def __init__(self, context): # If a trust_id is specified in the context, we immediately # authenticate so we can populate the context with a trust token # otherwise, we delay client authentication until needed to avoid # unnecessary calls to keystone. # # Note that when you obtain a token using a trust, it cannot be # used to reauthenticate and get another token, so we have to # get a new trust-token even if context.auth_token is set. # # - context.auth_url is expected to contain a versioned keystone # path, we will work with either a v2.0 or v3 path self.context = context self._client = None self._admin_client = None if self.context.auth_url: self.endpoint = self.context.auth_url.replace('v2.0', 'v3') else: # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystonemiddleware.auth_token') self.endpoint = cfg.CONF.keystone_authtoken.auth_uri.replace( 'v2.0', 'v3') if self.context.trust_id: # Create a client with the specified trust_id, this # populates self.context.auth_token with a trust-scoped token self._client = self._v3_client_init()
def __init__(self, context): # If a trust_id is specified in the context, we immediately # authenticate so we can populate the context with a trust token # otherwise, we delay client authentication until needed to avoid # unnecessary calls to keystone. # # Note that when you obtain a token using a trust, it cannot be # used to reauthenticate and get another token, so we have to # get a new trust-token even if context.auth_token is set. # # - context.auth_url is expected to contain a versioned keystone # path, we will work with either a v2.0 or v3 path self.context = context self._client = None self._admin_client = None if self.context.auth_url: self.v3_endpoint = self.context.auth_url.replace('v2.0', 'v3') else: # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystoneclient.middleware.auth_token') self.v3_endpoint = cfg.CONF.keystone_authtoken.auth_uri.replace( 'v2.0', 'v3') if self.context.trust_id: # Create a client with the specified trust_id, this # populates self.context.auth_token with a trust-scoped token self._client = self._v3_client_init()
def before(self, state): if not CONF.get('enable_authentication'): return # Skip authentication for public endpoints if AUTH.is_endpoint_public(state.request.path): return headers = state.request.headers user_id = headers.get('X-User-Id') if user_id is None: LOG.debug("X-User-Id header was not found in the request") raise Exception('Not authorized') roles = self._get_roles(state.request) project_id = headers.get('X-Project-Id') user_name = headers.get('X-User-Name', '') tenant_name = headers.get('X-Project') domain = headers.get('X-Domain-Name') project_domain_id = headers.get('X-Project-Domain-Id', '') user_domain_id = headers.get('X-User-Domain-Id', '') password = headers.get('X-Password', '') # Get the auth token try: recv_auth_token = headers.get('X-Auth-Token', headers.get( 'X-Storage-Token')) except ValueError: LOG.debug("No auth token found in the request.") raise Exception('Not authorized') auth_url = headers.get('X-Auth-Url') if auth_url is None: importutils.import_module('keystonemiddleware.auth_token') auth_url = cfg.CONF.keystone_authtoken.auth_uri auth_token_info = state.request.environ.get('keystone.token_info') identity_status = headers.get('X-Identity-Status') if identity_status == 'Confirmed': ctx = context.RequestContext(auth_token=recv_auth_token, auth_token_info=auth_token_info, user=user_id, tenant=project_id, domain=domain, user_domain=user_domain_id, project_domain=project_domain_id, user_name=user_name, roles=roles, auth_url=auth_url, password=password, tenant_name=tenant_name) state.request.security_context = ctx else: LOG.debug("The provided identity is not confirmed.") raise Exception('Not authorized. Identity not confirmed.') return
def _service_admin_creds(self): # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystonemiddleware.auth_token') creds = { 'username': cfg.CONF.keystone_authtoken.admin_user, 'password': cfg.CONF.keystone_authtoken.admin_password, 'auth_url': self.endpoint, 'endpoint': self.endpoint, 'project_name': cfg.CONF.keystone_authtoken.admin_tenant_name} return creds
def _barbican_admin_init(self): # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystoneclient.middleware.auth_token') keystone = barbicanauth.KeystoneAuthV2( auth_url=cfg.CONF.keystone_authtoken.auth_uri, username=cfg.CONF.keystone_authtoken.admin_user, password=cfg.CONF.keystone_authtoken.admin_password, tenant_name=cfg.CONF.keystone_authtoken.admin_tenant_name) return barbicanclient.Client(auth_plugin=keystone, insecure=self.insecure)
def _barbican_admin_init(self): # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystonemiddleware.auth_token') auth = identity.v2.Password( auth_url=cfg.CONF.keystone_authtoken.auth_uri, username=cfg.CONF.keystone_authtoken.admin_user, password=cfg.CONF.keystone_authtoken.admin_password, tenant_name=cfg.CONF.keystone_authtoken.admin_tenant_name) sess = session.Session(auth=auth, verify=self.verify) return barbicanclient.Client(session=sess)
