| 1 |
|
# -*- coding: utf-8 -*- |
| 2 |
|
|
| 3 |
|
# Copyright 2018 Whitestack, LLC |
| 4 |
|
# |
| 5 |
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 6 |
|
# not use this file except in compliance with the License. You may obtain |
| 7 |
|
# a copy of the License at |
| 8 |
|
# |
| 9 |
|
# http://www.apache.org/licenses/LICENSE-2.0 |
| 10 |
|
# |
| 11 |
|
# Unless required by applicable law or agreed to in writing, software |
| 12 |
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 13 |
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 14 |
|
# License for the specific language governing permissions and limitations |
| 15 |
|
# under the License. |
| 16 |
|
# |
| 17 |
|
# For those usages not covered by the Apache License, Version 2.0 please |
| 18 |
|
# contact: esousa@whitestack.com or glavado@whitestack.com |
| 19 |
|
## |
| 20 |
|
|
| 21 |
1 |
""" |
| 22 |
|
AuthconnKeystone implements implements the connector for |
| 23 |
|
Openstack Keystone and leverages the RBAC model, to bring |
| 24 |
|
it for OSM. |
| 25 |
|
""" |
| 26 |
|
|
| 27 |
|
|
| 28 |
1 |
__author__ = ( |
| 29 |
|
"Eduardo Sousa <esousa@whitestack.com>, " |
| 30 |
|
"Pedro de la Cruz Ramos <pdelacruzramos@altran.com>" |
| 31 |
|
) |
| 32 |
1 |
__date__ = "$27-jul-2018 23:59:59$" |
| 33 |
|
|
| 34 |
1 |
from osm_nbi.authconn import ( |
| 35 |
|
Authconn, |
| 36 |
|
AuthException, |
| 37 |
|
AuthconnOperationException, |
| 38 |
|
AuthconnNotFoundException, |
| 39 |
|
AuthconnConflictException, |
| 40 |
|
) |
| 41 |
|
|
| 42 |
1 |
import logging |
| 43 |
1 |
import requests |
| 44 |
1 |
import time |
| 45 |
1 |
from keystoneauth1 import session |
| 46 |
1 |
from keystoneauth1.identity import v3 |
| 47 |
1 |
from keystoneauth1.exceptions.base import ClientException |
| 48 |
1 |
from keystoneauth1.exceptions.http import Conflict |
| 49 |
1 |
from keystoneclient.v3 import client |
| 50 |
1 |
from http import HTTPStatus |
| 51 |
1 |
from osm_nbi.validation import is_valid_uuid, validate_input, http_schema |
| 52 |
|
|
| 53 |
|
|
| 54 |
1 |
class AuthconnKeystone(Authconn): |
| 55 |
1 |
def __init__(self, config, db, role_permissions): |
| 56 |
0 |
Authconn.__init__(self, config, db, role_permissions) |
| 57 |
|
|
| 58 |
0 |
self.logger = logging.getLogger("nbi.authenticator.keystone") |
| 59 |
0 |
self.domains_id2name = {} |
| 60 |
0 |
self.domains_name2id = {} |
| 61 |
|
|
| 62 |
0 |
self.auth_url = config.get("auth_url") |
| 63 |
0 |
if config.get("auth_url"): |
| 64 |
0 |
validate_input(self.auth_url, http_schema) |
| 65 |
|
else: |
| 66 |
0 |
self.auth_url = "http://{0}:{1}/v3".format( |
| 67 |
|
config.get("auth_host", "keystone"), config.get("auth_port", "5000") |
| 68 |
|
) |
| 69 |
0 |
self.user_domain_name_list = config.get("user_domain_name", "default") |
| 70 |
0 |
self.user_domain_name_list = self.user_domain_name_list.split(",") |
| 71 |
|
# read only domain list |
| 72 |
0 |
self.user_domain_ro_list = [ |
| 73 |
|
x[:-3] for x in self.user_domain_name_list if x.endswith(":ro") |
| 74 |
|
] |
| 75 |
|
# remove the ":ro" |
| 76 |
0 |
self.user_domain_name_list = [ |
| 77 |
|
x if not x.endswith(":ro") else x[:-3] for x in self.user_domain_name_list |
| 78 |
|
] |
| 79 |
|
|
| 80 |
0 |
self.admin_project = config.get("service_project", "service") |
| 81 |
0 |
self.admin_username = config.get("service_username", "nbi") |
| 82 |
0 |
self.admin_password = config.get("service_password", "nbi") |
| 83 |
0 |
self.project_domain_name_list = config.get("project_domain_name", "default") |
| 84 |
0 |
self.project_domain_name_list = self.project_domain_name_list.split(",") |
| 85 |
0 |
if len(self.user_domain_name_list) != len(self.project_domain_name_list): |
| 86 |
0 |
raise ValueError( |
| 87 |
|
"Invalid configuration parameter fo authenticate. 'project_domain_name' and " |
| 88 |
|
"'user_domain_name' must be a comma-separated list with the same size. Revise " |
| 89 |
|
"configuration or/and 'OSMNBI_AUTHENTICATION_PROJECT_DOMAIN_NAME', " |
| 90 |
|
"'OSMNBI_AUTHENTICATION_USER_DOMAIN_NAME' Variables" |
| 91 |
|
) |
| 92 |
|
|
| 93 |
|
# Waiting for Keystone to be up |
| 94 |
0 |
available = None |
| 95 |
0 |
counter = 300 |
| 96 |
0 |
while available is None: |
| 97 |
0 |
time.sleep(1) |
| 98 |
0 |
try: |
| 99 |
0 |
result = requests.get(self.auth_url) |
| 100 |
0 |
available = True if result.status_code == 200 else None |
| 101 |
0 |
except Exception: |
| 102 |
0 |
counter -= 1 |
| 103 |
