Two way SSL connection with the identity service.

Allow the user to establish a two-way SSL connection by
adding the cert and key parameters to the client created by
the keystone manager

Change-Id: I4418a45a58139d63d23f1939be61e90d7cd6a062
zarrouk 2017-01-04 15:00:43 +01:00
parent 1c858ea907
commit 63fb35354e
5 changed files with 49 additions and 8 deletions


@ -35,6 +35,7 @@ Usage
usage: flame [-h] [--username USERNAME] [--password PASSWORD] usage: flame [-h] [--username USERNAME] [--password PASSWORD]
[--project PROJECT] [--region REGION] [--auth_url AUTH_URL] [--project PROJECT] [--region REGION] [--auth_url AUTH_URL]
[--os-auth-token OS_AUTH_TOKEN] [--insecure] [--os-auth-token OS_AUTH_TOKEN] [--insecure]
[--os-cert <certification>] [--os-key <key>]
[--endpoint_type ENDPOINT_TYPE] [--exclude-servers] [--endpoint_type ENDPOINT_TYPE] [--exclude-servers]
[--exclude-volumes] [--exclude-keypairs] [--generate-stack-data] [--exclude-volumes] [--exclude-keypairs] [--generate-stack-data]
[--extract-ports] [--extract-ports]
@ -51,6 +52,12 @@ Usage
--auth_url AUTH_URL Authentication URL. Defaults to env[OS_AUTH_URL]. --auth_url AUTH_URL Authentication URL. Defaults to env[OS_AUTH_URL].
--os-auth-token OS_AUTH_TOKEN --os-auth-token OS_AUTH_TOKEN
User's auth token. Defaults to env[OS_AUTH_TOKEN]. User's auth token. Defaults to env[OS_AUTH_TOKEN].
--os-cert <certificate>
Path to user's certificate needed to establish
two-way SSL connection with the identity service.
Defaults to env[OS_CERT].
--os-key <key> Path to the user's certificate private key.
Defaults to env[OS_KEY].
--insecure Explicitly allow clients to perform"insecure" SSL --insecure Explicitly allow clients to perform"insecure" SSL
(https) requests. The server's certificate will not be (https) requests. The server's certificate will not be
verified against any certificate authorities. This verified against any certificate authorities. This
@ -76,6 +83,12 @@ To use Flame you can provide yours OpenStack credentials as arguments :
Or you can source your OpenStack RC file and use Flame without arguments. Or you can source your OpenStack RC file and use Flame without arguments.
To establish a two-way SSL connection with the identity service :
$flame --username arezmerita --os-auth-token keystonetoken \
--project project-arezmerita --auth_url http://<Keystone_host>:5000/v2.0
--os-cert <path/to/certificate> --os-key <path/to/key>
Flame can be used with either a login and password pair or a keystone Flame can be used with either a login and password pair or a keystone
token by exporting the OS_AUTH_TOKEN variable (the token is obtained token by exporting the OS_AUTH_TOKEN variable (the token is obtained
with keystone token-get). with keystone token-get).


@ -11,6 +11,7 @@ To use the CLI of flame::
usage: flame [-h] [--username USERNAME] [--password PASSWORD] usage: flame [-h] [--username USERNAME] [--password PASSWORD]
[--project PROJECT] [--region REGION] [--auth_url AUTH_URL] [--project PROJECT] [--region REGION] [--auth_url AUTH_URL]
[--os-auth-token OS_AUTH_TOKEN] [--insecure] [--os-auth-token OS_AUTH_TOKEN] [--insecure]
[--os-cert <certification>] [--os-key <key>]
[--endpoint_type ENDPOINT_TYPE] [--exclude-servers] [--endpoint_type ENDPOINT_TYPE] [--exclude-servers]
[--exclude-volumes] [--exclude-keypairs] [--generate-stack-data] [--exclude-volumes] [--exclude-keypairs] [--generate-stack-data]
[--extract-ports] [--extract-ports]
@ -27,6 +28,12 @@ To use the CLI of flame::
--auth_url AUTH_URL Authentication URL. Defaults to env[OS_AUTH_URL]. --auth_url AUTH_URL Authentication URL. Defaults to env[OS_AUTH_URL].
--os-auth-token OS_AUTH_TOKEN --os-auth-token OS_AUTH_TOKEN
User's auth token. Defaults to env[OS_AUTH_TOKEN]. User's auth token. Defaults to env[OS_AUTH_TOKEN].
--os-cert <certificate>
Path to user's certificate needed to establish
two-way SSL connection with the identity service.
Defaults to env[OS_CERT].
--os-key <key> Path to the user's certificate private key.
Defaults to env[OS_KEY].
--insecure Explicitly allow clients to perform"insecure" SSL --insecure Explicitly allow clients to perform"insecure" SSL
(https) requests. The server's certificate will not be (https) requests. The server's certificate will not be
verified against any certificate authorities. This verified against any certificate authorities. This
@ -55,6 +62,12 @@ Or a token and a tenant::
$ flame --username arezmerita --os-auth-token keystonetoken \ $ flame --username arezmerita --os-auth-token keystonetoken \
--project project-arezmerita --auth_url https://example.com/v2.0/ --project project-arezmerita --auth_url https://example.com/v2.0/
To establish a two-way SSL connection with the identity service ::
$flame --username arezmerita --os-auth-token keystonetoken \
--project project-arezmerita --auth_url https://example.com/v2.0/
--os-cert <path/to/certificate> --os-key <path/to/key>
Or you can source your OpenStack RC file and use Flame without arguments:: Or you can source your OpenStack RC file and use Flame without arguments::
$ source credential.rc $ source credential.rc


@ -67,6 +67,14 @@ def main(args=None):
default=os.environ.get("OS_ENDPOINT_TYPE", default=os.environ.get("OS_ENDPOINT_TYPE",
"publicURL"), "publicURL"),
help="Defaults to env[OS_ENDPOINT_TYPE] or publicURL") help="Defaults to env[OS_ENDPOINT_TYPE] or publicURL")
parser.add_argument("--os-cert", type=str, metavar='<certificate>',
default=os.environ.get("OS_CERT"),
help="User's certificate. "
"Defaults to env[OS_CERT].")
parser.add_argument("--os-key", type=str, metavar='<key>',
default=os.environ.get("OS_KEY"),
help="User's key. "
"Defaults to env[OS_KEY].")
parser.add_argument('--exclude-servers', action='store_true', parser.add_argument('--exclude-servers', action='store_true',
default=False, default=False,
help="Do not export in template server resources") help="Do not export in template server resources")
@ -88,6 +96,7 @@ def main(args=None):
flame = client.Client(args.username, args.password, flame = client.Client(args.username, args.password,
args.project, args.auth_url, args.project, args.auth_url,
args.os_auth_token, args.os_auth_token,
cert=args.os_cert, key=args.os_key,
region_name=args.region, region_name=args.region,
endpoint_type=args.endpoint_type, endpoint_type=args.endpoint_type,
insecure=args.insecure) insecure=args.insecure)
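Review bot: The help strings of the two new options, `"User's certificate. "` and `"User's key. "`, do not say that the values are file paths or what they are used for, and they differ from the README wording added in the same commit; suggest `help="Path to the user's client certificate for two-way SSL with the identity service. Defaults to env[OS_CERT]."` and `help="Path to the private key of the user's client certificate. Defaults to env[OS_KEY]."`. Nothing rejects a key supplied without a certificate; presumably the client then has nothing to pair the key with and the request proceeds as an ordinary server-authenticated TLS connection, so a check such as `if args.os_key and not args.os_cert: parser.error("--os-key requires --os-cert")` after parsing would make that failure explicit rather than silent. The enclosing main() starts before the first hunk and the parse_args call lies between the two hunks, so both are outside this view.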


@ -107,13 +107,14 @@ class Resource(object):
class TemplateGenerator(object): class TemplateGenerator(object):
def __init__(self, username, password, tenant_name, auth_url, def __init__(self, username, password, tenant_name, auth_url,
auth_token=None, insecure=False, endpoint_type='publicURL', auth_token=None, cert=None, key=None, insecure=False,
region_name=None): endpoint_type='publicURL', region_name=None):
self.thread_pool = concurrent.futures.ThreadPoolExecutor(10) self.thread_pool = concurrent.futures.ThreadPoolExecutor(10)
self.generate_data = False self.generate_data = False
self._setup_templates() self._setup_templates()
self._setup_managers(username, password, tenant_name, auth_url, self._setup_managers(username, password, tenant_name, auth_url, cert,
insecure, endpoint_type, region_name, auth_token) key, insecure, endpoint_type, region_name,
auth_token)
def _setup_templates(self): def _setup_templates(self):
self.template = yaml.load(template_skeleton) self.template = yaml.load(template_skeleton)
@ -124,12 +125,12 @@ class TemplateGenerator(object):
self.stack_data['resources'] = {} self.stack_data['resources'] = {}
def _setup_managers(self, username, password, tenant_name, auth_url, def _setup_managers(self, username, password, tenant_name, auth_url,
insecure, endpoint_type, region_name=None, insecure, endpoint_type, cert=None, key=None,
auth_token=None): region_name=None, auth_token=None):
self.keystone = managers.KeystoneManager( self.keystone = managers.KeystoneManager(
username, password, username, password,
tenant_name, tenant_name,
auth_url, insecure, auth_url, cert, key, insecure,
endpoint_type, endpoint_type,
region_name=region_name, region_name=region_name,
auth_token=auth_token auth_token=auth_token
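Review bot: In `__init__` the new call passes `cert, key, insecure, endpoint_type` positionally, but `_setup_managers` now declares them as `insecure, endpoint_type, cert=None, key=None`, so inside `_setup_managers` the name `cert` holds the caller's `insecure` flag and `insecure` holds the certificate path, and the `=None` defaults on `cert`/`key` can never apply. The forwarding line `auth_url, cert, key, insecure,` then meets `KeystoneManager(..., insecure, endpoint_type='publicURL', cert=None, key=None, ...)` in the other file of this commit and swaps the four values a second time, so they land in the right attributes only because two mistakes cancel. Passing them by keyword removes that dependence: `self._setup_managers(username, password, tenant_name, auth_url, insecure, endpoint_type, cert=cert, key=key, region_name=region_name, auth_token=auth_token)` in `__init__`, and `auth_url, insecure, endpoint_type, cert=cert, key=key,` in `_setup_managers`. Both hunks cut the enclosing class, and the `KeystoneManager(` call continues past the last line shown.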


@ -33,11 +33,14 @@ class KeystoneManager(object):
_client = None _client = None
def __init__(self, username, password, project, auth_url, insecure, def __init__(self, username, password, project, auth_url, insecure,
endpoint_type='publicURL', region_name=None, auth_token=None): endpoint_type='publicURL', cert=None, key=None,
region_name=None, auth_token=None):
self.username = username self.username = username
self.password = password self.password = password
self.project = project self.project = project
self.auth_url = auth_url self.auth_url = auth_url
self.cert = cert
self.key = key
self.insecure = insecure self.insecure = insecure
self.region_name = region_name self.region_name = region_name
self.endpoint_type = endpoint_type self.endpoint_type = endpoint_type
@ -54,6 +57,8 @@ class KeystoneManager(object):
password=self.password, password=self.password,
tenant_name=self.project, tenant_name=self.project,
auth_url=self.auth_url, auth_url=self.auth_url,
cert=self.cert,
key=self.key,
region_name=self.region_name, region_name=self.region_name,
insecure=self.insecure, insecure=self.insecure,
endpoint_type=self.endpoint_type, endpoint_type=self.endpoint_type,
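Review bot: `cert=None, key=None` are inserted between `endpoint_type` and `region_name` in the `__init__` signature, so any existing caller that passed `region_name` or `auth_token` positionally would now bind them to `cert`/`key` without any error; appending the new parameters after `auth_token` (or, if only Python 3 matters, making them keyword-only) keeps the existing positional contract intact. The one call site visible on this page, `_setup_managers` in flame.py, already relies on positional order for exactly these four values, which is where such a shift goes unnoticed. The second hunk forwards `cert=self.cert, key=self.key` into a client constructor whose opening and closing lines lie outside the hunk, so whether the receiving constructor accepts those keywords cannot be confirmed here and should be checked against the keystoneclient version the project pins.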