cd1a412408
The auth config hook can have credentials in it so we have to mask the config before logging it. To avoid doing the work of masking the password if we aren't going to log it, there is a conditional put around the actual debug statement. Change-Id: I8e626672ec94fc837610216bccb4354dbdedca17 Closes-Bug: #1630822
262 lines
10 KiB
Python
262 lines
10 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""OpenStackConfig subclass for argument compatibility"""
|
|
|
|
import logging
|
|
|
|
from os_client_config import config
|
|
from os_client_config import exceptions as occ_exceptions
|
|
from oslo_utils import strutils
|
|
import six
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
# Sublcass OpenStackConfig in order to munge config values
|
|
# before auth plugins are loaded
|
|
class OSC_Config(config.OpenStackConfig):
|
|
|
|
# TODO(dtroyer): Once os-client-config with pw_func argument is in
|
|
# global-requirements we can remove __init()__
|
|
def __init__(
|
|
self,
|
|
config_files=None,
|
|
vendor_files=None,
|
|
override_defaults=None,
|
|
force_ipv4=None,
|
|
envvar_prefix=None,
|
|
secure_files=None,
|
|
pw_func=None,
|
|
):
|
|
ret = super(OSC_Config, self).__init__(
|
|
config_files=config_files,
|
|
vendor_files=vendor_files,
|
|
override_defaults=override_defaults,
|
|
force_ipv4=force_ipv4,
|
|
envvar_prefix=envvar_prefix,
|
|
secure_files=secure_files,
|
|
)
|
|
|
|
# NOTE(dtroyer): This will be pushed down into os-client-config
|
|
# The default is there is no callback, the calling
|
|
# application must specify what to use, typically
|
|
# it will be osc_lib.shell.prompt_for_password()
|
|
if '_pw_callback' not in vars(self):
|
|
# Set the default if it doesn't already exist
|
|
self._pw_callback = None
|
|
if pw_func is not None:
|
|
# Set the passed in value
|
|
self._pw_callback = pw_func
|
|
|
|
return ret
|
|
|
|
def _auth_select_default_plugin(self, config):
|
|
"""Select a default plugin based on supplied arguments
|
|
|
|
Migrated from auth.select_auth_plugin()
|
|
"""
|
|
|
|
identity_version = config.get('identity_api_version', '')
|
|
|
|
if config.get('username', None) and not config.get('auth_type', None):
|
|
if identity_version == '3':
|
|
config['auth_type'] = 'v3password'
|
|
elif identity_version.startswith('2'):
|
|
config['auth_type'] = 'v2password'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
config['auth_type'] = 'password'
|
|
elif config.get('token', None) and not config.get('auth_type', None):
|
|
if identity_version == '3':
|
|
config['auth_type'] = 'v3token'
|
|
elif identity_version.startswith('2'):
|
|
config['auth_type'] = 'v2token'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
config['auth_type'] = 'token'
|
|
else:
|
|
# The ultimate default is similar to the original behaviour,
|
|
# but this time with version discovery
|
|
if not config.get('auth_type', None):
|
|
config['auth_type'] = 'password'
|
|
|
|
LOG.debug("Auth plugin %s selected" % config['auth_type'])
|
|
return config
|
|
|
|
def _auth_v2_arguments(self, config):
|
|
"""Set up v2-required arguments from v3 info
|
|
|
|
Migrated from auth.build_auth_params()
|
|
"""
|
|
|
|
if ('auth_type' in config and config['auth_type'].startswith("v2")):
|
|
if 'project_id' in config['auth']:
|
|
config['auth']['tenant_id'] = config['auth']['project_id']
|
|
if 'project_name' in config['auth']:
|
|
config['auth']['tenant_name'] = config['auth']['project_name']
|
|
return config
|
|
|
|
def _auth_v2_ignore_v3(self, config):
|
|
"""Remove v3 arguemnts if present for v2 plugin
|
|
|
|
Migrated from clientmanager.setup_auth()
|
|
"""
|
|
|
|
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
|
|
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
|
|
# ignore all domain related configs.
|
|
if (config.get('identity_api_version', '').startswith('2') and
|
|
config.get('auth_type', None).endswith('password')):
|
|
domain_props = [
|
|
'project_domain_id',
|
|
'project_domain_name',
|
|
'user_domain_id',
|
|
'user_domain_name',
|
|
]
|
|
for prop in domain_props:
|
|
if config['auth'].pop(prop, None) is not None:
|
|
LOG.warning("Ignoring domain related config " +
|
|
prop + " because identity API version is 2.0")
|
|
return config
|
|
|
|
def _auth_default_domain(self, config):
|
|
"""Set a default domain from available arguments
|
|
|
|
Migrated from clientmanager.setup_auth()
|
|
"""
|
|
|
|
identity_version = config.get('identity_api_version', '')
|
|
auth_type = config.get('auth_type', None)