0 |
if counter == 0: |
| 104 |
0 |
raise AuthException("Keystone not available after 300s timeout") |
| 105 |
|
|
| 106 |
0 |
self.auth = v3.Password( |
| 107 |
|
user_domain_name=self.user_domain_name_list[0], |
| 108 |
|
username=self.admin_username, |
| 109 |
|
password=self.admin_password, |
| 110 |
|
project_domain_name=self.project_domain_name_list[0], |
| 111 |
|
project_name=self.admin_project, |
| 112 |
|
auth_url=self.auth_url, |
| 113 |
|
) |
| 114 |
0 |
self.sess = session.Session(auth=self.auth) |
| 115 |
0 |
self.keystone = client.Client( |
| 116 |
|
session=self.sess, endpoint_override=self.auth_url |
| 117 |
|
) |
| 118 |
|
|
| 119 |
1 |
def authenticate(self, credentials, token_info=None): |
| 120 |
|
""" |
| 121 |
|
Authenticate a user using username/password or token_info, plus project |
| 122 |
|
:param credentials: dictionary that contains: |
| 123 |
|
username: name, id or None |
| 124 |
|
password: password or None |
| 125 |
|
project_id: name, id, or None. If None first found project will be used to get an scope token |
| 126 |
|
project_domain_name: (Optional) To use a concrete domain for the project |
| 127 |
|
user_domain_name: (Optional) To use a concrete domain for the project |
| 128 |
|
other items are allowed and ignored |
| 129 |
|
:param token_info: previous token_info to obtain authorization |
| 130 |
|
:return: the scoped token info or raises an exception. The token is a dictionary with: |
| 131 |
|
_id: token string id, |
| 132 |
|
username: username, |
| 133 |
|
project_id: scoped_token project_id, |
| 134 |
|
project_name: scoped_token project_name, |
| 135 |
|
expires: epoch time when it expires, |
| 136 |
|
|
| 137 |
|
""" |
| 138 |
0 |
username = None |
| 139 |
0 |
user_id = None |
| 140 |
0 |
project_id = None |
| 141 |
0 |
project_name = None |
| 142 |
0 |
if credentials.get("project_domain_name"): |
| 143 |
0 |
project_domain_name_list = (credentials["project_domain_name"],) |
| 144 |
|
else: |
| 145 |
0 |
project_domain_name_list = self.project_domain_name_list |
| 146 |
0 |
if credentials.get("user_domain_name"): |
| 147 |
0 |
user_domain_name_list = (credentials["user_domain_name"],) |
| 148 |
|
else: |
| 149 |
0 |
user_domain_name_list = self.user_domain_name_list |
| 150 |
|
|
| 151 |
0 |
for index, project_domain_name in enumerate(project_domain_name_list): |
| 152 |
0 |
user_domain_name = user_domain_name_list[index] |
| 153 |
0 |
try: |
| 154 |
0 |
if credentials.get("username"): |
| 155 |
0 |
if is_valid_uuid(credentials["username"]): |
| 156 |
0 |
user_id = credentials["username"] |
| 157 |
|
else: |
| 158 |
0 |
username = credentials["username"] |
| 159 |
|
|
| 160 |
|
# get an unscoped token firstly |
| 161 |
0 |
unscoped_token = self.keystone.get_raw_token_from_identity_service( |
| 162 |
|
auth_url=self.auth_url, |
| 163 |
|
user_id=user_id, |
| 164 |
|
username=username, |
| 165 |
|
password=credentials.get("password"), |
| 166 |
|
user_domain_name=user_domain_name, |
| 167 |
|
project_domain_name=project_domain_name, |
| 168 |
|
) |
| 169 |
0 |
elif token_info: |
| 170 |
0 |
unscoped_token = self.keystone.tokens.validate( |
| 171 |
|
token=token_info.get("_id") |
| 172 |
|
) |
| 173 |
|
else: |
| 174 |
0 |
raise AuthException( |
| 175 |
|
"Provide credentials: username/password or Authorization Bearer token", |
| 176 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 177 |
|
) |
| 178 |
|
|
| 179 |
0 |
if not credentials.get("project_id"): |
| 180 |
|
# get first project for the user |
| 181 |
0 |
project_list = self.keystone.projects.list( |
| 182 |
|
user=unscoped_token["user"]["id"] |
| 183 |
|
) |
| 184 |
0 |
if not project_list: |
| 185 |
0 |
raise AuthException( |
| 186 |
|
"The user {} has not any project and cannot be used for authentication".format( |
| 187 |
|
credentials.get("username") |
| 188 |
|
), |
| 189 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 190 |
|
) |
| 191 |
0 |
project_id = project_list[0].id |
| 192 |
|
else: |
| 193 |
0 |
if is_valid_uuid(credentials["project_id"]): |
| 194 |
0 |
project_id = credentials["project_id"] |
| 195 |
|
else: |
| 196 |
0 |
project_name = credentials["project_id"] |
| 197 |
|
|
| 198 |
0 |
scoped_token = self.keystone.get_raw_token_from_identity_service( |
| 199 |
|
auth_url=self.auth_url, |
| 200 |
|
project_name=project_name, |
| 201 |
|
project_id=project_id, |
| 202 |
|
user_domain_name=user_domain_name, |
| 203 |
|
project_domain_name=project_domain_name, |
