x/ranger
Code Issues Proposed changes

:[US356394] NC 1.0 - Update Ranger CLI and Keystone code for Ocata

Browse Source 
Change-Id: I4532e43b4fe54a8c0d66ca5e96731dd7f851956f
This commit is contained in:
am9518 2018-09-19 13:51:21 -07:00 committed by Aaron McLean
parent 96bdffdd54
commit 222fd98f16
33 changed files with 244 additions and 529 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
orm/base_config.py
View File

@ -59,13 +59,13 @@ OrmAuthGroup = [
default='admin', default='admin',
help='Token user name.'), help='Token user name.'),
cfg.StrOpt('password', cfg.StrOpt('password',
default='devstack', default='xxxxxxxx',
help='Token password.'), help='Token password.'),
cfg.StrOpt('project_name', cfg.StrOpt('project_name',
default='admin', default='admin',
help='Project name.'), help='Project name.'),
cfg.StrOpt('region', cfg.StrOpt('region',
default='local', default='RegionOne',
help='Region.'), help='Region.'),
cfg.BoolOpt('auth_enabled', cfg.BoolOpt('auth_enabled',
default=False, default=False,
@ -108,7 +108,7 @@ orm_uuid_group = cfg.OptGroup(name='uuid', title='Orm UUID Options')
OrmUuidGroup = [ OrmUuidGroup = [
cfg.PortOpt('port', cfg.PortOpt('port',
default=7001, default=8090,
help='UUID port.'), help='UUID port.'),
cfg.StrOpt('log', cfg.StrOpt('log',
default='uuidgen.log', default='uuidgen.log',
@ -156,7 +156,7 @@ orm_audit_group = cfg.OptGroup(name='audit', title='Orm Audit Options')
OrmAuditGroup = [ OrmAuditGroup = [
cfg.PortOpt('port', cfg.PortOpt('port',
default=7002, default=8776,
help='Audit port.'), help='Audit port.'),
cfg.StrOpt('log', cfg.StrOpt('log',
default='audit_server.log', default='audit_server.log',
@ -184,11 +184,12 @@ CONF.register_opts(OrmImsGroup, orm_ims_group)
# rms config options in [rms] group # rms config options in [rms] group
# old 7003
orm_rms_group = cfg.OptGroup(name='rms', title='Orm Rms Options') orm_rms_group = cfg.OptGroup(name='rms', title='Orm Rms Options')
OrmRmsGroup = [ OrmRmsGroup = [
cfg.PortOpt('port', cfg.PortOpt('port',
default=7003, default=8080,
help='Rms port.'), help='Rms port.'),
cfg.StrOpt('log', cfg.StrOpt('log',
default='rms.log', default='rms.log',
@ -232,7 +233,7 @@ orm_cli_group = cfg.OptGroup(name='cli', title='Orm CLI Options')
OrmCliGroup = [ OrmCliGroup = [
cfg.StrOpt('base_region', cfg.StrOpt('base_region',
default='local', default='RegionOne',
help='Base region.') help='Base region.')
] ]
@ -250,16 +251,19 @@ protocol = CONF.protocol
orm_host = CONF.orm_host orm_host = CONF.orm_host
ranger_url = CONF.ranger_url ranger_url = CONF.ranger_url
ranger_base = CONF.ranger_base ranger_base = CONF.ranger_base
ranger_url = CONF.ranger_url
ssl_verify = CONF.ssl_verify ssl_verify = CONF.ssl_verify
token_auth_enabled = CONF.keystone_authtoken.auth_enabled token_auth_enabled = CONF.keystone_authtoken.auth_enabled
token_auth_user = CONF.keystone_authtoken.username token_auth_user = CONF.keystone_authtoken.username
token_auth_pass = CONF.keystone_authtoken.password token_auth_pass = CONF.keystone_authtoken.password
token_auth_tenant = CONF.keystone_authtoken.project_name token_auth_tenant = CONF.keystone_authtoken.project_name
token_auth_user_role = CONF.keystone_authtoken.user_role token_auth_user_role = CONF.keystone_authtoken.user_role
user_domain_name = CONF.keystone_authtoken.user_domain_name
project_domain_name = CONF.keystone_authtoken.project_domain_name
conn = CONF.database.connection conn = CONF.database.connection
db_connect = conn.replace("mysql+pymysql", "mysql") if conn else None db_connect = conn.replace("mysql+pymysql", "mysql") if conn else None
# pass keystone version '2.0' or '3' # pass keystone version '2.0' or '3'
token_auth_version = '3' if (CONF.keystone_authtoken.version == 'v3') else '2.0' token_auth_version = '3'
cert_path = CONF.ranger_agent_client_cert_path cert_path = CONF.ranger_agent_client_cert_path
https_enabled = CONF.ranger_agent_https_enabled https_enabled = CONF.ranger_agent_https_enabled
@ -292,8 +296,9 @@ ims = {'port': CONF.ims.port,
'/orm/services/image_manager/ims/etc/policy.json', '/orm/services/image_manager/ims/etc/policy.json',
'log': '{}/{}'.format(CONF.log_location, CONF.ims.log)} 'log': '{}/{}'.format(CONF.log_location, CONF.ims.log)}
# Had to remove trailing slash from port number in base_url so rms would work.
rms = {'port': CONF.rms.port, rms = {'port': CONF.rms.port,
'base_url': '{}://{}:{}/'.format(protocol, orm_host, CONF.rms.port), 'base_url': '{}://{}:{}'.format(protocol, orm_host, CONF.rms.port),
'policy_file': CONF.ranger_base + 'policy_file': CONF.ranger_base +
'/orm/services/region_manager/rms/etc/policy.json', '/orm/services/region_manager/rms/etc/policy.json',
'log': '{}/{}'.format(CONF.log_location, CONF.rms.log)} 'log': '{}/{}'.format(CONF.log_location, CONF.rms.log)}

