"Fossies" - the Fresh Open Source Software Archive

Member "glance-19.0.0/glance/common/trust_auth.py" (16 Oct 2019, 4451 Bytes) of package /linux/misc/openstack/glance-19.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "trust_auth.py" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report: 16.0.1_vs_18.0.0.

    1 # Copyright (c) 2015 Mirantis, Inc.
    2 #
    3 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    4 #    not use this file except in compliance with the License. You may obtain
    5 #    a copy of the License at
    6 #
    7 #         http://www.apache.org/licenses/LICENSE-2.0
    8 #
    9 #    Unless required by applicable law or agreed to in writing, software
   10 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   11 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   12 #    License for the specific language governing permissions and limitations
   13 #    under the License.
   14 
   15 from keystoneauth1 import exceptions as ka_exceptions
   16 from keystoneauth1 import loading as ka_loading
   17 from oslo_config import cfg
   18 from oslo_log import log as logging
   19 
   20 CONF = cfg.CONF
   21 CONF.register_opt(cfg.IntOpt('timeout'), group='keystone_authtoken')
   22 
   23 LOG = logging.getLogger(__name__)
   24 
   25 
   26 class TokenRefresher(object):
   27     """Class that responsible for token refreshing with trusts"""
   28 
   29     def __init__(self, user_plugin, user_project, user_roles):
   30         """Prepare all parameters and clients required to refresh token"""
   31         # step 1: create trust to ensure that we can always update token
   32 
   33         # trustor = user who made the request
   34         trustor_client = self._load_session(user_plugin)
   35         trustor_id = trustor_client.get_user_id()
   36 
   37         # get trustee user client that impersonates main user
   38         trustee_user_auth = ka_loading.load_auth_from_conf_options(
   39             CONF, 'keystone_authtoken')
   40         # save service user client because we need new service token
   41         # to refresh trust-scoped client later
   42         self.trustee_user_client = self._load_session(trustee_user_auth)
   43 
   44         trustee_id = self.trustee_user_client.get_user_id()
   45 
   46         self.trust_id = trustor_client.trusts.create(trustor_user=trustor_id,
   47                                                      trustee_user=trustee_id,
   48                                                      impersonation=True,
   49                                                      role_names=user_roles,
   50                                                      project=user_project).id
   51         LOG.debug("Trust %s has been created.", self.trust_id)
   52 
   53         # step 2: postpone trust-scoped client initialization
   54         # until we need to refresh the token
   55         self.trustee_client = None
   56 
   57     def refresh_token(self):
   58         """Receive new token if user need to update old token
   59 
   60         :return: new token that can be used for authentication
   61         """
   62         LOG.debug("Requesting the new token with trust %s", self.trust_id)
   63         if self.trustee_client is None:
   64             self.trustee_client = self._refresh_trustee_client()
   65         try:
   66             return self.trustee_client.get_token()
   67         except ka_exceptions.Unauthorized:
   68             # in case of Unauthorized exceptions try to refresh client because
   69             # service user token may expired
   70             self.trustee_client = self._refresh_trustee_client()
   71             return self.trustee_client.get_token()
   72 
   73     def release_resources(self):
   74         """Release keystone resources required for refreshing"""
   75 
   76         try:
   77             if self.trustee_client is None:
   78                 self._refresh_trustee_client().trusts.delete(self.trust_id)
   79             else:
   80                 self.trustee_client.trusts.delete(self.trust_id)
   81         except ka_exceptions.Unauthorized:
   82             # service user token may expire when we are trying to delete token
   83             # so need to update client to ensure that this is not the reason
   84             # of failure
   85             self.trustee_client = self._refresh_trustee_client()
   86             self.trustee_client.trusts.delete(self.trust_id)
   87 
   88     def _refresh_trustee_client(self):
   89         # Remove project_name and project_id, since we need a trust scoped
   90         # auth object
   91         kwargs = {
   92             'project_name': None,
   93             'project_domain_name': None,
   94             'project_id': None,
   95             'trust_id': self.trust_id
   96         }
   97 
   98         trustee_auth = ka_loading.load_auth_from_conf_options(
   99             CONF, 'keystone_authtoken', **kwargs)
  100 
  101         return self._load_session(trustee_auth)
  102 
  103     @staticmethod
  104     def _load_session(plugin):
  105         # load ksa session from auth settings and user plugin
  106         sess = ka_loading.load_session_from_conf_options(
  107             CONF, 'keystone_authtoken', auth=plugin)
  108         return sess