Set tenantName to 'admin' in get_admin_auth_token.
Sets the tenantName to 'admin' in get_admin_auth_token. This is required because user-only roles are currently not supported. Given that wsgi is hard coded to check for 'role:admin' this seems to be a reasonable thing to do. In the future it would be nice to add a custom admin_role setting in the config file so the role wouldn't be hard coded to 'admin'. Also removes unused version of get_admin_auth_token. Fixes LP Bug #939015. Change-Id: I545b458e31c8a44a5a69cad1e875f0fe02956246
This commit is contained in:
parent
63437e9dca
commit
6c60d6c783
|
@ -259,3 +259,27 @@ S3 api.
|
||||||
.. Note::
|
.. Note::
|
||||||
With the S3 middleware you are connecting to the `Swift` proxy and
|
With the S3 middleware you are connecting to the `Swift` proxy and
|
||||||
not to `keystone`.
|
not to `keystone`.
|
||||||
|
|
||||||
|
Auth-Token Middleware with Username and Password
|
||||||
|
--------------------------------
|
||||||
|
|
||||||
|
It is also possible to configure Keystone's auth_token middleware using the
|
||||||
|
'admin_user' and 'admin_password' options. When using the 'admin_user' and
|
||||||
|
'admin_password' options the 'admin_token' parameter is optional. If
|
||||||
|
'admin_token' is specified it will by used only if the specified token is
|
||||||
|
still valid.
|
||||||
|
|
||||||
|
Here is an example paste config filter that makes use of the 'admin_user' and
|
||||||
|
'admin_password' parameters::
|
||||||
|
|
||||||
|
[filter:tokenauth]
|
||||||
|
paste.filter_factory = keystone.middleware.auth_token:filter_factory
|
||||||
|
service_port = 5000
|
||||||
|
service_host = 127.0.0.1
|
||||||
|
auth_port = 35357
|
||||||
|
auth_host = 127.0.0.1
|
||||||
|
auth_token = ADMIN
|
||||||
|
admin_user = admin
|
||||||
|
admin_password = keystone123
|
||||||
|
|
||||||
|
It should be noted that when using this option an 'admin' tenant/role relationship is required. The admin user is granted access to to the 'admin' role via the 'admin' tenant.
|
||||||
|
|
|
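Review bot: the option named in the prose does not match the key in the example: the text says "the 'admin_token' parameter is optional", but the filter config below sets `auth_token = ADMIN`; use one name consistently so operators know which key the middleware actually reads. Two typos in the added text: "it will by used only if" should be "it will be used only if", and "granted access to to the 'admin' role" has a doubled "to". Since this change hard codes the tenant name, the closing paragraph should say explicitly that the admin user must have the 'admin' role in a tenant named exactly 'admin', and that paragraph should be wrapped to the same line width as the rest of the file.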
@ -77,6 +77,7 @@ from webob.exc import HTTPUnauthorized
|
||||||
|
|
||||||
from keystone.common.bufferedhttp import http_connect_raw as http_connect
|
from keystone.common.bufferedhttp import http_connect_raw as http_connect
|
||||||
|
|
||||||
|
ADMIN_TENANTNAME = 'admin'
|
||||||
PROTOCOL_NAME = 'Token Authentication'
|
PROTOCOL_NAME = 'Token Authentication'
|
||||||
|
|
||||||
|
|
||||||
|
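Review bot: `ADMIN_TENANTNAME = 'admin'` is a module-level constant with no way to override it, so any deployment whose admin tenant is named differently will fail to obtain a service token with no configuration recourse. The commit message already anticipates a configurable admin role; the tenant name deserves the same treatment, for example reading an `admin_tenant_name` option from the filter config in `__init__` with 'admin' as the default and using that attribute in place of the constant.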
@ -215,26 +216,6 @@ class AuthProtocol(object):
|
||||||
#Send request downstream
|
#Send request downstream
|
||||||
return self._forward_request(env, start_response, proxy_headers)
|
return self._forward_request(env, start_response, proxy_headers)
|
||||||
|
|
||||||
# NOTE(todd): unused
|
|
||||||
def get_admin_auth_token(self, username, password):
|
|
||||||
"""
|
|
||||||
This function gets an admin auth token to be used by this service to
|
|
||||||
validate a user's token. Validate_token is a priviledged call so
|
|
||||||
it needs to be authenticated by a service that is calling it
|
|
||||||
"""
|
|
||||||
headers = {'Content-type': 'application/json',
|
|
||||||
'Accept': 'application/json'}
|
|
||||||
params = {'passwordCredentials': {'username': username,
|
|
||||||
'password': password,
|
|
||||||
'tenantId': '1'}}
|
|
||||||
conn = httplib.HTTPConnection('%s:%s' \
|
|
||||||
% (self.auth_host, self.auth_port))
|
|
||||||
conn.request('POST', '/v2.0/tokens', json.dumps(params), \
|
|
||||||
headers=headers)
|
|
||||||
response = conn.getresponse()
|
|
||||||
data = response.read()
|
|
||||||
return data
|
|
||||||
|
|
||||||
def _get_claims(self, env):
|
def _get_claims(self, env):
|
||||||
"""Get claims from request"""
|
"""Get claims from request"""
|
||||||
claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
|
claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
|
||||||
|
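Review bot: removing this copy is the right call beyond it being unused: it built a plain `httplib.HTTPConnection` to `self.auth_host:self.auth_port` regardless of `self.auth_protocol`, so it could only ever talk cleartext HTTP to Keystone and would have sent the admin password unencrypted, and it pinned `'tenantId': '1'` rather than a tenant name. The surviving implementation (see the `if self.auth_protocol == "http":` branch in the next hunk) honours the configured protocol, so please confirm nothing else calls this two-argument form before it goes.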
@ -266,7 +247,8 @@ class AuthProtocol(object):
|
||||||
"passwordCredentials": {
|
"passwordCredentials": {
|
||||||
"username": username,
|
"username": username,
|
||||||
"password": password,
|
"password": password,
|
||||||
}
|
},
|
||||||
|
"tenantName": ADMIN_TENANTNAME,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if self.auth_protocol == "http":
|
if self.auth_protocol == "http":
|
||||||
|
|
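Review bot: adding `"tenantName": ADMIN_TENANTNAME` means a deployment without a tenant literally named 'admin' now gets an authentication error from `/v2.0/tokens` where it previously got a token, and nothing in this hunk shows that response being checked. Make sure the code consuming this request treats a non-2xx status as a configuration failure and logs which tenant name was used, rather than parsing the error body as a token; the trailing comma added after the `passwordCredentials` block is correct Python and fine as is.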