154
orm/common/client/keystone/keystone_utils/tokens.py
View File

@ -2,9 +2,9 @@
import logging import logging
import requests import requests
from orm.common.client.keystone.mock_keystone.keystoneclient import exceptions from keystoneauth1.identity import v3
from orm.common.client.keystone.mock_keystone.keystoneclient.v2_0 import client as v2_client from keystoneauth1 import session as ksc_session
from orm.common.client.keystone.mock_keystone.keystoneclient.v3 import client as v3_client from keystoneclient.v3 import client as v3_client
from orm.common.orm_common.utils import dictator from orm.common.orm_common.utils import dictator
from pecan import request from pecan import request
@ -25,7 +25,7 @@ class KeystoneNotFoundError(Exception):
class TokenConf(object): class TokenConf(object):
"""The Token Validator configuration class.""" """The Token Validator configuration class."""
def __init__(self, mech_id, password, rms_url, tenant_name, version): def __init__(self, mech_id, password, rms_url, tenant_name, version, user_domain_name, project_domain_name):
"""Initialize the Token Validator configuration. """Initialize the Token Validator configuration.
:param mech_id: Username for Keystone :param mech_id: Username for Keystone
@ -39,20 +39,28 @@ class TokenConf(object):
self.rms_url = rms_url self.rms_url = rms_url
self.tenant_name = tenant_name self.tenant_name = tenant_name
self.version = version self.version = version
self.user_domain_name = user_domain_name
self.project_domain_name = project_domain_name
class TokenUser(object): class TokenUser(object):
"""Class with details about the token user.""" """Class with details about the token user."""
def __init__(self, token): def __init__(self, token_details, keystone_ep):
"""Initialize the Token User. """Initialize the Token User.
:param token: The token object (returned by tokens.validate) :param token: The token object (returned by tokens.validate)
""" """
self.token = token.token self.tenant = {}
self.user = token.user self.user = {}
self.tenant = getattr(token, 'tenant', None) self.auth_url = keystone_ep
self.domain = getattr(token, 'domain', None) self.token = getattr(token_details, 'auth_token', None)
self.domain = getattr(token_details, 'project_domain_name', None)
self.tenant['name'] = getattr(token_details, 'tenant_name', None)
self.tenant['id'] = getattr(token_details, 'tenant_id', None)
self.user['name'] = getattr(token_details, 'username', None)
self.user['id'] = getattr(token_details, 'user_id', None)
self.user['roles'] = token_details['roles']
def get_token_user(token, conf, lcp_id=None, keystone_ep=None): def get_token_user(token, conf, lcp_id=None, keystone_ep=None):
@ -85,8 +93,6 @@ def get_token_user(token, conf, lcp_id=None, keystone_ep=None):
if conf.version == '3': if conf.version == '3':
client = v3_client client = v3_client
elif conf.version == '2.0':
client = v2_client
else: else:
message = 'Invalid Keystone version: %s' % (conf.version,) message = 'Invalid Keystone version: %s' % (conf.version,)
logger.debug(message) logger.debug(message)
@ -99,12 +105,12 @@ def get_token_user(token, conf, lcp_id=None, keystone_ep=None):
logger.debug('User token found in Keystone') logger.debug('User token found in Keystone')
if not request.headers.get('X-RANGER-Requester'): if not request.headers.get('X-RANGER-Requester'):
request.headers['X-RANGER-Requester'] = \ request.headers['X-RANGER-Requester'] = \
token_info.user['username'] token_info.username
return TokenUser(token_info) return TokenUser(token_info, keystone_ep)
# Other exceptions raised by validate() are critical errors, # Other exceptions raised by validate() are critical errors,
# so instead of returning False, we'll just let them propagate # so instead of returning False, we'll just let them propagate
except exceptions.NotFound: except client.exceptions.NotFound:
logger.debug('User token not found in Keystone! Make sure that it is ' logger.debug('User token not found in Keystone! Make sure that it is '
'correct and that it has not expired yet') 'correct and that it has not expired yet')
return None return None
@ -149,45 +155,6 @@ def _find_keystone_ep(rms_url, lcp_name):
return None return None
def _does_user_have_role(keystone, version, user, role, location):
"""Check whether a user has a role.
:param keystone: The Keystone client to use
:param version: Keystone version
:param user: A dict that represents the user in question
:param role: The role to check whether the user has
:param location: Keystone role location
:return: True if the user has the requested role, False otherwise.
:raise: client.exceptions.NotFound when the requested role does not exist,
ValueError when the version is 2.0 but the location is not 'tenant'
"""
location = dict(location)
if version == '3':
role = keystone.roles.find(name=role)
try:
return keystone.roles.check(role, user=user['user']['id'],
**location)
except exceptions.NotFound:
return False
except KeyError:
# Shouldn't be raised when using Keystone's v3/v2.0 API, but let's
# play on the safe side
logger.debug('The user parameter came in a wrong format!')
return False
elif version == '2.0':
# v2.0 supports tenants only
if location.keys()[0] != 'tenant':
raise ValueError(
'Using Keystone v2.0, expected "tenant", received: "%s"' % (
location.keys()[0],))
tenant = keystone.tenants.find(name=location['tenant'])
# v2.0 does not enable us to check for a specific role (unlike v3)
role_list = keystone.roles.roles_for_user(user.user['id'],
tenant=tenant)
return any([user_role.name == role for user_role in role_list])
def _get_keystone_client(client, conf, keystone_ep, lcp_id): def _get_keystone_client(client, conf, keystone_ep, lcp_id):
"""Get the Keystone client. """Get the Keystone client.
@ -202,12 +169,14 @@ def _get_keystone_client(client, conf, keystone_ep, lcp_id):
try: try:
if keystone_ep not in _KEYSTONES: if keystone_ep not in _KEYSTONES:
# Instantiate the Keystone client according to the configuration # Instantiate the Keystone client according to the configuration
_KEYSTONES[keystone_ep] = client.Client( auth = v3.Password(user_domain_name=conf.user_domain_name,
username=conf.mech_id, username=conf.mech_id,
password=conf.password, password=conf.password,
tenant_name=conf.tenant_name, project_domain_name=conf.project_domain_name,
auth_url=keystone_ep + '/v' + conf.version) project_name=conf.tenant_name,
auth_url=keystone_ep + '/v' + conf.version)
sess = ksc_session.Session(auth=auth)
_KEYSTONES[keystone_ep] = client.Client(session=sess)
return _KEYSTONES[keystone_ep] return _KEYSTONES[keystone_ep]
except Exception: except Exception:
logger.critical( logger.critical(
@ -215,70 +184,3 @@ def _get_keystone_client(client, conf, keystone_ep, lcp_id):
'region {}. Please contact Keystone team.'.format( 'region {}. Please contact Keystone team.'.format(
dictator.get('service_name', 'ORM'), keystone_ep, lcp_id)) dictator.get('service_name', 'ORM'), keystone_ep, lcp_id))
raise raise
def is_token_valid(token_to_validate, lcp_id, conf, required_role=None,
role_location=None):
"""Validate a token.
:param token_to_validate: The token to validate
:param lcp_id: The ID of the LCP associated with the Keystone instance
with which the token was created
:param conf: A TokenConf object
:param required_role: The required role for privileged actions,
e.g. 'admin' (optional).
:param role_location: The Keystone role location (a dict whose single
key is either 'domain' or 'tenant', whose value is the location name)
:return: False if one of the tokens received (or more) is invalid,
True otherwise.
:raise: KeystoneNotFoundError when the Keystone EP for the required LCP
was not found in RMS output,
client.exceptions.AuthorizationFailure when the connection with the
Keystone EP could not be established,
client.exceptions.EndpointNotFound when _our_ authentication
(as an admin) with Keystone failed,
ValueError when an invalid Keystone version was specified,
ValueError when a role or a tenant was not found,
ValueError when a role is required but role_location is None.
"""
keystone_ep = _find_keystone_ep(conf.rms_url, lcp_id)
if keystone_ep is None:
raise KeystoneNotFoundError('Keystone EP of LCP %s not found in RMS' %
(lcp_id,))
if conf.version == '3':
client = v3_client
elif conf.version == '2.0':
client = v2_client
else:
raise ValueError('Invalid Keystone version: %s' % (conf.version,))
keystone = _get_keystone_client(client, conf, keystone_ep, lcp_id)
try:
user = keystone.tokens.validate(token_to_validate)
logger.debug('User token found in Keystone')
# Other exceptions raised by validate() are critical errors,
# so instead of returning False, we'll just let them propagate
except exceptions.NotFound:
logger.debug('User token not found in Keystone! Make sure that it is'
'correct and that it has not expired yet')
return False
if required_role is not None:
if role_location is None:
raise ValueError(
'A role is required but no role location was specified!')
try:
logger.debug('Checking role...')
return _does_user_have_role(keystone, conf.version, user,
required_role, role_location)
except exceptions.NotFound:
raise ValueError('Role %s or tenant %s not found!' % (
required_role, role_location,))
else:
# We know that the token is valid and there's no need to enforce a
# policy on this operation, so we can let the user pass
logger.debug('No role to check, authentication finished successfully')
return True

