
A service token is passed along with the user token when communicating with other services during long-running tasks such as creating a volume snapshot. Partial-Implements: blueprint use-service-tokens Change-Id: Id95beae0a46ab492756e0108039fefb28f4f0b69
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import loading as ks_loading
from keystoneauth1 import service_token
from oslo_config import cfg
from cinder import exception
# Process-wide oslo.config object; every option below is registered on it.
CONF = cfg.CONF

# Module-level cache for the service auth plugin. It is filled on first use
# by get_auth_plugin() and cleared again by reset_globals().
_SERVICE_AUTH = None

# Name of the configuration section that carries the service-token settings.
SERVICE_USER_GROUP = 'service_user'

service_user = cfg.OptGroup(
    SERVICE_USER_GROUP,
    title='Service token authentication type options',
    help="""
Configuration options for service to service authentication using a service
token. These options allow to send a service token along with the
user's token when contacting external REST APIs.
""",
)

# Sending a service token is opt-in: the default is False, so nothing changes
# for a deployment until an operator enables it.
service_user_opts = [
    cfg.BoolOpt(
        'send_service_user_token',
        default=False,
        help="""
When True, if sending a user token to an REST API, also send a service token.
""",
    ),
]

CONF.register_group(service_user)
CONF.register_opts(service_user_opts, group=service_user)

# The keystoneauth session and auth-plugin options are registered under the
# same [service_user] section, so auth_type and whatever settings that plugin
# needs are read from there.
# NOTE(review): that makes [service_user] a credential-bearing section; the
# config file holding it should be readable only by the service account.
ks_loading.register_session_conf_options(CONF, SERVICE_USER_GROUP)
ks_loading.register_auth_conf_options(CONF, SERVICE_USER_GROUP)
def reset_globals():
    """Forget the cached service auth plugin.

    Sets the module-level ``_SERVICE_AUTH`` back to ``None`` so that the
    next lookup has to load it again. Intended for unit tests (including
    async ones) that need a consistent starting state.
    """
    global _SERVICE_AUTH

    _SERVICE_AUTH = None
def get_auth_plugin(context, auth=None):
    """Return the auth plugin to use for an outgoing request.

    :param context: request context; its ``get_auth_plugin()`` supplies the
        user's auth plugin when ``auth`` is not given.
    :param auth: optional user auth plugin that takes precedence over the
        one from ``context`` when it is truthy.
    :returns: the user auth plugin on its own, or, when
        ``[service_user] send_service_user_token`` is enabled, a
        ``ServiceTokenAuthWrapper`` combining it with the service auth
        plugin loaded from the ``[service_user]`` options.
    :raises ServiceUserTokenNoAuth: if service tokens are enabled but no
        service auth plugin could be loaded from the configuration.
    """
    global _SERVICE_AUTH

    user_auth = auth if auth else context.get_auth_plugin()

    # Service tokens are opt-in; without the flag only the user's plugin
    # is handed back.
    if not CONF.service_user.send_service_user_token:
        return user_auth

    # Load the service auth plugin once and reuse it for later calls.
    if not _SERVICE_AUTH:
        _SERVICE_AUTH = ks_loading.load_auth_from_conf_options(
            CONF, group=SERVICE_USER_GROUP)
        if _SERVICE_AUTH is None:
            # This can happen if no auth_type is specified, which probably
            # means there's no auth information in the [service_user] group.
            # Raising here fails closed: an enabled-but-unconfigured service
            # token is an error, not a silent fallback to user-only auth.
            raise exception.ServiceUserTokenNoAuth()

    # NOTE(review): the wrapper is expected to send the service user's token
    # with requests made through the returned plugin, so it should only be
    # given to sessions that talk to trusted service endpoints - confirm
    # against the callers.
    return service_token.ServiceTokenAuthWrapper(
        user_auth=user_auth, service_auth=_SERVICE_AUTH)