ironic.common.keystone module

Central place for handling Keystone authorization and service lookup.

ironic.common.keystone.get_adapter(group, **adapter_kwargs)[source]

Loads adapter from options in a configuration file section.

The adapter_kwargs will be passed directly to keystoneauth1 Adapter and will override the values loaded from config. Consult keystoneauth1 docs for available adapter options.

Parameters:

group – name of the config section to load adapter options from

ironic.common.keystone.get_auth(group, **auth_kwargs)[source]

Loads auth plugin from options in a configuration file section.

The auth_kwargs will be passed directly to keystoneauth1 auth plugin and will override the values loaded from config. Note that the accepted kwargs will depend on auth plugin type as defined by [group]auth_type option. Consult keystoneauth1 docs for available auth plugins and their options.

Parameters:

group – name of the config section to load auth plugin options from

ironic.common.keystone.get_endpoint(group, **adapter_kwargs)[source]

Get an endpoint from an adapter.

The adapter_kwargs will be passed directly to keystoneauth1 Adapter and will override the values loaded from config. Consult keystoneauth1 docs for available adapter options.

Parameters:

group – name of the config section to load adapter options from

Raises:

CatalogNotFound if the endpoint is not found

ironic.common.keystone.get_service_auth(context, endpoint, service_auth, only_service_auth=False)[source]

Create auth plugin wrapping both user and service auth.

When properly configured and using auth_token middleware, requests with valid service auth will not fail if the user token is expired.

Ideally we would use the plugin provided by auth_token middleware however this plugin isn’t serialized yet.

Parameters:
  • context – The RequestContext instance from which the user auth_token is extracted.

  • endpoint – The requested endpoint to be utilized.

  • service_auth – The service authentication credentals to be used.

  • only_service_auth – Boolean, default False. When set to True, the resulting Service token pair is generated as if it originates from the user itself. Useful to cast admin level operations which are launched by Ironic itself, as opposed to user initiated requests.

Returns:

Returns a service token via the ServiceTokenAuthWrapper class.

ironic.common.keystone.get_session(group, **session_kwargs)[source]

Loads session object from options in a configuration file section.

The session_kwargs will be passed directly to keystoneauth1 Session and will override the values loaded from config. Consult keystoneauth1 docs for available options.

Parameters:

group – name of the config section to load session options from

ironic.common.keystone.ks_exceptions(f)[source]

Wraps keystoneclient functions and centralizes exception handling.