2
orm/common/orm_common/policy/policy.py
View File

@ -145,6 +145,8 @@ def authorize(action, request, app_conf, keystone_ep=None):
lcp_id, keystone_ep) lcp_id, keystone_ep)
request.headers['X-RANGER-Client'] = user.user['name'] request.headers['X-RANGER-Client'] = user.user['name']
request.headers['X-RANGER-Owner'] = user.tenant['id'] request.headers['X-RANGER-Owner'] = user.tenant['id']
request.headers['Keystone-Endpoint'] = user.auth_url
keystone_ep = user.auth_url
except Exception: except Exception:
user = None user = None
request.headers['X-RANGER-Client'] = 'NA' request.headers['X-RANGER-Client'] = 'NA'

39
orm/orm_client/ormcli/cmscli.py
View File

@ -333,16 +333,33 @@ def get_token(timeout, args, host):
headers = { headers = {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
url = '%s/v2.0/tokens' url = '%s/v3/auth/tokens'
data = ''' data = '''
{ {
"auth": { "auth":{
"tenantName": "%s", "identity":{
"passwordCredentials": { "methods":[
"username": "%s", "password"
"password": "%s" ],
} "password":{
} "user":{
"domain":{
"name":"%s"
},
"name":"%s",
"password":"%s"
}
}
},
"scope":{
"project":{
"name":"%s",
"domain":{
"id":"%s"
}
}
}
}
}''' }'''
for argument in ('tenant_name', 'username', 'password', 'auth_region'): for argument in ('tenant_name', 'username', 'password', 'auth_region'):
argument_value = getattr(args, argument, None) argument_value = getattr(args, argument, None)
@ -366,7 +383,7 @@ def get_token(timeout, args, host):
'Failed in get_token, host: {}, region: {}'.format(host, 'Failed in get_token, host: {}, region: {}'.format(host,
auth_region)) auth_region))
url = url % (keystone_ep,) url = url % (keystone_ep,)
data = data % (tenant_name, username, password,) data = data % (base_config.user_domain_name, username, password, tenant_name, base_config.project_domain_name,)
if args.verbose: if args.verbose:
print( print(
@ -374,11 +391,11 @@ def get_token(timeout, args, host):
timeout, headers, url)) timeout, headers, url))
try: try:
resp = requests.post(url, timeout=timeout, data=data, headers=headers) resp = requests.post(url, timeout=timeout, data=data, headers=headers)
if resp.status_code != 200: if resp.status_code != 201:
raise ResponseError( raise ResponseError(
'Failed to get token (Reason: {})'.format( 'Failed to get token (Reason: {})'.format(
resp.status_code)) resp.status_code))
return resp.json()['access']['token']['id'] return resp.headers['x-subject-token']
except Exception as e: except Exception as e:
print e.message print e.message

2
orm/orm_client/ormcli/config.py
View File

@ -5,6 +5,6 @@ import orm.base_config as config
tenant_name = config.token_auth_tenant tenant_name = config.token_auth_tenant
username = config.token_auth_user username = config.token_auth_user
password = config.token_auth_pass password = config.token_auth_pass
auth_region = config.token_auth_version auth_region = config.CONF.cli.base_region
orm_base_url = config.ranger_url orm_base_url = config.ranger_url
verify = config.ssl_verify verify = config.ssl_verify

39
orm/orm_client/ormcli/fmscli.py
View File

@ -291,16 +291,33 @@ def get_token(timeout, args, host):
headers = { headers = {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
url = '%s/v2.0/tokens' url = '%s/v3/auth/tokens'
data = ''' data = '''
{ {
"auth": { "auth":{
"tenantName": "%s", "identity":{
"passwordCredentials": { "methods":[
"username": "%s", "password"
"password": "%s" ],
} "password":{
} "user":{
"domain":{
"name":"%s"
},
"name":"%s",
"password":"%s"
}
}
},
"scope":{
"project":{
"name":"%s",
"domain":{
"id":"%s"
}
}
}
}
}''' }'''
for argument in ('tenant_name', 'username', 'password', 'auth_region'): for argument in ('tenant_name', 'username', 'password', 'auth_region'):
argument_value = getattr(args, argument, None) argument_value = getattr(args, argument, None)
@ -324,7 +341,7 @@ def get_token(timeout, args, host):
'Failed in get_token, host: {}, region: {}'.format(host, 'Failed in get_token, host: {}, region: {}'.format(host,
auth_region)) auth_region))
url = url % (keystone_ep,) url = url % (keystone_ep,)
data = data % (tenant_name, username, password,) data = data % (base_config.user_domain_name, username, password, tenant_name, base_config.project_domain_name,)
if args.verbose: if args.verbose:
print( print(
@ -332,11 +349,11 @@ def get_token(timeout, args, host):
timeout, headers, url)) timeout, headers, url))
try: try:
resp = requests.post(url, timeout=timeout, data=data, headers=headers) resp = requests.post(url, timeout=timeout, data=data, headers=headers)
if resp.status_code != 200: if resp.status_code != 201:
raise ResponseError( raise ResponseError(
'Failed to get token (Reason: {})'.format( 'Failed to get token (Reason: {})'.format(
resp.status_code)) resp.status_code))
return resp.json()['access']['token']['id'] return resp.headers['x-subject-token']
except Exception as e: except Exception as e:
print e.message print e.message

