updating documentation for rewrite of auth_token.

fixes bug 944372

Change-Id: Ifac365a6eb141e0ca4701cf139d6ea66a0b3ffbc
Joe Heck
2012-03-14 05:08:58 +00:00
parent fb4cbe9d37
commit b03c204781
15 changed files with 139 additions and 1271 deletions

@@ -30,6 +30,7 @@ configure middleware for the OpenStack service to handle authentication tasks
or otherwise interact with Keystone.
In general:
* Clients making calls to the service will pass in an authentication token.
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
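Review bot: the second bullet ("will look for and validate that token, taking the appropriate action") leaves both halves undefined, and this is the paragraph a service operator reads first. Say what validation means (what the middleware consults to decide the token is good, and that a missing or invalid token is rejected here rather than passed on), and what the middleware hands to the downstream service on success; without that qualifier readers assume the service only ever sees authenticated requests.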
@@ -261,7 +262,7 @@ S3 api.
not to `keystone`.
Auth-Token Middleware with Username and Password
--------------------------------
------------------------------------------------
It is also possible to configure Keystone's auth_token middleware using the
'admin_user' and 'admin_password' options. When using the 'admin_user' and
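Review bot: the underline change is correct (reStructuredText needs the section underline at least as long as the title, otherwise the build warns and can mis-nest the section), but the paragraph it introduces mentions 'admin_password' without a word on handling. That value is a long-lived credential stored in clear text in the service's configuration file, so add a sentence on restricting read access to that file and on giving the 'admin_user' account no more privilege than token validation needs.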

@@ -1,41 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Handle305 Pages: 1 -->
<svg width="310pt" height="208pt"
viewBox="0.00 0.00 310.00 208.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 204)">
<title>Handle305</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-204 307,-204 307,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="98,-146 0,-146 0,-106 98,-106 98,-146"/>
<text text-anchor="middle" x="49" y="-129.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="49" y="-113.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Service -->
<g id="node4" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="119,-40 25,-40 25,-0 119,-0 119,-40"/>
<text text-anchor="middle" x="72" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="72" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<!-- Service&#45;&gt;AuthComp -->
<g id="edge5" class="edge"><title>Service:n&#45;&gt;AuthComp:n</title>
<path fill="none" stroke="black" d="M72,-40C72,-62.2222 76.6172,-67.8558 86,-88 90.0596,-96.7157 95.2138,-96.7977 98,-106 103.152,-123.015 110.312,-133.175 98,-146 92.6344,-151.589 70.1318,-155.75 57.5709,-153.773"/>
<polygon fill="black" stroke="black" points="59.2494,-150.684 49,-148 55.3388,-156.489 59.2494,-150.684"/>
<text text-anchor="middle" x="144" y="-75.4" font-family="Times,serif" font-size="14.00">305 Use Proxy</text>
<text text-anchor="middle" x="144" y="-60.4" font-family="Times,serif" font-size="14.00">To Redirect to Auth</text>
</g>
<!-- Start -->
<!-- Start&#45;&gt;Service -->
<g id="edge7" class="edge"><title>Start:sw&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M216,-164C182.398,-130.398 232.934,-94.0727 202,-58 192.167,-46.5338 159.461,-37.0056 129.317,-30.3582"/>
<polygon fill="black" stroke="black" points="129.738,-26.8696 119.229,-28.2156 128.284,-33.7169 129.738,-26.8696"/>
<text text-anchor="middle" x="255.5" y="-128.4" font-family="Times,serif" font-size="14.00">Request</text>
<text text-anchor="middle" x="255.5" y="-113.4" font-family="Times,serif" font-size="14.00">Service Directly</text>
</g>
</g>
</svg>
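Review bot: deleting this file drops the only description of the "305 Use Proxy" path (a direct, unauthenticated request to the service answered with a redirect to the auth component); check that the RST that referenced this image, and the prose describing that path, go in the same change, or the doc build is left with a dangling image directive. The flow is not worth re-documenting in the rewrite either: a 305 depends on the client honouring a redirect to a different host in order to authenticate, which common clients ignore, and the status code has since been deprecated by the HTTP specification.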

@@ -1,36 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Both Pages: 1 -->
<svg width="116pt" height="180pt"
viewBox="0.00 0.00 116.00 180.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 176)">
<title>Both</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-176 113,-176 113,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="104,-172 6,-172 6,-132 104,-132 104,-172"/>
<text text-anchor="middle" x="55" y="-155.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="55" y="-139.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Together -->
<g id="node4" class="node"><title>Together</title>
<polygon fill="white" stroke="white" points="108,-95.5 0,-95.5 0,-0.5 108,-0.5 108,-95.5"/>
<polygon fill="white" stroke="white" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Together -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Together:OStack:n</title>
<path fill="none" stroke="black" d="M55,-131.871C55,-113.129 55,-84.1127 55,-57.1901"/>
<polygon fill="black" stroke="black" points="58.5001,-57 55,-47 51.5001,-57 58.5001,-57"/>
</g>
</g>
</svg>
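Review bot: of the deleted figures, this is the one that matches the deployment the rewritten text describes (the auth component running inside the OpenStack service as middleware rather than as a separate proxy in front of it), so confirm the new documentation carries an equivalent figure or at least a sentence making that placement explicit before it is dropped; the remaining deletions retire the standalone-proxy pictures, which is the model actually going away.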

@@ -1,53 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectForbidden Pages: 1 -->
<svg width="670pt" height="102pt"
viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
<title>DelegateRejectForbidden</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
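Review bot: the flow removed here has the auth component asserting the caller's identity to the service through "X-Authorization: Proxy U" and "X-Identity-Status: Confirmed" while authenticating itself with "Authorization: Basic dTpw" (which decodes to u:p). Whatever replaces this figure should state the trust rule it only implied: the service may honour those identity headers only on requests that arrived through the auth component, and must strip or ignore them on anything reaching its port directly, because any caller that can reach the service can set the same headers. The deletion also retires the "WWW-Authenticate: Delegated" challenge; make sure no remaining text still tells services to emit it.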

@@ -1,52 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateForbiddnProxy Pages: 1 -->
<svg width="656pt" height="81pt"
viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
<title>DelegateForbiddnProxy</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
</g>
</svg>
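Review bot: in this variant the service's "403 Forbidden" is reported to the caller as "500 Internal Error", which was an odd contract (an authorization refusal is not a server fault, and a 500 hides the challenge the service sent). Retiring the picture is fine, but grep the remaining docs for "500 Internal Error" to be sure the rewritten middleware section does not still describe that mapping.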

@@ -1,55 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectAuthBasic Pages: 1 -->
<svg width="670pt" height="113pt"
viewBox="0.00 0.00 670.00 112.84" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 108.841)">
<title>DelegateRejectAuthBasic</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-108.841 667,-108.841 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="346,-72.8409 248,-72.8409 248,-32.8409 346,-32.8409 346,-72.8409"/>
<text text-anchor="middle" x="297" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="297" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.3777,-61.3549C60.1429,-62.8044 66.2278,-64.0845 72,-64.8409 141.627,-73.9651 160.053,-71.0554 230,-64.8409 232.523,-64.6168 235.094,-64.346 237.686,-64.038"/>
<polygon fill="black" stroke="black" points="238.294,-67.4878 247.737,-62.6852 237.36,-60.5504 238.294,-67.4878"/>
<text text-anchor="middle" x="151" y="-72.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M268.012,-32.6508C256.688,-25.9141 243.253,-19.2572 230,-15.8409 162.001,1.68741 138.106,7.84667 72,-15.8409 64.6685,-18.468 57.6762,-22.8621 51.4824,-27.7226"/>
<polygon fill="black" stroke="black" points="48.8781,-25.3457 43.5743,-34.5174 53.44,-30.655 48.8781,-25.3457"/>
<text text-anchor="middle" x="151" y="-48.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="151" y="-33.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Basic</text>
<text text-anchor="middle" x="151" y="-18.2409" font-family="Times,serif" font-size="14.00">Realm=&quot;API Realm&quot;</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-72.8409 568,-72.8409 568,-32.8409 662,-32.8409 662,-72.8409"/>
<text text-anchor="middle" x="615" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M346.009,-56.9214C352.065,-57.3007 358.172,-57.6238 364,-57.8409 446.609,-60.9191 467.394,-61.0134 550,-57.8409 552.523,-57.744 555.101,-57.626 557.704,-57.4913"/>
<polygon fill="black" stroke="black" points="558.03,-60.9783 567.807,-56.8985 557.62,-53.9903 558.03,-60.9783"/>
<text text-anchor="middle" x="457" y="-92.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="457" y="-77.2409" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy b</text>
<text text-anchor="middle" x="457" y="-62.2409" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-32.7447C568.397,-29.0597 559.064,-25.7713 550,-23.8409 469.146,-6.62237 444.948,-7.07388 364,-23.8409 357.891,-25.1063 351.655,-26.957 345.566,-29.1213"/>
<polygon fill="black" stroke="black" points="344.234,-25.8836 336.158,-32.7413 346.748,-32.4166 344.234,-25.8836"/>
<text text-anchor="middle" x="457" y="-41.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="457" y="-26.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
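Review bot: this figure documented the deferred-decision path: a rejected Basic credential ("Yjpw", i.e. b:p) is still forwarded to the service, marked "X-Identity-Status: Indeterminate", and the service decides whether to answer 401. If the rewritten auth_token keeps a mode that defers the decision to the service, the text has to say explicitly that the service must check the status header itself and must not treat the mere presence of "X-Authorization" as proof of authentication; that rule lived only in this picture and is lost with it.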

@@ -1,56 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectAuthOAuth Pages: 1 -->
<svg width="722pt" height="128pt"
viewBox="0.00 0.00 722.00 127.50" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 123.504)">
<title>DelegateRejectAuthOAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-123.504 719,-123.504 719,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="398,-87.504 300,-87.504 300,-47.504 398,-47.504 398,-87.504"/>
<text text-anchor="middle" x="349" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="349" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.4752,-81.8682C60.1286,-84.2034 66.1458,-86.2617 72,-87.504 163.3,-106.879 189.647,-100.994 282,-87.504 284.667,-87.1144 287.375,-86.642 290.098,-86.104"/>
<polygon fill="black" stroke="black" points="290.972,-89.4951 299.969,-83.9 289.446,-82.6633 290.972,-89.4951"/>
<text text-anchor="middle" x="177" y="-101.904" font-family="Times,serif" font-size="14.00">Authorization: OAuth 000&#45;999&#45;222</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M325.91,-47.4946C313.721,-38.2548 297.999,-28.2878 282,-23.504 192.578,3.23327 158.428,11.7282 72,-23.504 62.489,-27.3811 53.8955,-34.3434 46.8279,-41.6023"/>
<polygon fill="black" stroke="black" points="43.8515,-39.6795 39.7866,-49.4636 49.0657,-44.3499 43.8515,-39.6795"/>
<text text-anchor="middle" x="177" y="-70.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="177" y="-55.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: OAuth</text>
<text text-anchor="middle" x="177" y="-40.904" font-family="Times,serif" font-size="14.00">Realm=API Realm,</text>
<text text-anchor="middle" x="177" y="-25.904" font-family="Times,serif" font-size="14.00">Error=invalid&#45;token</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="714,-87.504 620,-87.504 620,-47.504 714,-47.504 714,-87.504"/>
<text text-anchor="middle" x="667" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="667" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M398.009,-71.5844C404.065,-71.9638 410.172,-72.2868 416,-72.504 498.609,-75.5822 519.394,-75.6765 602,-72.504 604.523,-72.4071 607.101,-72.2891 609.704,-72.1544"/>
<polygon fill="black" stroke="black" points="610.03,-75.6414 619.807,-71.5616 609.62,-68.6534 610.03,-75.6414"/>
<text text-anchor="middle" x="509" y="-106.904" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="509" y="-91.904" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy</text>
<text text-anchor="middle" x="509" y="-76.904" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M629.062,-47.4077C620.397,-43.7227 611.064,-40.4344 602,-38.504 521.146,-21.2854 496.948,-21.7369 416,-38.504 409.891,-39.7693 403.655,-41.62 397.566,-43.7843"/>
<polygon fill="black" stroke="black" points="396.234,-40.5466 388.158,-47.4043 398.748,-47.0797 396.234,-40.5466"/>
<text text-anchor="middle" x="509" y="-55.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="509" y="-40.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
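Review bot: the only mention of OAuth handling ("Authorization: OAuth 000-999-222", "WWW-Authenticate: OAuth ... Error=invalid-token") leaves with this file, and the Indeterminate pass-through shown is the same as in the Basic case, so one sentence in the text covering both schemes is enough; but check that the rewritten docs no longer list OAuth as a supported scheme unless auth_token actually implements it.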

@@ -1,53 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateUnimplemented Pages: 1 -->
<svg width="670pt" height="102pt"
viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
<title>DelegateUnimplemented</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">501 Unimplemented</text>
<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
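Review bot: the "501 Unimplemented" from the service is mapped to "500 Internal Error" for the caller here, exactly as the 403 was in the forbidden-proxy figure; the two pictures differ only in the service's status code, which suggests the old docs spread a single error-mapping rule across several images. If any such mapping survives in the rewrite, document it once as a table of service status to caller status rather than re-adding per-status figures.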

@@ -1,73 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Mapper Pages: 1 -->
<svg width="174pt" height="264pt"
viewBox="0.00 0.00 174.00 264.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 260)">
<title>Mapper</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-260 171,-260 171,5 -4,5"/>
<!-- Start -->
<!-- Mapper -->
<g id="node4" class="node"><title>Mapper</title>
<polygon fill="#ebf1de" stroke="#687b37" points="119,-184 49,-184 49,-148 119,-148 119,-184"/>
<text text-anchor="middle" x="84" y="-161.4" font-family="Helvetica,sans-Serif" font-size="14.00">Mapper</text>
</g>
<!-- Start&#45;&gt;Mapper -->
<g id="edge3" class="edge"><title>Start&#45;&gt;Mapper</title>
<path fill="none" stroke="black" d="M84,-219.831C84,-212.131 84,-202.974 84,-194.417"/>
<polygon fill="black" stroke="black" points="87.5001,-194.413 84,-184.413 80.5001,-194.413 87.5001,-194.413"/>
</g>
<!-- Auths -->
<g id="node6" class="node"><title>Auths</title>
<polygon fill="white" stroke="white" points="166,-112 0,-112 0,-76 166,-76 166,-112"/>
<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
<polygon fill="none" stroke="#c00000" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
<text text-anchor="start" x="13.5" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth1</text>
<polygon fill="#fdefe3" stroke="#fdefe3" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
<polygon fill="none" stroke="#c00000" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
<text text-anchor="start" x="64" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth2</text>
<polygon fill="#fdefe3" stroke="#fdefe3" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
<polygon fill="none" stroke="#c00000" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
<text text-anchor="start" x="114" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth3</text>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge5" class="edge"><title>Mapper:sw&#45;&gt;Auths:auth1</title>
<path fill="none" stroke="black" d="M49,-148C37.5237,-136.524 34.1339,-129.157 33.2662,-116.083"/>
<polygon fill="black" stroke="black" points="36.7628,-115.904 33,-106 29.7652,-116.089 36.7628,-115.904"/>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge7" class="edge"><title>Mapper:s&#45;&gt;Auths:auth2</title>
<path fill="none" stroke="black" d="M84,-148C84,-133.271 84,-127.258 84,-116.207"/>
<polygon fill="black" stroke="black" points="87.5001,-116 84,-106 80.5001,-116 87.5001,-116"/>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge9" class="edge"><title>Mapper:se&#45;&gt;Auths:auth3</title>
<path fill="none" stroke="black" d="M119,-148C130.388,-136.612 133.173,-129.088 133.817,-116.035"/>
<polygon fill="black" stroke="black" points="137.317,-116.062 134,-106 130.318,-115.934 137.317,-116.062"/>
</g>
<!-- Service -->
<g id="node10" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="131,-40 37,-40 37,-0 131,-0 131,-40"/>
<text text-anchor="middle" x="84" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="84" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge11" class="edge"><title>Auths:auth1&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M33,-81C33,-68.2561 39.6326,-56.7707 48.1141,-47.2933"/>
<polygon fill="black" stroke="black" points="50.6575,-49.6992 55.221,-40.1376 45.6908,-44.7664 50.6575,-49.6992"/>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge13" class="edge"><title>Auths:auth2&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M84,-81C84,-70.9674 84,-60.0066 84,-50.1784"/>
<polygon fill="black" stroke="black" points="87.5001,-50.0559 84,-40.056 80.5001,-50.056 87.5001,-50.0559"/>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge15" class="edge"><title>Auths:auth3&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M134,-81C134,-68.4835 127.626,-57.1283 119.429,-47.7009"/>
<polygon fill="black" stroke="black" points="121.686,-45.0006 112.215,-40.2521 116.658,-49.8705 121.686,-45.0006"/>
</g>
</g>
</svg>
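Review bot: the Mapper figure (a dispatcher selecting one of Auth1/Auth2/Auth3 ahead of the service) describes a multi-authenticator design that nothing else in this change mentions. If the mapper is gone from the code, say so in the doc text so readers of older deployment notes do not expect to chain auth components; if it still exists, the figure needs a replacement rather than a deletion.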

@@ -1,51 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: ProxyAuth Pages: 1 -->
<svg width="644pt" height="74pt"
viewBox="0.00 0.00 644.00 73.70" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 69.7025)">
<title>ProxyAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-69.7025 641,-69.7025 641,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-55.7025 250,-55.7025 250,-15.7025 348,-15.7025 348,-55.7025"/>
<text text-anchor="middle" x="299" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-35.7025C97.1107,-35.7025 182.142,-35.7025 239.791,-35.7025"/>
<polygon fill="black" stroke="black" points="239.864,-39.2026 249.863,-35.7025 239.863,-32.2026 239.864,-39.2026"/>
<text text-anchor="middle" x="152" y="-38.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp:w&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M250,-35.7025C238.368,-35.7025 242.686,-21.2988 232,-16.7025 166.676,11.3956 141.697,-2.59182 72,-16.7025 69.1948,-17.2705 66.3471,-18.0189 63.5169,-18.8903"/>
<polygon fill="black" stroke="black" points="62.3066,-15.6059 54.0489,-22.2437 64.6436,-22.2043 62.3066,-15.6059"/>
<text text-anchor="middle" x="152" y="-19.1025" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-55.7025 542,-55.7025 542,-15.7025 636,-15.7025 636,-55.7025"/>
<text text-anchor="middle" x="589" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="589" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.195,-35.7025C399.052,-35.7025 478.372,-35.7025 531.947,-35.7025"/>
<polygon fill="black" stroke="black" points="531.971,-39.2026 541.971,-35.7025 531.971,-32.2026 531.971,-39.2026"/>
<text text-anchor="middle" x="445" y="-53.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="445" y="-38.1025" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service:w&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M542,-35.7025C530.368,-35.7025 534.686,-21.2988 524,-16.7025 459.492,11.0444 435.553,-7.03121 366,-16.7025 363.341,-17.0723 360.639,-17.5208 357.922,-18.0316"/>
<polygon fill="black" stroke="black" points="357.121,-14.6237 348.066,-20.1248 358.575,-21.471 357.121,-14.6237"/>
<text text-anchor="middle" x="445" y="-19.1025" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
</g>
</svg>
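Review bot: the ProxyAuth image deleted here is still referenced as `images/graphs_proxyAuth.svg` under the `.. _proxyAuth:` label in the middleware_architecture hunk below, and that label is cited from the "Reverse Proxy Authentication" prose (`:ref:`proxyAuth`` and `:ref:`proxyAuthDelegated``); confirm that the `.. image::` directive, the label and every `:ref:` to it are all on the removed side of that hunk, otherwise the Sphinx build will warn about a missing image and an undefined label. The figure is also the only place that documents the `Authorization: Basic` exchange between the auth component and the service together with the `X-Authorization: Proxy U` header; since the rewritten text no longer describes reverse-proxy authentication or `X-Authorization`, dropping it is consistent, but the `[RFC-2617]_` reference that exists only to support that figure should go with it.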


View File

@@ -1,200 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="222pt"
height="135pt"
viewBox="0.00 0.00 245.00 135.00"
id="svg3479"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="layouts-full.svg">
<metadata
id="metadata3492">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>
<defs
id="defs3490" />
<sodipodi:namedview
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1"
objecttolerance="10"
gridtolerance="10"
guidetolerance="10"
inkscape:pageopacity="0"
inkscape:pageshadow="2"
inkscape:window-width="1680"
inkscape:window-height="1002"
id="namedview3488"
showgrid="false"
inkscape:zoom="1"
inkscape:cx="-0.58191504"
inkscape:cy="23.096747"
inkscape:window-x="0"
inkscape:window-y="22"
inkscape:window-maximized="0"
inkscape:current-layer="svg3479" />
<g
id="layouts">
<title
id="title3482">Auth Layouts</title>
<text
text-anchor="middle"
x="58"
y="134"
font-family="Helvetica,sans-Serif"
font-size="14.00"
id="text3484">(a)</text>
<text
text-anchor="middle"
x="178"
y="134"
font-family="Helvetica,sans-Serif"
font-size="14.00"
id="text3486">(b)</text>
</g>
<g
id="graph1"
class="graph"
transform="matrix(0.81928538,0,0,0.77044025,18.190271,97.915731)">
<title
id="title3172">Together</title>
<polygon
style="fill:#ffffff;stroke:#ffffff"
points="-4,5 -4,5 -4,-100 113,-100 113,5 "
id="polygon3174" />
<!-- Together -->
<g
id="node2"
class="node">
<title
id="title3177">Together</title>
<polygon
style="fill:#fdefe3;stroke:#fdefe3"
points="8,-47 8,-47 8,-91 101,-91 101,-47 "
id="polygon3179" />
<polygon
style="fill:none;stroke:#c00000"
points="8,-47 8,-47 8,-91 101,-91 101,-47 "
id="polygon3181" />
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="38"
y="-75.233299"
font-size="14.00"
id="text3183">Auth</text>
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="13.5"
y="-58.4333"
font-size="14.00"
id="text3185">Component</text>
<polygon
style="fill:#d1ebf1;stroke:#d1ebf1"
points="8,-4 8,-4 8,-47 101,-47 101,-4 "
id="polygon3187" />
<polygon
style="fill:none;stroke:#1f477d"
points="8,-4 8,-4 8,-47 101,-47 101,-4 "
id="polygon3189" />
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="15.5"
y="-31.733299"
font-size="14.00"
id="text3191">OpenStack</text>
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="28"
y="-14.9333"
font-size="14.00"
id="text3193">Service</text>
</g>
</g>
<g
id="graph2"
class="graph"
transform="matrix(0.84200867,0,0,0.82332332,134.01425,108.66091)">
<title
id="title3134">Seperate</title>
<polygon
style="fill:#ffffff;stroke:#ffffff"
points="-4,-120 103,-120 103,5 -4,5 -4,5 "
id="polygon3136" />
<!-- AuthComp -->
<g
id="node2-9"
class="node">
<title
id="title3139">AuthComp</title>
<polygon
style="fill:#fdefe3;stroke:#c00000"
points="0,-116 0,-76 98,-76 98,-116 98,-116 "
id="polygon3141" />
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-99.400002"
font-size="14.00"
id="text3143">Auth</text>
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-83.400002"
font-size="14.00"
id="text3145">Component</text>
</g>
<!-- Service -->
<g
id="node4"
class="node">
<title
id="title3148">Service</title>
<polygon
style="fill:#d1ebf1;stroke:#1f477d"
points="2,-40 2,0 96,0 96,-40 96,-40 "
id="polygon3150" />
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-23.4"
font-size="14.00"
id="text3152">OpenStack</text>
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-7.4000001"
font-size="14.00"
id="text3154">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g
id="edge3"
class="edge">
<title
id="title3157">AuthComp-&gt;Service</title>
<path
style="fill:none;stroke:#000000"
inkscape:connector-curvature="0"
d="m 49,-75.6334 c 0,7.8148 0,16.9081 0,25.4504"
id="path3159" />
<polygon
style="fill:#000000;stroke:#000000"
points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593 "
id="polygon3161" />
</g>
</g>
</svg>
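Review bot: this "Auth Layouts" figure (panels (a) Together and (b) Seperate) is the one referenced as `images/images_layouts.svg` beneath the `.. _deployment:` label and the "Figure 3. Authentication Component Deployments Options" caption in the middleware_architecture hunk; the new "Deployment Strategy" text drops the Option (a)/Option (b) discussion, so the `.. image::` directive, the caption, the `.. _deployment:` and `.. _deployStrategies:` labels and the `:ref:`deployment`` / `:ref:`deployStrategies`` mentions (including the one in "The Default Component") all need to be removed together, or Sphinx will report a missing image and dangling labels.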


View File

@@ -52,7 +52,7 @@ Man Pages
.. toctree::
:maxdepth: 1
man/keystone
man/keystone-all
man/keystone-manage
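Review bot: this hunk swaps the man page entry in the toctree between `man/keystone` and `man/keystone-all` (one replaced line); the corresponding man page source is not part of the files shown in this change, so confirm that the document named by the new entry exists under `man/`, otherwise Sphinx will warn that the toctree references a nonexistent document.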
Developers Documentation
@@ -62,6 +62,7 @@ Developers Documentation
developing
architecture
middleware_architecture
api_curl_examples
Code Documentation

View File

@@ -21,29 +21,20 @@ Middleware Architecture
Abstract
========
The Keystone middleware architecture supports multiple authentication protocols
in a pluggable manner in OpenStack. By providing support for authentication via
pluggable authentication components, this architecture allows OpenStack
services to be integrated easily into existing deployment environments. It also
provides a path by which to implement support for emerging authentication
standards such as OAUTH.
The Keystone middleware architecture supports a common authentication protocol
in use between the OpenStack projects. By using keystone as a common
authentication and authorization mechanisms, the OpenStack project can plug in
to existing authentication and authorization systems in use by existing
environments.
Rationale and Goals
===================
In this document, we describe the architecture and responsibilities of the
authentication middleware which acts as the internal API mechanism for
OpenStack projects based on the WSGI standard.
Keystone is the Identity service for OpenStack. To support the easy integrating
of OpenStack with existing authentication and identity management systems,
Keystone supports talking to multiple backends like LDAP.
And to support different deployment needs, it can support multiple
authentication protocols via pluggable 'authentication components' implemented
as WSGI middleware.
In this document, we describe the responsibilities of the authentication
middleware. We describe how these interact with underlying OpenStack services
and how existing services can be modified to take advantage of pluggable
authentication. The goal is to allow OpenStack services to be integrated easily
into existing deployment environments and to provide a path by which to
implement support for emerging authentication standards such as OAUTH.
For the architecture of keystone and its services, please see
:doc:`architecture`. This documentation primarily describes the implementation
in ``keystone/middleware/auth_token.py``
(:py:class:`keystone.middleware.auth_token.AuthProtocol`)
Specification Overview
======================
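Review bot: grammar in the new Abstract: "By using keystone as a common authentication and authorization mechanisms" should read "mechanism", and "the OpenStack project can plug in to existing authentication and authorization systems in use by existing environments" reads better as "OpenStack projects can plug in to the authentication and authorization systems already in use in a deployment". The closing sentence of the new Rationale paragraph, ending in `(:py:class:`keystone.middleware.auth_token.AuthProtocol`)`, also needs a full stop.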
@@ -52,14 +43,25 @@ Specification Overview
are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest
Access, public key, token, etc, are used to verify a user's identity. In this
document, we define an ''authentication component'' as a software module that
implements an authentication protocol for an OpenStack service.
implements an authentication protocol for an OpenStack service. OpenStack is
using a token based mechanism to represent authentication and authorization.
At a high level, an authentication component is simply a reverse proxy that
intercepts HTTP calls from clients. Once it has verified a user's identity, the
authentication component extends the call with information about the current
user and forwards the request to the OpenStack service. Otherwise, if a user's
identity is not verified, the message is rejected before it gets to the
service. This is illustrated in :ref:`authComponent`.
At a high level, an authentication middleware component is a proxy that
intercepts HTTP calls from clients and populates HTTP headers in the request
context for other WSGI middleware or applications to use. The general flow
of the middleware processing is:
* clear any existing authorization headers to prevent forgery
* collect the token from the existing HTTP request headers
* validate the token
* if valid, populate additional headers representing the identity that has
been authenticated and authorized
* in invalid, or not token present, reject the request (HTTPUnauthorized)
or pass along a header indicating the request is unauthorized (configurable
in the middleware)
* if the keystone service is unavailable to validate the token, reject
the request with HTTPServiceUnavailable.
.. _authComponent:
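Review bot: typo in the new flow list: "in invalid, or not token present" should be "if invalid, or no token present". More importantly, the first bullet ("clear any existing authorization headers to prevent forgery") states the key security property of this middleware and should name the headers it strips (the `X-Identity-Status`, `X-Tenant*`, `X-User*` and `X-Roles` headers documented later in this file), so that operators understand any client-supplied copies of those headers are discarded before the request reaches the service. The "collect the token" bullet could likewise name the headers it inspects (`X-Auth-Token` / `X-Storage-Token`, described further down) instead of leaving the reader to find them.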
@@ -73,15 +75,14 @@ Figure 1. Authentication Component
:height: 180
:alt: An Authentication Component
Authentication components may operate in 'delegated mode'. In this mode, the
decision reject an unauthenticated client is delegated to the OpenStack
service. Delegated mode is illustrated in :ref:`authComponentDelegated`.
The middleware may also be configured to operated in a 'delegated mode'.
In this mode, the decision reject an unauthenticated client is delegated to
the OpenStack service, as illustrated in :ref:`authComponentDelegated`.
Here, requests are forwarded to the OpenStack service with an identity status
message that indicates whether the client's identity has been confirmed or is
indeterminate. It is the OpenStack service that decides whether or not a reject
message should be sent to the client. Note that it is always the responsibility
of the Authentication Component to transmit reject messages to the client.
message should be sent to the client.
.. _authComponentDelegated:
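Review bot: two grammar slips in the new delegated-mode paragraph: "configured to operated in" should be "configured to operate in", and "the decision reject an unauthenticated client" is missing "to" ("the decision to reject"). The paragraph should also name the option that switches this mode on (`delay_auth_decision`, listed under Configuration Options further down) so the reader can find it from here.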
@@ -95,204 +96,104 @@ Figure 2. Authentication Component (Delegated Mode)
:height: 180
:alt: An Authentication Component (Delegated Mode)
In this architecture, we define interactions between the authentication component
and the OpenStack service. Interactions between the client and the
authentication component are defined only for exceptional cases. For example,
we define the message that should be returned when the OpenStack service is
down. Other interactions, however, are defined by the underlying authentication
protocol and the OpenStack service and are considered out of scope.
.. _deployStrategies:
Deployment Strategies
=====================
Deployment Strategy
===================
An authentication component may be integrated directly into the service
implementation, or it may be deployed separately as an HTTP reverse proxy. This
is illustrated in :ref:`deployment`, showing both approaches to
authentication, labeled Option (a) and Option (b).
The middleware is intended to be used inline with OpenStack wsgi components,
based on the openstack-common WSGI middleware class. It is typically deployed
as a configuration element in a paste configuration pipeline of other
middleware components, with the pipeline terminating in the service
application. The middleware conforms to the python WSGI standard [PEP-333]_.
In initializing the middleware, a configuration item (which acts like a python
dictionary) is passed to the middleware with relevant configuration options.
.. _deployment:
Configuration
-------------
Authentication Component Deployments Options
--------------------------------------------
The middleware is configured within the config file of the main application as
a WSGI component. Example for the auth_token middleware::
Figure 3. Authentication Component Deployments Options
[app:myService]
paste.app_factory = myService:app_factory
.. image:: images/images_layouts.svg
:width: 100%
:height: 180
:alt: Authentication Component Deployments Options
[pipeline:main]
pipeline = tokenauth myService
In Option (a), the component is integrated into the service implementation. In
this case, communication between the authentication component and the service
can be efficiently implemented via a method call. In Option (b), the component
is deployed separately and communication between the service and the component
involves an HTTP request. In both cases, unauthenticated requests are filtered
before they reach the service.
[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = Super999Sekret888Password777
admin_user = admin
admin_password = SuperSekretPassword
admin_tenant_name = service
;Uncomment next line and check ip:port to use memcached to cache tokens
;memcache_servers = 127.0.0.1:11211
Each approach offers some benefits. Option (a) offers low latency and ease of
initial implementation, making it possibly most appropriate as a starting point
for simple configurations. Option (b) offers several key advantages that may be
of particular value in complex and dynamic configurations. It offers the
ability to scale horizontally in cases where authentication is computationally
expensive, such as when verifying digital signatures. Option (b) also allows
authentication components to be written in different programming languages.
Finally, Option (b) allows multiple authentication components to be deployed in
front of the same service.
Configuration Options
---------------------
OpenStack services can support both embedded (Option (a)) and external (Option
(b)) deployment strategies. Individual authentication components should support
either strategy or they |may| support both strategies. In order to support
option (a), authentication components written in the Python programming
language should be written as WSGI middleware components (in accordance with
the Web Server Gateway Interface (WSGI) standard [PEP-333]_.
* ``auth_host``: (required) the host providing the keystone service API endpoint
for validating and requesting tokens
* ``admin_token``: either this or the following three options are required. If
set, this is a single shared secret with the keystone configuration used to
validate tokens.
* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
is not set, or invalid, then admin_user, admin_password, and
admin_tenant_name are defined as a service account which is expected to have
been previously configured in Keystone to validate user tokens.
Additionally, services should support the ability to swap between different
embedded or external authentication components via configuration options.
* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
will not reject invalid auth requests, but will delegate that decision to
downstream WSGI components.
* ``auth_port``: (optional, default `35357`) the port used to validate tokens
* ``auth_protocol``: (optional, default `https`)
* ``auth_uri``: (optional, defaults to `auth_protocol`://`auth_host`:`auth_port`)
Caching for improved response
-----------------------------
In order to prevent every service request, the middleware may be configured
to utilize a cache, and the keystone API returns the tokens with an
expiration (configurable in duration on the keystone service). The middleware
supports memcache based caching.
* ``memcache_servers``: (optonal) if defined, the memcache server(s) to use for
cacheing
* ``token_cache_time``: (optional, default 300 seconds) Only valid if
memcache_servers is defined.
Exchanging User Information
===========================
If a request is successfully authenticated, the authentication component must
extend the request by adding an ``X-Authorization`` header. The header |must|
be formatted as illustrated in :ref:`xAuthHeader`.
The middleware expects to find a token representing the user with the header
``X-Auth-Token`` or ``X-Storage-Token``. `X-Storage-Token` is supported for
swift/cloud files and for legacy Rackspace use. If the token isn't present and
the middleware is configured to not delegate auth responsibility, it will
respond to the HTTP request with HTTPUnauthorized, returning the header
``WWW-Authenticate`` with the value `Keystone uri='...'` to indicate where to
request a token. The auth_uri returned is configured with the middleware.
.. _xAuthHeader:
The authentication middleware extends the HTTP request with the header
``X-Identity-Status``. If a request is successfully authenticated, the value
is set to `Confirmed`. If the middleware is delegating the auth decision to the
service, then the status is set to `Invalid` if the auth request was
unsuccessful.
X-Authorization Header
----------------------
Extended the request with additional User Information
-----------------------------------------------------
Example 1. X-Authorization Header::
:py:class:`keystone.middleware.auth_token.AuthProtocol` extends the request
with additional information if the user has been authenticated.
X-Authorization: Proxy JoeUser
Here, `Proxy` denotes that the authentication occurred via a proxy (in this
case authentication component) and ''JoeUser'' is the name of the user who
issued the request.
.. note:
We considered using an ``Authorization`` header rather than an
``X-Authorization``, thereby following normal HTTP semantics. There are some
cases, however, where multiple ``Authorization`` headers need to be transmitted
in a single request. We want to assure ourselves that this will not break
common clients before we recommend the approach.
Authentication components |may| extend the request with additional
information. For example, an authentication system may add additional headers
or modify the target URI to pass authentication information to the back-end
service. Additionally, an authentication component |may| strip sensitive
information — a plain text password, for example — from the request. That said,
an authentication component |should| pass the majority of the request
unmodified.
Reverse Proxy Authentication
----------------------------
An OpenStack service |should| verify that it is receiving requests from a
trusted authentication component. This is particularly important in cases where
the authentication component and the OpenStack service are deployed separately.
In order to trust incoming requests, the OpenStack service should therefore
authenticate the authentication component. To avoid confusion, we call this
'reverse proxy authentication', since in this case the authentication
component is acting as an HTTP reverse proxy.
Any HTTP-based authentication scheme may be used for reverse proxy
authentication; however, all OpenStack services and all authentication
components |must| support HTTP Basic Authentication as defined in
[RFC-2617]_.
Whether or not reverse proxy authentication is required is strictly a
deployment concern. For example, an operations team may opt to utilize firewall
rules instead of an authentication protocol to verify the integrity of incoming
request. Because of this, both OpenStack services and authentication components
|must| also allow for unauthenticated communication.
In cases where reverse proxy authentication is used, the authorization
component may receive an HTTP 401 authentication error or an HTTP 403
authorization error. These errors indicate that the component does not have
access to the underlying OpenStack service. The authentication component
|must not| return these errors to the client application. Instead, the
component |must| return a 500 internal error. This is illustrated in
:ref:`proxyAuth` and :ref:`proxyAuthDelegated` below. The component
|should| format the errors in a manner that does not break the service
contract defined by the OpenStack service. :ref:`proxyAuthDelegated`
illustrates proxy authorization in delegated mode. Delegated mode is discussed
in detail in the next section.
.. _proxyAuth:
Reverse Proxy Authentication
----------------------------
Figure 4. Reverse Proxy Authentication
.. image:: images/graphs_proxyAuth.svg
:width: 100%
:height: 180
:alt: Reverse Proxy Authentication
.. _proxyAuthDelegated:
Reverse Proxy Authentication (Delegated Mode)
---------------------------------------------
Figure 5. Reverse Proxy Authentication (Delegated Mode)
.. image:: images/graphs_delegate_forbiden_proxy.svg
:width: 100%
:height: 180
:alt: Reverse Proxy Authentication (Delegated Mode)
Delegated Mode
==============
In some cases, the decision to reject an unauthenticated request should be
delegated to the OpenStack service. An unauthenticated request may be
appropriate in cases when anonymous access is allowed. In order to support
these cases, an authentication component may be placed in Delegated Mode. In
this mode, the component forwards requests to the OpenStack service when the
client's identity has been confirmed or is indeterminate — that is when
credentials are missing. The authentication component directly rejects requests
with invalid credentials. Authentication components |must| extend the
request by adding an `X-Identity-Status` header. The identity status header
|must| contain one of the following values:
Identity Status Values
----------------------
Confirmed
A `confirmed` value indicates that valid credentials were sent and identity
has been confirmed. The service can trust that the request has been sent on
behalf of the user specified in the `X-Authorization` header.
Indeterminate
An `indeterminate` value indicates that no credentials were sent and
identity has not been confirmed. In this case, the service will receive an
`X-Authorization` header with no user entry as illustrated in
:ref:`xauth-header-indeterminate`.
.. _xauth-header-indeterminate:
Indeterminate Identity Headers
------------------------------
Example 2. Indeterminate Identity Headers::
X-Identity-Status: Indeterminate
X-Authorization: Proxy
Services |may| reject a delegated request by issuing an HTTP 401
authentication error or an HTTP 403 authorization error. These responses
|must| contain an ``WWW-Authenticate`` header with a value of ``Delegated`` as
illustrated in :ref:`unauthHeaders`.
X-Identity-Status
Provides information on whether the request was authenticated or not.
X-Tenant
Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Tenant-Id
The unique, immutable tenant Id
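Review bot: the example paste configuration sets `admin_token` and `admin_user` / `admin_password` / `admin_tenant_name` at the same time, while the option list right after it says the two are alternatives ("either this or the following three options are required"); show one of them in the example (comment the other out) and state which one the middleware uses when both are present. The example secrets `Super999Sekret888Password777` and `SuperSekretPassword` look like real values and will be copied into deployments; use obvious placeholders and add a sentence that the config file holding `admin_token` must be protected, since that single shared secret validates tokens for every service in front of which the middleware sits. The example also uses `auth_protocol = http` against the documented default of `https`; say that the example is for a local test and that production keeps `https`, because the admin credentials travel to that endpoint. Smaller points in the same hunk: "optonal" and "cacheing" are misspelled, "In order to prevent every service request" is missing its object ("from being validated against keystone"), `token_cache_time` should say what it is measured in and that a cached token is still subject to the expiration keystone returned, and the caching paragraph should note that validated tokens are held in the memcached servers named by `memcache_servers`, which therefore need the same network restrictions as keystone itself.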
@@ -305,225 +206,25 @@ X-User-Id
X-User-Name
The username used to log in
X-User
The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Roles
The roles associated with that user
.. _unauthHeaders:
Deprecated additions
--------------------
Delegated WWW-Authenticate Header
---------------------------------
X-Tenant
Provides the tenant name. This is to support any legacy implementations
before Keystone switched to an ID/Name schema for tenants.
::
X-User
The username used to log in. This is to support any legacy implementations
before Keystone switched to an ID/Name schema for tenants.
WWW-Authenticate: Delegated
It is important to note that the actual reject message will likely be modified
by the authentication component in order to comply with the authentication
scheme it is implementing. This is illustrated in :ref:`delegateRejectBasic` and
:ref:`delegateRejectOAuth` below.
.. _delegateRejectBasic:
Delegated Reject Basic Auth
---------------------------
.. image:: images/graphs_delegate_reject_basic.svg
:width: 100%
:height: 180
:alt: Delegated Reject Basic Auth
.. _delegateRejectOAuth:
Delegated Reject OAuth
----------------------
.. image:: images/graphs_delegate_reject_oauth.svg
:width: 100%
:height: 180
:alt: Delegated Reject OAuth
The presence of the `WWW-Authenticate` header with a value of `Delegated`
distinguishes a client authentication/authorization failure from a component
failure. For example, compare :ref:`delegateForbidden` with :ref:`proxyAuthDelegated`. In
:ref:`delegateForbidden`, the client is not allowed to access the OpenStack service.
In :ref:`proxyAuthDelegated`, it is the authentication component itself which is
unauthorized.
.. _delegateForbidden:
Delegated Reject Forbidden
--------------------------
Figure 8. Delegated Reject Forbidden
.. image:: images/graphs_delegate_forbiden_basic.svg
:width: 100%
:height: 180
:alt: Delegated Reject Forbidden
Authentication components |must| support both delegated and undelegated
(standard) modes. Delegated mode |should| be configured via a configuration
option. Delegated mode |should| be disabled by default.
OpenStack services are not required to support delegated mode. If a service
does not support delegated mode, it |must| respond with a 501 not implemented
error and an `WWW-Authenticate` header with a value of `Delegated`. The
authentication component |must not| return the error to the client
application. Instead, the component |must| return a 500 internal error; this is
illustrated in :ref:`delegateUnimplemented`. The component |should|
format the error in a manner that does not break the service contract defined
by the OpenStack service. The component should also log the error such that it
that will inform operators of the misconfiguration.
.. _delegateUnimplemented:
Unimplemented Delegated Mode
----------------------------
.. image:: images/graphs_delegate_unimplemented.svg
:width: 100%
:height: 180
:alt: Unimplemented Delegated Mode
Handling Direct Client Connections
==================================
Requests from the authentication component to an OpenStack service |must|
contain an ``X-Authorization`` header. If the header is missing, and reverse
proxy authentication fails or is switched off, the OpenStack service |may|
assume that the request is coming directly from a client application. In this
case, the OpenStack service |must| redirect the request to the authentication
component by issuing an HTTP 305 User Proxy redirect. This is illustrated in
:ref:`redirect`. Note that the redirect response |must| include a ``Location`` header
specifying the authentication component's URL as shown in :ref:`redirect-response`.
.. _redirect:
Auth Component Redirect
-----------------------
.. image:: images/graphs_305.svg
:width: 100%
:height: 280
:alt: Auth Component Redirect
.. _redirect-response:
Auth Component Redirect Response
--------------------------------
::
HTTP/1.1 305 Use Proxy
Date: Thu, 28 Oct 2011 07:41:16 GMT
Location: http://sample.auth.openstack.com/path/to/resource
Using Multiple Authentication Components
========================================
There are some use cases when a service provider might want to consider using
multiple authentication components for different purposes. For instance, a
service provider may have one authentication scheme to authenticate the users
of the service and another one to authenticate the administrators or operations
personnel that maintain the service. For such scenarios, we propose using a
mapper as illustrated in :ref:`multiAuth`.
.. _multiAuth:
Multiple Authentication Components
----------------------------------
.. image:: images/graphs_mapper.svg
:width: 100%
:height: 320
:alt: Multiple Authentication Components
At a high level, a mapper is a simple reverse proxy that intercepts HTTP calls
from clients and routes the request to the appropriate authentication
component. A mapper can make the routing decisions based on a number of routing
rules that map a resource to a specific authentication component. For example,
a request URI may determine whether a call should be authenticated via one
authentication component or another.
Note that neither the authentication component nor the OpenStack service need
be aware of the mapper. Any external authentication component can be used
alongside others. Mappers may provide a means by which to offer support for
anonymous or guest access to a subset of service resources. A mapper may be
implemented via a traditional reverse proxy server such as Pound or Zeus.
The Default Component
=====================
Individual services |must| be distributed with a simple integrated
authentication component by default. Providing such a component lowers barriers
to the deployment of individual services. This is especially important to]
developers who may want to deploy OpenStack services on their own machines.
Also, since there is no direct dependency on an external authentication system,
OpenStack services can be deployed individually, without the need to stand up
and configure additional services. Finally, having a standard authentication
component that all services share promotes a separation of concerns. That is,
as a community we are explicitly stating that services should not develop their
own authentication mechanisms. Additional authentication components may be
developed, of course, but these components should not be intimately coupled to
any one particular service.
As discussed in :ref:`deployStrategies`, an authentication component may be
integrated directly into the service implementation (Option (a)), or it may be
deployed separately as an HTTP reverse proxy (Option (b)). The default
component should be implemented to support Option (a) and services should
maintain support for Option (b). One way to achieve this is to provide a
method that allows the disabling of the default authentication component via
configuration. This is illustrated in :ref:`both`. Here, requests are
sent directly to the OpenStack service when the default authentication
component is disabled.
We will discuss the design of the default component in an upcoming blueprint.
.. _both:
Disabled Embedded Component
---------------------------
.. image:: images/graphs_both.svg
:width: 100%
:height: 250
:alt: Disabled Embedded Component
Questions and Answers
=====================
#. Why do authentication components send reject messages? Why not have
OpenStack services reject requests themselves?
The content and format of an authentication failed message is determined by
the authentication scheme (or protocol). For the service to respond
appropriately, it would have to be aware of the authentication scheme in
which it participates; this defeats the purpose of pluggable authentication
components.
#. Why require support for deploying authentication components in separate
nodes?
The deployment strategy is very flexible. It allows for authentication
components to be horizontally scalable. It allows for components to be written
in different languages. Finally, it allows different authentication components
to be deployed simultaneously as described above.
X-Role
The roles associated with that user
References
==========
.. [PEP-333] pep0333 Phillip J Eby. 'Python Web Server Gateway Interface
v1.0.'' http://www.python.org/dev/peps/pep-0333/.
.. [RFC-2617] rfc2617 J Franks. P Hallam-Baker. J Hostetler. S Lawrence.
P Leach. A Luotonen. L Stewart. ''HTTP Authentication: Basic and Digest
Access Authentication.'' http://tools.ietf.org/html/rfc2617.
.. |must| replace:: must must
.. |should| replace:: should should
.. |may| replace:: may may
.. |must not| replace:: "must not" "must not"
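Review bot: deleting this file removes the design rationale behind the middleware's behaviour, and it leaves cross-references that need checking before merge. The Q&A is the only place that explains why the authentication component, not the service, emits the reject (the format of an authentication-failed message is defined by the scheme, so a service that produced it would have to know which scheme it sits behind) and why components may run on separate nodes (horizontal scaling, other languages, several components at once); the "Disabled Embedded Component" option described here is also the reasoning behind the `delay_auth_decision` setting documented in the middleware.rst deletion further down. Please carry that reasoning into the replacement auth_token documentation, otherwise a reader of the new configuration has no way to know when `delay_auth_decision` is safe to enable. Separately, the `:ref:`deployStrategies`` and `:ref:`both`` labels, the `images/graphs_both.svg` image and the `[PEP-333]`/`[RFC-2617]` citation targets disappear with this file; grep the remaining docs for any use of them so Sphinx does not emit unresolved-reference warnings after this lands.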

View File

@@ -1,169 +0,0 @@
..
Copyright 2011-2012 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========
Middleware
==========
The Keystone middleware sits in front of an OpenStack service and handles authenticating
incoming requests. The middleware was designed according to `this spec`.
The middleware is found in source under Keystone/middleware.
The middleware supports two interfaces; WSGI and REST/HTTP.
.. _`this spec`: http://wiki.openstack.org/openstack-authn
REST & HTTP API
===============
If an unauthenticated call comes in, the middleware will respond with a 401 Unauthorized error. As per
HTTP standards, it will also return a WWW-Authenticate header informing the caller
of what protocols are supported. For Keystone authentication, the response syntax will be::
WWW-Authenticate: Keystone uri="url to Keystone server"
The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with the token.
The token is passed in using ther X-Auth-Token header.
WSGI API (Headers)
==================
Upon successful authentication the middleware sends the following
headers to the downstream WSGI app:
X-Identity-Status
Provides information on whether the request was authenticated or not.
X-Tenant
Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Tenant-Id
The unique, immutable tenant Id
X-Tenant-Name
The unique, but mutable (it can change) tenant name.
X-User-Id
The user id of the user used to log in
X-User-Name
The username used to log in
X-User
The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Roles
The roles associated with that user
Configuration
=============
The middleware is configured within the config file of the main application as
a WSGI component. Example for the auth_token middleware::
[app:myService]
paste.app_factory = myService:app_factory
[pipeline:main]
pipeline =
tokenauth
myService
[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666
;Uncomment next line and check ip:port to use memcached to cache token requests
;memcache_servers = 127.0.0.1:11211
*The required configuration entries are:*
auth_host
The IP address or DNS name of the Keystone server
auth_port
The TCP/IP port of the Keystone server
auth_protocol
The protocol of the Keystone server ('http' or 'https')
auth_uri
The externally accessible URL of the Keystone server. This will be where unauthenticated
clients are redirected to. This is in the form of a URL. For example, if they make an
unauthenticated call, they get this response::
HTTP/1.1 401 Unauthorized
Www-Authenticate: Keystone uri='https://auth.example.com/'
Content-Length: 381
In this case, the auth_uri setting is set to https://auth.example.com/
admin_token
This is the long-lived token issued to the service to authenticate itself when calling
Keystone. See :doc:`configuration` for more information on setting this up.
*Optional parameters are:*
delay_auth_decision
Whether the middleware should reject invalid or unauthenticated calls directly or not. If not,
it will send all calls down to the service to decide, but it will set the HTTP-X-IDENTITY-STATUS
header appropriately (set to'Confirmed' or 'Indeterminate' based on validation) and the
service can then decide if it wants to honor the call or not. This is useful if the service offers
some resources publicly, for example.
auth_timeout
The amount of time to wait before timing out a call to Keystone (in seconds)
memcache_hosts
This is used to point to a memcached server (in ip:port format). If supplied,
the middleware will cache tokens and data retrieved from Keystone in memcached
to minimize calls made to Keystone and optimize performance.
.. warning::
Tokens are cached for the duration of their validity. If they are revoked eariler in Keystone,
the service will not know and will continue to honor the token as it has them stored in memcached.
Also note that tokens and data stored in memcached are not encrypted. The memcached server must
be trusted and on a secure network.
*Parameters needed in a distributed topology.* In this configuration, the middleware is running
on a separate machine or cluster than the protected service (not common - see :doc:`middleware_architecture`
for details on different deployment topologies):
service_host
The IP address or DNS name of the location of the service (since it is remote
and not automatically down the WSGI chain)
service_port
The TCP/IP port of the remote service.
service_protocol
The protocol of the service ('http' or 'https')
service_pass
The basic auth password used to authenticate to the service (so the service
knows the call is coming from a server that has validated the token and not from
an untrusted source or spoofer)
service_timeout
The amount of time to wait for the service to respond before timing out.
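Review bot: this deletion drops the only description of the security contract between the middleware and the protected service, so the replacement auth_token documentation must cover the same ground before this file goes, in particular: the header contract (`X-Identity-Status`, `X-Tenant-Id`, `X-Tenant-Name`, `X-User-Id`, `X-User-Name`, `X-Roles`, plus the legacy `X-Tenant` and `X-User`) that every downstream service uses for its authorization decisions; the `delay_auth_decision` semantics, under which the service must itself check `X-Identity-Status` for `Confirmed` instead of assuming that anything reaching it was authenticated; the memcached warning that a cached token keeps being honoured until its expiry even after Keystone revokes it, and that the cache holds tokens in plaintext so the memcached host must be trusted and on a protected network; and the `service_pass` shared secret, which is what stops a caller from bypassing a remotely deployed middleware and sending spoofed identity headers straight to the service. While porting, fix two defects in the deleted text rather than copying them: the example configuration sets `memcache_servers` while the parameter list documents `memcache_hosts`, and whichever name the code does not read is silently ignored by the paste config, so an operator following the wrong one gets no caching and no error; and `HTTP-X-IDENTITY-STATUS` in the `delay_auth_decision` paragraph is the WSGI environ spelling of the `X-Identity-Status` header listed above, which should be stated so readers do not think they are two different headers. Typos to drop on the way: `ther X-Auth-Token`, `eariler`.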

View File

@@ -21,7 +21,8 @@ Setting up a Keystone development environment
This document describes getting the source from keystone's `GitHub repository`_
for development purposes.
To install keystone from packaging, refer instead to Keystone's `User Documentation`_.
To install keystone from packaging, refer instead to Keystone's `User
Documentation`_.
.. _`GitHub Repository`: http://github.com/openstack/keystone
.. _`User Documentation`: http://docs.openstack.org/
@@ -96,9 +97,10 @@ Mac OS X Lion (requires MacPorts_)::
PyPi Packages and VirtualEnv
----------------------------
We recommend establishing a virtualenv to run keystone within. Virtualenv limits the python environment
to just what you're installing as depdendencies, useful to keep a clean environment for working on
Keystone. The tools directory in keystone has a script already created to make this very simple::
We recommend establishing a virtualenv to run keystone within. Virtualenv
limits the python environment to just what you're installing as depdendencies,
useful to keep a clean environment for working on Keystone. The tools directory
in keystone has a script already created to make this very simple::
$ python tools/install_venv.py
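Review bot: the rewrapped paragraph carries the typo `depdendencies` over unchanged (new line `limits the python environment to just what you're installing as depdendencies,`); since the lines are being rewritten anyway, correct it to `dependencies`.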
@@ -117,8 +119,8 @@ see virtualenv_.
.. _virtualenv: http://www.virtualenv.org/
If you want to run keystone outside of a virtualenv, you can install the dependencies directly
into your system from the requires files::
If you want to run keystone outside of a virtualenv, you can install the
dependencies directly into your system from the requires files::
# Install the dependencies for running keystone
$ pip install -r tools/pip-requires
@@ -126,18 +128,19 @@ into your system from the requires files::
# Install the dependencies for developing, testing, and running keystone
$ pip install -r tools/test-requires
# Fake-install the project by symlinking Keystone into your Python site-packages
# Use python setup.py to link Keystone into python's site-packages
$ python setup.py develop
Verifying Keystone is set up
============================
Once set up, either directly or within a virtualenv, you should be able to invoke python and import
the libraries. If you're using a virtualenv, don't forget to activate it::
Once set up, either directly or within a virtualenv, you should be able to
invoke python and import the libraries. If you're using a virtualenv, don't
forget to activate it::
$ source .venv/bin/activate
$ python
$ source .venv/bin/activate
$ python
You should then be able to `import keystone` from your Python shell
without issue::
@@ -145,7 +148,8 @@ without issue::
>>> import keystone
>>>
If you can import keystone successfully, you should be ready to move on to :doc:`developing`
If you can import keystone successfully, you should be ready to move on to
:doc:`developing`
Troubleshooting
===============
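Review bot: the rewrapped sentence still ends without a full stop after `:doc:`developing``, as the old line did; add the period while the line is being touched.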