Do not assume admin privileges on keystone

Avoid issues when running cASO with a low privileges account that cannot list all projects and scope the tokens to the projects that are to be accounted. This allows to run cASO and generate records for non-admin users.
enolfc · Sep 29, 2023 · 1869f55 · 1869f55
1 parent e40e883
commit 1869f55
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/caso/extract/manager.py b/caso/extract/manager.py
@@ -31,6 +31,9 @@
 from caso import keystone_client
 from caso import loading
 
+from keystoneauth1.exceptions.catalog import EmptyCatalog
+from keystoneauth1.exceptions.http import Forbidden
+
 cli_opts = [
     cfg.ListOpt(
         "projects",
@@ -119,12 +122,20 @@ def __init__(self):
     def projects(self):
         """Get list of configured projects."""
         projects = CONF.projects
-        aux = [i.id for i in self.keystone.projects.list(tags=CONF.caso_tag)]
+        aux = []
+        try:
+            aux = [i.id for i in self.keystone.projects.list(tags=CONF.caso_tag)]
+        except Forbidden as e:
+            LOG.warning(f"Unable to get projects from Keystone, ignoring - {e}")
         return set(projects + aux)
 
-    def _get_keystone_client(self):
+    def _get_keystone_client(self, project=None, system_scope="all"):
         """Get a Keystone Client to get the projects that we will use."""
-        client = keystone_client.get_client(CONF, system_scope="all")
+        if project:
+            system_scope = None
+        client = keystone_client.get_client(
+            CONF, project=project, system_scope=system_scope
+        )
         return client
 
     def get_lastrun(self, project):
@@ -195,7 +206,16 @@ def voms_map(self):
 
     def get_project_vo(self, project_id):
         """Get the VO where the project should be mapped."""
-        project = self.keystone.projects.get(project_id)
+        try:
+            project = self.keystone.projects.get(project_id)
+        except (EmptyCatalog, Forbidden):
+            # we may need scoping here, retrying
+            LOG.warning(
+                f"Scoping the keystone client to the current project {project_id}"
+            )
+            self.keystone = self._get_keystone_client(project_id)
+            project = self.keystone.projects.get(project_id)
+
         project.get()
         vo = project.to_dict().get(CONF.vo_property, None)
         if vo is None:

diff --git a/caso/extract/openstack/base.py b/caso/extract/openstack/base.py
@@ -92,7 +92,9 @@ def _get_keystone_session(self):
 
     def _get_keystone_client(self):
         """Get a Keystone Client for the configured project in the object."""
-        client = keystone_client.get_client(CONF, system_scope="all")
+        client = keystone_client.get_client(
+            CONF, project=self.project, system_scope="all"
+        )
         return client
 
     def _get_cinder_client(self):