# Copyright 2012 OpenStack Foundation
# Copyright 2012 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import sqlalchemy
from sqlalchemy.sql import true
from keystone.catalog.backends import base
from keystone.common import driver_hints
from keystone.common import sql
from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.i18n import _
CONF = keystone.conf.CONF
[docs]
class Region(sql.ModelBase, sql.ModelDictMixinWithExtras):
__tablename__ = 'region'
attributes = ['id', 'description', 'parent_region_id']
id = sql.Column(sql.String(255), primary_key=True)
description = sql.Column(sql.String(255), nullable=False)
# NOTE(jaypipes): Right now, using an adjacency list model for
# storing the hierarchy of regions is fine, since
# the API does not support any kind of querying for
# more complex hierarchical queries such as "get me only
# the regions that are subchildren of this region", etc.
# If, in the future, such queries are needed, then it
# would be possible to add in columns to this model for
# "left" and "right" and provide support for a nested set
# model.
parent_region_id = sql.Column(sql.String(255), nullable=True)
extra = sql.Column(sql.JsonBlob())
endpoints = sqlalchemy.orm.relationship("Endpoint", backref="region")
[docs]
class Service(sql.ModelBase, sql.ModelDictMixinWithExtras):
__tablename__ = 'service'
attributes = ['id', 'type', 'enabled']
id = sql.Column(sql.String(64), primary_key=True)
type = sql.Column(sql.String(255))
enabled = sql.Column(
sql.Boolean,
nullable=False,
default=True,
server_default=sqlalchemy.sql.expression.true(),
)
extra = sql.Column(sql.JsonBlob())
endpoints = sqlalchemy.orm.relationship("Endpoint", backref="service")
[docs]
class Endpoint(sql.ModelBase, sql.ModelDictMixinWithExtras):
__tablename__ = 'endpoint'
attributes = [
'id',
'interface',
'region_id',
'service_id',
'url',
'legacy_endpoint_id',
'enabled',
]
id = sql.Column(sql.String(64), primary_key=True)
legacy_endpoint_id = sql.Column(sql.String(64))
interface = sql.Column(sql.String(8), nullable=False)
region_id = sql.Column(
sql.String(255),
sql.ForeignKey('region.id', ondelete='RESTRICT'),
nullable=True,
default=None,
)
service_id = sql.Column(
sql.String(64), sql.ForeignKey('service.id'), nullable=False
)
url = sql.Column(sql.Text(), nullable=False)
enabled = sql.Column(
sql.Boolean,
nullable=False,
default=True,
server_default=sqlalchemy.sql.expression.true(),
)
extra = sql.Column(sql.JsonBlob())
[docs]
@classmethod
def from_dict(cls, endpoint_dict):
"""Override from_dict to set enabled if missing."""
new_dict = endpoint_dict.copy()
if new_dict.get('enabled') is None:
new_dict['enabled'] = True
return super().from_dict(new_dict)
[docs]
class Catalog(base.CatalogDriverBase):
# Regions
[docs]
def list_regions(self, hints):
with sql.session_for_read() as session:
regions = session.query(Region)
regions = sql.filter_limit_query(Region, regions, hints)
return [s.to_dict() for s in list(regions)]
def _get_region(self, session, region_id):
ref = session.get(Region, region_id)
if not ref:
raise exception.RegionNotFound(region_id=region_id)
return ref
def _delete_child_regions(self, session, region_id, root_region_id):
"""Delete all child regions.
Recursively delete any region that has the supplied region
as its parent.
"""
children = session.query(Region).filter_by(parent_region_id=region_id)
for child in children:
if child.id == root_region_id:
# Hit a circular region hierarchy
return
self._delete_child_regions(session, child.id, root_region_id)
session.delete(child)
def _check_parent_region(self, session, region_ref):
"""Raise a NotFound if the parent region does not exist.
If the region_ref has a specified parent_region_id, check that
the parent exists, otherwise, raise a NotFound.
