add keystone auth backend #1732
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| # Licensed to the StackStorm, Inc ('StackStorm') under one or more | ||
| # contributor license agreements. See the NOTICE file distributed with | ||
| # this work for additional information regarding copyright ownership. | ||
| # The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with | ||
| # the License. You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
|
|
||
| from st2common import log as logging | ||
| from st2auth.backends.base import BaseAuthenticationBackend | ||
| import requests | ||
|
|
||
| try: | ||
| from urlparse import urlparse | ||
| from urlparse import urljoin | ||
| except ImportError: | ||
| from urllib.parse import urlparse # pylint: disable=E0611 | ||
| from urllib.parse import urljoin # pylint: disable=E0611 | ||
|
|
||
| __all__ = [ | ||
| 'KeystoneAuthenticationBackend' | ||
| ] | ||
|
|
||
| LOG = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| class KeystoneAuthenticationBackend(BaseAuthenticationBackend): | ||
| """ | ||
| Backend which reads authentication information from keystone | ||
|
|
||
| Note: This backend depends on the "requests" library. | ||
| """ | ||
|
|
||
| def __init__(self, keystone_url, keystone_version=2): | ||
| """ | ||
| :param keystone_url: Url of the Keystone server to authenticate against. | ||
| :type keystone_url: ``str`` | ||
| :param keystone_version: Keystone version to authenticate against (default to 2). | ||
| :type keystone_version: ``int`` | ||
| """ | ||
| url = urlparse(keystone_url) | ||
| if url.path != '' or url.query != '' or url.fragment != '': | ||
| raise Exception("The Keystone url {} does not seem to be correct.\n" | ||
| "Please only set the scheme+url+port " | ||
| "(e.x.: http://example.com:5000)".format(keystone_url)) | ||
| self._keystone_url = keystone_url | ||
| self._keystone_version = keystone_version | ||
|
There was a problem hiding this comment. Looks like this argument is unused and we only support v2 right now? If so, we should make that clear and throw if an unsupported version is provided. There was a problem hiding this comment. On a related note, it might be better to just use python-keystoneclient. Ideally, eventually we would also switch to using setup.py entry_points for plugins and provide plugins as separate Python packages with it's own requirements.txt file, but for now I'm OK with putting keystone-client dependency to the shared requirements.txt file. There was a problem hiding this comment. Actually, Im doing the v2/v3 split now and some other checks. I wanted the PR to go up quick due to the testing question. Re: keystone client. Totally against that tbh. It turns a simple authentication plugin with one dependency into dependency hell and also ties into a big external projects, while requests is one package with minimal dependencies and probably already installed on every decent python env which needs to do a network call. And this auth backend just needs to do one simple call. To have keystoneclient as dependency is overkill IMO. |
||
|
|
||
| def authenticate(self, username, password): | ||
| if self._keystone_version == 2: | ||
| creds = { | ||
|
There was a problem hiding this comment. Heh. _get_v2_creds() and _get_v3_creds() would have been nicer ;) |
||
| "auth": { | ||
| "passwordCredentials": { | ||
| "username": username, | ||
| "password": password | ||
| } | ||
| } | ||
| } | ||
| login = requests.post(urljoin(self._keystone_url, 'v2.0/tokens'), json=creds) | ||
|
|
||
| elif self._keystone_version == 3: | ||
| creds = { | ||
| "auth": { | ||
| "identity": { | ||
| "methods": [ | ||
| "password" | ||
| ], | ||
| "password": { | ||
| "domain": { | ||
| "id": "default" | ||
| }, | ||
| "user": { | ||
| "name": username, | ||
| "password": password | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| login = requests.post(urljoin(self._keystone_url, 'v3/auth/tokens'), json=creds) | ||
|
There was a problem hiding this comment. Just curious, is it v3.0 or just v3? I see v2.0 for the version 2 APIs :). <3 to openstack. There was a problem hiding this comment. Just v3. Its the openstack way (tm) of never agreeing to use the same thing from release to release :D |
||
| else: | ||
| raise Exception("Keystone version {} not supported".format(self._keystone_version)) | ||
|
|
||
| if login.status_code in [200, 201]: | ||
|
There was a problem hiding this comment. Minor style thing - |
||
| LOG.debug('Authentication for user "{}" successful'.format(username)) | ||
| return True | ||
| else: | ||
| LOG.debug('Authentication for user "{}" failed: {}'.format(username, login.content)) | ||
| return False | ||
|
|
||
| def get_user(self, username): | ||
| pass | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We depend on six so you can instead use:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IDD! Much easier!