24 | 24 |
from cryptography import x509 as cryptography_x509
|
25 | 25 |
from keystoneauth1 import identity
|
26 | 26 |
from keystoneauth1 import loading
|
|
27 |
from keystoneauth1 import service_token
|
27 | 28 |
from keystoneauth1 import session
|
28 | 29 |
from oslo_config import cfg
|
29 | 30 |
from oslo_log import log as logging
|
|
79 | 80 |
cfg.StrOpt('barbican_region_name',
|
80 | 81 |
default=None,
|
81 | 82 |
help='Specifies the region of the chosen endpoint.'),
|
82 | |
|
|
83 |
cfg.BoolOpt('send_service_user_token',
|
|
84 |
default=False,
|
|
85 |
help="""
|
|
86 |
When True, if sending a user token to a REST API, also send a service token.
|
|
87 |
|
|
88 |
Nova often reuses the user token provided to the nova-api to talk to other REST
|
|
89 |
APIs, such as Cinder, Glance and Neutron. It is possible that while the user
|
|
90 |
token was valid when the request was made to Nova, the token may expire before
|
|
91 |
it reaches the other service. To avoid any failures, and to make it clear it is
|
|
92 |
Nova calling the service on the user's behalf, we include a service token along
|
|
93 |
with the user token. Should the user's token have expired, a valid service
|
|
94 |
token ensures the REST API request will still be accepted by the keystone
|
|
95 |
middleware.
|
|
96 |
"""),
|
83 | 97 |
]
|
84 | 98 |
|
|
99 |
|
85 | 100 |
_BARBICAN_OPT_GROUP = 'barbican'
|
|
101 |
_BARBICAN_SERVICE_USER_OPT_GROUP = 'barbican_service_user'
|
86 | 102 |
|
87 | 103 |
LOG = logging.getLogger(__name__)
|
88 | 104 |
|
|
97 | 113 |
self.conf.register_opts(_barbican_opts, group=_BARBICAN_OPT_GROUP)
|
98 | 114 |
loading.register_session_conf_options(self.conf, _BARBICAN_OPT_GROUP)
|
99 | 115 |
|
|
116 |
loading.register_session_conf_options(self.conf,
|
|
117 |
_BARBICAN_SERVICE_USER_OPT_GROUP)
|
|
118 |
loading.register_auth_conf_options(self.conf,
|
|
119 |
_BARBICAN_SERVICE_USER_OPT_GROUP)
|
|
120 |
|
100 | 121 |
def _get_barbican_client(self, context):
|
101 | 122 |
"""Creates a client to connect to the Barbican service.
|
102 | 123 |
|
|
143 | 164 |
|
144 | 165 |
def _get_keystone_auth(self, context):
|
145 | 166 |
if context.__class__.__name__ == 'KeystonePassword':
|
146 | |
return identity.Password(
|
|
167 |
auth = identity.Password(
|
147 | 168 |
auth_url=context.auth_url,
|
148 | 169 |
username=context.username,
|
149 | 170 |
password=context.password,
|
|
159 | 180 |
project_domain_name=context.project_domain_name,
|
160 | 181 |
reauthenticate=context.reauthenticate)
|
161 | 182 |
elif context.__class__.__name__ == 'KeystoneToken':
|
162 | |
return identity.Token(
|
|
183 |
auth = identity.Token(
|
163 | 184 |
auth_url=context.auth_url,
|
164 | 185 |
token=context.token,
|
165 | 186 |
trust_id=context.trust_id,
|
|
174 | 195 |
# projects begin to use utils.credential_factory
|
175 | 196 |
elif context.__class__.__name__ == 'RequestContext':
|
176 | 197 |
if getattr(context, 'get_auth_plugin', None):
|
177 | |
return context.get_auth_plugin()
|
|
198 |
auth = context.get_auth_plugin()
|
178 | 199 |
else:
|
179 | |
return identity.Token(
|
|
200 |
auth = identity.Token(
|
180 | 201 |
auth_url=self.conf.barbican.auth_endpoint,
|
181 | 202 |
token=context.auth_token,
|
182 | 203 |
project_id=context.project_id,
|
|
188 | 209 |
"KeystoneToken, or RequestContext.")
|
189 | 210 |
LOG.error(msg)
|
190 | 211 |
raise exception.Forbidden(reason=msg)
|
|
212 |
|
|
213 |
if self.conf.barbican.send_service_user_token:
|
|
214 |
service_auth = loading.load_auth_from_conf_options(
|
|
215 |
self.conf,
|
|
216 |
group=_BARBICAN_SERVICE_USER_OPT_GROUP)
|
|
217 |
auth = service_token.ServiceTokenAuthWrapper(
|
|
218 |
user_auth=auth,
|
|
219 |
service_auth=service_auth)
|
|
220 |
|
|
221 |
return auth
|
191 | 222 |
|
192 | 223 |
def _get_barbican_endpoint(self, auth, sess):
|
193 | 224 |
if self.conf.barbican.barbican_endpoint:
|
|
652 | 683 |
return objects
|
653 | 684 |
|
654 | 685 |
def list_options_for_discovery(self):
|
655 | |
return [(_BARBICAN_OPT_GROUP, _barbican_opts)]
|
|
686 |
barbican_service_user_opts = loading.get_session_conf_options()
|
|
687 |
barbican_service_user_opts += loading.get_auth_common_conf_options()
|
|
688 |
|
|
689 |
return [
|
|
690 |
(_BARBICAN_OPT_GROUP, _barbican_opts),
|
|
691 |
(_BARBICAN_SERVICE_USER_OPT_GROUP, barbican_service_user_opts),
|
|
692 |
]
|
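Review bot: `service_auth` returned by `loading.load_auth_from_conf_options` is handed straight to `service_token.ServiceTokenAuthWrapper` (new lines 214–219) without checking that a plugin was actually loaded; keystoneauth1 returns None when the `[barbican_service_user]` group has no `auth_type` configured, so a deployment that sets `send_service_user_token = True` without configuring the service user does not fail here with a clear configuration error but later, at request time, inside the wrapper. Add a guard before constructing the wrapper, e.g. `if service_auth is None:` followed by `LOG.error(msg)` and a raise mirroring the `exception.Forbidden(reason=msg)` path a few lines above (or a configuration-error type if the module has one), with `msg` naming the `barbican_service_user` group as the thing left unconfigured. The help text added at new lines 86–95 also talks about Nova calling Cinder, Glance and Neutron, which reads as copied from another project and does not say what the flag does for Barbican requests in this module; a sentence stating that the service credentials are read from the `[barbican_service_user]` group would be more useful to operators.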