| 204 |
|
token=unscoped_token["auth_token"], |
| 205 |
|
) |
| 206 |
|
|
| 207 |
0 |
auth_token = { |
| 208 |
|
"_id": scoped_token.auth_token, |
| 209 |
|
"id": scoped_token.auth_token, |
| 210 |
|
"user_id": scoped_token.user_id, |
| 211 |
|
"username": scoped_token.username, |
| 212 |
|
"project_id": scoped_token.project_id, |
| 213 |
|
"project_name": scoped_token.project_name, |
| 214 |
|
"project_domain_name": scoped_token.project_domain_name, |
| 215 |
|
"user_domain_name": scoped_token.user_domain_name, |
| 216 |
|
"expires": scoped_token.expires.timestamp(), |
| 217 |
|
"issued_at": scoped_token.issued.timestamp(), |
| 218 |
|
} |
| 219 |
|
|
| 220 |
0 |
return auth_token |
| 221 |
0 |
except ClientException as e: |
| 222 |
0 |
if ( |
| 223 |
|
index >= len(user_domain_name_list) - 1 |
| 224 |
|
or index >= len(project_domain_name_list) - 1 |
| 225 |
|
): |
| 226 |
|
# if last try, launch exception |
| 227 |
|
# self.logger.exception("Error during user authentication using keystone: {}".format(e)) |
| 228 |
0 |
raise AuthException( |
| 229 |
|
"Error during user authentication using Keystone: {}".format(e), |
| 230 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 231 |
|
) |
| 232 |
|
|
| 233 |
1 |
def validate_token(self, token): |
| 234 |
|
""" |
| 235 |
|
Check if the token is valid. |
| 236 |
|
|
| 237 |
|
:param token: token id to be validated |
| 238 |
|
:return: dictionary with information associated with the token: |
| 239 |
|
"expires": |
| 240 |
|
"_id": token_id, |
| 241 |
|
"project_id": project_id, |
| 242 |
|
"username": , |
| 243 |
|
"roles": list with dict containing {name, id} |
| 244 |
|
If the token is not valid an exception is raised. |
| 245 |
|
""" |
| 246 |
0 |
if not token: |
| 247 |
0 |
return |
| 248 |
|
|
| 249 |
0 |
try: |
| 250 |
0 |
token_info = self.keystone.tokens.validate(token=token) |
| 251 |
0 |
ses = { |
| 252 |
|
"_id": token_info["auth_token"], |
| 253 |
|
"id": token_info["auth_token"], |
| 254 |
|
"project_id": token_info["project"]["id"], |
| 255 |
|
"project_name": token_info["project"]["name"], |
| 256 |
|
"user_id": token_info["user"]["id"], |
| 257 |
|
"username": token_info["user"]["name"], |
| 258 |
|
"roles": token_info["roles"], |
| 259 |
|
"expires": token_info.expires.timestamp(), |
| 260 |
|
"issued_at": token_info.issued.timestamp(), |
| 261 |
|
} |
| 262 |
|
|
| 263 |
0 |
return ses |
| 264 |
0 |
except ClientException as e: |
| 265 |
|
# self.logger.exception("Error during token validation using keystone: {}".format(e)) |
| 266 |
0 |
raise AuthException( |
| 267 |
|
"Error during token validation using Keystone: {}".format(e), |
| 268 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 269 |
|
) |
| 270 |
|
|
| 271 |
1 |
def revoke_token(self, token): |
| 272 |
|
""" |
| 273 |
|
Invalidate a token. |
| 274 |
|
|
| 275 |
|
:param token: token to be revoked |
| 276 |
|
""" |
| 277 |
0 |
try: |
| 278 |
0 |
self.logger.info("Revoking token: " + token) |
| 279 |
0 |
self.keystone.tokens.revoke_token(token=token) |
| 280 |
|
|
| 281 |
0 |
return True |
| 282 |
0 |
except ClientException as e: |
| 283 |
|
# self.logger.exception("Error during token revocation using keystone: {}".format(e)) |
| 284 |
0 |
raise AuthException( |
| 285 |
|
"Error during token revocation using Keystone: {}".format(e), |
| 286 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 287 |
|
) |
| 288 |
|
|
| 289 |
1 |
def _get_domain_id(self, domain_name, fail_if_not_found=True): |
| 290 |
|
""" |
| 291 |
|
Get the domain id from the domain_name |
| 292 |
|
:param domain_name: Can be the name or id |
| 293 |
|
:param fail_if_not_found: If False it returns None instead of raising an exception if not found |
| 294 |
|
:return: str or None/exception if domain is not found |
| 295 |
|
""" |
| 296 |
0 |
domain_id = self.domains_name2id.get(domain_name) |
| 297 |
0 |
if not domain_id: |
| 298 |
0 |
self._get_domains() |
| 299 |
0 |
domain_id = self.domains_name2id.get(domain_name) |
| 300 |
0 |
if not domain_id and domain_name in self.domains_id2name: |
| 301 |
|
# domain_name is already an id |
| 302 |
0 |
return domain_name |
| 303 |
0 |
if not domain_id and fail_if_not_found: |
| 304 |
0 |
raise AuthconnNotFoundException( |
| 305 |
|
"Domain {} cannot be found".format(domain_name) |
| 306 |
|
) |
| 307 |
0 |
return domain_id |
| 308 |
|
|
| 309 |
1 |
def _get_domains(self): |
| 310 |
|
""" |
| 311 |
|
