Merge pull request #80 from myyukiho/feature_add-support-for-iam-IAM-342

Add support for IAM authentication

Author: Sunight

README.rst

@@ -43,19 +43,34 @@ you need apply **access key** on `qingcloud console <https://console.qingcloud.c
 
 QingCloud IaaS API
 '''''''''''''''''''
-Pass access key id and secret key into method ``connect_to_zone`` to create connection ::
+1. Pass access key id and secret key into method ``connect_to_zone`` to create connection ::
 
-  >>> import qingcloud.iaas
-  >>> conn = qingcloud.iaas.connect_to_zone(
-          'zone id',
-          'access key id',
-          'secret access key'
-      )
+      >>> import qingcloud.iaas
+      >>> conn = qingcloud.iaas.connect_to_zone(
+              'zone id',
+              'access key id',
+              'secret access key'
+          )
 
-The variable ``conn`` is the instance of ``qingcloud.iaas.connection.APIConnection``,
-we can use it to call resource related methods.
 
-Example::
+2. Call API by using IAM role
+
+If you would like to call our APIs without access key and secret key (bad things would happen if they were lost or leaked)
+or if you want a finer access control over your instances, there is a easy way to do it :P
+
+- Go to our IAM service, create an instance role and attach it to your instance.
+- Create connection without access key and secret key. ::
+
+      >>> import qingcloud.iaas
+      >>> conn = qingcloud.iaas.connect_to_zone(
+            'zone id',
+             None,
+             None
+          )
+
+
+The variable ``conn`` is the instance of ``qingcloud.iaas.connection.APIConnection``,
+we can use it to call resource related methods. Example::
 
   # launch instances
   >>> ret = conn.run_instances(
@@ -104,3 +119,4 @@ Example::
 
   # Delete the key
   >>> bucket.delete_key('myobject')
+

qingcloud/conn/auth.py

@@ -112,8 +112,11 @@ def _calc_signature(self, params, verb, path):
     def add_auth(self, req, **kwargs):
         """ add authorize information for request
         """
-        req.params['access_key_id'] = self.qy_access_key_id
-        req.params['signature_version'] = self.SignatureVersion
+        req.params['access_key_id'] = self.qy_access_key_id if 'access_key' not in kwargs else kwargs.get('access_key')
+        if 'token' in kwargs:
+            req.params['token'] = kwargs.get('token')
+        req.params['signature_version'] = self.SignatureVersion if 'signature_version' not in kwargs \
+            else kwargs.get('signature_version')
         req.params['version'] = self.APIVersion
         time_stamp = get_ts()
         req.params['time_stamp'] = time_stamp
@@ -135,6 +138,7 @@ def add_auth(self, req, **kwargs):
             req.body = ''
             # if this is a retried req, the qs from the previous try will
             # already be there, we need to get rid of that and rebuild it
+            req.params["signature"] = signature
             req.path = req.path.split('?')[0]
             req.path = (req.path + '?' + qs +
                         '&signature=' + urllib.quote_plus(signature))

qingcloud/conn/connection.py

@@ -21,6 +21,9 @@
 except:
     import http.client as httplib
 
+from qingcloud.misc.json_tool import json_load
+from qingcloud.conn.auth import QuerySignatureAuthHandler
+
 
 class ConnectionQueue(object):
     """ Http connection queue
@@ -148,7 +151,11 @@ def __str__(self):
 
     def authorize(self, connection, **kwargs):
         # add authorize information to request
-        if connection._auth_handler:
+        if connection.iam_access_key:
+            kwargs.update({'access_key': connection.iam_access_key,
+                           'token': connection._token,
+                           'signature_version': 2})
+        if connection._auth_handler and (connection.qy_access_key_id or connection.iam_access_key):
             connection._auth_handler.add_auth(self, **kwargs)
 