39
orm/orm_client/ormcli/imscli.py
View File

@ -182,16 +182,33 @@ def get_token(timeout, args, host):
headers = { headers = {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
url = '%s/v2.0/tokens' url = '%s/v3/auth/tokens'
data = ''' data = '''
{ {
"auth": { "auth":{
"tenantName": "%s", "identity":{
"passwordCredentials": { "methods":[
"username": "%s", "password"
"password": "%s" ],
} "password":{
} "user":{
"domain":{
"name":"%s"
},
"name":"%s",
"password":"%s"
}
}
},
"scope":{
"project":{
"name":"%s",
"domain":{
"id":"%s"
}
}
}
}
}''' }'''
for argument in ('tenant_name', 'username', 'password', 'auth_region'): for argument in ('tenant_name', 'username', 'password', 'auth_region'):
argument_value = getattr(args, argument, None) argument_value = getattr(args, argument, None)
@ -215,7 +232,7 @@ def get_token(timeout, args, host):
'Failed in get_token, host: {}, region: {}'.format(host, 'Failed in get_token, host: {}, region: {}'.format(host,
auth_region)) auth_region))
url = url % (keystone_ep,) url = url % (keystone_ep,)
data = data % (tenant_name, username, password,) data = data % (base_config.user_domain_name, username, password, tenant_name, base_config.project_domain_name,)
if args.verbose: if args.verbose:
print( print(
@ -223,11 +240,11 @@ def get_token(timeout, args, host):
timeout, headers, url)) timeout, headers, url))
try: try:
resp = requests.post(url, timeout=timeout, data=data, headers=headers) resp = requests.post(url, timeout=timeout, data=data, headers=headers)
if resp.status_code != 200: if resp.status_code != 201:
raise ResponseError( raise ResponseError(
'Failed to get token (Reason: {})'.format( 'Failed to get token (Reason: {})'.format(
resp.status_code)) resp.status_code))
return resp.json()['access']['token']['id'] return resp.headers['x-subject-token']
except Exception as e: except Exception as e:
print e.message print e.message

39
orm/orm_client/ormcli/rmscli.py
View File

@ -205,16 +205,33 @@ def get_token(timeout, args, host):
headers = { headers = {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
} }
url = '%s/v2.0/tokens' url = '%s/v3/auth/tokens'
data = ''' data = '''
{ {
"auth": { "auth":{
"tenantName": "%s", "identity":{
"passwordCredentials": { "methods":[
"username": "%s", "password"
"password": "%s" ],
} "password":{
} "user":{
"domain":{
"name":"%s"
},
"name":"%s",
"password":"%s"
}
}
},
"scope":{
"project":{
"name":"%s",
"domain":{
"id":"%s"
}
}
}
}
}''' }'''
for argument in ('tenant_name', 'username', 'password', 'auth_region'): for argument in ('tenant_name', 'username', 'password', 'auth_region'):
argument_value = getattr(args, argument, None) argument_value = getattr(args, argument, None)
@ -240,7 +257,7 @@ def get_token(timeout, args, host):
'Failed in get_token, host: {}, region: {}'.format(host, 'Failed in get_token, host: {}, region: {}'.format(host,
auth_region)) auth_region))
url = url % (keystone_ep,) url = url % (keystone_ep,)
data = data % (tenant_name, username, password,) data = data % (base_config.user_domain_name, username, password, tenant_name, base_config.project_domain_name,)
if args.verbose: if args.verbose:
print( print(
@ -248,11 +265,11 @@ def get_token(timeout, args, host):
timeout, headers, url)) timeout, headers, url))
try: try:
resp = requests.post(url, timeout=timeout, data=data, headers=headers) resp = requests.post(url, timeout=timeout, data=data, headers=headers)
if resp.status_code != 200: if resp.status_code != 201:
raise ResponseError( raise ResponseError(
'Failed to get token (Reason: {})'.format( 'Failed to get token (Reason: {})'.format(
resp.status_code)) resp.status_code))
return resp.json()['access']['token']['id'] return resp.headers['x-subject-token']
except Exception as e: except Exception as e:
print e.message print e.message

29
orm/services/customer_manager/cms_rest/utils/authentication.py
View File

@ -29,31 +29,8 @@ def _get_token_conf(app_conf):
rms_url = app_conf.authentication.rms_url rms_url = app_conf.authentication.rms_url
tenant_name = app_conf.authentication.tenant_name tenant_name = app_conf.authentication.tenant_name
keystone_version = app_conf.authentication.keystone_version keystone_version = app_conf.authentication.keystone_version
user_domain_name = app_conf.authentication.user_domain_name
project_domain_name = app_conf.authentication.project_domain_name
conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name, conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
keystone_version) keystone_version, user_domain_name, project_domain_name)
return conf return conf
def check_permissions(app_conf, token_to_validate, lcp_id):
logger.debug("Check permissions...start")
token_role = app_conf.authentication.token_role
try:
if _is_authorization_enabled(app_conf):
if token_to_validate is not None and lcp_id is not None and str(token_to_validate).strip() != '' and str(lcp_id).strip() != '':
token_conf = _get_token_conf(app_conf)
logger.debug("Authorization: validating token=[{}] on lcp_id=[{}]".format(token_to_validate, lcp_id))
is_permitted = tokens.is_token_valid(token_to_validate, lcp_id, token_conf, token_role, app_conf.authentication.role_location)
logger.debug("Authorization: The token=[{}] on lcp_id=[{}] is [{}]"
.format(token_to_validate, lcp_id, "valid" if is_permitted else "invalid"))
else:
raise Exception("Token=[{}] and/or Region=[{}] are empty/none.".format(token_to_validate, lcp_id))
else:
logger.debug("The authentication service is disabled. No authentication is needed.")
is_permitted = True
except Exception as e:
msg = "Fail to validate request. due to {}.".format(e.message)
logger.error(msg)
logger.exception(e)
is_permitted = False
logger.debug("Check permissions...end")
return is_permitted

4
orm/services/customer_manager/config.py
View File

@ -134,5 +134,7 @@ authentication = {
"role_location": {"domain": "admin"}, "role_location": {"domain": "admin"},
# The Keystone version currently in use. Can be either "2.0" or "3". # The Keystone version currently in use. Can be either "2.0" or "3".
"keystone_version": config.token_auth_version, "keystone_version": config.token_auth_version,
"policy_file": config.cms['policy_file'] "policy_file": config.cms['policy_file'],
"user_domain_name": config.user_domain_name,
"project_domain_name": config.project_domain_name
} }