Obtain a dictionary with domain_id to domain_name, stored at self.domains_id2name |
| 312 |
|
and from domain_name to domain_id, sored at self.domains_name2id |
| 313 |
|
:return: None. Exceptions are ignored |
| 314 |
|
""" |
| 315 |
0 |
try: |
| 316 |
0 |
domains = self.keystone.domains.list() |
| 317 |
0 |
self.domains_id2name = {x.id: x.name for x in domains} |
| 318 |
0 |
self.domains_name2id = {x.name: x.id for x in domains} |
| 319 |
0 |
except Exception: |
| 320 |
0 |
pass |
| 321 |
|
|
| 322 |
1 |
def create_user(self, user_info): |
| 323 |
|
""" |
| 324 |
|
Create a user. |
| 325 |
|
|
| 326 |
|
:param user_info: full user info. |
| 327 |
|
:raises AuthconnOperationException: if user creation failed. |
| 328 |
|
:return: returns the id of the user in keystone. |
| 329 |
|
""" |
| 330 |
0 |
try: |
| 331 |
0 |
if ( |
| 332 |
|
user_info.get("domain_name") |
| 333 |
|
and user_info["domain_name"] in self.user_domain_ro_list |
| 334 |
|
): |
| 335 |
0 |
raise AuthconnConflictException( |
| 336 |
|
"Cannot create a user in the read only domain {}".format( |
| 337 |
|
user_info["domain_name"] |
| 338 |
|
) |
| 339 |
|
) |
| 340 |
|
|
| 341 |
0 |
new_user = self.keystone.users.create( |
| 342 |
|
user_info["username"], |
| 343 |
|
password=user_info["password"], |
| 344 |
|
domain=self._get_domain_id( |
| 345 |
|
user_info.get("domain_name", self.user_domain_name_list[0]) |
| 346 |
|
), |
| 347 |
|
_admin=user_info["_admin"], |
| 348 |
|
) |
| 349 |
0 |
if "project_role_mappings" in user_info.keys(): |
| 350 |
0 |
for mapping in user_info["project_role_mappings"]: |
| 351 |
0 |
self.assign_role_to_user( |
| 352 |
|
new_user, mapping["project"], mapping["role"] |
| 353 |
|
) |
| 354 |
0 |
return {"username": new_user.name, "_id": new_user.id} |
| 355 |
0 |
except Conflict as e: |
| 356 |
|
# self.logger.exception("Error during user creation using keystone: {}".format(e)) |
| 357 |
0 |
raise AuthconnOperationException(e, http_code=HTTPStatus.CONFLICT) |
| 358 |
0 |
except ClientException as e: |
| 359 |
|
# self.logger.exception("Error during user creation using keystone: {}".format(e)) |
| 360 |
0 |
raise AuthconnOperationException( |
| 361 |
|
"Error during user creation using Keystone: {}".format(e) |
| 362 |
|
) |
| 363 |
|
|
| 364 |
1 |
def update_user(self, user_info): |
| 365 |
|
""" |
| 366 |
|
Change the user name and/or password. |
| 367 |
|
|
| 368 |
|
:param user_info: user info modifications |
| 369 |
|
:raises AuthconnOperationException: if change failed. |
| 370 |
|
""" |
| 371 |
0 |
try: |
| 372 |
0 |
user = user_info.get("_id") or user_info.get("username") |
| 373 |
0 |
try: |
| 374 |
0 |
user_obj = self.keystone.users.get(user) |
| 375 |
0 |
except Exception: |
| 376 |
0 |
user_obj = None |
| 377 |
0 |
if not user_obj: |
| 378 |
0 |
for user_domain in self.user_domain_name_list: |
| 379 |
0 |
domain_id = self._get_domain_id( |
| 380 |
|
user_domain, fail_if_not_found=False |
| 381 |
|
) |
| 382 |
0 |
if not domain_id: |
| 383 |
0 |
continue |
| 384 |
0 |
user_obj_list = self.keystone.users.list( |
| 385 |
|
name=user, domain=domain_id |
| 386 |
|
) |
| 387 |
0 |
if user_obj_list: |
| 388 |
0 |
user_obj = user_obj_list[0] |
| 389 |
0 |
break |
| 390 |
|
else: # user not found |
| 391 |
0 |
raise AuthconnNotFoundException("User '{}' not found".format(user)) |
| 392 |
|
|
| 393 |
0 |
user_id = user_obj.id |
| 394 |
0 |
domain_id = user_obj.domain_id |
| 395 |
0 |
domain_name = self.domains_id2name.get(domain_id) |
| 396 |
|
|
| 397 |
0 |
if domain_name in self.user_domain_ro_list: |
| 398 |
0 |
if user_info.get("password") or user_info.get("username"): |
| 399 |
0 |
raise AuthconnConflictException( |
| 400 |
|
"Cannot update the user {} belonging to a read only domain {}".format( |
| 401 |
|
user, domain_name |
| 402 |
|
) |
| 403 |
|
) |
| 404 |
|
|
| 405 |
0 |
elif ( |
| 406 |
|
user_info.get("password") |
| 407 |
|
or user_info.get("username") |
| 408 |
|
or user_info.get("add_project_role_mappings") |
| 409 |
|
or user_info.get("remove_project_role_mappings") |
| 410 |
|
): |
| 411 |
|
# if user_index>0, it is an external domain, that should not be updated |
| 412 |
0 |
ctime = ( |
| 413 |
|
user_obj._admin.get("created", 0) |
| 414 |
|
if hasattr(user_obj, "_admin") |
| 415 |
|
else 0 |
| 416 |
|
) |
| 417 |
0 |
try: |
| 418 |
0 |
self.keystone.users.update( |
| 419 |
|
user_id, |
| 420 |
|
password=user_info.get("password"), |
| 421 |
|
name=user_info.get("username"), |