"""
parent_region_id = region_ref.get('parent_region_id')
if parent_region_id is not None:
# This will raise NotFound if the parent doesn't exist,
# which is the behavior we want.
self._get_region(session, parent_region_id)
def _has_endpoints(self, session, region, root_region):
if region.endpoints is not None and len(region.endpoints) > 0:
return True
q = session.query(Region)
q = q.filter_by(parent_region_id=region.id)
for child in q.all():
if child.id == root_region.id:
# Hit a circular region hierarchy
return False
if self._has_endpoints(session, child, root_region):
return True
return False
[docs]
def get_region(self, region_id):
with sql.session_for_read() as session:
return self._get_region(session, region_id).to_dict()
[docs]
def delete_region(self, region_id):
with sql.session_for_write() as session:
ref = self._get_region(session, region_id)
if self._has_endpoints(session, ref, ref):
raise exception.RegionDeletionError(region_id=region_id)
self._delete_child_regions(session, region_id, region_id)
session.delete(ref)
[docs]
@sql.handle_conflicts(conflict_type='region')
def create_region(self, region_ref):
with sql.session_for_write() as session:
self._check_parent_region(session, region_ref)
region = Region.from_dict(region_ref)
session.add(region)
return region.to_dict()
[docs]
def update_region(self, region_id, region_ref):
with sql.session_for_write() as session:
self._check_parent_region(session, region_ref)
ref = self._get_region(session, region_id)
old_dict = ref.to_dict()
old_dict.update(region_ref)
self._ensure_no_circle_in_hierarchical_regions(old_dict)
new_region = Region.from_dict(old_dict)
for attr in Region.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_region, attr))
ref.extra = new_region.extra
return ref.to_dict()
# Services
[docs]
@driver_hints.truncated
def list_services(self, hints):
with sql.session_for_read() as session:
services = session.query(Service)
services = sql.filter_limit_query(Service, services, hints)
return [s.to_dict() for s in list(services)]
def _get_service(self, session, service_id):
ref = session.get(Service, service_id)
if not ref:
raise exception.ServiceNotFound(service_id=service_id)
return ref
[docs]
def get_service(self, service_id):
with sql.session_for_read() as session:
return self._get_service(session, service_id).to_dict()
[docs]
def delete_service(self, service_id):
with sql.session_for_write() as session:
ref = self._get_service(session, service_id)
session.query(Endpoint).filter_by(service_id=service_id).delete()
session.delete(ref)
[docs]
def create_service(self, service_id, service_ref):
with sql.session_for_write() as session:
service = Service.from_dict(service_ref)
session.add(service)
return service.to_dict()
[docs]
def update_service(self, service_id, service_ref):
with sql.session_for_write() as session:
ref = self._get_service(session, service_id)
old_dict = ref.to_dict()
old_dict.update(service_ref)
new_service = Service.from_dict(old_dict)
for attr in Service.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_service, attr))
ref.extra = new_service.extra
return ref.to_dict()
# Endpoints
[docs]
def create_endpoint(self, endpoint_id, endpoint):
with sql.session_for_write() as session:
endpoint_ref = Endpoint.from_dict(endpoint)
session.add(endpoint_ref)
return endpoint_ref.to_dict()
[docs]
def delete_endpoint(self, endpoint_id):
with sql.session_for_write() as session:
ref = self._get_endpoint(session, endpoint_id)
session.delete(ref)
def _get_endpoint(self, session, endpoint_id):
try:
return session.query(Endpoint).filter_by(id=endpoint_id).one()
except sql.NotFound:
raise exception.EndpointNotFound(endpoint_id=endpoint_id)
[docs]
def get_endpoint(self, endpoint_id):
with sql.session_for_read() as session:
return self._get_endpoint(session, endpoint_id).to_dict()
[docs]
@driver_hints.truncated
def list_endpoints(self, hints):
with sql.session_for_read() as session:
endpoints = session.query(Endpoint)
endpoints = sql.filter_limit_query(Endpoint, endpoints, hints)
return [e.to_dict() for e in list(endpoints)]
[docs]
def update_endpoint(self, endpoint_id, endpoint_ref):
with sql.session_for_write() as session:
ref = self._get_endpoint(session, endpoint_id)
old_dict = ref.to_dict()
old_dict.update(endpoint_ref)
new_endpoint = Endpoint.from_dict(old_dict)
for attr in Endpoint.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_endpoint, attr))
ref.extra = new_endpoint.extra
return ref.to_dict()
[docs]
def get_catalog(self, user_id, project_id):
"""Retrieve and format the V2 service catalog.
:param user_id: The id of the user who has been authenticated for
creating service catalog.
:param project_id: The id of the project. 'project_id' will be None
in the case this being called to create a catalog to go in a
domain scoped token. In this case, any endpoint that requires
a project_id as part of their URL will be skipped (as would a whole
service if, as a consequence, it has no valid endpoints).
