
Opt-out of service catalog

Introducing a config option 'include_service_catalog' to indicate whether
service catalog is needed. If the 'include_service_catalog' option is set to
False, middleware will not ask for service catalog on token validation and will
not set the X-Service-Catalog header.

This option is backward compatible as it defaults to True.

DocImpact
Fixed bug 1228317

Change-Id: Id8c410a7ae0443ac425d20cb9c6a24ee5bb2cb8d
guang-yee
guang-yee committed Oct 11, 2013
1 parent b89d286 commit a97b293501fa504dd154fc921809a40bc2a34049
@@ -141,6 +141,8 @@ a WSGI component. Example for the auth_token middleware::
;Uncomment next 2 lines if Keystone server is validating client cert
;certfile = <path to middleware public cert>
;keyfile = <path to middleware private cert>
;Uncomment next line to opt-out of service catalog
;include_service_catalog = False

For services which have separate paste-deploy ini file, auth_token middleware
can be alternatively configured in [keystone_authtoken] section in the main
@@ -197,6 +199,10 @@ Configuration Options
encoded CA file/bundle that will be used to verify HTTPS connections.
* ``insecure``: (optional, default `False`) Don't verify HTTPS connections
(overrides `cafile`).
* ``include_service_catalog``: (optional, default `True`) Indicate whether to
set the X-Service-Catalog header. If False, middleware will not ask for
service catalog on token validation and will not set the X-Service-Catalog
header.

Caching for improved response
-----------------------------
@@ -291,7 +291,13 @@
default=None,
secret=True,
help='(optional, mandatory if memcache_security_strategy is'
' defined) this string is used for key derivation.')
' defined) this string is used for key derivation.'),
cfg.BoolOpt('include_service_catalog',
default=True,
help='(optional) indicate whether to set the X-Service-Catalog'
' header. If False, middleware will not ask for service'
' catalog on token validation and will not set the'
' X-Service-Catalog header.')
]
CONF.register_opts(opts, group='keystone_authtoken')
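Review bot: The help string for `include_service_catalog` describes only the header side of the option, but the validation side depends on the API version: only the v3 branch in `verify_uuid_token` appends `?nocatalog`, while the v2 branch appears to leave the request untouched, so an operator reading this help would expect the catalog fetch to be skipped unconditionally. Suggest extending the last help fragment to `' X-Service-Catalog header. The catalog is left out of the validation request only with the v3 API.'`. The same gap applies to the README wording in the two documentation hunks above.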

@@ -461,6 +467,9 @@ def __init__(self, app, conf):
self.http_request_max_retries = \
self._conf_get('http_request_max_retries')

self.include_service_catalog = self._conf_get(
'include_service_catalog')

def _assert_valid_memcache_protection_config(self):
if self._memcache_security_strategy:
if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'):
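Review bot: `self.include_service_catalog = self._conf_get('include_service_catalog')` stores whatever `_conf_get` returns, and if that is the raw value from a paste-deploy filter section it will be the string `'False'`, which is truthy, so the opt-out would silently not apply in exactly the configuration path the README hunk documents; the `cfg.BoolOpt` conversion only covers the `[keystone_authtoken]` group. If `_conf_get` does not already normalise booleans (its body is outside this hunk), coerce here the same way the existing boolean option `insecure` is handled, and add a test that passes the string form. `__init__` starts and ends outside the hunk.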
@@ -921,11 +930,9 @@ def default_tenant():
self.LOG.debug("Received request from user: %s with project_id : %s"
" and roles: %s ", user_id, project_id, roles)

try:
if self.include_service_catalog and catalog_key in catalog_root:
catalog = catalog_root[catalog_key]
rval['X-Service-Catalog'] = jsonutils.dumps(catalog)
except KeyError:
pass

return rval

@@ -1090,9 +1097,13 @@ def verify_uuid_token(self, user_token, retry=True):
if self.auth_version == 'v3.0':
headers = {'X-Auth-Token': self.get_admin_token(),
'X-Subject-Token': safe_quote(user_token)}
path = '/v3/auth/tokens'
if not self.include_service_catalog:
# NOTE(gyee): only v3 API support this option
path = path + '?nocatalog'
response, data = self._json_request(
'GET',
'/v3/auth/tokens',
path,
additional_headers=headers)
else:
headers = {'X-Auth-Token': self.get_admin_token()}
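Review bot: The `?nocatalog` suffix is added only on the `v3.0` branch, so with a v2 `auth_version` the option changes nothing about the validation request: the catalog is still retrieved from Keystone and, since the check added in the earlier hunk only affects the `X-Service-Catalog` header, it presumably still reaches the service through `keystone.token_info` in the environ (that handling is outside this hunk). The `NOTE(gyee)` comment should say so explicitly so nobody reads the option as a way to keep catalog data out of the request entirely, e.g. `# NOTE(gyee): only the v3 API supports this option; on v2 the catalog is still retrieved and only the X-Service-Catalog header is suppressed`. `path = path + '?nocatalog'` also assumes `path` carries no query string yet, which holds for the literal on the line above. `verify_uuid_token` continues outside the hunk.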
@@ -418,6 +418,8 @@ def assert_valid_request_200(self, token, with_catalog=True):
self.assertEqual(self.response_status, 200)
if with_catalog:
self.assertTrue(req.headers.get('X-Service-Catalog'))
else:
self.assertNotIn('X-Service-Catalog', req.headers)
self.assertEqual(body, ['SUCCESS'])
self.assertTrue('keystone.token_info' in req.environ)

@@ -845,6 +847,14 @@ def test_http_request_max_retries(self):

self.assertEqual(mock_obj.call_count, times_retry)

def test_nocatalog(self):
conf = {
'include_service_catalog': False
}
self.set_middleware(conf=conf)
self.assert_valid_request_200(self.token_dict['uuid_token_default'],
with_catalog=False)


class CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest):
def setUp(self):
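Review bot: `test_nocatalog` exercises only the header side of the option, with a Python `False` and the default middleware fixture, so neither the v3 `?nocatalog` request path nor the v2 behaviour is asserted, and neither is the paste-deploy string form `'False'`. Suggest adding an assertion that, with `auth_version` set to `v3.0`, the validation request path ends with `?nocatalog`, plus a second case passing `'include_service_catalog': 'False'` that expects the same outcome as the boolean. Which auth version the default fixture uses is not visible here.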
