From fab927305a112d2dbc683eb0d0bad44c8b37f84a Mon Sep 17 00:00:00 2001
From: Julien Danjou <julien@danjou.info>
Date: Fri, 18 Dec 2015 11:13:09 +0100
Subject: [PATCH] Do not enable Keystone by default

Closes-Bug: #1520272

Change-Id: I4abf404e987a305368575d64bca93869ce344fcb
---
 devstack/plugin.sh           |  6 +++++-
 doc/source/configuration.rst | 28 ++++++++++++++++++++++++++++
 doc/source/install.rst       | 28 +++++++++++++++++++++++-----
 doc/source/rest.j2           | 17 +++++++++++++----
 etc/gnocchi/api-paste.ini    |  4 ++--
 requirements.txt             |  1 -
 setup.cfg                    |  3 +++
 7 files changed, 74 insertions(+), 13 deletions(-)

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 4407ae7ab..b8a8e5aed 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -274,6 +274,8 @@ function configure_gnocchi {
             iniset $GNOCCHI_CONF cors allowed_origin ${GRAFANA_URL}
             iniset $GNOCCHI_CONF cors allow_methods GET,POST,PUT,DELETE,OPTIONS,HEAD,PATCH
             iniset $GNOCCHI_CONF cors allow_headers Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token,X-Subject-Token
+        else
+            iniset $GNOCCHI_PASTE_CONF pipeline:main pipeline "keystone_authtoken gnocchi"
         fi
     else
         iniset $GNOCCHI_PASTE_CONF pipeline:main pipeline gnocchi
@@ -360,8 +362,10 @@ function install_gnocchi {
 
     install_gnocchiclient
 
+    is_service_enabled key && EXTRA_FLAVOR=,keystonmiddleware
+
     # We don't use setup_package because we don't follow openstack/requirements
-    sudo -H pip install -e "$GNOCCHI_DIR"[test,$GNOCCHI_STORAGE_BACKEND,$DATABASE_TYPE]
+    sudo -H pip install -e "$GNOCCHI_DIR"[test,$GNOCCHI_STORAGE_BACKEND,${DATABASE_TYPE}${EXTRA_FLAVOR}]
 
     if [ "$GNOCCHI_USE_MOD_WSGI" == "True" ]; then
         install_apache_wsgi
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 5f02e675e..9c8c08e54 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -55,6 +55,34 @@ Gnocchi provides these indexer drivers:
 .. _`MySQL`: http://mysql.com
 .. _`InfluxDB`: http://influxdb.com
 
+Configuring the WSGI pipeline
+-----------------------------
+
+The API server leverages `Paste Deployment`_ to manage its configuration. You
+can edit the `/etc/gnocchi/api-paste.ini` to tweak the WSGI pipeline of the
+Gnocchi REST HTTP server. By default, no authentication middleware is enabled,
+meaning your request will have to provides the authentication headers.
+
+Gnocchi is easily connectable with `OpenStack Keystone`_. If you successfully
+installed the `keystone` flavor using `pip` (see :ref:`installation`), you can
+edit the `api-paste.ini` file to add the Keystone authentication middleware::
+
+  [pipeline:main]
+  pipeline = keystone_authtoken gnocchi
+
+Also, if you're planning on using `CORS`_ (e.g. to use `Grafana`_), you an also
+add the CORS middleware in the server pipeline::
+
+  [pipeline:main]
+  pipeline = keystone_authtoken cors gnocchi
+
+With or without Keystone support.
+
+.. _`Paste Deployment`: http://pythonpaste.org/deploy/
+.. _`OpenStack Keystone`: http://launchpad.net/keystone
+.. _`CORS`: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
+.. _`Grafana`: http://grafana.org/
+
 
 Driver notes
 ============
diff --git a/doc/source/install.rst b/doc/source/install.rst
index 6ea2b332e..1d09774c5 100644
--- a/doc/source/install.rst
+++ b/doc/source/install.rst
@@ -22,6 +22,9 @@ Then, you can start devstack:
 
