summaryrefslogtreecommitdiff
path: root/keystoneclient/client.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystoneclient/client.py')
-rw-r--r--keystoneclient/client.py293
1 files changed, 231 insertions, 62 deletions
diff --git a/keystoneclient/client.py b/keystoneclient/client.py
index bc2cae6..f017bc8 100644
--- a/keystoneclient/client.py
+++ b/keystoneclient/client.py
@@ -48,40 +48,160 @@ class HTTPClient(object):
endpoint=None, token=None, cacert=None, key=None,
cert=None, insecure=False, original_ip=None, debug=False,
auth_ref=None, use_keyring=False, force_new_token=False,
- stale_duration=None):
+ stale_duration=None, user_id=None, user_domain_id=None,
+ user_domain_name=None, domain_id=None, domain_name=None,
+ project_id=None, project_name=None, project_domain_id=None,
+ project_domain_name=None):
"""Construct a new http client
- @param: timeout the request libary timeout in seconds (default None)
+ :param string user_id: User ID for authentication. (optional)
+ :param string username: Username for authentication. (optional)
+ :param string user_domain_id: User's domain ID for authentication.
+ (optional)
+ :param string user_domain_name: User's domain name for authentication.
+ (optional)
+ :param string password: Password for authentication. (optional)
+ :param string domain_id: Domain ID for domain scoping. (optional)
+ :param string domain_name: Domain name for domain scoping. (optional)
+ :param string project_id: Project ID for project scoping. (optional)
+ :param string project_name: Project name for project scoping.
+ (optional)
+ :param string project_domain_id: Project's domain ID for project
+ scoping. (optional)
+ :param string project_domain_name: Project's domain name for project
+ scoping. (optional)
+ :param string auth_url: Identity service endpoint for authorization.
+ :param string region_name: Name of a region to select when choosing an
+ endpoint from the service catalog.
+ :param integer timeout: Allows customization of the timeout for client
+ http requests. (optional)
+ :param string endpoint: A user-supplied endpoint URL for the identity
+ service. Lazy-authentication is possible for
+ API service calls if endpoint is set at
+ instantiation. (optional)
+ :param string token: Token for authentication. (optional)
+ :param string cacert: Path to the Privacy Enhanced Mail (PEM) file
+ which contains the trusted authority X.509
+ certificates needed to established SSL connection
+ with the identity service. (optional)
+ :param string key: Path to the Privacy Enhanced Mail (PEM) file which
+ contains the unencrypted client private key needed
+ to established two-way SSL connection with the
+ identity service. (optional)
+ :param string cert: Path to the Privacy Enhanced Mail (PEM) file which
+ contains the corresponding X.509 client certificate
+ needed to established two-way SSL connection with
+ the identity service. (optional)
+ :param boolean insecure: Does not perform X.509 certificate validation
+ when establishing SSL connection with identity
+ service. default: False (optional)
+ :param string original_ip: The original IP of the requesting user
+ which will be sent to identity service in a
+ 'Forwarded' header. (optional)
+ :param boolean debug: Enables debug logging of all request and
+ responses to identity service.
+ default False (optional)
+ :param dict auth_ref: To allow for consumers of the client to manage
+ their own caching strategy, you may initialize a
+ client with a previously captured auth_reference
+ (token). If there are keyword arguments passed
+ that also exist in auth_ref, the value from the
+ argument will take precedence.
+ :param boolean use_keyring: Enables caching auth_ref into keyring.
+ default: False (optional)
+ :param boolean force_new_token: Keyring related parameter, forces
+ request for new token.
+ default: False (optional)
+ :param integer stale_duration: Gap in seconds to determine if token
+ from keyring is about to expire.
+ default: 30 (optional)
+ :param string tenant_name: Tenant name. (optional)
+ The tenant_name keyword argument is
+ deprecated, use project_name instead.
+ :param string tenant_id: Tenant id. (optional)
+ The tenant_id keyword argument is
+ deprecated, use project_id instead.