| 422 |
|
_admin={"created": ctime, "modified": time.time()}, |
| 423 |
|
) |
| 424 |
0 |
except Exception as e: |
| 425 |
0 |
if user_info.get("username") or user_info.get("password"): |
| 426 |
0 |
raise AuthconnOperationException( |
| 427 |
|
"Error during username/password change: {}".format(str(e)) |
| 428 |
|
) |
| 429 |
0 |
self.logger.error( |
| 430 |
|
"Error during updating user profile: {}".format(str(e)) |
| 431 |
|
) |
| 432 |
|
|
| 433 |
0 |
for mapping in user_info.get("remove_project_role_mappings", []): |
| 434 |
0 |
self.remove_role_from_user( |
| 435 |
|
user_obj, mapping["project"], mapping["role"] |
| 436 |
|
) |
| 437 |
0 |
for mapping in user_info.get("add_project_role_mappings", []): |
| 438 |
0 |
self.assign_role_to_user(user_obj, mapping["project"], mapping["role"]) |
| 439 |
0 |
except ClientException as e: |
| 440 |
|
# self.logger.exception("Error during user password/name update using keystone: {}".format(e)) |
| 441 |
0 |
raise AuthconnOperationException( |
| 442 |
|
"Error during user update using Keystone: {}".format(e) |
| 443 |
|
) |
| 444 |
|
|
| 445 |
1 |
def delete_user(self, user_id): |
| 446 |
|
""" |
| 447 |
|
Delete user. |
| 448 |
|
|
| 449 |
|
:param user_id: user identifier. |
| 450 |
|
:raises AuthconnOperationException: if user deletion failed. |
| 451 |
|
""" |
| 452 |
0 |
try: |
| 453 |
0 |
user_obj = self.keystone.users.get(user_id) |
| 454 |
0 |
domain_id = user_obj.domain_id |
| 455 |
0 |
domain_name = self.domains_id2name.get(domain_id) |
| 456 |
0 |
if domain_name in self.user_domain_ro_list: |
| 457 |
0 |
raise AuthconnConflictException( |
| 458 |
|
"Cannot delete user {} belonging to a read only domain {}".format( |
| 459 |
|
user_id, domain_name |
| 460 |
|
) |
| 461 |
|
) |
| 462 |
|
|
| 463 |
0 |
result, detail = self.keystone.users.delete(user_id) |
| 464 |
0 |
if result.status_code != 204: |
| 465 |
0 |
raise ClientException("error {} {}".format(result.status_code, detail)) |
| 466 |
0 |
return True |
| 467 |
0 |
except ClientException as e: |
| 468 |
|
# self.logger.exception("Error during user deletion using keystone: {}".format(e)) |
| 469 |
0 |
raise AuthconnOperationException( |
| 470 |
|
"Error during user deletion using Keystone: {}".format(e) |
| 471 |
|
) |
| 472 |
|
|
| 473 |
1 |
def get_user_list(self, filter_q=None): |
| 474 |
|
""" |
| 475 |
|
Get user list. |
| 476 |
|
|
| 477 |
|
:param filter_q: dictionary to filter user list by one or several |
| 478 |
|
_id: |
| 479 |
|
name (username is also admitted). If a user id is equal to the filter name, it is also provided |
| 480 |
|
domain_id, domain_name |
| 481 |
|
:return: returns a list of users. |
| 482 |
|
""" |
| 483 |
0 |
try: |
| 484 |
0 |
self._get_domains() |
| 485 |
0 |
filter_name = filter_domain = None |
| 486 |
0 |
if filter_q: |
| 487 |
0 |
filter_name = filter_q.get("name") or filter_q.get("username") |
| 488 |
0 |
if filter_q.get("domain_name"): |
| 489 |
0 |
filter_domain = self._get_domain_id( |
| 490 |
|
filter_q["domain_name"], fail_if_not_found=False |
| 491 |
|
) |
| 492 |
|
# If domain is not found, use the same name to obtain an empty list |
| 493 |
0 |
filter_domain = filter_domain or filter_q["domain_name"] |
| 494 |
0 |
if filter_q.get("domain_id"): |
| 495 |
0 |
filter_domain = filter_q["domain_id"] |
| 496 |
|
|
| 497 |
0 |
users = self.keystone.users.list(name=filter_name, domain=filter_domain) |
| 498 |
|
# get users from user_domain_name_list[1:], because it will not be provided in case of LDAP |
| 499 |
0 |
if filter_domain is None and len(self.user_domain_name_list) > 1: |
| 500 |
0 |
for user_domain in self.user_domain_name_list[1:]: |
| 501 |
0 |
domain_id = self._get_domain_id( |
| 502 |
|
user_domain, fail_if_not_found=False |
| 503 |
|
) |
| 504 |
0 |
if not domain_id: |
| 505 |
0 |
continue |
| 506 |
|
# find if users of this domain are already provided. In this case ignore |
| 507 |
0 |
for u in users: |
| 508 |
0 |
if u.domain_id == domain_id: |
| 509 |
0 |
break |
| 510 |
|
else: |
| 511 |
0 |
users += self.keystone.users.list( |
| 512 |
|
name=filter_name, domain=domain_id |
| 513 |
|
) |
| 514 |
|
|
| 515 |
|
# if filter name matches a user id, provide it also |
| 516 |
0 |
if filter_name: |
| 517 |
0 |
try: |
| 518 |
0 |
user_obj = self.keystone.users.get(filter_name) |
| 519 |
0 |
if user_obj not in users: |
| 520 |
0 |
users.append(user_obj) |
| 521 |
0 |
except Exception: |
| 522 |
0 |
pass |
| 523 |
|
|
