def setup_auth(self):
"""Set up authentication
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password')
and not self._cli_options.auth.get('password', None)):
self._cli_options.os_password = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
# TODO(mordred): This is a usability improvement that's broadly useful
# We should port it back up into os-client-config.
default_domain = self._cli_options.default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self._auth_params.get('project_domain_id', None)
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('project_domain_name', None)):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('user_domain_id', None)
and not self._auth_params.get('user_domain_name', None)):
self._auth_params['user_domain_id'] = default_domain
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
LOG.debug('Using parameters %s' % self._auth_params)
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = osc_session.TimingSession(
auth=self.auth,
session=request_session,
verify=self._verify,
user_agent=USER_AGENT,
)
return
def setup_auth(self, required_scope=True):
"""Set up authentication
:param required_scope: indicate whether a scoped token is required
This is deferred until authentication is actually attempted because
it gets in the way of things that do not require auth.
"""
if self._auth_setup_completed:
return
# If no auth type is named by the user, select one based on
# the supplied options
self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
# Basic option checking to avoid unhelpful error messages
auth.check_valid_auth_options(self._cli_options,
self.auth_plugin_name,
required_scope=required_scope)
# Horrible hack alert...must handle prompt for null password if
# password auth is requested.
if (self.auth_plugin_name.endswith('password')
and not self._cli_options.auth.get('password')):
self._cli_options.auth['password'] = self._pw_callback()
(auth_plugin, self._auth_params) = auth.build_auth_params(
self.auth_plugin_name,
self._cli_options,
)
# TODO(mordred): This is a usability improvement that's broadly useful
# We should port it back up into os-client-config.
default_domain = self._cli_options.default_domain
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
# present, then do not change the behaviour. Otherwise, set the
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self._auth_params.get('project_domain_id')
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('project_domain_name')):
self._auth_params['project_domain_id'] = default_domain
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
# then do not change the behaviour. Otherwise, set the USER_DOMAIN_ID
# to 'OS_DEFAULT_DOMAIN' for better usability.
if (self._api_version.get('identity') == '3'
and self.auth_plugin_name.endswith('password')
and not self.auth_plugin_name.startswith('v2')
and not self._auth_params.get('user_domain_id')
and not self._auth_params.get('user_domain_name')):
self._auth_params['user_domain_id'] = default_domain
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
# ignore all domain related configs.
if (self._api_version.get('identity') == '2.0'
and self.auth_plugin_name.endswith('password')):
domain_props = [
'project_domain_name', 'project_domain_id', 'user_domain_name',
'user_domain_id'
]
for prop in domain_props:
if self._auth_params.pop(prop, None) is not None:
LOG.warning("Ignoring domain related configs " + prop +
" because identity API version is 2.0")
# For compatibility until all clients can be updated
if 'project_name' in self._auth_params:
self._project_name = self._auth_params['project_name']
elif 'tenant_name' in self._auth_params:
self._project_name = self._auth_params['tenant_name']
LOG.info('Using auth plugin: %s', self.auth_plugin_name)
LOG.debug('Using parameters %s',
strutils.mask_password(self._auth_params))
self.auth = auth_plugin.load_from_options(**self._auth_params)
# needed by SAML authentication
request_session = requests.session()
self.session = osc_session.TimingSession(
auth=self.auth,
session=request_session,
verify=self._verify,
cert=self._cert,
user_agent=USER_AGENT,
)
self._auth_setup_completed = True