|
|
|
|
# TODO(mordred): This is a usability improvement that's broadly useful
|
|
# We should port it back up into os-client-config.
|
|
default_domain = config.get('default_domain', None)
|
|
if (identity_version == '3' and
|
|
not auth_type.startswith('v2') and
|
|
default_domain):
|
|
|
|
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
|
|
# present, then do not change the behaviour. Otherwise, set the
|
|
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
if (
|
|
not config['auth'].get('project_domain_id') and
|
|
not config['auth'].get('project_domain_name')
|
|
):
|
|
config['auth']['project_domain_id'] = default_domain
|
|
|
|
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
|
|
# then do not change the behaviour. Otherwise, set the
|
|
# USER_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
# NOTE(aloga): this should only be set if there is a username.
|
|
# TODO(dtroyer): Move this to os-client-config after the plugin has
|
|
# been loaded so we can check directly if the options are accepted.
|
|
if (
|
|
auth_type in ("password", "v3password", "v3totp") and
|
|
not config['auth'].get('user_domain_id') and
|
|
not config['auth'].get('user_domain_name')
|
|
):
|
|
config['auth']['user_domain_id'] = default_domain
|
|
return config
|
|
|
|
def auth_config_hook(self, config):
|
|
"""Allow examination of config values before loading auth plugin
|
|
|
|
OpenStackClient will override this to perform additional chacks
|
|
on auth_type.
|
|
"""
|
|
|
|
config = self._auth_select_default_plugin(config)
|
|
config = self._auth_v2_arguments(config)
|
|
config = self._auth_v2_ignore_v3(config)
|
|
config = self._auth_default_domain(config)
|
|
|
|
if LOG.isEnabledFor(logging.DEBUG):
|
|
LOG.debug("auth_config_hook(): %s",
|
|
strutils.mask_password(six.text_type(config)))
|
|
return config
|
|
|
|
def load_auth_plugin(self, config):
|
|
"""Get auth plugin and validate args"""
|
|
|
|
loader = self._get_auth_loader(config)
|
|
config = self._validate_auth(config, loader)
|
|
auth_plugin = loader.load_from_options(**config['auth'])
|
|
return auth_plugin
|
|
|
|
def _validate_auth_ksc(self, config, cloud, fixed_argparse=None):
|
|
"""Old compatibility hack for OSC, no longer needed/wanted"""
|
|
return config
|
|
|
|
def _validate_auth(self, config, loader, fixed_argparse=None):
|
|
"""Validate auth plugin arguments"""
|
|
# May throw a keystoneauth1.exceptions.NoMatchingPlugin
|
|
|
|
plugin_options = loader.get_options()
|
|
|
|
msgs = []
|
|
prompt_options = []
|
|
for p_opt in plugin_options:
|
|
# if it's in config, win, move it and kill it from config dict
|
|
# if it's in config.auth but not in config we're good
|
|
# deprecated loses to current
|
|
# provided beats default, deprecated or not
|
|
winning_value = self._find_winning_auth_value(p_opt, config)
|
|
if not winning_value:
|
|
winning_value = self._find_winning_auth_value(
|
|
p_opt, config['auth'])
|
|
|
|
# if the plugin tells us that this value is required
|
|
# then error if it's doesn't exist now
|
|
if not winning_value and p_opt.required:
|
|
msgs.append(
|
|
'Missing value {auth_key}'
|
|
' required for auth plugin {plugin}'.format(
|
|
auth_key=p_opt.name, plugin=config.get('auth_type'),
|
|
)
|
|
)
|
|
|
|
# Clean up after ourselves
|
|
for opt in [p_opt.name] + [o.name for o in p_opt.deprecated]:
|
|
opt = opt.replace('-', '_')
|
|
config.pop(opt, None)
|
|
config['auth'].pop(opt, None)
|
|
|
|
if winning_value:
|
|
# Prefer the plugin configuration dest value if the value's key
|
|
# is marked as depreciated.
|
|
if p_opt.dest is None:
|
|
config['auth'][p_opt.name.replace('-', '_')] = (
|
|
winning_value)
|
|
else:
|
|
config['auth'][p_opt.dest] = winning_value
|
|
|
|
# See if this needs a prompting
|
|
if (
|
|
'prompt' in vars(p_opt) and
|
|
p_opt.prompt is not None and
|
|
p_opt.dest not in config['auth'] and
|
|
self._pw_callback is not None
|
|
):
|
|
# Defer these until we know all required opts are present
|
|
prompt_options.append(p_opt)
|
|
|
|
if msgs:
|
|
raise occ_exceptions.OpenStackConfigException('\n'.join(msgs))
|
|
else:
|
|
for p_opt in prompt_options:
|
|
config['auth'][p_opt.dest] = self._pw_callback(p_opt.prompt)
|
|
|
|
return config
|