| 524 |
0 |
users = [ |
| 525 |
|
{ |
| 526 |
|
"username": user.name, |
| 527 |
|
"_id": user.id, |
| 528 |
|
"id": user.id, |
| 529 |
|
"_admin": user.to_dict().get("_admin", {}), # TODO: REVISE |
| 530 |
|
"domain_name": self.domains_id2name.get(user.domain_id), |
| 531 |
|
} |
| 532 |
|
for user in users |
| 533 |
|
if user.name != self.admin_username |
| 534 |
|
] |
| 535 |
|
|
| 536 |
0 |
if filter_q and filter_q.get("_id"): |
| 537 |
0 |
users = [user for user in users if filter_q["_id"] == user["_id"]] |
| 538 |
|
|
| 539 |
0 |
for user in users: |
| 540 |
0 |
user["project_role_mappings"] = [] |
| 541 |
0 |
user["projects"] = [] |
| 542 |
0 |
projects = self.keystone.projects.list(user=user["_id"]) |
| 543 |
0 |
for project in projects: |
| 544 |
0 |
user["projects"].append(project.name) |
| 545 |
|
|
| 546 |
0 |
roles = self.keystone.roles.list( |
| 547 |
|
user=user["_id"], project=project.id |
| 548 |
|
) |
| 549 |
0 |
for role in roles: |
| 550 |
0 |
prm = { |
| 551 |
|
"project": project.id, |
| 552 |
|
"project_name": project.name, |
| 553 |
|
"role_name": role.name, |
| 554 |
|
"role": role.id, |
| 555 |
|
} |
| 556 |
0 |
user["project_role_mappings"].append(prm) |
| 557 |
|
|
| 558 |
0 |
return users |
| 559 |
0 |
except ClientException as e: |
| 560 |
|
# self.logger.exception("Error during user listing using keystone: {}".format(e)) |
| 561 |
0 |
raise AuthconnOperationException( |
| 562 |
|
"Error during user listing using Keystone: {}".format(e) |
| 563 |
|
) |
| 564 |
|
|
| 565 |
1 |
def get_role_list(self, filter_q=None): |
| 566 |
|
""" |
| 567 |
|
Get role list. |
| 568 |
|
|
| 569 |
|
:param filter_q: dictionary to filter role list by _id and/or name. |
| 570 |
|
:return: returns the list of roles. |
| 571 |
|
""" |
| 572 |
0 |
try: |
| 573 |
0 |
filter_name = None |
| 574 |
0 |
if filter_q: |
| 575 |
0 |
filter_name = filter_q.get("name") |
| 576 |
0 |
roles_list = self.keystone.roles.list(name=filter_name) |
| 577 |
|
|
| 578 |
0 |
roles = [ |
| 579 |
|
{ |
| 580 |
|
"name": role.name, |
| 581 |
|
"_id": role.id, |
| 582 |
|
"_admin": role.to_dict().get("_admin", {}), |
| 583 |
|
"permissions": role.to_dict().get("permissions", {}), |
| 584 |
|
} |
| 585 |
|
for role in roles_list |
| 586 |
|
if role.name != "service" |
| 587 |
|
] |
| 588 |
|
|
| 589 |
0 |
if filter_q and filter_q.get("_id"): |
| 590 |
0 |
roles = [role for role in roles if filter_q["_id"] == role["_id"]] |
| 591 |
|
|
| 592 |
0 |
return roles |
| 593 |
0 |
except ClientException as e: |
| 594 |
|
# self.logger.exception("Error during user role listing using keystone: {}".format(e)) |
| 595 |
0 |
raise AuthException( |
| 596 |
|
"Error during user role listing using Keystone: {}".format(e), |
| 597 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 598 |
|
) |
| 599 |
|
|
| 600 |
1 |
def create_role(self, role_info): |
| 601 |
|
""" |
| 602 |
|
Create a role. |
| 603 |
|
|
| 604 |
|
:param role_info: full role info. |
| 605 |
|
:raises AuthconnOperationException: if role creation failed. |
| 606 |
|
""" |
| 607 |
0 |
try: |
| 608 |
0 |
result = self.keystone.roles.create( |
| 609 |
|
role_info["name"], |
| 610 |
|
permissions=role_info.get("permissions"), |
| 611 |
|
_admin=role_info.get("_admin"), |
| 612 |
|
) |
| 613 |
0 |
return result.id |
| 614 |
0 |
except Conflict as ex: |
| 615 |
0 |
raise AuthconnConflictException(str(ex)) |
| 616 |
0 |
except ClientException as e: |
| 617 |
|
# self.logger.exception("Error during role creation using keystone: {}".format(e)) |
| 618 |
0 |
raise AuthconnOperationException( |
| 619 |
|
"Error during role creation using Keystone: {}".format(e) |
| 620 |
|
) |
| 621 |
|
|
| 622 |
1 |
def delete_role(self, role_id): |
| 623 |
|
""" |
| 624 |
|
Delete a role. |
| 625 |
|
|
| 626 |
|
:param role_id: role identifier. |
| 627 |
|
:raises AuthconnOperationException: if role deletion failed. |
| 628 |
|
""" |
| 629 |
0 |
try: |
| 630 |
0 |
result, detail = self.keystone.roles.delete(role_id) |
| 631 |
|
|
| 632 |
0 |
if result.status_code != 204: |
| 633 |
0 |
raise ClientException("error {} {}".format(result.status_code, detail)) |
| 634 |
|
|
| 635 |
0 |
return True |
| 636 |
0 |
except ClientException as e: |
| 637 |
|
# self.logger.exception("Error during role deletion using keystone: {}".format(e)) |
| 638 |
0 |
raise AuthconnOperationException( |
| 639 |
|
"Error during role deletion using Keystone: {}".format(e) |
| 640 |
|
) |
| 641 |