:returns: A nested dict representing the service catalog or an
empty dict.
"""
substitutions = dict(CONF.items())
substitutions.update({'user_id': user_id})
silent_keyerror_failures = []
if project_id:
substitutions.update(
{'tenant_id': project_id, 'project_id': project_id}
)
else:
silent_keyerror_failures = ['tenant_id', 'project_id']
with sql.session_for_read() as session:
endpoints = (
session.query(Endpoint)
.options(sql.joinedload(Endpoint.service))
.filter(Endpoint.enabled == true())
.all()
)
catalog = {}
for endpoint in endpoints:
if not endpoint.service['enabled']:
continue
try:
formatted_url = utils.format_url(
endpoint['url'],
substitutions,
silent_keyerror_failures=silent_keyerror_failures,
)
if formatted_url is not None:
url = formatted_url
else:
continue
except exception.MalformedEndpoint: # nosec(tkelsey)
continue # this failure is already logged in format_url()
region = endpoint['region_id']
service_type = endpoint.service['type']
default_service = {
'id': endpoint['id'],
'name': endpoint.service.extra.get('name', ''),
'publicURL': '',
}
catalog.setdefault(region, {})
catalog[region].setdefault(service_type, default_service)
interface_url = '{}URL'.format(endpoint['interface'])
catalog[region][service_type][interface_url] = url
return catalog
[docs]
def get_v3_catalog(self, user_id, project_id):
"""Retrieve and format the current V3 service catalog.
:param user_id: The id of the user who has been authenticated for
creating service catalog.
:param project_id: The id of the project. 'project_id' will be None in
the case this being called to create a catalog to go in a domain
scoped token. In this case, any endpoint that requires a
project_id as part of their URL will be skipped.
:returns: A list representing the service catalog or an empty list
"""
d = dict(CONF.items())
d.update({'user_id': user_id})
silent_keyerror_failures = []
if project_id:
d.update({'tenant_id': project_id, 'project_id': project_id})
else:
silent_keyerror_failures = ['tenant_id', 'project_id']
with sql.session_for_read() as session:
services = (
session.query(Service)
.filter(Service.enabled == true())
.options(sql.joinedload(Service.endpoints))
.all()
)
def make_v3_endpoints(endpoints):
for endpoint in (
ep.to_dict() for ep in endpoints if ep.enabled
):
del endpoint['service_id']
del endpoint['legacy_endpoint_id']
del endpoint['enabled']
endpoint['region'] = endpoint['region_id']
try:
formatted_url = utils.format_url(
endpoint['url'],
d,
silent_keyerror_failures=silent_keyerror_failures,
)
if formatted_url:
endpoint['url'] = formatted_url
else:
continue
except exception.MalformedEndpoint: # nosec(tkelsey)
# this failure is already logged in format_url()
continue
yield endpoint
# TODO(davechen): If there is service with no endpoints, we should
# skip the service instead of keeping it in the catalog,
# see bug #1436704.
def make_v3_service(svc):
eps = list(make_v3_endpoints(svc.endpoints))
service = {'endpoints': eps, 'id': svc.id, 'type': svc.type}
service['name'] = svc.extra.get('name', '')
return service
# Build the unfiltered catalog, this is the catalog that is
# returned if endpoint filtering is not performed and the
# option of `return_all_endpoints_if_no_filter` is set to true.
catalog_ref = [make_v3_service(svc) for svc in services]
# Filter the `catalog_ref` above by any project-endpoint
# association configured by endpoint filter.
filtered_endpoints = {}
if project_id:
filtered_endpoints = (
self.catalog_api.list_endpoints_for_project(project_id)
)
# endpoint filter is enabled, only return the filtered endpoints.
if filtered_endpoints:
filtered_ids = list(filtered_endpoints.keys())
# This is actually working on the copy of `catalog_ref` since
# the index will be shifted if remove/add any entry for the
# original one.
for service in catalog_ref[:]:
endpoints = service['endpoints']
for endpoint in endpoints[:]:
endpoint_id = endpoint['id']
# remove the endpoint that is not associated with
# the project.
if endpoint_id not in filtered_ids:
service['endpoints'].remove(endpoint)
continue
# remove the disabled endpoint from the list.
if not filtered_endpoints[endpoint_id]['enabled']:
service['endpoints'].remove(endpoint)
# NOTE(davechen): The service will not be included in the
# catalog if the service doesn't have any endpoint when
# endpoint filter is enabled, this is inconsistent with
# full catalog that is returned when endpoint filter is
# disabled.
if not service.get('endpoints'):
catalog_ref.remove(service)