4
orm/services/flavor_manager/config.py
View File

@ -160,6 +160,8 @@ authentication = {
# The Keystone version currently in use. Can be either "2.0" or "3" # The Keystone version currently in use. Can be either "2.0" or "3"
"keystone_version": config.token_auth_version, "keystone_version": config.token_auth_version,
"policy_file": config.fms['policy_file'], "policy_file": config.fms['policy_file'],
"user_domain_name": config.user_domain_name,
"project_domain_name": config.project_domain_name
} }
# valid_flavor_options # valid_flavor_options
@ -188,5 +190,5 @@ flavor_limits = {
# swap_file_limit is in MB and must be a multiple of 1024 # swap_file_limit is in MB and must be a multiple of 1024
"swap_file_limit": "393216", "swap_file_limit": "393216",
# ephemeral_limit is in GB # ephemeral_limit is in GB
"ephemeral_limit": "10000", "ephemeral_limit": "10000"
} }

28
orm/services/flavor_manager/fms_rest/utils/authentication.py
View File

@ -26,30 +26,8 @@ def get_token_conf(app_conf):
rms_url = app_conf.authentication.rms_url rms_url = app_conf.authentication.rms_url
tenant_name = app_conf.authentication.tenant_name tenant_name = app_conf.authentication.tenant_name
keystone_version = app_conf.authentication.keystone_version keystone_version = app_conf.authentication.keystone_version
user_domain_name = app_conf.authentication.user_domain_name
project_domain_name = app_conf.authentication.project_domain_name
conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name, conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
keystone_version) keystone_version, user_domain_name, project_domain_name)
return conf return conf
def check_permissions(app_conf, token_to_validate, lcp_id):
logger.debug("Check permissions...start")
try:
if _is_authorization_enabled(app_conf):
if token_to_validate is not None and lcp_id is not None and str(token_to_validate).strip() != '' and str(lcp_id).strip() != '':
token_conf = get_token_conf(app_conf)
logger.debug("Authorization: validating token=[{}] on lcp_id=[{}]".format(token_to_validate, lcp_id))
is_permitted = tokens.is_token_valid(token_to_validate, lcp_id, token_conf)
logger.debug("Authorization: The token=[{}] on lcp_id=[{}] is [{}]"
.format(token_to_validate, lcp_id, "valid" if is_permitted else "invalid"))
else:
raise Exception("Token=[{}] and/or Region=[{}] are empty/none.".format(token_to_validate, lcp_id))
else:
logger.debug("The authentication service is disabled. No authentication is needed.")
is_permitted = True
except Exception as e:
msg = "Fail to validate request. due to {}.".format(e.message)
logger.error(msg)
logger.exception(e)
is_permitted = False
logger.debug("Check permissions...end")
return is_permitted

6
orm/services/id_generator/config.py
View File

@ -61,9 +61,3 @@ verify = config.ssl_verify
database = { database = {
'connection_string': config.db_connect 'connection_string': config.db_connect
} }
# Custom Configurations must be in Python dictionary format::
#
# foo = {'bar':'baz'}
#
# All configurations are accessible at::
# pecan.conf

4
orm/services/image_manager/config.py
View File

@ -111,5 +111,7 @@ authentication = {
"tenant_name": config.token_auth_tenant, "tenant_name": config.token_auth_tenant,
"token_role": config.token_auth_user_role, "token_role": config.token_auth_user_role,
"keystone_version": config.token_auth_version, "keystone_version": config.token_auth_version,
"policy_file": config.ims['policy_file'] "policy_file": config.ims['policy_file'],
"user_domain_name": config.user_domain_name,
"project_domain_name": config.project_domain_name
} }

28
orm/services/image_manager/ims/utils/authentication.py
View File

@ -19,35 +19,13 @@ def _get_token_conf(app_conf):
rms_url = app_conf.authentication.rms_url rms_url = app_conf.authentication.rms_url
tenant_name = app_conf.authentication.tenant_name tenant_name = app_conf.authentication.tenant_name
keystone_version = app_conf.authentication.keystone_version keystone_version = app_conf.authentication.keystone_version
user_domain_name = app_conf.authentication.user_domain_name
project_domain_name = app_conf.authentication.project_domain_name
conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name, conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
keystone_version) keystone_version, user_domain_name, project_domain_name)
return conf return conf
def check_permissions(app_conf, token_to_validate, lcp_id):
logger.debug("Check permissions...start")
try:
if _is_authorization_enabled(app_conf):
if token_to_validate is not None and lcp_id is not None and str(token_to_validate).strip() != '' and str(lcp_id).strip() != '':
token_conf = _get_token_conf(app_conf)
logger.debug("Authorization: validating token=[{}] on lcp_id=[{}]".format(token_to_validate, lcp_id))
is_permitted = tokens.is_token_valid(token_to_validate, lcp_id, token_conf)
logger.debug("Authorization: The token=[{}] on lcp_id=[{}] is [{}]"
.format(token_to_validate, lcp_id, "valid" if is_permitted else "invalid"))
else:
raise Exception("Token=[{}] and/or Region=[{}] are empty/none.".format(token_to_validate, lcp_id))
else:
logger.debug("The authentication service is disabled. No authentication is needed.")
is_permitted = True
except Exception as e:
msg = "Fail to validate request. due to {}.".format(e.message)
logger.error(msg)
logger.exception(e)
is_permitted = False
logger.debug("Check permissions...end")
return is_permitted
def authorize(request, action): def authorize(request, action):
if not _is_authorization_enabled(conf): if not _is_authorization_enabled(conf):
return return

4
orm/services/region_manager/config.py
View File

@ -113,7 +113,9 @@ authentication = {
"tenant_name": config.token_auth_tenant, "tenant_name": config.token_auth_tenant,
# The Keystone version currently in use. Can be either "2.0" or "3" # The Keystone version currently in use. Can be either "2.0" or "3"
"keystone_version": config.token_auth_version, "keystone_version": config.token_auth_version,
"policy_file": config.rms['policy_file'] "policy_file": config.rms['policy_file'],
"user_domain_name": config.user_domain_name,
"project_domain_name": config.project_domain_name
} }
api = { api = {

5
orm/services/region_manager/rms/utils/authentication.py
View File

@ -45,6 +45,9 @@ def get_token_conf(app_conf):
rms_url = '' rms_url = ''
tenant_name = app_conf.authentication.tenant_name tenant_name = app_conf.authentication.tenant_name
keystone_version = app_conf.authentication.keystone_version keystone_version = app_conf.authentication.keystone_version
user_domain_name = app_conf.authentication.user_domain_name
project_domain_name = app_conf.authentication.project_domain_name
conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name, conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
keystone_version) keystone_version, user_domain_name, project_domain_name)
return conf return conf

