Add a alarm notification using trusts

This patch adds a new alarm notifier which can be used to talk to an
endpoint using keystone authentication. This allows to do secure alarm
actions.

Change-Id: I634b96443eeaccbd736a812ab551b903c3972540
Implements: blueprint trust-alarm-notifier

2 files changed, 70 insertions, 1 deletions

diff --git a/ceilometer/alarm/notifier/rest.py b/ceilometer/alarm/notifier/rest.py
index b13befed..93a9f9c9 100644
--- a/ceilometer/alarm/notifier/rest.py
+++ b/ceilometer/alarm/notifier/rest.py
@@ -54,7 +54,8 @@ class RestAlarmNotifier(notifier.AlarmNotifier):
     """Rest alarm notifier."""
 
     @staticmethod
-    def notify(action, alarm_id, previous, current, reason, reason_data):
+    def notify(action, alarm_id, previous, current, reason, reason_data,
+               headers=None):
         LOG.info(_(
             "Notifying alarm %(alarm_id)s from %(previous)s "
             "to %(current)s with action %(action)s because "
@@ -65,6 +66,8 @@ class RestAlarmNotifier(notifier.AlarmNotifier):
                 'current': current, 'reason': reason,
                 'reason_data': reason_data}
         kwargs = {'data': jsonutils.dumps(body)}
+        if headers:
+            kwargs['headers'] = headers
 
         if action.scheme == 'https':
             default_verify = int(cfg.CONF.alarm.rest_notifier_ssl_verify)
diff --git a/ceilometer/alarm/notifier/trust.py b/ceilometer/alarm/notifier/trust.py
new file mode 100644
index 00000000..b3190b1b
--- /dev/null
+++ b/ceilometer/alarm/notifier/trust.py
@@ -0,0 +1,66 @@
+# -*- encoding: utf-8 -*-
+#
+# Copyright © 2014 eNovance
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+"""Rest alarm notifier with trusted authentication."""
+
+try:
+    import urllib.parse
+    SplitResult = urllib.parse.SplitResult
+except ImportError:
+    import urlparse
+    SplitResult = urlparse.SplitResult
+
+from keystoneclient.v3 import client as keystone_client
+from oslo.config import cfg
+
+from ceilometer.alarm import notifier
+
+
+class TrustRestAlarmNotifier(notifier.rest.RestAlarmNotifier):
+    """Notifier supporting keystone trust authentication.
+
+    This alarm notifier is intended to be used to call an endpoint using
+    keystone authentication. It uses the ceilometer service user to
+    authenticate using the trust ID provided.
+
+    The URL must be in the form trust+http://trust-id@host/action.
+    """
+
+    @staticmethod
+    def notify(action, alarm_id, previous, current, reason, reason_data):
+        trust_id = action.username
+
+        auth_url = cfg.CONF.service_credentials.os_auth_url.replace(
+            "v2.0", "v3")
+        client = keystone_client.Client(
+            username=cfg.CONF.service_credentials.os_username,
+            password=cfg.CONF.service_credentials.os_password,
+            cacert=cfg.CONF.service_credentials.os_cacert,
+            auth_url=auth_url,
+            region_name=cfg.CONF.service_credentials.os_region_name,
+            insecure=cfg.CONF.service_credentials.insecure,
+            trust_id=trust_id)
+
+        # Remove the fake user
+        netloc = action.netloc.split("@")[1]
+        # Remove the trust prefix
+        scheme = action.scheme[6:]
+
+        action = SplitResult(scheme, netloc, action.path, action.query,
+                             action.fragment)
+
+        headers = {'X-Auth-Token': client.auth_token}
+        notifier.rest.RestAlarmNotifier.notify(
+            action, alarm_id, previous, current, reason, reason_data, headers)