keystone 的pam认证方式

from __future__ import absolute_import
import pdb

try:
    import pam
except ImportError:
    pam = None
    import PAM

from keystone import identity


def PAM_authenticate(username, password):
    """Check ``username``/``password`` against the host PAM stack via PyPAM.

    Fallback used when the ``pam`` package is not importable and the
    lower-level ``PAM`` (PyPAM) binding is used instead.

    Returns True when both the authentication and the account-management
    stages succeed.  Raises ``AssertionError('Invalid user / password')`` on
    any PAM error; the message is deliberately generic so a failed attempt
    does not reveal whether the user exists.
    """
    def _pam_conv(auth, query_list):
        # PAM "conversation" callback: PAM hands us a list of
        # (prompt_text, prompt_type) messages and expects one
        # (reply, 0) tuple per message, in the same order.
        resp = []

        for query, q_type in query_list:
            if q_type in [PAM.PAM_PROMPT_ECHO_ON, PAM.PAM_PROMPT_ECHO_OFF]:
                # The supplied password is the answer to every prompt that
                # asks for input.
                # NOTE(review): ECHO_ON prompts are the kind a module expects
                # to be shown (e.g. a user name or a one-time code), so a
                # non-default stack that logs or echoes them would see the
                # password.  With PAM_USER already set below, pam_unix only
                # issues ECHO_OFF prompts -- confirm for the stack in use.
                resp.append((password, 0))
            elif q_type in [PAM.PAM_PROMPT_ERROR_MSG,
                            PAM.PAM_PROMPT_TEXT_INFO]:
                # Informational / error messages need no real answer.
                resp.append(('', 0))
            # Any other message type gets no reply, so the response list is
            # shorter than the query list and the conversation fails -- i.e.
            # unknown prompts fail closed rather than being answered with the
            # password.  (Presumably PyPAM rejects a short list; verify
            # against the installed PyPAM version.)

        return resp

    auth = PAM.pam()
    # NOTE(review): this authenticates against the 'passwd' service stack
    # (/etc/pam.d/passwd), which is the stack intended for password changes.
    # A dedicated service name would let administrators scope PAM policy to
    # Keystone without touching the passwd stack.
    auth.start('passwd')
    auth.set_item(PAM.PAM_USER, username)
    auth.set_item(PAM.PAM_CONV, _pam_conv)

    try:
        # Credential check, then the account-management stage so that
        # expired or locked accounts are refused even with a correct password.
        auth.authenticate()
        auth.acct_mgmt()
    except PAM.error:
        # Collapse every PAM failure into the single generic error the
        # caller expects.
        raise AssertionError('Invalid user / password')

    return True


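class PamIdentity(identity.Driver):
    """Very basic identity driver backed by the host's PAM stack.

    Model implemented here:

    * Every PAM account is also its own tenant (tenant id == user id), so
      tenant lookups never fail: whatever id or name is asked for is echoed
      back as an enabled tenant.
    * ``root`` gets ``is_admin`` set in the metadata returned by
      :meth:`authenticate`.
    * The service accounts listed in ``SERVICE_USERS`` belong to the shared
      ``service`` tenant and receive the ``admin`` role -- after passing the
      same PAM password check as everybody else.
    * ``admin`` is the only role that exists.

    The driver is read-only: create/update/delete and role-assignment calls
    raise ``NotImplementedError``.
    """

    # Accounts used by other OpenStack services.  They are mapped onto the
    # 'service' tenant but are NOT exempt from the password check.
    SERVICE_USERS = ('nova', 'glance', 'cinder')

    SERVICE_TENANT_ID = 'service'

    @staticmethod
    def _tenant_record(tenant_id):
        """Return a fresh tenant dict for ``tenant_id``.

        A new dict is built per call so callers cannot mutate shared state.
        """
        return {'enabled': True, 'description': None,
                'name': tenant_id, 'id': tenant_id}

    @staticmethod
    def _user_record(user_id, tenant_id, email):
        """Return a fresh user dict.

        ``enabled`` is always the boolean True; the string forms 'True' /
        'true' used previously are truthy as well but inconsistent with the
        tenant records.
        """
        return {'id': user_id, 'name': user_id, 'enabled': True,
                'email': email, 'tenantId': tenant_id}

    @staticmethod
    def _check_password(user_id, password):
        """Verify ``password`` for ``user_id`` with whichever PAM binding
        was imported.

        Raises ``AssertionError('Invalid user / password')`` on rejection so
        both bindings surface the same failure type to the caller.
        """
        if pam:
            # python-pam reports failure with a false return value instead
            # of raising; translate it into the shared exception so a bad
            # password can never fall through as a "successful" None result.
            if not pam.authenticate(user_id, password):
                raise AssertionError('Invalid user / password')
        else:
            # PyPAM path: PAM_authenticate raises AssertionError itself.
            PAM_authenticate(user_id, password)

    def authenticate(self, user_id, tenant_id, password):
        """Validate ``password`` for ``user_id`` against PAM.

        ``tenant_id`` is accepted for interface compatibility but not used:
        service accounts are always scoped to the ``service`` tenant and every
        other user gets an unscoped (``None``) tenant.

        Returns ``(user, tenant, metadata)`` on success.
        Raises ``AssertionError('Invalid user / password')`` when PAM rejects
        the credentials.
        """
        # The password check is unconditional.  Exempting the service
        # accounts would hand an admin-role result to anyone who merely
        # knows the user name 'nova', 'glance' or 'cinder'.
        self._check_password(user_id, password)

        if user_id in self.SERVICE_USERS:
            user = self._user_record(user_id, self.SERVICE_TENANT_ID,
                                     'openstack@openstack.com')
            tenant = self._tenant_record(self.SERVICE_TENANT_ID)
            metadata = {'roles': ['admin']}
            return (user, tenant, metadata)

        metadata = {}
        if user_id == 'root':
            metadata['is_admin'] = True
        # Ordinary users get no tenant here; the email field just mirrors
        # the user id because PAM provides no address.
        user = self._user_record(user_id, None, user_id)
        return (user, None, metadata)

    def get_tenant(self, tenant_id):
        """Return an enabled tenant for any ``tenant_id`` (tenants are
        implicit: one per user plus 'service')."""
        return self._tenant_record(tenant_id)

    def get_tenant_by_name(self, tenant_name):
        """Same as :meth:`get_tenant`; tenant name and id are identical."""
        return self._tenant_record(tenant_name)

    def get_user(self, user_id):
        """Return a user dict for ``user_id`` without consulting PAM.

        Service accounts are placed in the 'service' tenant; everyone else is
        in the tenant named after them.
        """
        if user_id in self.SERVICE_USERS:
            return self._user_record(user_id, self.SERVICE_TENANT_ID,
                                     'test@test.com')
        return self._user_record(user_id, user_id, user_id)

    def get_user_by_name(self, user_name):
        """Same as :meth:`get_user`; user name and id are identical."""
        return self.get_user(user_name)

    def get_role(self, role_id):
        """Return the 'admin' role, the only role this driver knows.

        Any other ``role_id`` yields None.
        """
        if role_id == 'admin':
            return {'id': role_id, 'name': 'admin'}
        return None

    def list_users(self):
        raise NotImplementedError()

    def list_roles(self):
        raise NotImplementedError()

    def add_user_to_tenant(self, tenant_id, user_id):
        raise NotImplementedError()

    def remove_user_from_tenant(self, tenant_id, user_id):
        raise NotImplementedError()

    def get_tenants(self):
        """List the only explicitly known tenant, 'service'.

        Per-user tenants are implicit and therefore not enumerated here.
        """
        return [self._tenant_record(self.SERVICE_TENANT_ID)]

    def get_tenants_for_user(self, user_id):
        """Return the tenant ids ``user_id`` belongs to.

        Kept consistent with the ``tenantId`` field of the user records:
        service accounts live in 'service', everyone else in the tenant
        named after them.
        """
        if user_id in self.SERVICE_USERS:
            return [self.SERVICE_TENANT_ID]
        return [user_id]

    def get_roles_for_user_and_tenant(self, user_id, tenant_id):
        raise NotImplementedError()

    def add_role_to_user_and_tenant(self, user_id, tenant_id, role_id):
        raise NotImplementedError()

    def remove_role_from_user_and_tenant(self, user_id, tenant_id, role_id):
        raise NotImplementedError()

    def create_user(self, user_id, user):
        raise NotImplementedError()

    def update_user(self, user_id, user):
        raise NotImplementedError()

    def delete_user(self, user_id):
        raise NotImplementedError()

    def create_tenant(self, tenant_id, tenant):
        raise NotImplementedError()

    def update_tenant(self, tenant_id, tenant):
        raise NotImplementedError()

    def delete_tenant(self, tenant_id, tenant):
        raise NotImplementedError()

    def get_metadata(self, user_id, tenant_id):
        """Return the stored per-user/tenant metadata: always empty.

        No role grants are persisted; the 'admin' role for service accounts
        and the ``is_admin`` flag for root are attached only by
        :meth:`authenticate`.
        """
        return {}

    def create_metadata(self, user_id, tenant_id, metadata):
        raise NotImplementedError()

    def update_metadata(self, user_id, tenant_id, metadata):
        raise NotImplementedError()

    def delete_metadata(self, user_id, tenant_id, metadata):
        raise NotImplementedError()

    def create_role(self, role_id, role):
        raise NotImplementedError()

    def update_role(self, role_id, role):
        raise NotImplementedError()

    def delete_role(self, role_id):
        raise NotImplementedError()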

Keystone 本身其实已经集成了 PAM 认证方式,但是存在一些问题。

pam.py