|
|
| 642 |
1 |
def update_role(self, role_info): |
| 643 |
|
""" |
| 644 |
|
Change the name of a role |
| 645 |
|
:param role_info: full role info |
| 646 |
|
:return: None |
| 647 |
|
""" |
| 648 |
0 |
try: |
| 649 |
0 |
rid = role_info["_id"] |
| 650 |
0 |
if not is_valid_uuid(rid): # Is this required? |
| 651 |
0 |
role_obj_list = self.keystone.roles.list(name=rid) |
| 652 |
0 |
if not role_obj_list: |
| 653 |
0 |
raise AuthconnNotFoundException("Role '{}' not found".format(rid)) |
| 654 |
0 |
rid = role_obj_list[0].id |
| 655 |
0 |
self.keystone.roles.update( |
| 656 |
|
rid, |
| 657 |
|
name=role_info["name"], |
| 658 |
|
permissions=role_info.get("permissions"), |
| 659 |
|
_admin=role_info.get("_admin"), |
| 660 |
|
) |
| 661 |
0 |
except ClientException as e: |
| 662 |
|
# self.logger.exception("Error during role update using keystone: {}".format(e)) |
| 663 |
0 |
raise AuthconnOperationException( |
| 664 |
|
"Error during role updating using Keystone: {}".format(e) |
| 665 |
|
) |
| 666 |
|
|
| 667 |
1 |
def get_project_list(self, filter_q=None): |
| 668 |
|
""" |
| 669 |
|
Get all the projects. |
| 670 |
|
|
| 671 |
|
:param filter_q: dictionary to filter project list. |
| 672 |
|
:return: list of projects |
| 673 |
|
""" |
| 674 |
0 |
try: |
| 675 |
0 |
self._get_domains() |
| 676 |
0 |
filter_name = filter_domain = None |
| 677 |
0 |
if filter_q: |
| 678 |
0 |
filter_name = filter_q.get("name") |
| 679 |
0 |
if filter_q.get("domain_name"): |
| 680 |
0 |
filter_domain = self.domains_name2id.get(filter_q["domain_name"]) |
| 681 |
0 |
if filter_q.get("domain_id"): |
| 682 |
0 |
filter_domain = filter_q["domain_id"] |
| 683 |
|
|
| 684 |
0 |
projects = self.keystone.projects.list( |
| 685 |
|
name=filter_name, domain=filter_domain |
| 686 |
|
) |
| 687 |
|
|
| 688 |
0 |
projects = [ |
| 689 |
|
{ |
| 690 |
|
"name": project.name, |
| 691 |
|
"_id": project.id, |
| 692 |
|
"_admin": project.to_dict().get("_admin", {}), # TODO: REVISE |
| 693 |
|
"quotas": project.to_dict().get("quotas", {}), # TODO: REVISE |
| 694 |
|
"domain_name": self.domains_id2name.get(project.domain_id), |
| 695 |
|
} |
| 696 |
|
for project in projects |
| 697 |
|
] |
| 698 |
|
|
| 699 |
0 |
if filter_q and filter_q.get("_id"): |
| 700 |
0 |
projects = [ |
| 701 |
|
project for project in projects if filter_q["_id"] == project["_id"] |
| 702 |
|
] |
| 703 |
|
|
| 704 |
0 |
return projects |
| 705 |
0 |
except ClientException as e: |
| 706 |
|
# self.logger.exception("Error during user project listing using keystone: {}".format(e)) |
| 707 |
0 |
raise AuthException( |
| 708 |
|
"Error during user project listing using Keystone: {}".format(e), |
| 709 |
|
http_code=HTTPStatus.UNAUTHORIZED, |
| 710 |
|
) |
| 711 |
|
|
| 712 |
1 |
def create_project(self, project_info): |
| 713 |
|
""" |
| 714 |
|
Create a project. |
| 715 |
|
|
| 716 |
|
:param project_info: full project info. |
| 717 |
|
:return: the internal id of the created project |
| 718 |
|
:raises AuthconnOperationException: if project creation failed. |
| 719 |
|
""" |
| 720 |
0 |
try: |
| 721 |
0 |
result = self.keystone.projects.create( |
| 722 |
|
project_info["name"], |
| 723 |
|
domain=self._get_domain_id( |
| 724 |
|
project_info.get("domain_name", self.project_domain_name_list[0]) |
| 725 |
|
), |
| 726 |
|
_admin=project_info["_admin"], |
| 727 |
|
quotas=project_info.get("quotas", {}), |
| 728 |
|
) |
| 729 |
0 |
return result.id |
| 730 |
0 |
except ClientException as e: |
| 731 |
|
# self.logger.exception("Error during project creation using keystone: {}".format(e)) |
| 732 |
0 |
raise AuthconnOperationException( |
| 733 |
|
"Error during project creation using Keystone: {}".format(e) |
| 734 |
|
) |
| 735 |
|
|
| 736 |
1 |
def delete_project(self, project_id): |
| 737 |
|
""" |
| 738 |
|
Delete a project. |
| 739 |
|
|
| 740 |
|
:param project_id: project identifier. |
| 741 |
|
:raises AuthconnOperationException: if project deletion failed. |
| 742 |
|
""" |
| 743 |
0 |
try: |
| 744 |
|
# projects = self.keystone.projects.list() |
| 745 |
|
# project_obj = [project for project in projects if project.id == project_id][0] |
| 746 |
|
# result, _ = self.keystone.projects.delete(project_obj) |
| 747 |
|
|
| 748 |
0 |
result, detail = self.keystone.projects.delete(project_id) |
| 749 |
0 |
if result.status_code != 204: |
| 750 |
0 |
raise ClientException("error {} {}".format(result.status_code, detail)) |
| 751 |
|
|
| 752 |
