182 lines
6.0 KiB
Python
182 lines
6.0 KiB
Python
# Copyright (c) 2016 Mirantis, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import os
|
|
|
|
from keystoneauth1 import identity
|
|
from keystoneauth1 import loading as ka_loading
|
|
from keystoneclient.v3 import client as ks_client
|
|
from oslo_config import cfg
|
|
from oslo_log import log as logging
|
|
from oslo_log import versionutils
|
|
|
|
from murano.dsl import helpers
|
|
|
|
|
|
CFG_KEYSTONE_GROUP = 'keystone_authtoken'
|
|
CFG_MURANO_AUTH_GROUP = 'murano_auth'
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
cfg.CONF.import_group(CFG_KEYSTONE_GROUP, 'keystonemiddleware.auth_token')
|
|
|
|
|
|
def _get_keystone_auth(trust_id=None):
|
|
kwargs = {}
|
|
if trust_id:
|
|
# Remove project_name and project_id, since we need a trust scoped
|
|
# auth object
|
|
kwargs['project_name'] = None
|
|
kwargs['project_domain_name'] = None
|
|
kwargs['project_id'] = None
|
|
kwargs['trust_id'] = trust_id
|
|
auth = ka_loading.load_auth_from_conf_options(
|
|
cfg.CONF,
|
|
CFG_MURANO_AUTH_GROUP,
|
|
**kwargs)
|
|
return auth
|
|
|
|
|
|
def _create_keystone_admin_client():
|
|
auth = _get_keystone_auth()
|
|
session = _get_session(auth=auth)
|
|
return ks_client.Client(session=session)
|
|
|
|
|
|
def get_client_session(execution_session=None, conf=None):
|
|
if not execution_session:
|
|
execution_session = helpers.get_execution_session()
|
|
trust_id = execution_session.trust_id
|
|
if trust_id is None:
|
|
return get_token_client_session(
|
|
token=execution_session.token,
|
|
project_id=execution_session.project_id)
|
|
auth = _get_keystone_auth(trust_id)
|
|
session = _get_session(auth=auth, conf_section=conf)
|
|
return session
|
|
|
|
|
|
def get_token_client_session(token=None, project_id=None, conf=None):
|
|
www_authenticate_uri = \
|
|
cfg.CONF[CFG_MURANO_AUTH_GROUP].www_authenticate_uri
|
|
if not www_authenticate_uri:
|
|
versionutils.report_deprecated_feature(
|
|
LOG, 'Please configure www_authenticate_uri in ' +
|
|
CFG_MURANO_AUTH_GROUP + 'group')
|
|
www_authenticate_uri = \
|
|
cfg.CONF[CFG_KEYSTONE_GROUP].www_authenticate_uri
|
|
if not (www_authenticate_uri.endswith('v2.0') or
|
|
www_authenticate_uri.endswith('v3')):
|
|
auth_url = os.path.join(www_authenticate_uri, 'v3')
|
|
elif www_authenticate_uri.endswith('v2.0'):
|
|
auth_url = www_authenticate_uri.replace('v2.0', 'v3')
|
|
else:
|
|
auth_url = www_authenticate_uri
|
|
|
|
if token is None or project_id is None:
|
|
execution_session = helpers.get_execution_session()
|
|
token = execution_session.token
|
|
project_id = execution_session.project_id
|
|
token_auth = identity.Token(
|
|
auth_url,
|
|
token=token,
|
|
project_id=project_id)
|
|
session = _get_session(auth=token_auth, conf_section=conf)
|
|
return session
|
|
|
|
|
|
def create_keystone_client(token=None, project_id=None, conf=None):
|
|
return ks_client.Client(session=get_token_client_session(
|
|
token=token, project_id=project_id, conf=conf))
|
|
|
|
|
|
def create_trust(trustee_token=None, trustee_project_id=None):
|
|
admin_client = _create_keystone_admin_client()
|
|
user_client = create_keystone_client(
|
|
token=trustee_token, project_id=trustee_project_id)
|
|
trustee_user = admin_client.session.auth.get_user_id(admin_client.session)
|
|
auth_ref = user_client.session.auth.get_access(user_client.session)
|
|
trustor_user = auth_ref.user_id
|
|
project = auth_ref.project_id
|
|
roles = auth_ref.role_names
|
|
trust = user_client.trusts.create(
|
|
trustor_user=trustor_user,
|
|
trustee_user=trustee_user,
|
|
impersonation=True,
|
|
role_names=roles,
|
|
project=project)
|
|
return trust.id
|
|
|
|
|
|
def delete_trust(session):
|
|
user_client = create_keystone_client(
|
|
token=session.token, project_id=session.project_id)
|
|
user_client.trusts.delete(session.trust_id)
|
|
|
|
|
|
def _get_config_option(conf_section, option_name, default=None):
|
|
if conf_section and hasattr(cfg.CONF[conf_section], option_name):
|
|
return getattr(cfg.CONF[conf_section], option_name)
|
|
return default
|
|
|
|
|
|
def _get_session(auth, conf_section=None):
|
|
# Fallback to murano_auth section for TLS parameters
|
|
# if no other conf_section supplied
|
|
if not conf_section:
|
|
conf_section = CFG_MURANO_AUTH_GROUP
|
|
session = ka_loading.load_session_from_conf_options(
|
|
auth=auth,
|
|
conf=cfg.CONF,
|
|
group=conf_section)
|
|
return session
|
|
|
|
|
|
def get_session_client_parameters(service_type=None,
|
|
region='',
|
|
interface=None,
|
|
service_name=None,
|
|
conf=None,
|
|
session=None,
|
|
execution_session=None):
|
|
if region == '':
|
|
region = cfg.CONF.home_region
|
|
result = {
|
|
'session': session or get_client_session(
|
|
execution_session=execution_session, conf=conf)
|
|
}
|
|
|
|
url = _get_config_option(conf, 'url')
|
|
if url:
|
|
result['endpoint_override'] = url
|
|
else:
|
|
if not interface:
|
|
interface = _get_config_option(conf, 'endpoint_type')
|
|
result.update({
|
|
'service_type': service_type,
|
|
'service_name': service_name,
|
|
'interface': interface,
|
|
'region_name': region
|
|
})
|
|
return result
|
|
|
|
|
|
def get_user(uid):
|
|
client = _create_keystone_admin_client()
|
|
return client.users.get(uid).to_dict()
|
|
|
|
|
|
def get_project(pid):
|
|
client = _create_keystone_admin_client()
|
|
return client.projects.get(pid).to_dict()
|