This auth module is intended to allow OpenStack client-tools to select from a variety of authentication strategies, including NoAuth (the default), and Keystone (an identity management system).
> auth_plugin = AuthPlugin(creds)
> auth_plugin.authenticate()
> auth_plugin.auth_token
abcdefg
> auth_plugin.management_url
http://service_endpoint/
Bases: glance.common.auth.BaseStrategy
Authenticate with the Keystone service.
There are a few scenarios to consider here:
Select an endpoint from the service catalog
We search the full service catalog for services matching both type and region. If the client supplied no region then any ‘image’ endpoint is considered a match. There must be one – and only one – successful match in the catalog, otherwise we will raise an exception.
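The selection rule described above, as an added example (not Glance's own code). The catalog layout with `type`, `endpoints`, `region` and `publicURL` keys, the exception names and the sample URLs are assumptions made for illustration.

```python
class EndpointNotFound(Exception):
    """No catalog entry matched the requested type and region."""


class AmbiguousEndpoint(Exception):
    """More than one catalog entry matched; refuse to guess."""


def select_image_endpoint(service_catalog, region=None, service_type="image"):
    """Return the single matching endpoint URL, or raise.

    The catalog layout used here is an assumption of this example.
    """
    matches = []
    for service in service_catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            # With no region supplied, every endpoint of the type matches.
            if region is None or endpoint.get("region") == region:
                matches.append(endpoint["publicURL"])
    if not matches:
        raise EndpointNotFound("no %r endpoint for region %r"
                               % (service_type, region))
    if len(matches) > 1:
        # Failing closed keeps the client from sending its token to an
        # endpoint the operator did not intend.
        raise AmbiguousEndpoint("%d %r endpoints match region %r"
                                % (len(matches), service_type, region))
    return matches[0]


# Constructed sample catalog (not real deployment data).
SAMPLE_CATALOG = [
    {"type": "identity",
     "endpoints": [{"region": "RegionOne",
                    "publicURL": "http://keystone.example.test:5000"}]},
    {"type": "image",
     "endpoints": [{"region": "RegionOne",
                    "publicURL": "http://glance-r1.example.test:9292"},
                   {"region": "RegionTwo",
                    "publicURL": "http://glance-r2.example.test:9292"}]},
]
```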
Bases: object
A base client class
Sets up the connection based on the given url.
The form is:
<http|https>://<host>:port/doc_root
Make a request, returning an HTTP response object.
Parameters: |
|
---|---|
Returns: | HTTP response object |
Bases: httplib.HTTPSConnection
Class to make a HTTPS connection, with support for full client-based SSL Authentication
Connect to a host on a given (SSL) port. If ca_file is pointing somewhere, use it to check Server Certificate.
Redefined/copied and extended from httplib.py:1105 (Python 2.6.x). This is needed to pass cert_reqs=ssl.CERT_REQUIRED as parameter to ssl.wrap_socket(), which forces SSL to check server certificate against our client certificate.
Routines for configuring Glance
Builds and returns a WSGI app from a paste config file.
We assume the last config file specified in the supplied ConfigOpts object is the paste config file, if conf_file is None.
Parameters: |
|
---|---|
Raises: | RuntimeError when config file cannot be located or application cannot be loaded from config file |
Routines for URL-safe encrypting/decrypting
Decrypts URL-safe base64 encoded ciphertext. On Python 3, the result is decoded from UTF-8.
Parameters: |
|
---|---|
Returns: | Resulting plaintext |
Encrypts plaintext. Resulting ciphertext will contain URL-safe characters. If plaintext is Unicode, encode it to UTF-8 before encryption.
Parameters: |
|
---|---|
Returns: | Resulting ciphertext |
Glance exception subclasses
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.ArtifactLoadError
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Forbidden
Bases: exceptions.Exception
Base Glance Exception
To correctly use this class, inherit from it and define a ‘message’ property. That message will get printf’d with the keyword arguments provided to the constructor.
Bases: glance.common.exception.LimitExceeded
Bases: glance.common.exception.LimitExceeded
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.LimitExceeded
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.LimitExceeded
Bases: glance.common.exception.TaskException, glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.JsonPatchException
Bases: glance.common.exception.JsonPatchException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.TaskException, glance.common.exception.Invalid
Bases: glance.common.exception.TaskException, glance.common.exception.Invalid
Bases: glance.common.exception.TaskException, glance.common.exception.Invalid
Bases: glance.common.exception.Invalid
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Duplicate
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.Forbidden
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.TaskException, glance.common.exception.NotFound
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.NotFound
Bases: glance.common.exception.GlanceException
Bases: glance.common.exception.GlanceException
A mixin that validates the given body for jsonpatch-compatibility. The methods supported are limited to those listed in METHODS_ALLOWED.
RPC Controller
Bases: object
Base RPCController.
This is the base controller for RPC based APIs. Commands handled by this controller respect the following form:
    [{
        ‘command’: ‘method_name’,
        ‘kwargs’: {...}
    }]
The controller is capable of processing more than one command per request and will always return a list of results.
Params raise_exc: | Boolean that specifies whether to raise exceptions instead of “serializing” them. |
---|---|
Exports methods through the RPC Api.
Params resource: | Resource’s instance to register. |
---|---|
Params filtered: | List of methods that can be registered. Read as “Method must be in this list”. |
Params excluded: | List of methods to exclude. |
Params refiner: | Callable to use as filter for methods. |
Raises TypeError: | If refiner is not callable. |
Support signature verification.
Bases: object
Create verifier to use when the key type is DSA
Parameters: |
|
---|---|
Returns: | the verifier to use to verify the signature for DSA |
Create the verifier to use when the key type is ECC_*.
Parameters: |
|
---|---|
Returns: | the verifier to use to verify the signature for ECC_* |
Create the verifier to use when the key type is RSA-PSS.
Parameters: |
|
---|---|
Returns: | the verifier to use to verify the signature for RSA-PSS |
Raises glance.common.exception.SignatureVerificationError: | if the RSA-PSS specific properties are invalid |
Create the certificate object from the retrieved certificate data.
Parameters: |
|
---|---|
Returns: | the certificate cryptography object |
Raises glance.common.exception.SignatureVerificationError: | if the retrieval fails or the format is invalid |
Verify the hash method name and create the hash method.
Parameters: | hash_method_name – the name of the hash method to retrieve |
---|---|
Returns: | the hash method, a cryptography object |
Raises glance.common.exception.SignatureVerificationError: | if the hash method name is invalid |
Create the public key object from a retrieved certificate.
Parameters: |
|
---|---|
Returns: | the public key cryptography object |
Raises glance.common.exception.SignatureVerificationError: | if public key format is invalid |
Decode the signature data and return the signature.
Parameters: | signature_data – the base64-encoded signature data |
---|---|
Returns: | the decoded signature |
Raises glance.common.exception.SignatureVerificationError: | if the signature data is malformed |
Retrieve the image properties and use them to create a verifier.
Parameters: |
|
---|---|
Returns: | instance of cryptography AsymmetricVerificationContext |
Raises glance.common.exception.SignatureVerificationError: | if building the verifier fails |
Determine whether a verifier should be created.
Using the image properties, determine whether existing properties indicate that signature verification should be done.
Parameters: | image_properties – the key-value properties about the image |
---|---|
Returns: | True, if signature metadata properties exist, False otherwise |
Determine whether a signature should be verified.
Using the image properties, determine whether existing properties indicate that signature verification should be done.
Parameters: | image_properties – the key-value properties about the image |
---|---|
Returns: | True, if signature metadata properties exist, False otherwise |
Verify that the certificate has not expired.
Parameters: | certificate – the cryptography certificate object |
---|---|
Raises glance.common.exception.SignatureVerificationError: | if the certificate valid time range does not include now |
Retrieve the image properties and use them to verify the signature.
Parameters: |
|
---|---|
Returns: | True if verification succeeds |
Raises glance.common.exception.SignatureVerificationError: | if verification fails |
Given a location, immediately delete or schedule the deletion of an image location and update the location status in the db.
Parameters: |
|
---|
Given a location, delete an image from the store and update the location status in the db.
This function tries to handle all known exceptions which might be raised by those calls on the store and DB modules in its implementation.
Parameters: |
|
---|
Given a location, schedule the deletion of an image location and update the location status in the db.
Parameters: |
|
---|
Validate whether the URI of an external location is supported.
Only non-local store types are OK, i.e. S3, Swift, HTTP. Note the absence of ‘file://’ for security reasons (see LP bugs #942118 and #1400966); ‘swift+config://’ is also absent for security reasons (see LP bug #1334196).
Parameters: | uri – The URI of external image location. |
---|---|
Returns: | Whether the given URI of the external image location is OK. |
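A scheme allow-list of the kind described above, as an added example (not Glance's own code). The exact scheme strings in `ALLOWED_SCHEMES`, the function names and the sample URIs are assumptions; the page only names S3, Swift and HTTP as acceptable and `file://` and `swift+config://` as excluded.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example. Anything not listed is rejected,
# so 'file' and 'swift+config' fail without needing a deny-list.
ALLOWED_SCHEMES = frozenset({
    "http", "https",
    "s3", "s3+http", "s3+https",
    "swift", "swift+http", "swift+https",
})


def check_external_location(uri):
    """Return (ok, reason) for a user-supplied image location URI."""
    if not isinstance(uri, str) or not uri.strip():
        return False, "empty or non-string URI"
    try:
        parts = urlsplit(uri.strip())
    except ValueError as exc:
        return False, "unparseable URI: %s" % exc
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "no scheme (a bare path would be a local file)"
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allow-listed" % scheme
    if not parts.netloc:
        return False, "no network location"
    return True, "ok"


def partition_locations(uris):
    """Split URIs into an accepted list and a {uri: reason} rejection map."""
    accepted, rejected = [], {}
    for uri in uris:
        ok, reason = check_external_location(uri)
        if ok:
            accepted.append(uri)
        else:
            rejected[uri] = reason
    return accepted, rejected


# Constructed sample inputs.
SAMPLE_LOCATIONS = [
    "HTTP://images.example.test/cirros.img",
    "swift+https://swift.example.test/v1/container/obj",
    "file:///etc/passwd",
    "swift+config://ref1/container/obj",
    "/var/lib/glance/images/abc",
    "http:/etc/passwd",
]
```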
Time related utilities and helper functions.
Return the difference between two timing objects.
Compute the difference in seconds between two date, time, or datetime objects (as a float, to microsecond resolution).
Returns an iso8601 formatted date from timestamp.
Stringify time in ISO 8601 format.
System-level utilities and helper functions.
Bases: object
An eventlet thread friendly class for reading in image data.
When accessing data either through the iterator or the read method we perform a sleep to allow a co-operative yield. When there is more than one image being uploaded/downloaded this prevents eventlet thread starvation, ie allows all threads to be scheduled periodically rather than having the same thread be continuously active.
Bases: object
Reader designed to fail when reading image data past the configured allowable amount.
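A size-capped reader of this kind, as an added example (not Glance's own code). The class, exception and helper names and the `chunk_size` default are assumptions for illustration.

```python
import io


class ImageSizeLimitExceeded(Exception):
    """More data was read than the configured limit allows."""


class LimitingReader:
    """Wrap a file-like object and fail once more than `limit` bytes are read."""

    def __init__(self, data, limit, chunk_size=64):
        self.data = data
        self.limit = limit
        self.chunk_size = chunk_size
        self.bytes_read = 0

    def read(self, size=-1):
        # Never request more than one byte past the limit, so an unbounded
        # read() cannot buffer an arbitrarily large upload before failing.
        remaining = self.limit - self.bytes_read + 1
        if size is None or size < 0 or size > remaining:
            size = remaining
        chunk = self.data.read(size)
        self.bytes_read += len(chunk)
        if self.bytes_read > self.limit:
            raise ImageSizeLimitExceeded(
                "read %d bytes, limit is %d" % (self.bytes_read, self.limit))
        return chunk

    def __iter__(self):
        while True:
            chunk = self.read(self.chunk_size)
            if not chunk:
                return
            yield chunk


def copy_with_limit(source, limit):
    """Drain `source` through the limiter and return the byte count."""
    return sum(len(chunk) for chunk in LimitingReader(source, limit))


def exceeds_limit(payload, limit):
    """True if streaming `payload` trips the limiter."""
    try:
        copy_with_limit(io.BytesIO(payload), limit)
    except ImageSizeLimitExceeded:
        return True
    return False
```

Enforcing the cap while streaming means the limit holds even when a client omits or understates its declared content length.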
Return an iterator to a file-like obj which yields fixed size chunks
Parameters: |
|
---|
Wrap a readable iterator with a reader yielding chunks of a preferred size, otherwise leave iterator unchanged.
Parameters: |
|
---|
Return an iterator which schedules after each iteration. This can prevent eventlet thread starvation.
Parameters: | iter – an iterator to wrap |
---|
Wrap a file descriptor’s read with a partial function which schedules after each read. This can prevent eventlet thread starvation.
Parameters: | fd – a file descriptor to wrap |
---|
Returns a dictionary-like mashup of the image core properties and the image custom properties from given image metadata.
Parameters: | image_meta – metadata of image with core and custom properties |
---|
Evaluate a comparison operator. Designed for use on a comparative-filtering query field.
Parameters: |
|
---|---|
Raises: | InvalidFilterOperatorValue if an unknown operator is provided |
Returns: | boolean result of applied comparison |
Processes HTTP headers from a supplied response that match the x-image-meta and x-image-meta-property and returns a mapping of image metadata and properties
Parameters: | response – Response to process |
---|
Converts a mapping of image metadata into a dict of HTTP headers that can be fed to either a Webob Request object or an httplib.HTTP(S)Connection object
Parameters: | image_meta – Mapping of image metadata |
---|
Verify whether a hostname (not an FQDN) is valid.
Checks that no 4 byte unicode characters are allowed in dicts’ keys/values and string’s parameters
Given a “host:port” string, attempts to parse it as intelligently as possible to determine if it is valid. This includes IPv6 [host]:port form, IPv4 ip:port form, and hostname:port or fqdn:port form.
Invalid inputs will raise a ValueError, while valid inputs will return a (host, port) tuple where the port will always be of type int.
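One way to implement the parsing rules described above, as an added example (not Glance's own code). The function names, the hostname label rules and the rejection of all-numeric final labels are this example's assumptions.

```python
import ipaddress
import re

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
PORT = re.compile(r"[0-9]{1,5}")


def parse_host_port(value):
    """Return (host, port) with port as int; raise ValueError otherwise."""
    if value.startswith("["):
        # IPv6 must be bracketed so its colons cannot be mistaken for the
        # port separator.
        end = value.find("]")
        if end == -1 or value[end + 1:end + 2] != ":":
            raise ValueError("expected [ipv6]:port, got %r" % value)
        host, port_text = value[1:end], value[end + 2:]
        ipaddress.IPv6Address(host)  # AddressValueError is a ValueError
    else:
        host, sep, port_text = value.rpartition(":")
        if not sep or ":" in host:
            raise ValueError("expected host:port, got %r" % value)
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            labels = host.split(".")
            # An all-numeric last label means a malformed IPv4 address
            # (e.g. 999.1.1.1), not a hostname.
            if (len(host) > 253
                    or not all(LABEL.fullmatch(label) for label in labels)
                    or labels[-1].isdigit()):
                raise ValueError("invalid host %r" % host)
    if not PORT.fullmatch(port_text):
        raise ValueError("invalid port %r" % port_text)
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError("port %d out of range" % port)
    return host, port


def is_rejected(value):
    """True if parse_host_port raises ValueError for `value`."""
    try:
        parse_host_port(value)
    except ValueError:
        return True
    return False
```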
Split operator from threshold in an expression. Designed for use on a comparative-filtering query field. When no operator is found, default to an equality comparison.
Parameters: | expression – the expression to parse |
---|---|
Returns: | a tuple (operator, threshold) parsed from expression |
Split filter values
Split values by commas and quotes for ‘in’ operator, according to api-wg.
Make a copy of some of the current global CONF’s settings. Allows determining if any of these values have changed when the config is reloaded.
Utility methods for working with WSGI servers
Bases: routes.mapper.Mapper
Handle route matching when url is ‘’ because routes.Mapper returns an error in this case.
Bases: glance.common.wsgi.Middleware
Helper class that can be inserted into any WSGI application chain to get information about the request and response.
Bases: object
Returns whether a Webob.Request object will possess an entity body.
Parameters: | request – Webob.Request object |
---|
Bases: object
Base WSGI middleware wrapper. These classes require an application to be initialized that will be called next. By default the middleware will simply call its wrapped app, or you can override __call__ to customize its behavior.
Bases: webob.request.Request
Add some OpenStack API-specific logic to the base webob.Request.
Bases: object
WSGI app that handles (de)serialization and controller dispatch.
Reads routing information supplied by RoutesMiddleware and calls the requested action method upon its deserializer, controller, and serializer. Those three objects may implement any of the basic controller action methods (create, update, show, index, delete) along with any that may be specified in the api router. A ‘default’ method may also be implemented to be used in place of any non-implemented actions. Deserializer methods must accept a request argument and return a dictionary. Controller methods must accept a request argument. Additionally, they must also accept keyword arguments that represent the keys returned by the Deserializer. They may raise a webob.exc exception or return a dict, which will be serialized by requested content type.
Bases: object
WSGI middleware that maps incoming requests to WSGI apps.
Bases: object
Server class to manage multiple WSGI sockets and applications.
This class requires initialize_glance_store set to True if glance store needs to be initialized.
Apply configuration settings
Parameters: |
|
---|
Ensure a socket exists and is appropriately configured.
This function is called on start up, and can also be called in the event of a configuration reload.
When called for the first time a new socket is created. If reloading and either bind_host or bind_port have been changed the existing socket must be closed and a new socket opened (laws of physics).
In all other cases (bind_host/bind_port have not changed) the existing socket is reused.
Parameters: |
|
---|
Reload and re-apply configuration settings
Existing child processes are sent a SIGHUP signal and will exit after completing existing requests. New child processes, which will have the updated configuration, are spawned. This prevents interruption to the service.
Return eventlet pool to caller.
Also store pools created in global list, to wait on it after getting signal for graceful shutdown.
Parameters: | size – eventlet pool size |
---|---|
Returns: | eventlet pool |
Bind socket to bind ip:port in conf
note: Mostly comes from Swift with a few small changes...
Parameters: | default_port – port to bind to if none is specified in conf |
---|---|
Returns: | a socket object as returned from socket.listen or ssl.wrap_socket if conf specifies cert_file |