 
@@ -180,7 +187,7 @@ class HttpConnection(object):
 
     def __init__(self, qy_access_key_id, qy_secret_access_key, host=None,
                  port=443, protocol="https", pool=None, expires=None,
-                 http_socket_timeout=10, debug=False):
+                 http_socket_timeout=10, debug=False, credential_proxy_host=None, credential_proxy_port=80):
         """
         @param qy_access_key_id - the access key id
         @param qy_secret_access_key - the secret access key
@@ -204,6 +211,12 @@ def __init__(self, qy_access_key_id, qy_secret_access_key, host=None,
         self._proxy_port = None
         self._proxy_headers = None
         self._proxy_protocol = None
+        self._token = ''
+        self._token_exp = None
+        self.credential_proxy_host = credential_proxy_host
+        self.credential_proxy_port = credential_proxy_port
+        self.iam_access_key = None
+        self.iam_secret_key = None
 
     def set_proxy(self, host, port=None, headers=None, protocol="http"):
         """ set http (https) proxy
@@ -263,6 +276,10 @@ def send(self, method, path, params=None, headers=None, host=None,
         if not host:
             host = self.host
 
+        if not self.qy_access_key_id and not self.qy_secret_access_key:
+            if self._token:
+                path = '/iam/'
+
         # Build the http request
         request = self.build_http_request(method, path, params, auth_path,
                                           headers, host, data)
@@ -299,3 +316,31 @@ def send(self, method, path, params=None, headers=None, host=None,
             self._set_conn(conn)
 
         return response
+
+    def _check_token(self):
+        if not self._token or not self._token_exp or time.time() >= self._token_exp:
+            try:
+                conn = httplib.HTTPConnection(self.credential_proxy_host, self.credential_proxy_port, timeout=1)
+                conn.request("GET", "/latest/meta-data/security-credentials", headers={"Accept": "application/json"})
+                response = conn.getresponse()
+                # Reuse the connection
+                if response.status == 200:
+                    r = response.read()
+                    if r:
+                        # first reverse escape, then json_load
+                        r = json_load(eval(r))
+                        self._token = r.get('id_token')
+                        self._token_exp = r.get('expiration')
+                        self.iam_access_key = r.get('access_key')
+                        self.iam_secret_key = r.get('secret_key')
+
+                        self._auth_handler = QuerySignatureAuthHandler(self.host,
+                                                                       str(self.iam_access_key),
+                                                                       str(self.iam_secret_key))
+
+                elif response.status == 404:
+                    print("The current instance has no credentials")
+                    pass
+            except Exception as e:
+                print("Failed to get credentials due to error: %s" % e)
+                pass

qingcloud/iaas/connection.py

@@ -55,7 +55,8 @@ class APIConnection(HttpConnection):
     def __init__(self, qy_access_key_id, qy_secret_access_key, zone,
                  host="api.qingcloud.com", port=443, protocol="https",
                  pool=None, expires=None,
-                 retry_time=2, http_socket_timeout=60, debug=False):
+                 retry_time=2, http_socket_timeout=60, debug=False,
+                 credential_proxy_host="169.254.169.254", credential_proxy_port=80):
         """
         @param qy_access_key_id - the access key id
         @param qy_secret_access_key - the secret access key
@@ -73,10 +74,14 @@ def __init__(self, qy_access_key_id, qy_secret_access_key, zone,
 
         super(APIConnection, self).__init__(
             qy_access_key_id, qy_secret_access_key, host, port, protocol,
-            pool, expires, http_socket_timeout, debug)
+            pool, expires, http_socket_timeout, debug, credential_proxy_host, credential_proxy_port)
 
-        self._auth_handler = QuerySignatureAuthHandler(self.host,
-                                                       self.qy_access_key_id, self.qy_secret_access_key)
+        if not self.qy_access_key_id and not self.qy_secret_access_key:
+            self._check_token()
+
+        else:
+            self._auth_handler = QuerySignatureAuthHandler(self.host,
+                                                           self.qy_access_key_id, self.qy_secret_access_key)
 
         # other apis
         self.actions = [