     ./stack.sh
 
+
+.. _installation:
+
 Installation
 ============
 
@@ -29,18 +32,33 @@ To install Gnocchi using `pip`, just type::
 
   pip install gnocchi
 
-Depending on the drivers you want to use, you need to install extra variants
-using, for example::
+Depending on the drivers and features you want to use, you need to install
+extra variants using, for example::
 
-  pip install gnocchi[postgresql,ceph]
+  pip install gnocchi[postgresql,ceph,keystone]
+
+This would install PostgreSQL support for the indexer, Ceph support for
+storage, and Keystone support for authentication and authorization.
+
+The list of variants available is:
+
+* keystone – provides Keystone authentication support
+* mysql - provides MySQL indexer support
+* postgresql – provides PostgreSQL indexer support
+* influxdb – provides InfluxDB storage support
+* swift – provides OpenStack Swift storage support
+* ceph – provides Ceph storage support
+* file – provides file driver support
+* doc – documentation building support
+* test – unit and functional tests support
 
 To install Gnocchi from source, run the standard Python installation
 procedure::
 
   pip install -e .
 
-Again, depending on the drivers you want to use, you need to install extra
-variants using, for example::
+Again, depending on the drivers and features you want to use, you need to
+install extra variants using, for example::
 
   pip install -e .[postgresql,ceph]
 
diff --git a/doc/source/rest.j2 b/doc/source/rest.j2
index c52cdde29..af9f35ba4 100644
--- a/doc/source/rest.j2
+++ b/doc/source/rest.j2
@@ -5,10 +5,19 @@
 Authentication
 ==============
 
-By default, the `api.middleware` configuration option is set to use the
-Keystone middleware. Therefore, you must authenticate using Keystone to use the
-API and provide an `X-Auth-Token` header with a valid token for each request
-sent to Gnocchi.
+By default, no authentication is configured in Gnocchi. You need to provides
+these headers in your HTTP requests:
+
+* X-User-Id
+* X-Project-Id
+
+The `X-Roles` header can also be provided in order to match role based ACL
+specified in `policy.json`.
+
+If you enable the OpenStack Keystone middleware, you only need to authenticate
+against Keystone and provide `X-Auth-Token` header with a valid token for each
+request sent to Gnocchi. The headers mentionned above will be filled
+automatically based on your Keystone authorizations.
 
 Metrics
 =======
diff --git a/etc/gnocchi/api-paste.ini b/etc/gnocchi/api-paste.ini
index 7b6a9e1b0..e82ccb2b1 100644
--- a/etc/gnocchi/api-paste.ini
+++ b/etc/gnocchi/api-paste.ini
@@ -1,6 +1,6 @@
-# Remove keystone_authtoken from the pipeline if you don't want to use keystone authentication
+# Add keystone_authtoken in the pipeline if you want to use keystone authentication
 [pipeline:main]
-pipeline = keystone_authtoken gnocchi
+pipeline = gnocchi
 
 [app:gnocchi]
 paste.app_factory = gnocchi.rest.app:app_factory
diff --git a/requirements.txt b/requirements.txt
index 31685ed27..759bc5d18 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -17,6 +17,5 @@ werkzeug
 trollius
 retrying
 WebOb>=1.4.1
-keystonemiddleware>=4.0.0
 PasteDeploy
 prettytable
diff --git a/setup.cfg b/setup.cfg
index 06498fcc4..746200474 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -19,6 +19,8 @@ classifier =
     Topic :: System :: Monitoring
 
 [extras]
+keystone =
+    keystonemiddleware>=4.0.0
 mysql =
     pymysql
     oslo.db>=1.8.0
@@ -64,6 +66,7 @@ test =
     doc8
     sysv_ipc
     tooz>=0.11
+    keystonemiddleware>=4.0.0
 
 [global]
 setup-hooks =