet validation',
action='store_true')
argparser.add_argument('--skip-dns',
help='Turn off DNS validation',
action='store_true')
argparser.add_argument(
'--dns-resolvers',
help='Comma separated list of nameservers',
default='208.80.154.143,208.80.154.24',
)
argparser.add_argument('--skip-ssh',
help='Turn off basic SSH validation',
action='store_true')
argparser.add_argument('--pause-for-deletion',
help='Wait for user input before deletion',
action='store_true')
argparser.add_argument('--skip-deletion',
help='Leave instance behind',
action='store_true')
argparser.add_argument(
'--virthost',
default=None,
help='Specify a particular host to launch on, e.g. labvirt1001. Default'
'behavior is to use the standard scheduling pool.',
)
argparser.add_argument(
'--adhoc-command',
default='',
help='Specify a command over SSH prior to deletion',
)
argparser.add_argument(
'--network',
default='',
help='Specify a Neutron network for VMs',
)
argparser.add_argument(
'--statsd',
default='statsd.eqiad.wmnet',
help='Send statistics to statsd endpoint',
)
args = argparser.parse_args()
logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
level=logging.DEBUG if args.debug else logging.INFO)
if args.adhoc_command and args.skip_ssh:
logging.error("cannot skip SSH with adhoc command specified")
sys.exit(1)
try:
with open(args.keyfile, 'r') as f:
f.read()
except:
logging.error("keyfile {} cannot be read".format(args.keyfile))
sys.exit(1)
pw = os.environ.get('OS_PASSWORD')
region = os.environ.get('OS_REGION_NAME')
user = os.environ.get('OS_USERNAME') or args.user
project = os.environ.get('OS_PROJECT_ID') or args.project
if not all([user, pw, project]):
logging.error('Set username and password environment variables')
sys.exit(1)
def stat(metric, value):
metric_prepend = 'servers.{}.nova'.format(socket.gethostname())
submit_stat(args.statsd, 8125, metric_prepend, metric, value)
while True:
loop_start = round(time.time(), 2)
auth = generic.Password(auth_url=args.keystone_url,
username=user,
password=pw,
user_domain_name='Default',
project_domain_name='Default',
project_name=project)
sess = keystone_session.Session(auth=auth)
nova_conn = nova_client.Client('2', session=sess, region_name=region)
prepend = args.prepend
epoch = int(time.time())
name = '{}-{}'.format(prepend, epoch)
exist = nova_conn.servers.list()
logging.debug(exist)
prependinstances = [
server for server in exist if server.human_id.startswith(prepend)
]
pexist_count = len(prependinstances)
stat('instances.count', pexist_count)
stat('instances.max', args.max_pool)
# If we're pushing up against max_pool, delete the oldest server
if not args.preserve_leaks and pexist_count >= args.max_pool - 1:
logging.warning("There are {} leaked instances with prepend {}; "
"cleaning up".format(pexist_count, prepend))
servers = sorted(prependinstances,
key=lambda server: server.human_id)
servers[0].delete()
if pexist_count >= args.max_pool:
# If the cleanup in the last two cycles didn't get us anywhere,
# best to just bail out so we stop trampling on the API.
logging.error(
"max server(s) with prepend {} -- skipping creation".format(
prepend))
continue
cimage = nova_conn.images.find(name=args.image)
cflavor = nova_conn.flavors.find(name=args.flavor)
try:
vc, server = verify_create(nova_conn, name, cimage, cflavor,
args.creation_timeout, args.network,
args.virthost)
stat('verify.creation', vc)
if 'public' in server.addresses:
addr = server.addresses['public'][0]['addr']
if not addr.startswith('10.'):
raise Exception("Bad address of {}".format(addr))
else:
addr = server.addresses['lan-flat-cloudinstances2b'][0]['addr']
if not addr.startswith('172.'):
raise Exception("Bad address of {}".format(addr))
if not args.skip_dns:
host = '{}.{}.eqiad.wmnet'.format(server.name,
server.tenant_id)
dnsd = args.dns_resolvers.split(',')
vdns = verify_dns(host, dnsd, timeout=2.0)
stat('verify.dns', vdns)
if not args.skip_ssh:
vs = verify_ssh(addr, user, args.keyfile, args.ssh_timeout)
stat('verify.ssh', vs)
if args.adhoc_command:
sshout = run_remote(addr,
user,
args.keyfile,
args.adhoc_command,
debug=args.debug)
logging.debug(sshout)
if not args.skip_puppet:
ps, puppetrun = verify_puppet(addr, user, args.keyfile,
args.puppet_timeout)
stat('verify.puppet', ps)
categories = ['changes', 'events', 'resources', 'time']
for d in categories:
for k, v in puppetrun[d].iteritems():
stat('puppet.{}.{}'.format(d, k), v)
if args.pause_for_deletion:
logging.info("Pausing for deletion")
get_verify('continue with deletion', 'Not a valid response',
['y'])
if not args.skip_deletion:
vd = verify_deletion(nova_conn, server, args.deletion_timeout)
if not args.pause_for_deletion:
stat('verify.deletion', vd)
loop_end = time.time()
stat('verify.fullstack', round(loop_end - loop_start, 2))
if not args.interval:
return
stat('verify.success', 1)
except:
logging.exception("{} failed, leaking".format(name))
stat('verify.success', 0)
time.sleep(args.interval)
def test_basic_get(self):
session = client_session.Session()
self.setup_redirects()
resp = session.get(self.REDIRECT_CHAIN[-2])
self.assertResponse(resp)
help='datacenter for operations, to calculate FQDNs. Default is eqiad',
default="eqiad"
)
args = argparser.parse_args()
config = ScriptConfig(args.datacenter, args.destination, args.mysql_password,
args.nova_db_server, args.nova_db)
logging.basicConfig(format="%(filename)s: %(levelname)s: %(message)s",
level=logging.INFO, stream=sys.stdout)
sshargs = ["ssh", "-i", "/root/.ssh/compute-hosts-key",
"nova@%s" % config.destination_fqdn, "true"]
r = subprocess.call(sshargs)
if r:
logging.error("remote execution failed; this whole enterprise is doomed.")
exit(1)
auth = generic.Password(
auth_url=args.nova_url,
username=args.nova_user,
password=args.nova_pass,
user_domain_name='Default',
project_domain_name='Default',
project_name='admin')
session = keystone_session.Session(auth=auth)
instance = NovaInstance(session, args.instanceid, region=args.region)
instance.migrate(config)
logging.shutdown()
def test_redirect_forever(self):
session = client_session.Session(redirect=True)
self.setup_redirects()
resp = session.get(self.REDIRECT_CHAIN[0])
self.assertResponse(resp)
self.assertTrue(len(resp.history), len(self.REDIRECT_CHAIN))
def new_client(self):
self.session = session.Session()
self.session.auth = v2.Password(self.identity_url, 'xx', 'xx')
return v3client.Client(session=self.session)
def test_service_url_raises_if_no_auth_plugin(self):
sess = client_session.Session()
self.assertRaises(exceptions.MissingAuthPlugin,
sess.get, '/path',
endpoint_filter={'service_type': 'compute',
'interface': 'public'})
def get_keystone_session():
cred = get_keystone_creds()
auth = v3.Password(**cred)
return ksc_session.Session(auth=auth)
def test_user_and_project_id(self):
auth = AuthPlugin()
sess = client_session.Session(auth=auth)
self.assertEqual(auth.TEST_USER_ID, sess.get_user_id())
self.assertEqual(auth.TEST_PROJECT_ID, sess.get_project_id())
def get_session(auth_url,
endpoint,
domain_id,
domain_name,
project_id,
project_name,
project_domain_name,
project_domain_id,
username,
user_id,
password,
user_domain_id,
user_domain_name,
token,
insecure,
cacert,
all_tenants=False,
edit_managed=False):
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session = ks_session.Session()
# Build + Attach Authentication Plugin
auth_args = {
'auth_url': auth_url,
'domain_id': domain_id,
'domain_name': domain_name,
'project_id': project_id,
'project_name': project_name,
'project_domain_name': project_domain_name,
'project_domain_id': project_domain_id,
}
if token and endpoint:
session.auth = token_endpoint.Token(endpoint, token)
elif token:
auth_args.update({'token': token})
session.auth = generic.Token(**auth_args)
else:
auth_args.update({
'username': username,
'user_id': user_id,
'password': password,
'user_domain_id': user_domain_id,
'user_domain_name': user_domain_name,
})
session.auth = generic.Password(**auth_args)
# SSL/TLS Server Cert Verification
if insecure is True:
session.verify = False
else:
