64
64
'Filename of private key in credentials zip')
65
65
flags.DEFINE_string('credential_cert_file', 'cert.pem',
66
66
'Filename of certificate in credentials zip')
67
flags.DEFINE_string('credential_rc_file', 'novarc',
68
'Filename of rc in credentials zip')
69
flags.DEFINE_string('credential_cert_subject',
70
'/C=US/ST=California/L=MountainView/O=AnsoLabs/'
71
'OU=NovaDev/CN=%s-%s',
72
'Subject for certificate for users')
67
flags.DEFINE_string('credential_rc_file', '%src',
68
'Filename of rc in credentials zip, %s will be '
69
'replaced by name of the region (nova by default)')
73
70
flags.DEFINE_string('auth_driver', 'nova.auth.dbdriver.DbDriver',
74
71
'Driver that auth manager uses')
545
542
network_ref = db.project_get_network(context.get_admin_context(),
546
Project.safe_id(project))
543
Project.safe_id(project), False)
548
if not network_ref['vpn_public_port']:
549
raise exception.NotFound(_('project network data has not '
551
547
return (network_ref['vpn_public_address'],
552
548
network_ref['vpn_public_port'])
629
625
def get_key_pairs(context):
630
626
return db.key_pair_get_all_by_user(context.elevated(), context.user_id)
632
def get_credentials(self, user, project=None):
628
def get_credentials(self, user, project=None, use_dmz=True):
633
629
"""Get credential zip for user in project"""
634
630
if not isinstance(user, User):
635
631
user = self.get_user(user)
636
632
if project is None:
637
633
project = user.id
638
634
pid = Project.safe_id(project)
639
rc = self.__generate_rc(user.access, user.secret, pid)
640
private_key, signed_cert = self._generate_x509_cert(user.id, pid)
635
private_key, signed_cert = crypto.generate_x509_cert(user.id, pid)
642
637
tmpdir = tempfile.mkdtemp()
643
638
zf = os.path.join(tmpdir, "temp.zip")
644
639
zippy = zipfile.ZipFile(zf, 'w')
645
zippy.writestr(FLAGS.credential_rc_file, rc)
640
if use_dmz and FLAGS.region_list:
642
for item in FLAGS.region_list:
643
region, _sep, region_host = item.partition("=")
644
regions[region] = region_host
646
regions = {'nova': FLAGS.cc_host}
647
for region, host in regions.iteritems():
648
rc = self.__generate_rc(user.access,
653
zippy.writestr(FLAGS.credential_rc_file % region, rc)
646
655
zippy.writestr(FLAGS.credential_key_file, private_key)
647
656
zippy.writestr(FLAGS.credential_cert_file, signed_cert)
650
(vpn_ip, vpn_port) = self.get_project_vpn_data(project)
651
except exception.NotFound:
658
(vpn_ip, vpn_port) = self.get_project_vpn_data(project)
654
660
configfile = open(FLAGS.vpn_client_template, "r")
655
661
s = string.Template(configfile.read())
663
669
logging.warn(_("No vpn data for project %s"), pid)
665
zippy.writestr(FLAGS.ca_file, crypto.fetch_ca(user.id))
671
zippy.writestr(FLAGS.ca_file, crypto.fetch_ca(pid))
667
673
with open(zf, 'rb') as f:
668
674
read_buffer = f.read()
670
676
shutil.rmtree(tmpdir)
671
677
return read_buffer
673
def get_environment_rc(self, user, project=None):
679
def get_environment_rc(self, user, project=None, use_dmz=True):
674
680
"""Get credential zip for user in project"""
675
681
if not isinstance(user, User):
676
682
user = self.get_user(user)
677
683
if project is None:
678
684
project = user.id
679
685
pid = Project.safe_id(project)
680
return self.__generate_rc(user.access, user.secret, pid)
686
return self.__generate_rc(user.access, user.secret, pid, use_dmz)
683
def __generate_rc(access, secret, pid):
689
def __generate_rc(access, secret, pid, use_dmz=True, host=None):
684
690
"""Generate rc file for user"""
692
cc_host = FLAGS.cc_dmz
694
cc_host = FLAGS.cc_host
695
# NOTE(vish): Always use the dmz since it is used from inside the
697
s3_host = FLAGS.s3_dmz
685
701
rc = open(FLAGS.credentials_template).read()
686
702
rc = rc % {'access': access,
688
704
'secret': secret,
689
'ec2': FLAGS.ec2_url,
690
's3': 'http://%s:%s' % (FLAGS.s3_host, FLAGS.s3_port),
705
'ec2': '%s://%s:%s%s' % (FLAGS.ec2_prefix,
709
's3': 'http://%s:%s' % (s3_host, FLAGS.s3_port),
691
710
'nova': FLAGS.ca_file,
692
711
'cert': FLAGS.credential_cert_file,
693
712
'key': FLAGS.credential_key_file}
696
def _generate_x509_cert(self, uid, pid):
697
"""Generate x509 cert for user"""
698
(private_key, csr) = crypto.generate_x509_cert(
699
self.__cert_subject(uid))
700
# TODO(joshua): This should be async call back to the cloud controller
701
signed_cert = crypto.sign_csr(csr, pid)
702
return (private_key, signed_cert)
705
def __cert_subject(uid):
706
"""Helper to generate cert subject"""
707
return FLAGS.credential_cert_subject % (uid, utils.isotime())