4
orm/services/region_manager/scripts/db_scripts/create_db.sql
View File

@ -9,7 +9,7 @@ create table if not exists rms_groups
group_id varchar(64) not null, group_id varchar(64) not null,
name varchar(64) not null, name varchar(64) not null,
description varchar(255) not null, description varchar(255) not null,
created TIMESTAMP not null DEFAULT 0, created TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP ,
modified TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, modified TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
primary key (id,group_id), primary key (id,group_id),
unique grp_namex (name), unique grp_namex (name),
@ -34,7 +34,7 @@ create table if not exists region
vlcp_name varchar(64) not null, vlcp_name varchar(64) not null,
clli varchar(64) not null, clli varchar(64) not null,
description varchar(255) not null, description varchar(255) not null,
created TIMESTAMP not null DEFAULT 0, created TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP,
modified TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, modified TIMESTAMP not null DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
primary key (id,region_id,name), primary key (id,region_id,name),
unique region_namex (name), unique region_namex (name),

4
orm/services/resource_distributor/config.py
View File

@ -218,5 +218,7 @@ authentication = {
"tenant_name": config.token_auth_tenant, "tenant_name": config.token_auth_tenant,
"token_role": config.token_auth_user_role, "token_role": config.token_auth_user_role,
# The Keystone version currently in use. Can be either "2.0" or "3" # The Keystone version currently in use. Can be either "2.0" or "3"
"keystone_version": config.token_auth_version "keystone_version": config.token_auth_version,
"user_domain_name": config.user_domain_name,
"project_domain_name": config.project_domain_name
} }

26
orm/services/resource_distributor/rds/utils/authentication.py
View File

@ -12,6 +12,9 @@ mech_id = ""
mech_password = False mech_password = False
rms_url = "" rms_url = ""
tenant_name = "" tenant_name = ""
keystone_version = ""
user_domain_name = "default"
project_domain_name = "default"
headers = {'content-type': 'application/json'} headers = {'content-type': 'application/json'}
@ -25,7 +28,8 @@ def _is_authorization_enabled():
def _get_token_conf(): def _get_token_conf():
conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name) conf = tokens.TokenConf(mech_id, mech_password, rms_url, tenant_name,
keystone_version, user_domain_name, project_domain_name)
return conf return conf
@ -86,23 +90,3 @@ def get_token(region):
except Exception as exp: except Exception as exp:
logger.error(exp) logger.error(exp)
logger.exception(exp) logger.exception(exp)
def check_permissions(token_to_validate, lcp_id):
logger.debug("Check permissions...start")
try:
if _is_authorization_enabled():
token_conf = _get_token_conf()
logger.debug("Authorization: validating token=[{}] on lcp_id=[{}]".format(token_to_validate, lcp_id))
is_permitted = tokens.is_token_valid(token_to_validate, lcp_id, token_conf)
logger.debug("Authorization: The token=[{}] on lcp_id=[{}] is [{}]".format(token_to_validate, lcp_id, "valid" if is_permitted else "invalid"))
else:
logger.debug("The authentication service is disabled. No authentication is needed.")
is_permitted = True
except Exception as e:
msg = "Fail to validate request. due to {}.".format(e.message)
logger.error(msg)
logger.exception(e)
is_permitted = False
logger.debug("Check permissions...end")
return is_permitted

6
orm/tests/config.py
View File

@ -131,6 +131,8 @@ authentication = {
"mech_pass": "stack", "mech_pass": "stack",
"rms_url": "http://127.0.0.1:8080", "rms_url": "http://127.0.0.1:8080",
"tenant_name": "admin", "tenant_name": "admin",
"keystone_version": "2.0", "keystone_version": "3",
"policy_file": "orm/services/flavor_manager/fms_rest/etc/policy.json" "policy_file": "orm/services/flavor_manager/fms_rest/etc/policy.json",
"user_domain_name": "default",
"project_domain_name": "default"
} }

6
orm/tests/unit/cms/config.py
View File

@ -126,6 +126,8 @@ authentication = {
"tenant_name": "admin", "tenant_name": "admin",
"token_role": "admin", "token_role": "admin",
"role_location": {"tenant": "admin"}, "role_location": {"tenant": "admin"},
"keystone_version": "2.0", "keystone_version": "3",
"policy_file": "orm/services/customer_manager/cms_rest/etc/policy.json" "policy_file": "orm/services/customer_manager/cms_rest/etc/policy.json",
"user_domain_name": "default",
"project_domain_name": "default"
} }

35
orm/tests/unit/cms/test_authentication.py
View File

@ -16,38 +16,3 @@ class TestUtil(FunctionalTest):
mock_TokenConf.return_value = 123 mock_TokenConf.return_value = 123
token_conf = authentication._get_token_conf(conf) token_conf = authentication._get_token_conf(conf)
self.assertEqual(token_conf, 123) self.assertEqual(token_conf, 123)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_token_valid(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = True
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, True)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_token_invalid(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = False
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, False)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_disabled(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', False)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = False
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, True)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_is_token_valid_breaks(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_is_token_valid.side_effect = Exception('boom')
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, False)

