Add keystone access support to ostf wsgi

- Added keystone middleware to wsgi - Additional keystone params supported in ostf.conf - Auth can be enabled by adapter/auth_enable = True Related to blueprint: access-control-master-node Change-Id: I6a6b2aacb2278fa70c45a87521de224d0230d623
2014-06-27 11:27:07 +03:00 · 2014-06-27 11:27:07 +03:00 · 64a2991f52
parent 5d24a68269
commit 64a2991f52
4 changed files with 166 additions and 3 deletions
--- a/etc/ostf/ostf.conf
+++ b/etc/ostf/ostf.conf
@ -6,4 +6,139 @@ lock_dir = /var/lock
 nailgun_host = 127.0.0.1
 nailgun_port = 8000
 log_file = /var/log/ostf.log
-after_init_hook = False
+after_init_hook = False
+auth_enable = False
+
+[keystone_authtoken]
+
+#
+# Options defined in keystoneclient.middleware.auth_token
+#
+
+# Prefix to prepend at the beginning of the path. Deprecated,
+# use identity_uri. (string value)
+#auth_admin_prefix=
+
+# Host providing the admin Identity API endpoint. Deprecated,
+# use identity_uri. (string value)
+#auth_host=127.0.0.1
+
+# Port of the admin Identity API endpoint. Deprecated, use
+# identity_uri. (integer value)
+#auth_port=35357
+
+# Protocol of the admin Identity API endpoint (http or https).
+# Deprecated, use identity_uri. (string value)
+#auth_protocol=https
+
+# Complete public Identity API endpoint (string value)
+#auth_uri=<None>
+
+# Complete admin Identity API endpoint. This should specify
+# the unversioned root endpoint eg. https://localhost:35357/
+# (string value)
+#identity_uri=<None>
+
+# API version of the admin Identity API endpoint (string
+# value)
+#auth_version=<None>
+
+# Do not handle authorization requests within the middleware,
+# but delegate the authorization decision to downstream WSGI
+# components (boolean value)
+#delay_auth_decision=false
+
+# Request timeout value for communicating with Identity API
+# server. (boolean value)
+#http_connect_timeout=<None>
+
+# How many times are we trying to reconnect when communicating
+# with Identity API Server. (integer value)
+#http_request_max_retries=3
+
+# Single shared secret with the Keystone configuration used
+# for bootstrapping a Keystone installation, or otherwise
+# bypassing the normal authentication process. (string value)
+#admin_token=<None>
+
+# Keystone account username (string value)
+#admin_user=<None>
+
+# Keystone account password (string value)
+#admin_password=<None>
+
+# Keystone service account tenant name to validate user tokens
+# (string value)
+#admin_tenant_name=admin
+
+# Env key for the swift cache (string value)
+#cache=<None>
+
+# Required if Keystone server requires client certificate
+# (string value)
+#certfile=<None>
+
+# Required if Keystone server requires client certificate
+# (string value)
+#keyfile=<None>
+
+# A PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. Defaults to system CAs. (string value)
+#cafile=<None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure=false
+
+# Directory used to cache files related to PKI tokens (string
+# value)
+#signing_dir=<None>
+
+# Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached
+# in-process. (list value)
+# Deprecated group/name - [DEFAULT]/memcache_servers
+#memcached_servers=<None>
+
+# In order to prevent excessive effort spent validating
+# tokens, the middleware caches previously-seen tokens for a
+# configurable duration (in seconds). Set to -1 to disable
+# caching completely. (integer value)
+#token_cache_time=300
+
+# Determines the frequency at which the list of revoked tokens
+# is retrieved from the Identity service (in seconds). A high
+# number of revocation events combined with a low cache
+# duration may significantly reduce performance. (integer
+# value)
+#revocation_cache_time=300
+
+# (optional) if defined, indicate whether token data should be
+# authenticated or authenticated and encrypted. Acceptable
+# values are MAC or ENCRYPT.  If MAC, token data is
+# authenticated (with HMAC) in the cache. If ENCRYPT, token
+# data is encrypted and authenticated in the cache. If the
+# value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+#memcache_security_strategy=<None>
+
+# (optional, mandatory if memcache_security_strategy is
+# defined) this string is used for key derivation. (string
+# value)
+#memcache_secret_key=<None>
+
+# (optional) indicate whether to set the X-Service-Catalog
+# header. If False, middleware will not ask for service
+# catalog on token validation and will not set the X-Service-
+# Catalog header. (boolean value)
+#include_service_catalog=true
+
+# Used to control the use and type of token binding. Can be
+# set to: "disabled" to not check token binding. "permissive"
+# (default) to validate binding information if the bind type
+# is of a form known to the server and ignore it if not.
+# "strict" like "permissive" but if the bind type is unknown
+# the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a
+# binding method that must be present in tokens. (string
+# value)
+#enforce_token_bind=permissive
--- a/fuel_plugin/ostf_adapter/config.py
+++ b/fuel_plugin/ostf_adapter/config.py
@ -44,7 +44,11 @@ adapter_opts = [
               help=""),
    cfg.StrOpt('log_file',
               default='/var/log/ostf.log',
-               help="")
+               help=""),
+    cfg.BoolOpt('auth_enable',
+                default=False,
+                help="Set True to enable auth.")
+
 ]

 cli_opts = [
--- a/fuel_plugin/ostf_adapter/wsgi/access_control.py
+++ b/fuel_plugin/ostf_adapter/wsgi/access_control.py
@ -0,0 +1,23 @@
+#    Copyright 2014 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from keystoneclient.middleware import auth_token
+from oslo.config import cfg
+
+
+def setup(app):
+    if cfg.CONF.adapter.auth_enable:
+        return auth_token.AuthProtocol(app, dict(cfg.CONF.keystone_authtoken))
+    else:
+        return app
--- a/fuel_plugin/ostf_adapter/wsgi/app.py
+++ b/fuel_plugin/ostf_adapter/wsgi/app.py
@ -15,6 +15,7 @@
 from oslo.config import cfg
 import pecan

+from fuel_plugin.ostf_adapter.wsgi import access_control
 from fuel_plugin.ostf_adapter.wsgi import hooks

 CONF = cfg.CONF
@ -56,4 +57,4 @@ def setup_app(config=None):
        force_canonical=True,
        hooks=[hooks.CustomTransactionalHook(dbpath=pecan.conf.dbpath)]
    )
-    return app
+    return access_control.setup(app)