session.verify = cacert
# NOTE: all_tenants and edit_managed are here for backwards compat
# reasons, do not add additional modifiers here.
session.all_tenants = all_tenants
session.edit_managed = edit_managed
return session
def _create_session_client(self):
auth = token_endpoint.Token(self.endpoint, self.token)
sess = session.Session(auth=auth)
return http.SessionClient(sess)
def get_insecure_session(self):
session = self._sessions.get(SESSION_TYPE_INSECURE)
if not session:
session = keystone.Session(verify=False)
self._set_session(SESSION_TYPE_INSECURE, session)
return session
def setUp(self):
super(TestObjectAPIv1, self).setUp()
sess = session.Session()
self.api = object_store.APIv1(session=sess, endpoint=FAKE_URL)
self.requests_mock = self.useFixture(fixture.Fixture())
def __call__(self, req):
request_id = common_context.generate_request_id()
# NOTE(alevine) We need to calculate the hash here because
# subsequent access to request modifies the req.body so the hash
# calculation will yield invalid results.
body_hash = hashlib.sha256(req.body).hexdigest()
signature = self._get_signature(req)
if not signature:
msg = _("Signature not provided")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
access = self._get_access(req)
if not access:
msg = _("Access key not provided")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
params = {}
else:
# Make a copy of args for authentication and signature verification
params = dict(req.params)
# Not part of authentication args
params.pop('Signature', None)
cred_dict = {
'access': access,
'signature': signature,
'host': req.host,
'verb': req.method,
'path': req.path,
'params': params,
# python3 takes only keys fo json from headers object
'headers': {k: req.headers[k]
for k in req.headers},
'body_hash': body_hash
}
token_url = CONF.keystone_ec2_tokens_url
if "ec2" in token_url:
creds = {'ec2Credentials': cred_dict}
else:
creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}}
creds_json = jsonutils.dumps(creds)
headers = {'Content-Type': 'application/json'}
response = requests.request('POST',
token_url,
data=creds_json,
headers=headers)
status_code = response.status_code
if status_code != 200:
msg = response.reason
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=status_code)
try:
auth_ref = keystone_access.AccessInfo.factory(resp=response,
body=response.json())
except (NotImplementedError, KeyError):
LOG.exception(_("Keystone failure"))
msg = _("Failure communicating with keystone")
return faults.ec2_error_response(request_id,
"AuthFailure",
msg,
status=400)
auth = keystone_identity_access.AccessInfoPlugin(auth_ref)
session = keystone_session.Session(auth=auth)
remote_address = req.remote_addr
if CONF.use_forwarded_for:
remote_address = req.headers.get('X-Forwarded-For', remote_address)
ctxt = context.RequestContext(auth_ref.user_id,
auth_ref.project_id,
request_id=request_id,
user_name=auth_ref.username,
project_name=auth_ref.project_name,
remote_address=remote_address,
session=session,
api_version=req.params.get('Version'))
req.environ['ec2api.context'] = ctxt
return self.application