"""
- self.version = 'v2.0'
# set baseline defaults
+
+ self.user_id = None
self.username = None
- self.tenant_id = None
- self.tenant_name = None
+ self.user_domain_id = None
+ self.user_domain_name = None
+
+ self.domain_id = None
+ self.domain_name = None
+
+ self.project_id = None
+ self.project_name = None
+ self.project_domain_id = None
+ self.project_domain_name = None
+
self.auth_url = None
self.management_url = None
- if timeout is not None:
- self.timeout = float(timeout)
- else:
- self.timeout = None
+ self.timeout = float(timeout) if timeout is not None else None
+
# if loading from a dictionary passed in via auth_ref,
# load values from AccessInfo parsing that dictionary
- self.auth_ref = access.AccessInfo(**auth_ref) if auth_ref else None
- if self.auth_ref:
+ if auth_ref:
+ self.auth_ref = access.AccessInfo.factory(**auth_ref)
+ self.version = self.auth_ref.version
+ self.user_id = self.auth_ref.user_id
self.username = self.auth_ref.username
- self.tenant_id = self.auth_ref.tenant_id
- self.tenant_name = self.auth_ref.tenant_name
+ self.user_domain_id = self.auth_ref.user_domain_id
+ self.domain_id = self.auth_ref.domain_id
+ self.domain_name = self.auth_ref.domain_name
+ self.project_id = self.auth_ref.project_id
+ self.project_name = self.auth_ref.project_name
+ self.project_domain_id = self.auth_ref.project_domain_id
self.auth_url = self.auth_ref.auth_url[0]
self.management_url = self.auth_ref.management_url[0]
+ self.auth_token = self.auth_ref.auth_token
+ else:
+ self.auth_ref = None
+
# allow override of the auth_ref defaults from explicit
# values provided to the client
- if username:
- self.username = username
+
+ # apply deprecated variables first, so modern variables override them
if tenant_id:
- self.tenant_id = tenant_id
+ self.project_id = tenant_id
if tenant_name:
- self.tenant_name = tenant_name
+ self.project_name = tenant_name
+
+ # user-related attributes
+ self.password = password
+ if user_id:
+ self.user_id = user_id
+ if username:
+ self.username = username
+ if user_domain_id:
+ self.user_domain_id = user_domain_id
+ elif not (user_id or user_domain_name):
+ self.user_domain_id = 'default'
+ if user_domain_name:
+ self.user_domain_name = user_domain_name
+
+ # domain-related attributes
+ if domain_id:
+ self.domain_id = domain_id
+ if domain_name:
+ self.domain_name = domain_name
+
+ # project-related attributes
+ if project_id:
+ self.project_id = project_id
+ if project_name:
+ self.project_name = project_name
+ if project_domain_id:
+ self.project_domain_id = project_domain_id
+ elif not (project_id or project_domain_name):
+ self.project_domain_id = 'default'
+ if project_domain_name:
+ self.project_domain_name = project_domain_name
+
+ # endpoint selection
if auth_url:
self.auth_url = auth_url.rstrip('/')
if token:
@@ -90,9 +210,9 @@ class HTTPClient(object):
self.auth_token_from_user = None
if endpoint:
self.management_url = endpoint.rstrip('/')
- self.password = password
- self.original_ip = original_ip
self.region_name = region_name
+
+ self.original_ip = original_ip
if cacert:
self.verify_cert = cacert
else:
@@ -138,20 +258,55 @@ class HTTPClient(object):
def auth_token(self):
del self.auth_token_from_user
+ @property
+ def service_catalog(self):
+ """Returns this client's service catalog."""
+ return self.auth_ref.service_catalog
+
+ def has_service_catalog(self):
+ """Returns True if this client provides a service catalog."""
+ return self.auth_ref.has_service_catalog()
+
+ @property
+ def tenant_id(self):
+ """Provide read-only backwards compatibility for tenant_id.
