Abstract authentication function

Abstract the authentication function so that plugins for other authentication
backends can be implemented in cases where keystone is not used. Currently,
mistral is hard-coded to support keystone and keycloak. The domain/project-related
trust handling that is specific to keystone is not addressed.

Change-Id: I21994ab20af519b2ba85efd7cbe043547988e5b3
Implements: blueprint mistral-abstract-auth
Winson Chan 2016-09-15 23:37:30 +00:00
parent 90fa504646
commit f9c9ca8260
5 changed files with 161 additions and 54 deletions

mistral/auth/__init__.py Normal file

@ -0,0 +1,53 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import abc
from oslo_config import cfg
from oslo_log import log as logging
import six
from stevedore import driver
from mistral import exceptions as exc
LOG = logging.getLogger(__name__)
_IMPL_AUTH_HANDLER = None
def get_auth_handler():
auth_type = cfg.CONF.auth_type
global _IMPL_AUTH_HANDLER
if not _IMPL_AUTH_HANDLER:
mgr = driver.DriverManager(
'mistral.auth',
auth_type,
invoke_on_load=True
)
_IMPL_AUTH_HANDLER = mgr.driver
return _IMPL_AUTH_HANDLER
@six.add_metaclass(abc.ABCMeta)
class AuthHandler(object):
"""Abstract base class for an authentication plugin."""
@abc.abstractmethod
def authenticate(self, req):
raise exc.UnauthorizedException()
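Review bot: `AuthHandler.authenticate` carries no docstring, yet the caller in `AuthHook` treats a normal return as a successfully authenticated request, so the contract a plugin must honour is invisible; add `"""Authenticate *req* or raise exc.UnauthorizedException; returning normally means the request is trusted."""` to the abstract method. `get_auth_handler` resolves the stevedore driver lazily on the first request, so an `auth_type` value with no matching `mistral.auth` entry point only fails when the first client arrives rather than at service start; consider resolving the handler once during startup so a configuration error is reported there. The cache test `if not _IMPL_AUTH_HANDLER:` is clearer as `if _IMPL_AUTH_HANDLER is None:`, since the slot is either `None` or a driver object.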

mistral/auth/keycloak.py Normal file

@ -0,0 +1,56 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
from oslo_log import log as logging
import pprint
import requests
from mistral import auth
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
class KeycloakAuthHandler(auth.AuthHandler):
def authenticate(self, req):
realm_name = req.headers.get('X-Project-Id')
# NOTE(rakhmerov): There's a special endpoint for introspecting
# access tokens described in OpenID Connect specification but it's
# available in KeyCloak starting only with version 1.8.Final so we have
# to use user info endpoint which also takes exactly one parameter
# (access token) and replies with error if token is invalid.
user_info_endpoint = (
"%s/realms/%s/protocol/openid-connect/userinfo" %
(CONF.keycloak_oidc.auth_url, realm_name)
)
access_token = req.headers.get('X-Auth-Token')
resp = requests.get(
user_info_endpoint,
headers={"Authorization": "Bearer %s" % access_token},
verify=not CONF.keycloak_oidc.insecure
)
resp.raise_for_status()
LOG.debug(
"HTTP response from OIDC provider: %s" %
pprint.pformat(resp.json())
)
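Review bot: In `KeycloakAuthHandler.authenticate` the `X-Project-Id` header value is interpolated verbatim into the userinfo URL path (`"%s/realms/%s/protocol/openid-connect/userinfo"`), so an absent or malformed realm name changes which URL the request is sent to instead of being rejected; validate it first, e.g. `if not realm_name or '/' in realm_name: raise exc.UnauthorizedException('Invalid or missing X-Project-Id')` (this module would need `from mistral import exceptions as exc`). The same applies to `X-Auth-Token`: when it is missing the request is still sent out as `Authorization: Bearer None` rather than being refused locally. `requests.get` is called without `timeout=`, so an unresponsive OIDC provider blocks the API worker indefinitely; pass a configured timeout. The `LOG.debug` call also writes the complete user-info payload to the log, which is worth reconsidering since it contains user claims.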

mistral/auth/keystone.py Normal file

@ -0,0 +1,45 @@
# Copyright 2016 - Brocade Communications Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
from oslo_log import log as logging
from mistral import auth
from mistral import exceptions as exc
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
class KeystoneAuthHandler(auth.AuthHandler):
def authenticate(self, req):
# Note(nmakhotkin): Since we have deferred authentication,
# need to check for auth manually (check for corresponding
# headers according to keystonemiddleware docs.
identity_status = req.headers.get('X-Identity-Status')
service_identity_status = req.headers.get('X-Service-Identity-Status')
if (identity_status == 'Confirmed' or
service_identity_status == 'Confirmed'):
return
if req.headers.get('X-Auth-Token'):
msg = 'Auth token is invalid: %s' % req.headers['X-Auth-Token']
else:
msg = 'Authentication required'
raise exc.UnauthorizedException(msg)
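Review bot: `KeystoneAuthHandler.authenticate` copies the presented credential into the exception text (`msg = 'Auth token is invalid: %s' % req.headers['X-Auth-Token']`), and `AuthHook` folds that message into the "Failed to validate access token" error it reports and logs, so tokens end up in logs and error responses; use `msg = 'Auth token is invalid'` and keep the token out of the message. A token rejected here may still be accepted elsewhere or be a transient failure, which is why it should not be echoed. The class has no docstring; `"""Authenticate from the identity headers set by keystonemiddleware (deferred auth)."""` would state what the header checks rely on.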


@ -22,9 +22,8 @@ from oslo_serialization import jsonutils
from osprofiler import profiler from osprofiler import profiler
import pecan import pecan
from pecan import hooks from pecan import hooks
import pprint
import requests
from mistral import auth
from mistral import exceptions as exc from mistral import exceptions as exc
from mistral import utils from mistral import utils
@ -260,10 +259,8 @@ class AuthHook(hooks.PecanHook):
return return
try: try:
if CONF.auth_type == 'keystone': auth_handler = auth.get_auth_handler()
authenticate_with_keystone(state.request) auth_handler.authenticate(state.request)
elif CONF.auth_type == 'keycloak-oidc':
authenticate_with_keycloak(state.request)
except Exception as e: except Exception as e:
msg = "Failed to validate access token: %s" % str(e) msg = "Failed to validate access token: %s" % str(e)
@ -274,54 +271,6 @@ class AuthHook(hooks.PecanHook):
) )
def authenticate_with_keystone(req):
# Note(nmakhotkin): Since we have deferred authentication,
# need to check for auth manually (check for corresponding
# headers according to keystonemiddleware docs.
identity_status = req.headers.get('X-Identity-Status')
service_identity_status = req.headers.get('X-Service-Identity-Status')
if (identity_status == 'Confirmed' or
service_identity_status == 'Confirmed'):
return
if req.headers.get('X-Auth-Token'):
msg = 'Auth token is invalid: %s' % req.headers['X-Auth-Token']
else:
msg = 'Authentication required'
raise exc.UnauthorizedException(msg)
def authenticate_with_keycloak(req):
realm_name = req.headers.get('X-Project-Id')
# NOTE(rakhmerov): There's a special endpoint for introspecting
# access tokens described in OpenID Connect specification but it's
# available in KeyCloak starting only with version 1.8.Final so we have
# to use user info endpoint which also takes exactly one parameter
# (access token) and replies with error if token is invalid.
user_info_endpoint = (
"%s/realms/%s/protocol/openid-connect/userinfo" %
(CONF.keycloak_oidc.auth_url, realm_name)
)
access_token = req.headers.get('X-Auth-Token')
resp = requests.get(
user_info_endpoint,
headers={"Authorization": "Bearer %s" % access_token},
verify=not CONF.keycloak_oidc.insecure
)
resp.raise_for_status()
LOG.debug(
"HTTP response from OIDC provider: %s" %
pprint.pformat(resp.json())
)
class ContextHook(hooks.PecanHook): class ContextHook(hooks.PecanHook):
def before(self, state): def before(self, state):
set_ctx(context_from_headers_and_env( set_ctx(context_from_headers_and_env(
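Review bot: In the `AuthHook` hunk, `auth_handler = auth.get_auth_handler()` sits inside the same `try` whose `except Exception` reports "Failed to validate access token", so an `auth_type` with no matching `mistral.auth` entry point, or an import error in a plugin, is reported to the client as a token validation failure instead of a server-side configuration error; move `auth_handler = auth.get_auth_handler()` above the `try` (or resolve it at startup) so only `auth_handler.authenticate(state.request)` is covered. As far as the hunk shows, the removed `if`/`elif` chain had no `else`, so an unrecognized `auth_type` previously raised nothing and the request continued; the new code appears to change that, which is worth stating in the commit message. The enclosing `before` method starts and ends outside the hunk.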


@ -75,3 +75,7 @@ mistral.yaql_functions =
execution = mistral.utils.yaql_utils:execution_ execution = mistral.utils.yaql_utils:execution_
env = mistral.utils.yaql_utils:env_ env = mistral.utils.yaql_utils:env_
uuid = mistral.utils.yaql_utils:uuid_ uuid = mistral.utils.yaql_utils:uuid_
mistral.auth =
keystone = mistral.auth.keystone:KeystoneAuthHandler
keycloak-oidc = mistral.auth.keycloak:KeycloakAuthHandler