Basic Keystone Auth support

Note: This has been verified as working by the end customer
2015-07-13 12:34:32 +03:00 · 2015-07-13 12:34:32 +03:00 · 066637f496
commit 066637f496
parent eb612d606c
6 changed files with 151 additions and 1 deletions
--- a/util/config/validator.py
+++ b/util/config/validator.py
@ -7,7 +7,7 @@ import OpenSSL
 import logging

 from fnmatch import fnmatch
-from data.users import LDAPConnection, ExternalJWTAuthN, LDAPUsers
+from data.users import LDAPConnection, ExternalJWTAuthN, LDAPUsers, KeystoneUsers
 from flask import Flask
 from flask.ext.mail import Mail, Message
 from data.database import validate_database_url, User
@ -352,6 +352,40 @@ def _validate_jwt(config, password):
                     'OR JWT auth is misconfigured.') % (username, err_msg))


+def _validate_keystone(config, password):
+  """ Validates the Keystone authentication system. """
+  if config.get('AUTHENTICATION_TYPE', 'Database') != 'Keystone':
+    return
+
+  auth_url = config.get('KEYSTONE_AUTH_URL')
+  admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
+  admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
+  admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
+
+  if not auth_url:
+    raise Exception('Missing authentication URL')
+
+  if not admin_username:
+    raise Exception('Missing admin username')
+
+  if not admin_password:
+    raise Exception('Missing admin password')
+
+  if not admin_tenant:
+    raise Exception('Missing admin tenant')
+
+  users = KeystoneUsers(auth_url, admin_username, admin_password, admin_tenant)
+
+  # Verify that the superuser exists. If not, raise an exception.
+  username = get_authenticated_user().username
+
+  (result, err_msg) = users.verify_user(username, password)
+  if not result:
+    raise Exception(('Verification of superuser %s failed: %s \n\nThe user either does not ' +
+                     'exist in the remote authentication system ' +
+                     'OR Keystone auth is misconfigured.') % (username, err_msg))
+
+
 _VALIDATORS = {
  'database': _validate_database,
  'redis': _validate_redis,
@ -365,4 +399,5 @@ _VALIDATORS = {
  'ssl': _validate_ssl,
  'ldap': _validate_ldap,
  'jwt': _validate_jwt,
+  'keystone': _validate_keystone,
 }