# When it arrives here it means it's domain scoped token (
# `project_id` is not set) or it's a project scoped token
# but the endpoint filtering is not performed.
# Both of them tell us the endpoint filtering is not enabled, so
# check the option of `return_all_endpoints_if_no_filter`, it will
# judge whether a full unfiltered catalog or a empty service
# catalog will be returned.
elif not CONF.endpoint_filter.return_all_endpoints_if_no_filter:
return []
return catalog_ref
[docs]
@sql.handle_conflicts(conflict_type='project_endpoint')
def add_endpoint_to_project(self, endpoint_id, project_id):
with sql.session_for_write() as session:
endpoint_filter_ref = ProjectEndpoint(
endpoint_id=endpoint_id, project_id=project_id
)
session.add(endpoint_filter_ref)
def _get_project_endpoint_ref(self, session, endpoint_id, project_id):
endpoint_filter_ref = session.get(
ProjectEndpoint, (endpoint_id, project_id)
)
if endpoint_filter_ref is None:
msg = _(
'Endpoint %(endpoint_id)s not found in project '
'%(project_id)s'
) % {'endpoint_id': endpoint_id, 'project_id': project_id}
raise exception.NotFound(msg)
return endpoint_filter_ref
[docs]
def check_endpoint_in_project(self, endpoint_id, project_id):
with sql.session_for_read() as session:
self._get_project_endpoint_ref(session, endpoint_id, project_id)
[docs]
def remove_endpoint_from_project(self, endpoint_id, project_id):
with sql.session_for_write() as session:
endpoint_filter_ref = self._get_project_endpoint_ref(
session, endpoint_id, project_id
)
session.delete(endpoint_filter_ref)
[docs]
def list_endpoints_for_project(self, project_id):
with sql.session_for_read() as session:
query = session.query(ProjectEndpoint)
query = query.filter_by(project_id=project_id)
endpoint_filter_refs = query.all()
return [ref.to_dict() for ref in endpoint_filter_refs]
[docs]
def list_projects_for_endpoint(self, endpoint_id):
with sql.session_for_read() as session:
query = session.query(ProjectEndpoint)
query = query.filter_by(endpoint_id=endpoint_id)
endpoint_filter_refs = query.all()
return [ref.to_dict() for ref in endpoint_filter_refs]
[docs]
def delete_association_by_endpoint(self, endpoint_id):
with sql.session_for_write() as session:
query = session.query(ProjectEndpoint)
query = query.filter_by(endpoint_id=endpoint_id)
query.delete(synchronize_session=False)
[docs]
def delete_association_by_project(self, project_id):
with sql.session_for_write() as session:
query = session.query(ProjectEndpoint)
query = query.filter_by(project_id=project_id)
query.delete(synchronize_session=False)
[docs]
def create_endpoint_group(self, endpoint_group_id, endpoint_group):
with sql.session_for_write() as session:
endpoint_group_ref = EndpointGroup.from_dict(endpoint_group)
session.add(endpoint_group_ref)
return endpoint_group_ref.to_dict()
def _get_endpoint_group(self, session, endpoint_group_id):
endpoint_group_ref = session.get(EndpointGroup, endpoint_group_id)
if endpoint_group_ref is None:
raise exception.EndpointGroupNotFound(
endpoint_group_id=endpoint_group_id
)
return endpoint_group_ref
[docs]
def get_endpoint_group(self, endpoint_group_id):
with sql.session_for_read() as session:
endpoint_group_ref = self._get_endpoint_group(
session, endpoint_group_id
)
return endpoint_group_ref.to_dict()
[docs]
def update_endpoint_group(self, endpoint_group_id, endpoint_group):
with sql.session_for_write() as session:
endpoint_group_ref = self._get_endpoint_group(
session, endpoint_group_id
)
old_endpoint_group = endpoint_group_ref.to_dict()
old_endpoint_group.update(endpoint_group)
new_endpoint_group = EndpointGroup.from_dict(old_endpoint_group)
for attr in EndpointGroup.mutable_attributes:
setattr(
endpoint_group_ref, attr, getattr(new_endpoint_group, attr)
)
return endpoint_group_ref.to_dict()
[docs]
def delete_endpoint_group(self, endpoint_group_id):
with sql.session_for_write() as session:
endpoint_group_ref = self._get_endpoint_group(
session, endpoint_group_id
