Gitiles
Code Review Sign In
osm.etsi.org / osm / NBI / refs/heads/feature7106 / . / osm_nbi / authconn_keystone.py
blob: 518f47f79cf7e6f675bc3c6f9f87b89c88390a85 [file] [log] [blame]
# -*- coding: utf-8 -*-
# Copyright 2018 Whitestack, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# For those usages not covered by the Apache License, Version 2.0 please
# contact: esousa@whitestack.com or glavado@whitestack.com
##
"""
AuthconnKeystone implements implements the connector for
Openstack Keystone and leverages the RBAC model, to bring
it for OSM.
"""
import time
__author__ = "Eduardo Sousa <esousa@whitestack.com>"
__date__ = "$27-jul-2018 23:59:59$"
from authconn import Authconn, AuthException, AuthconnOperationException
import logging
import requests
from keystoneauth1 import session
from keystoneauth1.identity import v3
from keystoneauth1.exceptions.base import ClientException
from keystoneauth1.exceptions.http import Conflict
from keystoneclient.v3 import client
from http import HTTPStatus
class AuthconnKeystone(Authconn):
def __init__(self, config):
Authconn.__init__(self, config)
self.logger = logging.getLogger("nbi.authenticator.keystone")
self.auth_url = "http://{0}:{1}/v3".format(config.get("auth_url", "keystone"), config.get("auth_port", "5000"))
self.user_domain_name = config.get("user_domain_name", "default")
self.admin_project = config.get("service_project", "service")
self.admin_username = config.get("service_username", "nbi")
self.admin_password = config.get("service_password", "nbi")
self.project_domain_name = config.get("project_domain_name", "default")
# Waiting for Keystone to be up
available = None
counter = 300
while available is None:
time.sleep(1)
try:
result = requests.get(self.auth_url)
available = True if result.status_code == 200 else None
except Exception:
counter -= 1
if counter == 0:
raise AuthException("Keystone not available after 300s timeout")
self.auth = v3.Password(user_domain_name=self.user_domain_name,
username=self.admin_username,
password=self.admin_password,
project_domain_name=self.project_domain_name,
project_name=self.admin_project,
auth_url=self.auth_url)
self.sess = session.Session(auth=self.auth)
self.keystone = client.Client(session=self.sess)
def authenticate_with_user_password(self, user, password):
"""
Authenticate a user using username and password.
:param user: username
:param password: password
:return: an unscoped token that grants access to project list
"""
try:
user_id = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0].id
project_names = [project.name for project in self.keystone.projects.list(user=user_id)]
token = self.keystone.get_raw_token_from_identity_service(
auth_url=self.auth_url,
username=user,
password=password,
user_domain_name=self.user_domain_name,
project_domain_name=self.project_domain_name)
return token["auth_token"], project_names
except ClientException:
self.logger.exception("Error during user authentication using keystone. Method: basic")
raise AuthException("Error during user authentication using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def authenticate_with_token(self, token, project=None):
"""
Authenticate a user using a token. Can be used to revalidate the token
or to get a scoped token.
:param token: a valid token.
:param project: (optional) project for a scoped token.
:return: return a revalidated token, scoped if a project was passed or
the previous token was already scoped.
"""
try:
token_info = self.keystone.tokens.validate(token=token)
projects = self.keystone.projects.list(user=token_info["user"]["id"])
project_names = [project.name for project in projects]
new_token = self.keystone.get_raw_token_from_identity_service(
auth_url=self.auth_url,
token=token,
project_name=project,
user_domain_name=self.user_domain_name,
project_domain_name=self.project_domain_name)
return new_token["auth_token"], project_names
except ClientException:
self.logger.exception("Error during user authentication using keystone. Method: bearer")
raise AuthException("Error during user authentication using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def validate_token(self, token):
"""
Check if the token is valid.
:param token: token to validate
:return: dictionary with information associated with the token. If the
token is not valid, returns None.
"""
if not token:
return
try:
token_info = self.keystone.tokens.validate(token=token)
return token_info
except ClientException:
self.logger.exception("Error during token validation using keystone")
raise AuthException("Error during token validation using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def revoke_token(self, token):
"""
Invalidate a token.
:param token: token to be revoked
"""
try:
self.logger.info("Revoking token: " + token)
self.keystone.tokens.revoke_token(token=token)
return True
except ClientException:
self.logger.exception("Error during token revocation using keystone")
raise AuthException("Error during token revocation using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def get_project_list(self, token):
"""
Get all the projects associated with a user.