+ This is deprecated, use project_id instead.
+ """
+ return self.project_id
+
+ @property
+ def tenant_name(self):
+ """Provide read-only backwards compatibility for tenant_name.
+ This is deprecated, use project_name instead.
+ """
+ return self.project_name
+
def authenticate(self, username=None, password=None, tenant_name=None,
- tenant_id=None, auth_url=None, token=None):
- """ Authenticate user.
+ tenant_id=None, auth_url=None, token=None,
+ user_id=None, domain_name=None, domain_id=None,
+ project_name=None, project_id=None, user_domain_id=None,
+ user_domain_name=None, project_domain_id=None,
+ project_domain_name=None):
+ """Authenticate user.
Uses the data provided at instantiation to authenticate against
- the Keystone server. This may use either a username and password
+ the Identity server. This may use either a username and password
or token for authentication. If a tenant name or id was provided
then the resulting authenticated client will be scoped to that
tenant and contain a service catalog of available endpoints.
With the v2.0 API, if a tenant name or ID is not provided, the
- authenication token returned will be 'unscoped' and limited in
+ authentication token returned will be 'unscoped' and limited in
capabilities until a fully-scoped token is acquired.
+ With the v3 API, if a domain name or id was provided then the resulting
+ authenticated client will be scoped to that domain. If a project name
+ or ID is not provided, and the authenticating user has a default
+ project configured, the authentication token returned will be 'scoped'
+ to the default project. Otherwise, the authentication token returned
+ will be 'unscoped' and limited in capabilities until a fully-scoped
+ token is acquired.
+
If successful, sets the self.auth_ref and self.auth_token with
the returned token. If not already set, will also set
self.management_url from the details provided in the token.
@@ -173,10 +328,18 @@ class HTTPClient(object):
"""
auth_url = auth_url or self.auth_url
+ user_id = user_id or self.user_id
username = username or self.username
password = password or self.password
- tenant_name = tenant_name or self.tenant_name
- tenant_id = tenant_id or self.tenant_id
+
+ user_domain_id = user_domain_id or self.user_domain_id
+ user_domain_name = user_domain_name or self.user_domain_name
+ domain_id = domain_id or self.domain_id
+ domain_name = domain_name or self.domain_name
+ project_id = project_id or tenant_id or self.project_id
+ project_name = project_name or tenant_name or self.project_name
+ project_domain_id = project_domain_id or self.project_domain_id
+ project_domain_name = project_domain_name or self.project_domain_name
if not token:
token = self.auth_token_from_user
@@ -184,21 +347,27 @@ class HTTPClient(object):
self.auth_ref.will_expire_soon(self.stale_duration)):
token = self.auth_ref.auth_token
- (keyring_key, auth_ref) = self.get_auth_ref_from_keyring(auth_url,
- username,
- tenant_name,
- tenant_id,
- token)
+ kwargs = {
+ 'auth_url': auth_url,
+ 'user_id': user_id,
+ 'username': username,
+ 'user_domain_id': user_domain_id,
+ 'user_domain_name': user_domain_name,
+ 'domain_id': domain_id,
+ 'domain_name': domain_name,
+ 'project_id': project_id,
+ 'project_name': project_name,
+ 'project_domain_id': project_domain_id,
+ 'project_domain_name': project_domain_name,
+ 'token': token
+ }
+ (keyring_key, auth_ref) = self.get_auth_ref_from_keyring(**kwargs)
new_token_needed = False
if auth_ref is None or self.force_new_token:
new_token_needed = True
- raw_token = self.get_raw_token_from_identity_service(auth_url,
- username,
- password,
- tenant_name,
- tenant_id,
- token)
- self.auth_ref = access.AccessInfo(**raw_token)
+ kwargs['password'] = password
+ resp, body = self.get_raw_token_from_identity_service(**kwargs)
+ self.auth_ref = access.AccessInfo.factory(resp, body)
else:
self.auth_ref = auth_ref
self.process_token()
@@ -206,23 +375,18 @@ class HTTPClient(object):
self.store_auth_ref_into_keyring(keyring_key)
return True
- def _build_keyring_key(self, auth_url, username, tenant_name,
- tenant_id, token):
- """ Create a unique key for keyring.