0 |
return True |
| 753 |
0 |
except ClientException as e: |
| 754 |
|
# self.logger.exception("Error during project deletion using keystone: {}".format(e)) |
| 755 |
0 |
raise AuthconnOperationException( |
| 756 |
|
"Error during project deletion using Keystone: {}".format(e) |
| 757 |
|
) |
| 758 |
|
|
| 759 |
1 |
def update_project(self, project_id, project_info): |
| 760 |
|
""" |
| 761 |
|
Change the name of a project |
| 762 |
|
:param project_id: project to be changed |
| 763 |
|
:param project_info: full project info |
| 764 |
|
:return: None |
| 765 |
|
""" |
| 766 |
0 |
try: |
| 767 |
0 |
self.keystone.projects.update( |
| 768 |
|
project_id, |
| 769 |
|
name=project_info["name"], |
| 770 |
|
_admin=project_info["_admin"], |
| 771 |
|
quotas=project_info.get("quotas", {}), |
| 772 |
|
) |
| 773 |
0 |
except ClientException as e: |
| 774 |
|
# self.logger.exception("Error during project update using keystone: {}".format(e)) |
| 775 |
0 |
raise AuthconnOperationException( |
| 776 |
|
"Error during project update using Keystone: {}".format(e) |
| 777 |
|
) |
| 778 |
|
|
| 779 |
1 |
def assign_role_to_user(self, user_obj, project, role): |
| 780 |
|
""" |
| 781 |
|
Assigning a role to a user in a project. |
| 782 |
|
|
| 783 |
|
:param user_obj: user object, obtained with keystone.users.get or list. |
| 784 |
|
:param project: project name. |
| 785 |
|
:param role: role name. |
| 786 |
|
:raises AuthconnOperationException: if role assignment failed. |
| 787 |
|
""" |
| 788 |
0 |
try: |
| 789 |
0 |
try: |
| 790 |
0 |
project_obj = self.keystone.projects.get(project) |
| 791 |
0 |
except Exception: |
| 792 |
0 |
project_obj_list = self.keystone.projects.list(name=project) |
| 793 |
0 |
if not project_obj_list: |
| 794 |
0 |
raise AuthconnNotFoundException( |
| 795 |
|
"Project '{}' not found".format(project) |
| 796 |
|
) |
| 797 |
0 |
project_obj = project_obj_list[0] |
| 798 |
|
|
| 799 |
0 |
try: |
| 800 |
0 |
role_obj = self.keystone.roles.get(role) |
| 801 |
0 |
except Exception: |
| 802 |
0 |
role_obj_list = self.keystone.roles.list(name=role) |
| 803 |
0 |
if not role_obj_list: |
| 804 |
0 |
raise AuthconnNotFoundException("Role '{}' not found".format(role)) |
| 805 |
0 |
role_obj = role_obj_list[0] |
| 806 |
|
|
| 807 |
0 |
self.keystone.roles.grant(role_obj, user=user_obj, project=project_obj) |
| 808 |
0 |
except ClientException as e: |
| 809 |
|
# self.logger.exception("Error during user role assignment using keystone: {}".format(e)) |
| 810 |
0 |
raise AuthconnOperationException( |
| 811 |
|
"Error during role '{}' assignment to user '{}' and project '{}' using " |
| 812 |
|
"Keystone: {}".format(role, user_obj.name, project, e) |
| 813 |
|
) |
| 814 |
|
|
| 815 |
1 |
def remove_role_from_user(self, user_obj, project, role): |
| 816 |
|
""" |
| 817 |
|
Remove a role from a user in a project. |
| 818 |
|
|
| 819 |
|
:param user_obj: user object, obtained with keystone.users.get or list. |
| 820 |
|
:param project: project name or id. |
| 821 |
|
:param role: role name or id. |
| 822 |
|
|
| 823 |
|
:raises AuthconnOperationException: if role assignment revocation failed. |
| 824 |
|
""" |
| 825 |
0 |
try: |
| 826 |
0 |
try: |
| 827 |
0 |
project_obj = self.keystone.projects.get(project) |
| 828 |
0 |
except Exception: |
| 829 |
0 |
project_obj_list = self.keystone.projects.list(name=project) |
| 830 |
0 |
if not project_obj_list: |
| 831 |
0 |
raise AuthconnNotFoundException( |
| 832 |
|
"Project '{}' not found".format(project) |
| 833 |
|
) |
| 834 |
0 |
project_obj = project_obj_list[0] |
| 835 |
|
|
| 836 |
0 |
try: |
| 837 |
0 |
role_obj = self.keystone.roles.get(role) |
| 838 |
0 |
except Exception: |
| 839 |
0 |
role_obj_list = self.keystone.roles.list(name=role) |
| 840 |
0 |
if not role_obj_list: |
| 841 |
0 |
raise AuthconnNotFoundException("Role '{}' not found".format(role)) |
| 842 |
0 |
role_obj = role_obj_list[0] |
| 843 |
|
|
| 844 |
0 |
self.keystone.roles.revoke(role_obj, user=user_obj, project=project_obj) |
| 845 |
0 |
except ClientException as e: |
| 846 |
|
# self.logger.exception("Error during user role revocation using keystone: {}".format(e)) |
| 847 |
0 |
raise AuthconnOperationException( |
| 848 |
|
"Error during role '{}' revocation to user '{}' and project '{}' using " |
| 849 |
|
"Keystone: {}".format(role, user_obj.name, project, e) |
| 850 |
|
) |
![[Jenkins]](/jenkins/static/c06f6c43/images/jenkins-header-logo-v2.svg){kind=logo}
