add glance middleware ??

2012-01-10 17:27:04 -08:00 · 2012-01-10 17:27:04 -08:00 · 52da8917d1
parent 47908a4735
commit 52da8917d1
1 changed files with 78 additions and 0 deletions
--- a/keystone/glance_auth_token.py
+++ b/keystone/glance_auth_token.py
@ -0,0 +1,78 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2011 OpenStack LLC.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+Glance Keystone Integration Middleware
+
+This WSGI component allows keystone to act as an identity service for
+glance.  Glance now supports the concept of images owned by a tenant,
+and this middleware takes the authentication information provided by
+auth_token and builds a glance-compatible context object.
+
+Use by applying after auth_token in the glance-api.ini and
+glance-registry.ini configurations, replacing the existing context
+middleware.
+
+Example: examples/paste/glance-api.conf,
+    examples/paste/glance-registry.conf
+"""
+
+from glance.common import context
+
+
+class KeystoneContextMiddleware(context.ContextMiddleware):
+    """Glance keystone integration middleware."""
+
+    def process_request(self, req):
+        """
+        Extract keystone-provided authentication information from the
+        request and construct an appropriate context from it.
+        """
+        # Only accept the authentication information if the identity
+        # has been confirmed--presumably by upstream
+        if req.headers.get('X_IDENTITY_STATUS', 'Invalid') != 'Confirmed':
+            # Use the default empty context
+            req.context = self.make_context(read_only=True)
+            return
+
+        # OK, let's extract the information we need
+        auth_tok = req.headers.get('X_AUTH_TOKEN',
+                                   req.headers.get('X_STORAGE_TOKEN'))
+        user = req.headers.get('X_USER')
+        tenant = req.headers.get('X_TENANT')
+        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
+        is_admin = 'Admin' in roles
+
+        # Construct the context
+        req.context = self.make_context(auth_tok=auth_tok,
+                                        user=user,
+                                        tenant=tenant,
+                                        roles=roles,
+                                        is_admin=is_admin)
+
+
+def filter_factory(global_conf, **local_conf):
+    """
+    Factory method for paste.deploy
+    """
+    conf = global_conf.copy()
+    conf.update(local_conf)
+
+    def filter(app):
+        return KeystoneContextMiddleware(app, conf)
+
+    return filter