Skip to main content

A limited OpenStack Identity API v3 client in Python (with fewer dependencies)

Project description

keystone-light implements a Python interface to a very limited subset of the OpenStack Identity API v3.

Initial goal: access to OpenStack Swift, using the Identity API v3, but with a lot fewer dependencies.

As of this writing, the python-keystoneclient requires keystoneauth1 and oslo.*, which in turn require some more. We only require the ubiquitous requests (and PyYAML), which you generally already have installed anyway.

Example usage

#!/usr/bin/env python3
from urllib.parse import urljoin

import requests
from keystone_light import Cloud, CloudsYamlConfig, PermissionDenied


def get_projects(cloud):
    "Yields projects, sorted by domain and project name"
    domains = cloud.get_domains()
    for domain in sorted(domains, key=(lambda x: x.name)):
        if domain.name == 'Default':
            # print('WARN: skipping domain Default (fixme?)')
            continue

        projects = domain.get_projects()
        for project in sorted(projects, key=(lambda x: x.name)):
            project.domain = domain
            yield project

def _give_us_project_perms_through_admin_group(project):
    """
    Make sure we are in the *-admin group. Make sure the *-admin
    group has permissions on the project.
    """
    cloud = project.cloud
    dom_admin_group = project.domain.get_admin_group()

    # First check if we're member of the group at all.
    token = cloud.get_system_token()
    auth_headers = {'X-Auth-Token': str(token)}
    try:
        # FIXME: Undocumented access to system_token!
        user_id = token.data['user']['id']
        assert user_id and isinstance(user_id, str), user_id
    except KeyError:
        raise ValueError('missing user.id?', token.data)

    # Are we in the *-admin group?
    url = urljoin(
        cloud.base_url,
        '/v3/groups/{group_id}/users/{user_id}'.format(
            group_id=dom_admin_group.id, user_id=user_id))
    out = requests.head(url, headers=auth_headers)
    if out.status_code == 404:
        # Add us to the group.
        out = requests.put(url, headers=auth_headers)
        assert out.status_code == 204, (
            'PUT', url, out.status_code, out.text)
        # Double check.
        out = requests.head(url, headers=auth_headers)
    assert out.status_code == 204, (
        'HEAD', url, out.status_code, out.text)

    # Grant *-admin power to the project.
    admin_role = cloud.get_role(name='admin')  # or 'reader'
    url = urljoin(
        cloud.base_url,
        '/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}'.format(
            project_id=project.id, group_id=dom_admin_group.id,
            role_id=admin_role.id))
    out = requests.put(url, headers=auth_headers)
    assert out.status_code in (201, 204), (
        'PUT', url, out.status_code, out.text)

def get_swift_stat_ensuring_permissions(project):
    "Get Swift v1 stat on a project (previously: tenant)"
    try:
        stat = project.get_swift().get_stat()
    except PermissionDenied:
        # We don't have permission to access the project? Upgrade the
        # permissions and try again.
        _give_us_project_perms_through_admin_group(project)
    else:
        return stat

    # Try again. Should succeed now, with the added permissions.
    try:
        stat = project.get_swift().get_stat()
    except PermissionDenied as e:
        raise MyPermissionDenied(
            'EPERM on {domain}.{project}: {exc} {exc_args}'.format(
                domain=project.domain.name, project=project.name,
                exc=e.__class__.__name__, exc_args=e.args)) from e
    else:
        return stat


# Take config from ~/.config/openstack/clouds.yaml and select
# 'my-cloud-admin', like the openstack(1) --os-cloud option.
config = CloudsYamlConfig('my-cloud-admin')
cloud = Cloud(config)
for project in get_projects(cloud):
    swift_stat = get_swift_stat_ensuring_permissions(project)
    print('{:15s} {:23s} {:21d} B ({} objects, {} containers)'.format(
        project.domain.name[0:15], project.name,
        int(swift_stat['X-Account-Bytes-Used']),
        swift_stat['X-Account-Object-Count'],
        swift_stat['X-Account-Container-Count']))

Example output

$ python3 example.py
domainx         project                  3489 B (2 objects, 1 containers)
domainx         otherproject       1455042022 B (267 objects, 1 containers)
...

Swift Example usage

from keystone_light import Cloud, DirectConfig

KEYSTONE_URL = 'https://<DOMAIN>:<USER>:<PASS>@KEYSTONE'
SWIFT_PROJECT = '<DOMAIN>:<PROJECT>'
SWIFT_CONTAINER = 'some-container'

config = DirectConfig(KEYSTONE_URI)
project = Cloud(config).get_current_project()
assert project.get_fullname() == SWIFT_PROJECT, project.get_fullname()

swift = project.get_swift()
container = swift.get_container(SWIFT_CONTAINER)

# (Re-)upload file:
filename = ('bloblet.bin' if False else 'blobzilla.bin')
with open(filename, 'rb') as fp:
    try:
        container.delete(filename)
    except FileNotFoundError:
        pass
    # TIP: Use ChunkIteratorIOBaseWrapper(fp) if the input file
    # is a pipe/stream.
    container.put(filename, fp)

# Download file:
filename2 = '{}.retrieved'.format(filename)
with container.get(filename) as response, \
        open(filename2, 'wb') as fp:
    for chunk in response.iter_content(chunk_size=8192):
        fp.write(chunk)

# Check and compare:
with open(filename, 'rb') as fp, \
        open(filename2, 'rb') as fp2:
    buf = buf2 = True
    while buf and buf2:
        buf = fp.read(8192)
        buf2 = fp2.read(8192)
        assert buf == buf2
    assert buf == buf2

And an example with timing:

from timeit import timeit

# ...

# Download file:
filename2 = '{}.retrieved'.format(filename)
def _get():
    with container.get(filename) as response, \
            open(filename2, 'wb') as fp:
        for chunk in response.iter_content(chunk_size=8192):
            fp.write(chunk)
print('{:7.3f} GET'.format(timeit(number=1, stmt=_get)))

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keystone-light-1.3.tar.gz (15.5 kB view details)

Uploaded Source

File details

Details for the file keystone-light-1.3.tar.gz.

File metadata

  • Download URL: keystone-light-1.3.tar.gz
  • Upload date:
  • Size: 15.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.22.0 setuptools/45.2.0 requests-toolbelt/0.9.1 tqdm/4.57.0 CPython/3.8.5

File hashes

Hashes for keystone-light-1.3.tar.gz
Algorithm Hash digest
SHA256 0b3939eb8f26482809fdf9fe82312f2382af2c0697b9b32bb7cfaefb7ba14daf
MD5 0d801a295db2024ae97bc3f2be7e1d09
BLAKE2b-256 4482e6131abd8e5054f4bd37e800a143242dc89339c431362ed2b066ee1f06c4

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page