def _service_admin_creds(self): # Import auth_token to have keystone_authtoken settings setup. importutils.import_module('keystonemiddleware.auth_token') creds = { 'username': cfg.CONF.keystone_authtoken.admin_user, 'password': cfg.CONF.keystone_authtoken.admin_password, 'auth_url': self.endpoint, 'endpoint': self.endpoint, 'project_name': cfg.CONF.keystone_authtoken.admin_tenant_name } return creds
def before(self, state): if not CONF.get('enable_authentication'): return # Do not proceed for triggers as they use non authenticated service regexp = re.compile('^/v[0-9]+/public/') if regexp.match(state.request.path): return headers = state.request.headers user_id = headers.get('X-User-Id') if user_id is None: LOG.debug("X-User-Id header was not found in the request") raise Exception('Not authorized') roles = self._get_roles(state.request) project_id = headers.get('X-Project-Id') user_name = headers.get('X-User-Name', '') domain = headers.get('X-Domain-Name') project_domain_id = headers.get('X-Project-Domain-Id', '') user_domain_id = headers.get('X-User-Domain-Id', '') # Get the auth token try: recv_auth_token = headers.get('X-Auth-Token', headers.get( 'X-Storage-Token')) except ValueError: LOG.debug("No auth token found in the request.") raise Exception('Not authorized') auth_url = headers.get('X-Auth-Url') if auth_url is None: importutils.import_module('keystoneclient.middleware.auth_token') auth_url = cfg.CONF.keystone_authtoken.auth_uri auth_token_info = state.request.environ.get('keystone.token_info') identity_status = headers.get('X-Identity-Status') if identity_status == 'Confirmed': ctx = context.RequestContext(auth_token=recv_auth_token, auth_token_info=auth_token_info, user=user_id, tenant=project_id, domain=domain, user_domain=user_domain_id, project_domain=project_domain_id, user_name=user_name, roles=roles, auth_url=auth_url) state.request.security_context = ctx else: LOG.debug("The provided identity is not confirmed.") raise Exception('Not authorized. Identity not confirmed.') return
def _get_impl(): """Delay import of rpc_backend until configuration is loaded.""" global _RPCIMPL if _RPCIMPL is None: try: _RPCIMPL = importutils.import_module(CONF.rpc_backend) except ImportError: # For backwards compatibility with older nova config. impl = CONF.rpc_backend.replace('nova.rpc', 'nova.openstack.common.rpc') _RPCIMPL = importutils.import_module(impl) return _RPCIMPL
def before(self, state): if not CONF.get('enable_authentication'): return # Do not proceed for triggers as they use non authenticated service regexp = re.compile('^/v[0-9]+/public/') if regexp.match(state.request.path): return headers = state.request.headers user_id = headers.get('X-User-Id') if user_id is None: LOG.debug("X-User-Id header was not found in the request") raise Exception('Not authorized') roles = self._get_roles(state.request) project_id = headers.get('X-Project-Id') user_name = headers.get('X-User-Name', '') domain = headers.get('X-Domain-Name') project_domain_id = headers.get('X-Project-Domain-Id', '') user_domain_id = headers.get('X-User-Domain-Id', '') # Get the auth token try: recv_auth_token = headers.get('X-Auth-Token', headers.get('X-Storage-Token')) except ValueError: LOG.debug("No auth token found in the request.") raise Exception('Not authorized') auth_url = headers.get('X-Auth-Url') if auth_url is None: importutils.import_module('keystoneclient.middleware.auth_token') auth_url = cfg.CONF.keystone_authtoken.auth_uri auth_token_info = state.request.environ.get('keystone.token_info') identity_status = headers.get('X-Identity-Status') if identity_status == 'Confirmed': ctx = context.RequestContext(auth_token=recv_auth_token, auth_token_info=auth_token_info, user=user_id, tenant=project_id, domain=domain, user_domain=user_domain_id, project_domain=project_domain_id, user_name=user_name, roles=roles, auth_url=auth_url) state.request.security_context = ctx else: LOG.debug("The provided identity is not confirmed.") raise Exception('Not authorized. Identity not confirmed.') return
def load(): """Ensure that the object model is initialized.""" registry.clear() backend_name = CONF.database.backend backend_path = _BACKEND_MAPPING.get(backend_name, backend_name) backend_mod = importutils.import_module(backend_path) backend_mod.load()
def __init__(self, backend_mapping=None): if backend_mapping is None: backend_mapping = {} backend_name = CONF.database.backend # Import the untranslated name if we don't have a # mapping. backend_path = backend_mapping.get(backend_name, backend_name) backend_mod = importutils.import_module(backend_path) self.__backend = backend_mod.get_backend()
def _import_module(mod_str): try: if mod_str.startswith('bin.'): imp.load_source(mod_str[4:], os.path.join('bin', mod_str[4:])) return sys.modules[mod_str[4:]] else: return importutils.import_module(mod_str) except Exception as e: sys.stderr.write("Error importing module %s: %s\n" % (mod_str, str(e))) return None