:param token: valid token
:return: list of projects
"""
try:
token_info = self.keystone.tokens.validate(token=token)
projects = self.keystone.projects.list(user=token_info["user"]["id"])
project_names = [project.name for project in projects]
return project_names
except ClientException:
self.logger.exception("Error during user project listing using keystone")
raise AuthException("Error during user project listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def get_role_list(self, token):
"""
Get role list for a scoped project.
:param token: scoped token.
:return: returns the list of roles for the user in that project. If
the token is unscoped it returns None.
"""
try:
token_info = self.keystone.tokens.validate(token=token)
roles_info = self.keystone.roles.list(user=token_info["user"]["id"], project=token_info["project"]["id"])
roles = [role.name for role in roles_info]
return roles
except ClientException:
self.logger.exception("Error during user role listing using keystone")
raise AuthException("Error during user role listing using Keystone", http_code=HTTPStatus.UNAUTHORIZED)
def create_user(self, user, password):
"""
Create a user.
:param user: username.
:param password: password.
:raises AuthconnOperationException: if user creation failed.
"""
try:
self.keystone.users.create(user, password=password, domain=self.user_domain_name)
except ClientException:
self.logger.exception("Error during user creation using keystone")
raise AuthconnOperationException("Error during user creation using Keystone")
def change_password(self, user, new_password):
"""
Change the user password.
:param user: username.
:param new_password: new password.
:raises AuthconnOperationException: if user password change failed.
"""
try:
user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
self.keystone.users.update(user_obj, password=new_password)
except ClientException:
self.logger.exception("Error during user password update using keystone")
raise AuthconnOperationException("Error during user password update using Keystone")
def delete_user(self, user):
"""
Delete user.
:param user: username.
:raises AuthconnOperationException: if user deletion failed.
"""
try:
user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
self.keystone.users.delete(user_obj)
except ClientException:
self.logger.exception("Error during user deletion using keystone")
raise AuthconnOperationException("Error during user deletion using Keystone")
def create_role(self, role):
"""
Create a role.
:param role: role name.
:raises AuthconnOperationException: if role creation failed.
"""
try:
self.keystone.roles.create(role)
except Conflict as ex:
self.logger.info("Duplicate entry: %s", str(ex))
except ClientException:
self.logger.exception("Error during role creation using keystone")
raise AuthconnOperationException("Error during role creation using Keystone")
def delete_role(self, role):
"""
Delete a role.
:param role: role name.
:raises AuthconnOperationException: if role deletion failed.
"""
try:
role_obj = list(filter(lambda x: x.name == role, self.keystone.roles.list()))[0]
self.keystone.roles.delete(role_obj)
except ClientException:
self.logger.exception("Error during role deletion using keystone")
raise AuthconnOperationException("Error during role deletion using Keystone")
def create_project(self, project):
"""
Create a project.
:param project: project name.
:raises AuthconnOperationException: if project creation failed.
"""
try:
self.keystone.project.create(project, self.project_domain_name)
except ClientException:
self.logger.exception("Error during project creation using keystone")
raise AuthconnOperationException("Error during project creation using Keystone")
def delete_project(self, project):
"""
Delete a project.
:param project: project name.
:raises AuthconnOperationException: if project deletion failed.
"""
try:
project_obj = list(filter(lambda x: x.name == project, self.keystone.projects.list()))[0]
self.keystone.project.delete(project_obj)
except ClientException:
self.logger.exception("Error during project deletion using keystone")
raise AuthconnOperationException("Error during project deletion using Keystone")
def assign_role_to_user(self, user, project, role):
"""
Assigning a role to a user in a project.
:param user: username.
:param project: project name.
:param role: role name.
:raises AuthconnOperationException: if role assignment failed.
"""
try:
user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
project_obj = list(filter(lambda x: x.name == project, self.keystone.projects.list()))[0]
role_obj = list(filter(lambda x: x.name == role, self.keystone.roles.list()))[0]
self.keystone.roles.grant(role_obj, user=user_obj, project=project_obj)
except ClientException:
self.logger.exception("Error during user role assignment using keystone")
raise AuthconnOperationException("Error during user role assignment using Keystone")
def remove_role_from_user(self, user, project, role):
"""
Remove a role from a user in a project.
:param user: username.
:param project: project name.
:param role: role name.
:raises AuthconnOperationException: if role assignment revocation failed.
"""
try:
user_obj = list(filter(lambda x: x.name == user, self.keystone.users.list()))[0]
project_obj = list(filter(lambda x: x.name == project, self.keystone.projects.list()))[0]
role_obj = list(filter(lambda x: x.name == role, self.keystone.roles.list()))[0]
self.keystone.roles.revoke(role_obj, user=user_obj, project=project_obj)
except ClientException:
self.logger.exception("Error during user role revocation using keystone")
raise AuthconnOperationException("Error during user role revocation using Keystone")