)
self._delete_endpoint_group_association_by_endpoint_group(
session, endpoint_group_id
)
session.delete(endpoint_group_ref)
[docs]
def get_endpoint_group_in_project(self, endpoint_group_id, project_id):
with sql.session_for_read() as session:
ref = self._get_endpoint_group_in_project(
session, endpoint_group_id, project_id
)
return ref.to_dict()
[docs]
@sql.handle_conflicts(conflict_type='project_endpoint_group')
def add_endpoint_group_to_project(self, endpoint_group_id, project_id):
with sql.session_for_write() as session:
# Create a new Project Endpoint group entity
endpoint_group_project_ref = ProjectEndpointGroupMembership(
endpoint_group_id=endpoint_group_id, project_id=project_id
)
session.add(endpoint_group_project_ref)
def _get_endpoint_group_in_project(
self, session, endpoint_group_id, project_id
):
endpoint_group_project_ref = session.get(
ProjectEndpointGroupMembership, (endpoint_group_id, project_id)
)
if endpoint_group_project_ref is None:
msg = _('Endpoint Group Project Association not found')
raise exception.NotFound(msg)
else:
return endpoint_group_project_ref
[docs]
def list_endpoint_groups(self, hints):
with sql.session_for_read() as session:
query = session.query(EndpointGroup)
endpoint_group_refs = sql.filter_limit_query(
EndpointGroup, query, hints
)
return [e.to_dict() for e in endpoint_group_refs]
[docs]
def list_endpoint_groups_for_project(self, project_id):
with sql.session_for_read() as session:
query = session.query(ProjectEndpointGroupMembership)
query = query.filter_by(project_id=project_id)
endpoint_group_refs = query.all()
return [ref.to_dict() for ref in endpoint_group_refs]
[docs]
def remove_endpoint_group_from_project(
self, endpoint_group_id, project_id
):
with sql.session_for_write() as session:
endpoint_group_project_ref = self._get_endpoint_group_in_project(
session, endpoint_group_id, project_id
)
session.delete(endpoint_group_project_ref)
[docs]
def list_projects_associated_with_endpoint_group(self, endpoint_group_id):
with sql.session_for_read() as session:
query = session.query(ProjectEndpointGroupMembership)
query = query.filter_by(endpoint_group_id=endpoint_group_id)
endpoint_group_refs = query.all()
return [ref.to_dict() for ref in endpoint_group_refs]
def _delete_endpoint_group_association_by_endpoint_group(
self, session, endpoint_group_id
):
query = session.query(ProjectEndpointGroupMembership)
query = query.filter_by(endpoint_group_id=endpoint_group_id)
query.delete()
[docs]
def delete_endpoint_group_association_by_project(self, project_id):
with sql.session_for_write() as session:
query = session.query(ProjectEndpointGroupMembership)
query = query.filter_by(project_id=project_id)
query.delete()
[docs]
class ProjectEndpoint(sql.ModelBase, sql.ModelDictMixin):
"""project-endpoint relationship table."""
__tablename__ = 'project_endpoint'
attributes = ['endpoint_id', 'project_id']
endpoint_id = sql.Column(sql.String(64), primary_key=True, nullable=False)
project_id = sql.Column(sql.String(64), primary_key=True, nullable=False)
[docs]
class EndpointGroup(sql.ModelBase, sql.ModelDictMixin):
"""Endpoint Groups table."""
__tablename__ = 'endpoint_group'
attributes = ['id', 'name', 'description', 'filters']
mutable_attributes = frozenset(['name', 'description', 'filters'])
id = sql.Column(sql.String(64), primary_key=True)
name = sql.Column(sql.String(255), nullable=False)
description = sql.Column(sql.Text, nullable=True)
filters = sql.Column(sql.JsonBlob(), nullable=False)
[docs]
class ProjectEndpointGroupMembership(sql.ModelBase, sql.ModelDictMixin):
"""Project to Endpoint group relationship table."""
__tablename__ = 'project_endpoint_group'
attributes = ['endpoint_group_id', 'project_id']
endpoint_group_id = sql.Column(
sql.String(64), sql.ForeignKey('endpoint_group.id'), nullable=False
)
project_id = sql.Column(sql.String(64), nullable=False)
__table_args__ = (
sql.PrimaryKeyConstraint('endpoint_group_id', 'project_id'),
)