openstack/mistral
Code Issues Proposed changes

Abstract authentication function

Browse Source 
Abstract authentication function so plugins for other authentication
backends can be implemented in cases where keystone is not used. Currently,
mistral is hard coded to support keystone and keycloak. The domain/project
related trust that is specific to keystone is not addressed.

Change-Id: I21994ab20af519b2ba85efd7cbe043547988e5b3
Implements: blueprint mistral-abstract-auth
This commit is contained in:
Winson Chan 2016-09-15 23:37:30 +00:00
parent 90fa504646
commit f9c9ca8260
5 changed files with 161 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
mistral/auth/__init__.py Normal file
View File

@ -0,0 +1,53 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import abc
from oslo_config import cfg
from oslo_log import log as logging
import six
from stevedore import driver
from mistral import exceptions as exc
LOG = logging.getLogger(__name__)
_IMPL_AUTH_HANDLER = None
def get_auth_handler():
auth_type = cfg.CONF.auth_type
global _IMPL_AUTH_HANDLER
if not _IMPL_AUTH_HANDLER:
mgr = driver.DriverManager(
'mistral.auth',
auth_type,
invoke_on_load=True
)
_IMPL_AUTH_HANDLER = mgr.driver
return _IMPL_AUTH_HANDLER
@six.add_metaclass(abc.ABCMeta)
class AuthHandler(object):
"""Abstract base class for an authentication plugin."""
@abc.abstractmethod
def authenticate(self, req):
raise exc.UnauthorizedException()

56
mistral/auth/keycloak.py Normal file
View File

@ -0,0 +1,56 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
from oslo_log import log as logging
import pprint
import requests
from mistral import auth
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
class KeycloakAuthHandler(auth.AuthHandler):
def authenticate(self, req):
realm_name = req.headers.get('X-Project-Id')
# NOTE(rakhmerov): There's a special endpoint for introspecting
# access tokens described in OpenID Connect specification but it's
# available in KeyCloak starting only with version 1.8.Final so we have
# to use user info endpoint which also takes exactly one parameter
# (access token) and replies with error if token is invalid.
user_info_endpoint = (
"%s/realms/%s/protocol/openid-connect/userinfo" %
(CONF.keycloak_oidc.auth_url, realm_name)
)
access_token = req.headers.get('X-Auth-Token')
resp = requests.get(
user_info_endpoint,
headers={"Authorization": "Bearer %s" % access_token},
verify=not CONF.keycloak_oidc.insecure
)
resp.raise_for_status()
LOG.debug(
"HTTP response from OIDC provider: %s" %
pprint.pformat(resp.json())
)

45
mistral/auth/keystone.py Normal file
View File

@ -0,0 +1,45 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
from oslo_log import log as logging
from mistral import auth
from mistral import exceptions as exc
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
class KeystoneAuthHandler(auth.AuthHandler):
def authenticate(self, req):
# Note(nmakhotkin): Since we have deferred authentication,
# need to check for auth manually (check for corresponding
# headers according to keystonemiddleware docs.
identity_status = req.headers.get('X-Identity-Status')
service_identity_status = req.headers.get('X-Service-Identity-Status')
if (identity_status == 'Confirmed' or
service_identity_status == 'Confirmed'):
return
if req.headers.get('X-Auth-Token'):
msg = 'Auth token is invalid: %s' % req.headers['X-Auth-Token']
else:
msg = 'Authentication required'
raise exc.UnauthorizedException(msg)

57
mistral/context.py
View File

@ -22,9 +22,8 @@ from oslo_serialization import jsonutils
from osprofiler import profiler
import pecan
from pecan import hooks
import pprint
import requests
from mistral import auth
from mistral import exceptions as exc
from mistral import utils
@ -260,10 +259,8 @@ class AuthHook(hooks.PecanHook):
return
try:
if CONF.auth_type == 'keystone':
authenticate_with_keystone(state.request)
elif CONF.auth_type == 'keycloak-oidc':
authenticate_with_keycloak(state.request)
auth_handler = auth.get_auth_handler()
auth_handler.authenticate(state.request)
except Exception as e:
msg = "Failed to validate access token: %s" % str(e)
@ -274,54 +271,6 @@ class AuthHook(hooks.PecanHook):
)
def authenticate_with_keystone(req):
# Note(nmakhotkin): Since we have deferred authentication,
# need to check for auth manually (check for corresponding
# headers according to keystonemiddleware docs.
identity_status = req.headers.get('X-Identity-Status')
service_identity_status = req.headers.get('X-Service-Identity-Status')
if (identity_status == 'Confirmed' or
service_identity_status == 'Confirmed'):
return
if req.headers.get('X-Auth-Token'):
msg = 'Auth token is invalid: %s' % req.headers['X-Auth-Token']
else:
msg = 'Authentication required'
raise exc.UnauthorizedException(msg)
def authenticate_with_keycloak(req):
realm_name = req.headers.get('X-Project-Id')
# NOTE(rakhmerov): There's a special endpoint for introspecting
# access tokens described in OpenID Connect specification but it's
# available in KeyCloak starting only with version 1.8.Final so we have
# to use user info endpoint which also takes exactly one parameter
# (access token) and replies with error if token is invalid.
user_info_endpoint = (
"%s/realms/%s/protocol/openid-connect/userinfo" %
(CONF.keycloak_oidc.auth_url, realm_name)
)
access_token = req.headers.get('X-Auth-Token')
resp = requests.get(
user_info_endpoint,
headers={"Authorization": "Bearer %s" % access_token},
verify=not CONF.keycloak_oidc.insecure
)
resp.raise_for_status()
LOG.debug(
"HTTP response from OIDC provider: %s" %
pprint.pformat(resp.json())
)
class ContextHook(hooks.PecanHook):
def before(self, state):
set_ctx(context_from_headers_and_env(

4
setup.cfg
View File

@ -75,3 +75,7 @@ mistral.yaql_functions =
execution = mistral.utils.yaql_utils:execution_
env = mistral.utils.yaql_utils:env_
uuid = mistral.utils.yaql_utils:uuid_
mistral.auth =
keystone = mistral.auth.keystone:KeystoneAuthHandler
keycloak-oidc = mistral.auth.keycloak:KeycloakAuthHandler