Source code for octavia.certificates.common.auth.barbican_acl
# Copyright (c) 2014 Rackspace US, Inc
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
Barbican ACL auth class for Barbican certificate handling
"""
from barbicanclient import client as barbican_client
from keystoneauth1 import session
from keystoneauth1 import token_endpoint
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import excutils
from octavia.certificates.common import barbican as barbican_common
from octavia.common import keystone
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
[docs]
class BarbicanACLAuth(barbican_common.BarbicanAuth):
_barbican_client = None
[docs]
@classmethod
def get_barbican_client(cls, project_id=None):
if not cls._barbican_client:
try:
ksession = keystone.KeystoneSession()
cls._barbican_client = barbican_client.Client(
session=ksession.get_session(),
region_name=CONF.certificates.region_name,
interface=CONF.certificates.endpoint_type
)
except Exception:
with excutils.save_and_reraise_exception():
LOG.exception("Error creating Barbican client")
return cls._barbican_client
[docs]
@classmethod
def ensure_secret_access(cls, context, ref):
# get a normal session
ksession = keystone.KeystoneSession()
user_id = ksession.get_service_user_id()
# use barbican client to set the ACLs
bc = cls.get_barbican_client_user_auth(context)
acl = bc.acls.get(ref)
read_oper = acl.get('read')
if user_id not in read_oper.users:
read_oper.users.append(user_id)
acl.submit()
[docs]
@classmethod
def revoke_secret_access(cls, context, ref):
# get a normal session
ksession = keystone.KeystoneSession()
user_id = ksession.get_service_user_id()
# use barbican client to set the ACLs
bc = cls.get_barbican_client_user_auth(context)
acl = bc.acls.get(ref)
read_oper = acl.get('read')
if user_id in read_oper.users:
read_oper.users.remove(user_id)
acl.submit()
[docs]
@classmethod
def get_barbican_client_user_auth(cls, context):
barbican_endpoint = CONF.certificates.endpoint
if not barbican_endpoint:
ksession = keystone.KeystoneSession().get_session()
endpoint_data = ksession.get_endpoint_data(
service_type='key-manager',
region_name=CONF.certificates.region_name,
interface=CONF.certificates.endpoint_type)
barbican_endpoint = endpoint_data.catalog_url
auth_token = token_endpoint.Token(barbican_endpoint,
context.auth_token)
user_session = session.Session(
auth=auth_token,
verify=CONF.certificates.ca_certificates_file)
return barbican_client.Client(
session=user_session,
endpoint=barbican_endpoint)