a5962d1078
This patch updates the authentication system set up in heat: - We now authenticate against the 'heat' service at the entry point to each api call in the engine. - We are now using the 'Context' class to contain the authentication information as intended. - The two context classes are unified and we now use the same one for both WSGI and RPC. This is the intended design as the context is loaded by the WSGI middleware and then passed into the RPC methods. - We are now doing token authentication in the API that works with both native keystone and AWS style authentication. That token is then passed on to the engine for further authentication for various endpoints. Note that the heat-api-paste.ini file requires updating in order for this to work on your system. Admin user and password must be set properly in the authtoken section in order to perform token based authentication. I suspect there will be a few bugs in here yet. This is just part of the authentication/identification changes we need to make but I wanted to get this in so we could continue to work with a boto based client. Change-Id: Ib635ecd3088304e8d51d8e1fc31a8b1bf751caf3 Signed-off-by: Ian Main <imain@redhat.com>
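# Default pipeline
# PasteDeploy applies the filters in the order listed, so a request passes
# through ec2authtoken and authtoken before it reaches context and the
# application (apiv1app). Keep both authentication filters ahead of context
# and apiv1app when editing this line.
[pipeline:heat-api]
pipeline = versionnegotiation ec2authtoken authtoken context apiv1app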
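# Use the following pipeline for keystone auth
# i.e. in heat-api.conf:
# [paste_deploy]
# flavor = keystone
#
# NOTE(review): this filter list is identical to the one in
# [pipeline:heat-api], so selecting this flavor does not change which
# authentication filters run.
[pipeline:heat-api-keystone]
pipeline = versionnegotiation ec2authtoken authtoken context apiv1app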
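# Use the following pipeline to enable transparent caching of image files
# i.e. in heat-api.conf:
# [paste_deploy]
# flavor = caching
#
# The cache filter is listed after ec2authtoken, authtoken and context, so
# those filters run first on the request path. Keep that order.
# NOTE(review): "image files" reads like wording from an image service;
# confirm what the cache filter stores for heat before enabling this flavor.
[pipeline:heat-api-caching]
pipeline = versionnegotiation ec2authtoken authtoken context cache apiv1app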
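# Use the following pipeline for keystone auth with caching
# i.e. in heat-api.conf:
# [paste_deploy]
# flavor = keystone+caching
#
# NOTE(review): this filter list is identical to the one in
# [pipeline:heat-api-caching]. The cache filter stays behind the
# authentication filters; keep that order.
[pipeline:heat-api-keystone+caching]
pipeline = versionnegotiation ec2authtoken authtoken context cache apiv1app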
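# Use the following pipeline to enable the Image Cache Management API
# i.e. in heat-api.conf:
# [paste_deploy]
# flavor = cachemanagement
#
# cachemanage is listed after the authentication filters, so a request
# reaches it only after they have run.
# NOTE(review): nothing in this file restricts the management API to
# particular users or roles; check how CacheManageFilter authorizes callers
# before enabling this flavor.
[pipeline:heat-api-cachemanagement]
pipeline = versionnegotiation ec2authtoken authtoken context cache cachemanage apiv1app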
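# Use the following pipeline for keystone auth with cache management
# i.e. in heat-api.conf:
# [paste_deploy]
# flavor = keystone+cachemanagement
#
# NOTE(review): this is the only pipeline in the file that uses auth-context
# instead of context. The request context is therefore built by a different
# middleware ([filter:auth-context]) than in every other flavor. Confirm this
# is intended and that the referenced middleware exists before using this
# flavor; otherwise align it with the other pipelines.
[pipeline:heat-api-keystone+cachemanagement]
pipeline = versionnegotiation ec2authtoken authtoken auth-context cache cachemanage apiv1app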
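# Application that terminates every pipeline in this file.
# paste.app_factory is the entry point PasteDeploy calls; heat.app_factory
# presumably names the class that factory instantiates (heat.api.v1:API).
[app:apiv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.v1:API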
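# First filter in every pipeline in this file, so it runs before the
# authentication filters and handles requests that are not yet authenticated.
[filter:versionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.middleware.version_negotiation:VersionNegotiationFilter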
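# Cache filter, used only by the caching and cachemanagement pipelines.
# In those pipelines it is listed after the authentication filters.
[filter:cache]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.middleware.cache:CacheFilter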
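# Cache management filter, used only by the cachemanagement pipelines.
# NOTE(review): this file configures no authorization for it; see
# CacheManageFilter for how callers are restricted.
[filter:cachemanage]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.middleware.cache_manage:CacheManageFilter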
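# Context filter. Every pipeline lists it after ec2authtoken and authtoken,
# except heat-api-keystone+cachemanagement, which uses auth-context instead.
# NOTE(review): presumably it builds the request context from what the
# authentication filters set; it must not be moved ahead of them.
[filter:context]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.common.context:ContextMiddleware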
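# Filter for AWS (EC2) style request authentication.
# NOTE(review): presumably it checks the request against keystone_ec2_uri and
# obtains a keystone token; confirm in heat.api.v1:EC2Token.
# Both URIs use plain http. That is acceptable only while keystone listens on
# the loopback interface; use https URIs when keystone runs on another host.
# The two URIs spell the loopback host differently (127.0.0.1 and localhost).
# localhost can resolve to ::1, so prefer one spelling for both.
[filter:ec2authtoken]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.v1:EC2Token
auth_uri = http://127.0.0.1:5000/v2.0
keystone_ec2_uri = http://localhost:5000/v2.0/ec2tokens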
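# Keystone token validation filter.
# service_* and auth_* point at keystone on the loopback interface over plain
# http. If keystone is moved to another host, switch service_protocol,
# auth_protocol and auth_uri to https; otherwise tokens and the admin
# credentials below cross the network unencrypted.
[filter:authtoken]
paste.filter_factory = heat.common.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/v2.0

# These must be set to your local values in order for the token
# authentication to work.
# NOTE(review): the values below are sample credentials stored in plain text.
# Replace them before deployment, keep this file readable only by the account
# that runs heat-api, and do not commit real values to version control.
# Where the keystone setup allows it, use a dedicated service user with only
# the rights needed to validate tokens rather than the admin account.
admin_tenant_name = admin
admin_user = admin
admin_password = verybadpass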
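# Alternative context filter, referenced only by
# [pipeline:heat-api-keystone+cachemanagement].
# NOTE(review): its factory lives under keystone.middleware rather than heat,
# unlike [filter:context]. Confirm the module is importable in your
# installation and that it builds the same context as
# heat.common.context:ContextMiddleware before relying on it.
[filter:auth-context]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = keystone.middleware.heat_auth_token:KeystoneContextMiddleware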