Merge lp:~vishvananda/nova/remove-keystone-middleware into lp:~hudson-openstack/nova/trunk

Proposed by Vish Ishaya
Status: Merged
Approved by: Soren Hansen
Approved revision: 1544
Merged at revision: 1606
Proposed branch: lp:~vishvananda/nova/remove-keystone-middleware
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 176 lines (+0/-113)
3 files modified
etc/nova/api-paste.ini (+0/-30)
nova/api/auth.py (+0/-32)
nova/api/ec2/__init__.py (+0/-51)
To merge this branch: bzr merge lp:~vishvananda/nova/remove-keystone-middleware
Reviewer Review Type Date Requested Status
Soren Hansen (community) Approve
Devin Carlen (community) Approve
Review via email: mp+76297@code.launchpad.net

Description of the change

Remove keystone middlewares.

1543. By Vish Ishaya

merge trunk, fix conflicts

1544. By Vish Ishaya

remove keystone url flag

Devin Carlen (devcamcar) wrote :

yes indeed

review: Approve
Soren Hansen (soren) wrote :

This correctly removes the keystone middleware, which, per our fearless leader, is what we want.

review: Approve

Preview Diff

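--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -22,15 +22,11 @@
 pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
 # NOTE(vish): use the following pipeline for deprecated auth
 #pipeline = logrequest authenticate cloudrequest authorizer ec2executor
-# NOTE(vish): use the following pipeline for keystone
-# pipeline = logrequest totoken authtoken keystonecontext cloudrequest authorizer ec2executor
 
 [pipeline:ec2admin]
 pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
 # NOTE(vish): use the following pipeline for deprecated auth
 #pipeline = logrequest authenticate adminrequest authorizer ec2executor
-# NOTE(vish): use the following pipeline for keystone
-#pipeline = logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor
 
 [pipeline:ec2metadata]
 pipeline = logrequest ec2md
@@ -44,9 +40,6 @@
 [filter:ec2lockout]
 paste.filter_factory = nova.api.ec2:Lockout.factory
 
-[filter:totoken]
-paste.filter_factory = nova.api.ec2:ToToken.factory
-
 [filter:ec2noauth]
 paste.filter_factory = nova.api.ec2:NoAuth.factory
 
@@ -87,15 +80,11 @@
 pipeline = faultwrap noauth ratelimit osapiapp10
 # NOTE(vish): use the following pipeline for deprecated auth
 # pipeline = faultwrap auth ratelimit osapiapp10
-# NOTE(vish): use the following pipeline for keystone
-#pipeline = faultwrap authtoken keystonecontext ratelimit osapiapp10
 
 [pipeline:openstackapi11]
 pipeline = faultwrap noauth ratelimit extensions osapiapp11
 # NOTE(vish): use the following pipeline for deprecated auth
 # pipeline = faultwrap auth ratelimit extensions osapiapp11
-# NOTE(vish): use the following pipeline for keystone
-# pipeline = faultwrap authtoken keystonecontext ratelimit extensions osapiapp11
 
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory
@@ -123,22 +112,3 @@
 
 [app:osversionapp]
 paste.app_factory = nova.api.openstack.versions:Versions.factory
-
-##########
-# Shared #
-##########
-
-[filter:keystonecontext]
-paste.filter_factory = nova.api.auth:KeystoneContext.factory
-
-[filter:authtoken]
-paste.filter_factory = keystone.middleware.auth_token:filter_factory
-service_protocol = http
-service_host = 127.0.0.1
-service_port = 808
-auth_host = 127.0.0.1
-auth_port = 5001
-auth_protocol = http
-auth_uri = http://127.0.0.1:5000/
-admin_token = 999888777666
-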
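--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -43,35 +43,3 @@
  def __call__(self, req):
  req.environ['nova.context'] = self.context
  return self.application
-
-
-class KeystoneContext(wsgi.Middleware):
- """Make a request context from keystone headers"""
-
- @webob.dec.wsgify(RequestClass=wsgi.Request)
- def __call__(self, req):
- try:
- user_id = req.headers['X_USER']
- except KeyError:
- return webob.exc.HTTPUnauthorized()
- # get the roles
- roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
- project_id = req.headers['X_TENANT']
- # Get the auth token
- auth_token = req.headers.get('X_AUTH_TOKEN',
- req.headers.get('X_STORAGE_TOKEN'))
-
- # Build a context, including the auth_token...
- remote_address = getattr(req, 'remote_address', '127.0.0.1')
- remote_address = req.remote_addr
- if FLAGS.use_forwarded_for:
- remote_address = req.headers.get('X-Forwarded-For', remote_address)
- ctx = context.RequestContext(user_id,
- project_id,
- roles=roles,
- auth_token=auth_token,
- strategy='keystone',
- remote_address=remote_address)
-
- req.environ['nova.context'] = ctx
- return self.application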
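--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -46,9 +46,6 @@
  'Number of minutes to lockout if triggered.')
 flags.DEFINE_integer('lockout_window', 15,
  'Number of minutes for lockout window.')
-flags.DEFINE_string('keystone_ec2_url',
- 'http://localhost:5000/v2.0/ec2tokens',
- 'URL to get token from ec2 request.')
 flags.DECLARE('use_forwarded_for', 'nova.api.auth')
 
 
@@ -142,54 +139,6 @@
  return res
 
 
-class ToToken(wsgi.Middleware):
- """Authenticate an EC2 request with keystone and convert to token."""
-
- @webob.dec.wsgify(RequestClass=wsgi.Request)
- def __call__(self, req):
- # Read request signature and access id.
- try:
- signature = req.params['Signature']
- access = req.params['AWSAccessKeyId']
- except KeyError:
- raise webob.exc.HTTPBadRequest()
-
- # Make a copy of args for authentication and signature verification.
- auth_params = dict(req.params)
- # Not part of authentication args
- auth_params.pop('Signature')
-
- # Authenticate the request.
- creds = {'ec2Credentials': {'access': access,
- 'signature': signature,
- 'host': req.host,
- 'verb': req.method,
- 'path': req.path,
- 'params': auth_params,
- }}
- creds_json = utils.dumps(creds)
- headers = {'Content-Type': 'application/json'}
- o = urlparse(FLAGS.keystone_ec2_url)
- if o.scheme == "http":
- conn = httplib.HTTPConnection(o.netloc)
- else:
- conn = httplib.HTTPSConnection(o.netloc)
- conn.request('POST', o.path, body=creds_json, headers=headers)
- response = conn.getresponse().read()
- conn.close()
-
- # NOTE(vish): We could save a call to keystone by
- # having keystone return token, tenant,
- # user, and roles from this call.
- result = utils.loads(response)
- # TODO(vish): check for errors
-
- token_id = result['auth']['token']['id']
- # Authenticated!
- req.headers['X-Auth-Token'] = token_id
- return self.application
-
-
 class NoAuth(wsgi.Middleware):
  """Add user:project as 'nova.context' to WSGI environ."""
 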