
Merge "Replaces pipelines with flag for auth strategy"

2 parents 5674c7e + ba2c9cf commit 314dd69ab00cb35b0683a384023e0cae9844428b Jenkins committed with openstack-gerrit Mar 7, 2012
@@ -34,12 +34,11 @@ paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
use = egg:Paste#urlmap
/services/Cloud: ec2cloud
-[pipeline:ec2cloud]
-pipeline = ec2faultwrap logrequest ec2noauth cloudrequest authorizer validator ec2executor
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = ec2faultwrap logrequest authenticate cloudrequest authorizer validator ec2executor
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = ec2faultwrap logrequest ec2keystoneauth cloudrequest authorizer validator ec2executor
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest authorizer validator ec2executor
+deprecated = ec2faultwrap logrequest authenticate cloudrequest authorizer validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest authorizer validator ec2executor
[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory
@@ -90,19 +89,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
/: osvolumeversions
/v1: openstack_volume_api_v1
-[pipeline:openstack_compute_api_v2]
-pipeline = faultwrap noauth ratelimit osapi_compute_app_v2
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = faultwrap auth ratelimit osapi_compute_app_v2
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
-
-[pipeline:openstack_volume_api_v1]
-pipeline = faultwrap noauth ratelimit osapi_volume_app_v1
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = faultwrap auth ratelimit osapi_volume_app_v1
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_compute_app_v2
+deprecated = faultwrap auth ratelimit osapi_compute_app_v2
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
+
+[composite:openstack_volume_api_v1]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_volume_app_v1
+deprecated = faultwrap auth ratelimit osapi_volume_app_v1
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
@@ -38,6 +38,17 @@
LOG = logging.getLogger(__name__)
+def pipeline_factory(loader, global_conf, **local_conf):
+ """A paste pipeline replica that keys off of auth_strategy."""
+ pipeline = local_conf[FLAGS.auth_strategy].split()
+ filters = [loader.get_filter(n) for n in pipeline[:-1]]
+ app = loader.get_app(pipeline[-1])
+ filters.reverse()
+ for filter in filters:
+ app = filter(app)
+ return app
+
+
class InjectContext(wsgi.Middleware):
"""Add a 'nova.context' to WSGI environ."""
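Review bot: `local_conf[FLAGS.auth_strategy]` in `pipeline_factory` turns a misspelled or unsupported `auth_strategy`, or a composite section that lacks that key, into a bare KeyError while the paste config is loading. That fails closed, which is the right direction for an auth selector, but the operator gets no hint which flag or section is wrong; a guard such as `if FLAGS.auth_strategy not in local_conf: raise ValueError('auth_strategy %r has no pipeline in this section' % FLAGS.auth_strategy)` would say so. An empty value for the key would likewise reach `pipeline[-1]` and raise IndexError. The loop variable `filter` also shadows the builtin; `for filter_ in reversed(filters):` avoids that and makes the separate `filters.reverse()` call unnecessary.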
@@ -82,7 +93,6 @@ def __call__(self, req):
project_id,
roles=roles,
auth_token=auth_token,
- strategy='keystone',
remote_address=remote_address)
req.environ['nova.context'] = ctx
@@ -327,7 +327,6 @@ def __call__(self, req):
project_id,
roles=roles,
auth_token=token_id,
- strategy='keystone',
remote_address=remote_address)
req.environ['nova.context'] = ctxt
@@ -40,9 +40,6 @@
auth_opts = [
- cfg.BoolOpt('use_deprecated_auth',
- default=False,
- help='This flag must be set to use old style auth'),
cfg.ListOpt('allowed_roles',
default=[
'cloudadmin',
@@ -830,7 +827,7 @@ def __generate_rc(user, pid, use_dmz=True, host=None):
rc = open(FLAGS.credentials_template).read()
# NOTE(vish): Deprecated auth uses an access key, no auth uses a
# the user_id in place of it.
- if FLAGS.use_deprecated_auth:
+ if FLAGS.auth_strategy == 'deprecated':
access = user.access
else:
access = user.id
@@ -38,8 +38,7 @@ class RequestContext(object):
def __init__(self, user_id, project_id, is_admin=None, read_deleted="no",
roles=None, remote_address=None, timestamp=None,
- request_id=None, auth_token=None, strategy='noauth',
- overwrite=True):
+ request_id=None, auth_token=None, overwrite=True):
"""
:param read_deleted: 'no' indicates deleted records are hidden, 'yes'
indicates deleted records are visible, 'only' indicates that
@@ -71,7 +70,6 @@ def __init__(self, user_id, project_id, is_admin=None, read_deleted="no",
request_id = generate_request_id()
self.request_id = request_id
self.auth_token = auth_token
- self.strategy = strategy
if overwrite or not hasattr(local.store, 'context'):
local.store.context = self
@@ -84,8 +82,7 @@ def to_dict(self):
'remote_address': self.remote_address,
'timestamp': utils.strtime(self.timestamp),
'request_id': self.request_id,
- 'auth_token': self.auth_token,
- 'strategy': self.strategy}
+ 'auth_token': self.auth_token}
@classmethod
def from_dict(cls, values):
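Review bot: Dropping the `strategy` keyword from `RequestContext.__init__` (first hunk of this file) may break `from_dict` for dicts serialized before this change, which still carry the `'strategy'` key that the old `to_dict` emitted. The body of `from_dict` is outside the hunk, so this needs confirming: if it passes `values` straight to the constructor, such a dict raises TypeError. If services on mixed versions can exchange contexts, accepting and discarding the key keeps deserialization working, for example `values.pop('strategy', None)` at the top of `from_dict` or a `**kwargs` catch-all on `__init__`.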
@@ -462,6 +462,10 @@ def _get_my_ip():
cfg.StrOpt('default_access_ip_network_name',
default=None,
help='Name of network to use to set access ips for instances'),
+ cfg.StrOpt('auth_strategy',
+ default='noauth',
+ help='The strategy to use for auth. Supports noauth, keystone, '
+ 'and deprecated.'),
]
FLAGS.register_opts(global_opts)
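Review bot: `auth_strategy` is registered as a free-form string defaulting to `'noauth'`, and the help text neither says what that default means for a deployment nor is the value restricted to the three supported names. If noauth performs no credential verification, as the name and the `noauth` pipelines in the paste config hunks suggest, the help should say so, e.g. `help='The strategy to use for auth: noauth (no credential checks), keystone, or deprecated.'`. The equality tests added elsewhere in this commit (`FLAGS.auth_strategy == 'keystone'`, `== 'deprecated'`) silently treat a misspelled value as the other branch, so a one-time check that the flag is one of `('noauth', 'keystone', 'deprecated')` would catch a typo in processes that never load the paste pipelines.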
@@ -39,7 +39,6 @@
FLAGS = flags.FLAGS
-flags.DECLARE('use_deprecated_auth', 'nova.auth.manager')
GlanceClient = utils.import_class('glance.client.Client')
@@ -61,7 +60,7 @@ def _parse_image_ref(image_href):
def _create_glance_client(context, host, port):
- if context.strategy == 'keystone':
+ if FLAGS.auth_strategy == 'keystone':
# NOTE(dprince): Glance client just needs auth_tok right? Should we
# add username and tenant to the creds below?
creds = {'strategy': 'keystone',
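Review bot: Contexts that carry no token now take the keystone branch in `_create_glance_client` whenever `FLAGS.auth_strategy == 'keystone'`, because the test no longer looks at the context itself. Before this change a context built with the default `strategy='noauth'` took the other branch; now it reaches the `creds` dict, which presumably carries `context.auth_token` (the dict continues outside the hunk) and may be None for contexts created internally rather than from a request. It is worth confirming which callers pass such contexts and either guarding with `if FLAGS.auth_strategy == 'keystone' and context.auth_token:` or adding a comment that this function requires a token-bearing context under keystone.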
@@ -319,7 +318,7 @@ def delete(self, context, image_id):
# NOTE(vish): show is to check if image is available
image_meta = self.show(context, image_id)
- if FLAGS.use_deprecated_auth:
+ if FLAGS.auth_strategy == 'deprecated':
# NOTE(parthi): only allow image deletions if the user
# is a member of the project owning the image, in case of
# setup without keystone
@@ -410,7 +410,7 @@ def test_delete(self):
def test_delete_not_by_owner(self):
# this test is only relevant for deprecated auth mode
- self.flags(use_deprecated_auth=True)
+ self.flags(auth_strategy='deprecated')
fixture = self._make_fixture(name='test image')
properties = {'project_id': 'proj1'}
@@ -155,7 +155,7 @@ def test_signature_is_valid(self):
'/services/Cloud'))
def test_can_get_credentials(self):
- self.flags(use_deprecated_auth=True)
+ self.flags(auth_strategy='deprecated')
st = {'access': 'access', 'secret': 'secret'}
with user_and_project_generator(self.manager, user_state=st) as (u, p):
credentials = self.manager.get_environment_rc(u, p)