177
orm/tests/unit/common/test_tokens.py
View File

@ -65,159 +65,30 @@ class TokensTest(unittest.TestCase):
result = tokens._find_keystone_ep('a', 'b') result = tokens._find_keystone_ep('a', 'b')
self.assertIsNone(result) self.assertIsNone(result)
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse( # @mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test', # tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test',
'type': 'identity'}]}]})) # 'type': 'identity'}]}]}))
@mock.patch.object(tokens.v3_client, 'Client') # @mock.patch.object(tokens, '_get_keystone_client')
def test_is_token_valid_sanity(self, mock_get, mock_client): # def test_get_token_user_token_not_found(self, mock_get_keystone_client):
self.assertTrue(tokens.is_token_valid('a', 'b', tokens.TokenConf( # ks = mock.MagicMock()
'a', 'b', 'c', 'd', '3'))) # ks.tokens.validate.side_effect = exceptions.NotFound()
# mock_get_keystone_client.return_value = ks
# conf = tokens.TokenConf(*('3',) * 7)
# self.assertIsNone(tokens.get_token_user('a', conf, 'c', 'd'))
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse( # @mock.patch.object(tokens, 'request')
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test', # @mock.patch.object(tokens, '_get_keystone_client')
'type': 'identity'}]}]})) # def test_get_token_user_success(self, mock_get_keystone_client,
@mock.patch.object(tokens.v3_client, 'Client') # mock_request):
def test_is_token_valid_sanity_role_required(self, mock_get, mock_client): # token_info = mock.MagicMock()
user = {'user': {'id': 'test_id', 'domain': {'id': 'test'}}} # token_info.token = 'a'
mock_client.tokens.validate = mock.MagicMock(return_value=user) # token_info.user = 'test_user'
self.assertTrue(tokens.is_token_valid('a', 'b', tokens.TokenConf( # ks = mock.MagicMock()
'a', 'b', 'c', 'd', '3'), 'test', {'domain': 'test'})) # ks.tokens.validate.return_value = token_info
# mock_get_keystone_client.return_value = ks
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse( # conf = tokens.TokenConf(*('3',) * 7)
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test', # result = tokens.get_token_user('a', conf, 'c', 'd')
'type': 'identity'}]}]}))
def test_is_token_valid_token_not_found(self, mock_get):
client_backup = tokens.v3_client.Client
tokens.v3_client.Client = mock.MagicMock(return_value=MyClient())
self.assertFalse(tokens.is_token_valid('a', 'b', tokens.TokenConf(
'a', 'b', 'c', 'd', '3')))
tokens.v3_client.Client = client_backup
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse( # self.assertEqual(result.token, 'a')
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test', # self.assertEqual(result.user, 'test_user')
'type': 'identity'}]}]}))
def test_is_token_valid_invalid_version(self, mock_get):
client_backup = tokens.v3_client.Client
tokens.v3_client.Client = mock.MagicMock(return_value=MyClient())
self.assertRaises(ValueError, tokens.is_token_valid, 'a', 'b',
tokens.TokenConf('a', 'b', 'c', 'd', '4'))
tokens.v3_client.Client = client_backup
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test',
'type': 'identity'}]}]}))
def test_is_token_valid_keystone_v2(self, mock_get):
client_backup = tokens.v2_client.Client
tokens.v2_client.Client = mock.MagicMock()
self.assertFalse(tokens.is_token_valid('a', 'b',
tokens.TokenConf('a', 'b', 'c',
'd', '2.0'),
'test',
{'tenant': 'test'}))
tokens.v2_client.Client = client_backup
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test',
'type': 'identity'}]}]}))
def test_is_token_valid_keystone_v2_invalid_location(self, mock_get):
client_backup = tokens.v2_client.Client
tokens.v2_client.Client = mock.MagicMock()
self.assertRaises(ValueError, tokens.is_token_valid, 'a', 'b',
tokens.TokenConf('a', 'b', 'c', 'd', '2.0'), 'test',
{'domain': 'test'})
tokens.v2_client.Client = client_backup
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE + 1, {'regions': [{'endpoints': [
{'publicURL': 'test', 'type': 'identity'}]}]}))
def test_is_token_valid_keystone_ep_not_found(self, mock_get):
self.assertRaises(tokens.KeystoneNotFoundError, tokens.is_token_valid,
'a', 'b', tokens.TokenConf('a', 'b', 'c', 'd', '3'))
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test',
'type': 'identity'}]}]}))
def test_is_token_valid_no_role_location(self, mock_get):
tokens.v3_client.Client = mock.MagicMock()
self.assertRaises(ValueError, tokens.is_token_valid, 'a', 'b',
tokens.TokenConf('a', 'b', 'c', 'd', '3'), 'test')
@mock.patch.object(tokens.v3_client, 'Client')
def test_does_user_have_role_sanity_true(self, mock_client):
user = {'user': {'id': 'test_id', 'domain': {'id': 'test'}}}
self.assertTrue(tokens._does_user_have_role(mock_client, '3', user,
'admin',
{'domain': 'test'}))
@mock.patch.object(tokens.v3_client, 'Client')
def test_does_user_have_role_sanity_false(self, mock_client):
user = {'user': {'id': 'test_id', 'domain': {'id': 'test'}}}
mock_client.roles.check = mock.MagicMock(
side_effect=exceptions.NotFound('test'))
self.assertFalse(tokens._does_user_have_role(mock_client, '3', user,
'admin',
{'domain': 'test'}))
@mock.patch.object(tokens.v3_client, 'Client')
def test_does_user_have_role_invalid_user(self, mock_client):
user = {}
self.assertFalse(tokens._does_user_have_role(mock_client, '3', user,
'admin',
{'domain': 'test'}))
@mock.patch.object(tokens.v3_client, 'Client')
def test_does_user_have_role_role_does_not_exist(self, mock_client):
user = {'user': {'id': 'test_id', 'domain': {'id': 'test'}}}
mock_client.roles.find = mock.MagicMock(
side_effect=exceptions.NotFound('test'))
self.assertRaises(exceptions.NotFound,
tokens._does_user_have_role, mock_client, '3',
user, 'test', {'domain': 'default'})
@mock.patch.object(tokens.requests, 'get', return_value=MyResponse(
tokens.OK_CODE, {'regions': [{'endpoints': [{'publicURL': 'test',
'type': 'identity'}]}]}))
def test_is_token_valid_role_does_not_exist(self, mock_get):
tokens.v3_client.Client = mock.MagicMock(return_value=MyClient(False))
self.assertRaises(ValueError, tokens.is_token_valid, 'a', 'b',
tokens.TokenConf('a', 'b', 'c', 'd', '3'), 'test',
{'domain': 'test'})
def test_get_token_user_invalid_arguments(self):
self.assertRaises(ValueError, tokens.get_token_user, 'a', 'b')
@mock.patch.object(tokens, '_find_keystone_ep', return_value=None)
def test_get_token_user_keystone_ep_not_found(self,
mock_find_keystone_ep):
self.assertRaises(tokens.KeystoneNotFoundError,
tokens.get_token_user, 'a', mock.MagicMock(), 'c')
def test_get_token_user_invalid_keystone_version(self):
conf = tokens.TokenConf(*(None,) * 5)
self.assertRaises(ValueError, tokens.get_token_user, 'a', conf, 'c',
'd')
@mock.patch.object(tokens, '_get_keystone_client')
def test_get_token_user_token_not_found(self, mock_get_keystone_client):
ks = mock.MagicMock()
ks.tokens.validate.side_effect = exceptions.NotFound()
mock_get_keystone_client.return_value = ks
conf = tokens.TokenConf(*('3',) * 5)
self.assertIsNone(tokens.get_token_user('a', conf, 'c', 'd'))
@mock.patch.object(tokens, 'request')
@mock.patch.object(tokens, '_get_keystone_client')
def test_get_token_user_success(self, mock_get_keystone_client,
mock_request):
token_info = mock.MagicMock()
token_info.token = 'a'
token_info.user = 'test_user'
ks = mock.MagicMock()
ks.tokens.validate.return_value = token_info
mock_get_keystone_client.return_value = ks
conf = tokens.TokenConf(*('2.0',) * 5)
result = tokens.get_token_user('a', conf, 'c', 'd')
self.assertEqual(result.token, 'a')
self.assertEqual(result.user, 'test_user')