+ def _build_keyring_key(self, **kwargs):
+ """Create a unique key for keyring.
Used to store and retrieve auth_ref from keyring.
+ Returns a slash-separated string of values ordered by key name.
+
"""
- keys = [auth_url, username, tenant_name, tenant_id, token]
- for index, key in enumerate(keys):
- if key is None:
- keys[index] = '?'
- keyring_key = '/'.join(keys)
- return keyring_key
+ return '/'.join([kwargs[k] or '?' for k in sorted(kwargs.keys())])
- def get_auth_ref_from_keyring(self, auth_url, username, tenant_name,
- tenant_id, token):
- """ Retrieve auth_ref from keyring.
+ def get_auth_ref_from_keyring(self, **kwargs):
+ """Retrieve auth_ref from keyring.
If auth_ref is found in keyring, (keyring_key, auth_ref) is returned.
Otherwise, (keyring_key, None) is returned.
@@ -234,9 +398,7 @@ class HTTPClient(object):
keyring_key = None
auth_ref = None
if self.use_keyring:
- keyring_key = self._build_keyring_key(auth_url, username,
- tenant_name, tenant_id,
- token)
+ keyring_key = self._build_keyring_key(**kwargs)
try:
auth_ref = keyring.get_password("keystoneclient_auth",
keyring_key)
@@ -252,7 +414,7 @@ class HTTPClient(object):
return (keyring_key, auth_ref)
def store_auth_ref_into_keyring(self, keyring_key):
- """ Store auth_ref into keyring.
+ """Store auth_ref into keyring.
"""
if self.use_keyring:
@@ -264,30 +426,36 @@ class HTTPClient(object):
_logger.warning("Failed to store token into keyring %s" % (e))
def process_token(self):
- """ Extract and process information from the new auth_ref.
+ """Extract and process information from the new auth_ref.
"""
raise NotImplementedError
def get_raw_token_from_identity_service(self, auth_url, username=None,
password=None, tenant_name=None,
- tenant_id=None, token=None):
- """ Authenticate against the Identity API and get a token.
+ tenant_id=None, token=None,
+ user_id=None, user_domain_id=None,
+ user_domain_name=None,
+ domain_id=None, domain_name=None,
+ project_id=None, project_name=None,
+ project_domain_id=None,
+ project_domain_name=None):
+ """Authenticate against the Identity API and get a token.
Not implemented here because auth protocols should be API
version-specific.
Expected to authenticate or validate an existing authentication
reference already associated with the client. Invoking this call
- *always* makes a call to the Keystone.
+ *always* makes a call to the Identity service.
- :returns: ``raw token``
+ :returns: (``resp``, ``body``)
"""
raise NotImplementedError
def _extract_service_catalog(self, url, body):
- """ Set the client's service catalog from the response data.
+ """Set the client's service catalog from the response data.
Not implemented here because data returned may be API
version-specific.
@@ -334,7 +502,7 @@ class HTTPClient(object):
return self.auth_ref.has_service_catalog()
def request(self, url, method, **kwargs):
- """ Send an http request with the specified characteristics.
+ """Send an http request with the specified characteristics.
Wrapper around requests.request to handle tasks such as
setting headers, JSON encoding/decoding, and error handling.
@@ -392,9 +560,10 @@ class HTTPClient(object):
return resp, body
def _cs_request(self, url, method, **kwargs):
- """ Makes an authenticated request to keystone endpoint by
+ """Makes an authenticated request to keystone endpoint by
concatenating self.management_url and url and passing in method and
- any associated kwargs. """
+ any associated kwargs.
+ """
is_management = kwargs.pop('management', True)