diff options
author | WuKong <rebirthmonkey@gmail.com> | 2015-07-01 08:54:55 +0200 |
---|---|---|
committer | WuKong <rebirthmonkey@gmail.com> | 2015-07-01 08:54:55 +0200 |
commit | 03bf0c32a0c656d4b91bebedc87a005e6d7563bb (patch) | |
tree | 7ab486ea98c8255bd28b345e9fd5b54d1b31c802 /keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py | |
parent | 53d12675bc07feb552492df2d01fcd298167c363 (diff) |
migrate openstack hook to opnfv
Change-Id: I1e828dae38820fdff93966e57691b344af01140f
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py')
-rw-r--r-- | keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py | 181 |
1 files changed, 181 insertions, 0 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py new file mode 100644 index 00000000..acc32ca5 --- /dev/null +++ b/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py @@ -0,0 +1,181 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import logging + +from keystoneclient import auth +from keystoneclient.auth.identity import v2 +from keystoneclient.auth import token_endpoint +from keystoneclient import discover +from oslo_config import cfg + +from keystonemiddleware.auth_token import _base +from keystonemiddleware.i18n import _, _LW + + +_LOG = logging.getLogger(__name__) + + +class AuthTokenPlugin(auth.BaseAuthPlugin): + + def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix, + admin_user, admin_password, admin_tenant_name, admin_token, + identity_uri, log): + # NOTE(jamielennox): it does appear here that our default arguments + # are backwards. We need to do it this way so that we can handle the + # same deprecation strategy for CONF and the conf variable. + if not identity_uri: + log.warning(_LW('Configuring admin URI using auth fragments. ' + 'This is deprecated, use \'identity_uri\'' + ' instead.')) + + if ':' in auth_host: + # Note(dzyu) it is an IPv6 address, so it needs to be wrapped + # with '[]' to generate a valid IPv6 URL, based on + # http://www.ietf.org/rfc/rfc2732.txt + auth_host = '[%s]' % auth_host + + identity_uri = '%s://%s:%s' % (auth_protocol, + auth_host, + auth_port) + + if auth_admin_prefix: + identity_uri = '%s/%s' % (identity_uri, + auth_admin_prefix.strip('/')) + + self._identity_uri = identity_uri.rstrip('/') + + # FIXME(jamielennox): Yes. This is wrong. We should be determining the + # plugin to use based on a combination of discovery and inputs. Much + # of this can be changed when we get keystoneclient 0.10. For now this + # hardcoded path is EXACTLY the same as the original auth_token did. + auth_url = '%s/v2.0' % self._identity_uri + + if admin_token: + log.warning(_LW( + "The admin_token option in the auth_token middleware is " + "deprecated and should not be used. The admin_user and " + "admin_password options should be used instead. The " + "admin_token option may be removed in a future release.")) + self._plugin = token_endpoint.Token(auth_url, admin_token) + else: + self._plugin = v2.Password(auth_url, + username=admin_user, + password=admin_password, + tenant_name=admin_tenant_name) + + self._LOG = log + self._discover = None + + def get_token(self, *args, **kwargs): + return self._plugin.get_token(*args, **kwargs) + + def get_endpoint(self, session, interface=None, version=None, **kwargs): + """Return an endpoint for the client. + + There are no required keyword arguments to ``get_endpoint`` as a plugin + implementation should use best effort with the information available to + determine the endpoint. + + :param session: The session object that the auth_plugin belongs to. + :type session: keystoneclient.session.Session + :param tuple version: The version number required for this endpoint. + :param str interface: what visibility the endpoint should have. + + :returns: The base URL that will be used to talk to the required + service or None if not available. + :rtype: string + """ + if interface == auth.AUTH_INTERFACE: + return self._identity_uri + + if not version: + # NOTE(jamielennox): This plugin can only be used within auth_token + # and auth_token will always provide version= with requests. + return None + + if not self._discover: + self._discover = discover.Discover(session, + auth_url=self._identity_uri, + authenticated=False) + + if not self._discover.url_for(version): + # NOTE(jamielennox): The requested version is not supported by the + # identity server. + return None + + # NOTE(jamielennox): for backwards compatibility here we don't + # actually use the URL from discovery we hack it up instead. :( + if version[0] == 2: + return '%s/v2.0' % self._identity_uri + elif version[0] == 3: + return '%s/v3' % self._identity_uri + + # NOTE(jamielennox): This plugin will only get called from auth_token + # middleware. The middleware should never request a version that the + # plugin doesn't know how to handle. + msg = _('Invalid version asked for in auth_token plugin') + raise NotImplementedError(msg) + + def invalidate(self): + return self._plugin.invalidate() + + @classmethod + def get_options(cls): + options = super(AuthTokenPlugin, cls).get_options() + + options.extend([ + cfg.StrOpt('auth_admin_prefix', + default='', + help='Prefix to prepend at the beginning of the path. ' + 'Deprecated, use identity_uri.'), + cfg.StrOpt('auth_host', + default='127.0.0.1', + help='Host providing the admin Identity API endpoint. ' + 'Deprecated, use identity_uri.'), + cfg.IntOpt('auth_port', + default=35357, + help='Port of the admin Identity API endpoint. ' + 'Deprecated, use identity_uri.'), + cfg.StrOpt('auth_protocol', + default='https', + help='Protocol of the admin Identity API endpoint ' + '(http or https). Deprecated, use identity_uri.'), + cfg.StrOpt('identity_uri', + default=None, + help='Complete admin Identity API endpoint. This ' + 'should specify the unversioned root endpoint ' + 'e.g. https://localhost:35357/'), + cfg.StrOpt('admin_token', + secret=True, + help='This option is deprecated and may be removed in ' + 'a future release. Single shared secret with the ' + 'Keystone configuration used for bootstrapping a ' + 'Keystone installation, or otherwise bypassing ' + 'the normal authentication process. This option ' + 'should not be used, use `admin_user` and ' + '`admin_password` instead.'), + cfg.StrOpt('admin_user', + help='Service username.'), + cfg.StrOpt('admin_password', + secret=True, + help='Service user password.'), + cfg.StrOpt('admin_tenant_name', + default='admin', + help='Service tenant name.'), + ]) + + return options + + +auth.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP) +AuthTokenPlugin.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP) |