def _import_module(mod_str): try: if mod_str.startswith("bin."): imp.load_source(mod_str[4:], os.path.join("bin", mod_str[4:])) return sys.modules[mod_str[4:]] else: return importutils.import_module(mod_str) except ImportError as ie: sys.stderr.write("%s\n" % str(ie)) return None except Exception: return None
def _get_drivers(): """Instantiate, cache, and return drivers based on the CONF.""" global _drivers if _drivers is None: _drivers = {} for notification_driver in CONF.notification_driver: try: driver = importutils.import_module(notification_driver) _drivers[notification_driver] = driver except ImportError: LOG.exception(_("Failed to load notifier %s. " "These notifications will not be sent.") % notification_driver) return _drivers.values()
def deserialize_remote_exception(conf, data): failure = jsonutils.loads(str(data)) trace = failure.get('tb', []) message = failure.get('message', "") + "\n" + "\n".join(trace) name = failure.get('class') module = failure.get('module') # NOTE(ameade): We DO NOT want to allow just any module to be imported, in # order to prevent arbitrary code execution. if module not in conf.allowed_rpc_exception_modules: return RemoteError(name, failure.get('message'), trace) try: mod = importutils.import_module(module) klass = getattr(mod, name) if not issubclass(klass, Exception): raise TypeError("Can only deserialize Exceptions") failure = klass(*failure.get('args', []), **failure.get('kwargs', {})) except (AttributeError, TypeError, ImportError): return RemoteError(name, failure.get('message'), trace) ex_type = type(failure) str_override = lambda self: message new_ex_type = type(ex_type.__name__ + _REMOTE_POSTFIX, (ex_type, ), { '__str__': str_override, '__unicode__': str_override }) new_ex_type.__module__ = '%s%s' % (module, _REMOTE_POSTFIX) try: # NOTE(ameade): Dynamically create a new exception type and swap it in # as the new type for the exception. This only works on user defined # Exceptions and not core python exceptions. This is important because # we cannot necessarily change an exception message so we must override # the __str__ method. failure.__class__ = new_ex_type except TypeError: # NOTE(ameade): If a core exception then just add the traceback to the # first exception argument. failure.args = (message, ) + failure.args[1:] return failure
def deserialize_remote_exception(conf, data): failure = jsonutils.loads(str(data)) trace = failure.get('tb', []) message = failure.get('message', "") + "\n" + "\n".join(trace) name = failure.get('class') module = failure.get('module') # NOTE(ameade): We DO NOT want to allow just any module to be imported, in # order to prevent arbitrary code execution. if module not in conf.allowed_rpc_exception_modules: return RemoteError(name, failure.get('message'), trace) try: mod = importutils.import_module(module) klass = getattr(mod, name) if not issubclass(klass, Exception): raise TypeError("Can only deserialize Exceptions") failure = klass(*failure.get('args', []), **failure.get('kwargs', {})) except (AttributeError, TypeError, ImportError): return RemoteError(name, failure.get('message'), trace) ex_type = type(failure) str_override = lambda self: message new_ex_type = type(ex_type.__name__ + _REMOTE_POSTFIX, (ex_type,), {'__str__': str_override, '__unicode__': str_override}) new_ex_type.__module__ = '%s%s' % (module, _REMOTE_POSTFIX) try: # NOTE(ameade): Dynamically create a new exception type and swap it in # as the new type for the exception. This only works on user defined # Exceptions and not core python exceptions. This is important because # we cannot necessarily change an exception message so we must override # the __str__ method. failure.__class__ = new_ex_type except TypeError: # NOTE(ameade): If a core exception then just add the traceback to the # first exception argument. failure.args = (message,) + failure.args[1:] return failure
def __get_backend(self): """Get the actual backend. May be a module or an instance of a class. Doesn't matter to us. We do this synchronized as it's possible multiple greenthreads started very quickly trying to do DB calls and eventlet can switch threads before self.__backend gets assigned. """ if self.__backend: # Another thread assigned it return self.__backend backend_name = CONF.database.backend self.__use_tpool = CONF.database.use_tpool if self.__use_tpool: from eventlet import tpool self.__tpool = tpool # Import the untranslated name if we don't have a # mapping. backend_path = self.__backend_mapping.get(backend_name, backend_name) backend_mod = importutils.import_module(backend_path) self.__backend = backend_mod.get_backend() return self.__backend
def load(): base.reset_obj_classes() backend_name = CONF.database.backend backend_path = _BACKEND_MAPPING.get(backend_name, backend_name) backend_mod = importutils.import_module(backend_path) backend_mod.load()