1 # Copyright (c) 2016 Cable Television Laboratories, Inc. ("CableLabs")
2 # and others. All rights reserved.
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at:
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 from keystoneclient.client import Client
18 from keystoneauth1.identity import v3, v2
19 from keystoneauth1 import session
# Module-level logger; the channel name is the fixed string 'keystone_utils'.
logger = logging.getLogger('keystone_utils')
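def get_session_auth(os_creds):
    """
    Return the password auth plugin used to build a Keystone session.

    A ``v3.Password`` plugin is built when ``os_creds.identity_api_version``
    equals the integer 3; every other value yields a ``v2.Password`` plugin.

    The plugin is constructed with the plaintext password taken from
    ``os_creds``, so neither the plugin nor ``os_creds`` should be logged.

    :param os_creds: the OpenStack credentials (OSCreds) object
    :return: the password auth plugin for the configured identity API version
    """
    # NOTE(review): the comparison is against the int 3, so a string such as
    # '3' would select the v2 plugin - confirm how OSCreds stores the version.
    if os_creds.identity_api_version == 3:
        return v3.Password(
            auth_url=os_creds.auth_url,
            username=os_creds.username,
            password=os_creds.password,
            project_name=os_creds.project_name,
            user_domain_id=os_creds.user_domain_id,
            project_domain_id=os_creds.project_domain_id,
        )

    return v2.Password(
        auth_url=os_creds.auth_url,
        username=os_creds.username,
        password=os_creds.password,
        tenant_name=os_creds.project_name,
    )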
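def keystone_session(os_creds):
    """
    Creates a keystone session used for authenticating OpenStack clients.

    When ``os_creds.proxy_settings`` is set, a ``requests.Session`` carrying
    the proxy mapping is handed to the keystone session; otherwise the
    keystone session is created without a caller-supplied transport.

    :param os_creds: The connection credentials to the OpenStack API
    :return: the keystoneauth1 session object
    """
    logger.debug('Retrieving Keystone Session')

    auth = get_session_auth(os_creds)

    req_session = None
    proxy = os_creds.proxy_settings
    if proxy:
        req_session = requests.Session()
        # Only the 'http' scheme is mapped, so requests to an https://
        # auth_url do not traverse this proxy. str() keeps the concatenation
        # valid when the port is configured as an int.
        req_session.proxies = {'http': proxy.host + ':' + str(proxy.port)}

    # os_creds.cacert is passed straight through as `verify`: a CA bundle path
    # (or True) keeps TLS certificate verification on, while False switches it
    # off. Callers should make sure cacert is never False outside a lab setup.
    return session.Session(auth=auth, session=req_session,
                           verify=os_creds.cacert)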
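def keystone_client(os_creds):
    """
    Returns the keystone client.

    The client is bound to a new session from keystone_session(), so it
    inherits that session's proxy and certificate-verification settings.

    :param os_creds: the OpenStack credentials (OSCreds) object
    :return: the keystone client for ``os_creds.identity_api_version``
    """
    return Client(version=os_creds.identity_api_version,
                  session=keystone_session(os_creds))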
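def get_endpoint(os_creds, service_type, endpoint_type='publicURL'):
    """
    Returns the endpoint of specific service.

    :param os_creds: the OpenStack credentials (OSCreds) object
    :param service_type: the type of specific service
    :param endpoint_type: the type of endpoint
    :return: the endpoint url
    """
    # A second auth plugin is built here in addition to the one that
    # keystone_session() already attaches to the session it returns.
    auth = get_session_auth(os_creds)
    key_session = keystone_session(os_creds)
    # NOTE(review): keystoneauth1 usually names this selector `interface`;
    # confirm that `endpoint_type` is honoured by the installed version.
    return key_session.get_endpoint(auth=auth, service_type=service_type,
                                    endpoint_type=endpoint_type)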
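def get_project(keystone=None, os_creds=None, project_name=None):
    """
    Returns the first project object or None if not found.

    :param keystone: the Keystone client
    :param os_creds: the OpenStack credentials used to obtain the Keystone
                     client if the keystone parameter is None
    :param project_name: the name to query
    :return: the project object or None
    :raises Exception: when neither a client nor credentials are supplied
    """
    # get_user() forwards an optional project name, so None/'' must be
    # answered with "not found" rather than a query for every project.
    if not project_name:
        return None

    if not keystone:
        if not os_creds:
            raise Exception(
                'Cannot lookup project without the proper credentials')
        keystone = keystone_client(os_creds)

    if keystone.version == V2_VERSION:
        # The v2 call is unfiltered; matching happens in the loop below.
        projects = keystone.tenants.list()
    else:
        projects = keystone.projects.list(name=project_name)

    # The name is re-checked client-side for both API versions so that only
    # an exact match is ever returned.
    for project in projects:
        if project.name == project_name:
            return project

    return None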
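def create_project(keystone, project_settings):
    """
    Creates a project (a tenant when the client speaks the v2 API).

    :param keystone: the Keystone client
    :param project_settings: the project configuration
    :return: the object returned by the client's create call
    """
    if keystone.version == V2_VERSION:
        return keystone.tenants.create(project_settings.name,
                                       project_settings.description,
                                       project_settings.enabled)

    # Only the non-v2 call passes a domain.
    return keystone.projects.create(project_settings.name,
                                    project_settings.domain,
                                    description=project_settings.description,
                                    enabled=project_settings.enabled)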
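def delete_project(keystone, project):
    """
    Deletes a project (a tenant when the client speaks the v2 API).

    :param keystone: the Keystone client
    :param project: the OpenStack project object
    """
    if keystone.version == V2_VERSION:
        keystone.tenants.delete(project)
    else:
        keystone.projects.delete(project)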
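def get_user(keystone, username, project_name=None):
    """
    Returns a user for a given name and optionally project.

    :param keystone: the keystone client
    :param username: the username to lookup
    :param project_name: the associated project (optional)
    :return: the first user whose name equals ``username``, or None
    """
    project = get_project(keystone=keystone, project_name=project_name)

    if project:
        # NOTE(review): the tenant_id keyword is used regardless of API
        # version - confirm the v3 client honours it as a filter.
        users = keystone.users.list(tenant_id=project.id)
    else:
        # Also reached when project_name was given but no such project
        # exists: the lookup then silently widens to every user, so a
        # same-named account from another project can be returned.
        users = keystone.users.list()

    for user in users:
        if user.name == username:
            return user

    return None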
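def create_user(keystone, user_settings):
    """
    Creates a user.

    ``user_settings.password`` is forwarded to Keystone in plaintext, so
    ``user_settings`` should not be written to logs.

    :param keystone: the Keystone client
    :param user_settings: the user configuration
    :return: the object returned by the client's create call
    """
    project = None
    if user_settings.project_name:
        # A project name that does not resolve leaves `project` as None and
        # the user is still created, just without a project association.
        project = get_project(keystone=keystone,
                              project_name=user_settings.project_name)

    if keystone.version == V2_VERSION:
        project_id = project.id if project else None
        return keystone.users.create(name=user_settings.name,
                                     password=user_settings.password,
                                     email=user_settings.email,
                                     tenant_id=project_id,
                                     enabled=user_settings.enabled)

    # TODO - need to support groups
    return keystone.users.create(name=user_settings.name,
                                 password=user_settings.password,
                                 email=user_settings.email,
                                 project=project,
                                 domain=user_settings.domain_name,
                                 enabled=user_settings.enabled)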
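def delete_user(keystone, user):
    """
    Deletes a user.

    :param keystone: the Keystone client
    :param user: the OpenStack user object
    """
    keystone.users.delete(user)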
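def create_role(keystone, name):
    """
    Creates an OpenStack role.

    :param keystone: the keystone client
    :param name: the role name
    :return: the object returned by the client's role create call
    """
    return keystone.roles.create(name)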
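def delete_role(keystone, role):
    """
    Deletes an OpenStack role.

    :param keystone: the keystone client
    :param role: the role to delete
    """
    keystone.roles.delete(role)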
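def assoc_user_to_project(keystone, role, user, project):
    """
    Adds a user to a project by assigning the given role.

    The role decides what the user may do inside the project, so callers
    should pass the least-privileged role that meets the need.

    :param keystone: the Keystone client
    :param role: the role used to join a project/user
    :param user: the user to add to the project
    :param project: the project to which to add a user
    """
    if keystone.version == V2_VERSION:
        keystone.roles.add_user_role(user, role, tenant=project)
    else:
        keystone.roles.grant(role, user=user, project=project)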