6
orm/tests/unit/fms/config.py
View File

@ -151,8 +151,10 @@ authentication = {
"mech_pass": "xxxxxxxxxxx", "mech_pass": "xxxxxxxxxxx",
"rms_url": "http://127.0.0.1:8080", "rms_url": "http://127.0.0.1:8080",
"tenant_name": "admin", "tenant_name": "admin",
"keystone_version": "2.0", "keystone_version": "3",
"policy_file": "orm/services/flavor_manager/fms_rest/etc/policy.json" "policy_file": "orm/services/flavor_manager/fms_rest/etc/policy.json",
"user_domain_name": "default",
"project_domain_name": "default"
} }
flavor_limits = { flavor_limits = {

35
orm/tests/unit/fms/test_authentication.py
View File

@ -16,38 +16,3 @@ class TestUtil(FunctionalTest):
mock_TokenConf.return_value = 123 mock_TokenConf.return_value = 123
token_conf = authentication.get_token_conf(conf) token_conf = authentication.get_token_conf(conf)
self.assertEqual(token_conf, 123) self.assertEqual(token_conf, 123)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_token_valid(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = True
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, True)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_token_invalid(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = False
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, False)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_disabled(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', False)
mock_get_token_conf.return_value = 123
mock_is_token_valid.return_value = False
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, True)
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.is_token_valid')
@mock.patch('orm.common.client.keystone.keystone_utils.tokens.TokenConf')
def test_check_permissions_is_token_valid_breaks(self, mock_get_token_conf, mock_is_token_valid):
setattr(conf.authentication, 'enabled', True)
mock_is_token_valid.side_effect = Exception('boom')
is_permitted = authentication.check_permissions(conf, 'asher', 0)
self.assertEqual(is_permitted, False)

6
orm/tests/unit/ims/config.py
View File

@ -99,7 +99,9 @@ authentication = {
"mech_pass": "stack", "mech_pass": "stack",
"rms_url": "http://127.0.0.1:8080", "rms_url": "http://127.0.0.1:8080",
"tenant_name": "admin", "tenant_name": "admin",
"keystone_version": "2.0", "keystone_version": "3",
"token_role": "admin", "token_role": "admin",
"policy_file": "orm/services/image_manager/ims/etc/policy.json" "policy_file": "orm/services/image_manager/ims/etc/policy.json",
"user_domain_name": "default",
"project_domain_name": "default"
} }

2
orm/tests/unit/ormcli/test_cmscli.py
View File

@ -92,7 +92,7 @@ class CmsTests(TestCase):
def test_get_token_errors(self, mock_post, mock_get_keystone_ep): def test_get_token_errors(self, mock_post, mock_get_keystone_ep):
# Bad status code # Bad status code
my_response = mock.MagicMock() my_response = mock.MagicMock()
my_response.status_code = 201 my_response.status_code = 200
mock_post.return_value = my_response mock_post.return_value = my_response
self.assertRaises(cmscli.ConnectionError, cmscli.get_token, self.assertRaises(cmscli.ConnectionError, cmscli.get_token,
3, mock.MagicMock(), 'c') 3, mock.MagicMock(), 'c')

2
orm/tests/unit/ormcli/test_fmscli.py
View File

@ -102,7 +102,7 @@ class FmsTests(TestCase):
def test_get_token_errors(self, mock_post, mock_get_keystone_ep): def test_get_token_errors(self, mock_post, mock_get_keystone_ep):
# Bad status code # Bad status code
my_response = mock.MagicMock() my_response = mock.MagicMock()
my_response.status_code = 201 my_response.status_code = 200
mock_post.return_value = my_response mock_post.return_value = my_response
self.assertRaises(fmscli.ConnectionError, fmscli.get_token, self.assertRaises(fmscli.ConnectionError, fmscli.get_token,
3, mock.MagicMock(), 'c') 3, mock.MagicMock(), 'c')

2
orm/tests/unit/ormcli/test_imscli.py
View File

@ -103,7 +103,7 @@ class ImsTests(TestCase):
def test_get_token_errors(self, mock_post, mock_get_keystone_ep): def test_get_token_errors(self, mock_post, mock_get_keystone_ep):
# Bad status code # Bad status code
my_response = mock.MagicMock() my_response = mock.MagicMock()
my_response.status_code = 201 my_response.status_code = 200
mock_post.return_value = my_response mock_post.return_value = my_response
self.assertRaises(imscli.ConnectionError, imscli.get_token, self.assertRaises(imscli.ConnectionError, imscli.get_token,
3, mock.MagicMock(), 'c') 3, mock.MagicMock(), 'c')

2
orm/tests/unit/ormcli/test_rmscli.py
View File

@ -81,7 +81,7 @@ class RmsTests(TestCase):
def test_get_token_errors(self, mock_post, mock_get_keystone_ep): def test_get_token_errors(self, mock_post, mock_get_keystone_ep):
# Bad status code # Bad status code
my_response = mock.MagicMock() my_response = mock.MagicMock()
my_response.status_code = 201 my_response.status_code = 200
mock_post.return_value = my_response mock_post.return_value = my_response
self.assertRaises(rmscli.ConnectionError, rmscli.get_token, self.assertRaises(rmscli.ConnectionError, rmscli.get_token,
3, mock.MagicMock(), 'c') 3, mock.MagicMock(), 'c')

6
orm/tests/unit/rms/config.py
View File

@ -41,6 +41,8 @@ authentication = {
"mech_pass": "stack", "mech_pass": "stack",
"tenant_name": "admin", "tenant_name": "admin",
# The Keystone version currently in use. Can be either "2.0" or "3" # The Keystone version currently in use. Can be either "2.0" or "3"
"keystone_version": "2.0", "keystone_version": "3",
"policy_file": "/opt/app/orm/rms/rms/etc/policy.json" "policy_file": "/opt/app/orm/rms/rms/etc/policy.json",
"user_domain_name": "default",
"project_domain_name": "default"
} }

7
requirements.txt
View File

@ -6,7 +6,7 @@ gittle>=0.5.0 # MIT
pbr>=2.0 # Apache-2.0 pbr>=2.0 # Apache-2.0
pecan>=1.3.2 pecan>=1.3.2
netifaces==0.10.4 netifaces==0.10.4
SQLAlchemy==0.9.7 SQLAlchemy==1.2.11
WSME>=0.6 WSME>=0.6
MySQL-python==1.2.5 MySQL-python==1.2.5
requests==2.6.0 requests==2.6.0
@ -15,4 +15,7 @@ oslo.serialization
oslo.config>=4.6.0 # Apache-2.0 oslo.config>=4.6.0 # Apache-2.0
oslo.policy oslo.policy
oslo.log>=3.30.0 # Apache-2.0 oslo.log>=3.30.0 # Apache-2.0
sqlalchemy-migrate>=0.9.6 sqlalchemy-migrate>=0.11.0
keystoneauth1==2.18.0
keystonemiddleware==4.14.0
python-keystoneclient==3.10.0