Implementation of opt-out from catalog data during token validation.

The additional query parameter nocatalog in GET /v3/auth/tokens allows the requestor to receive a token response omitting the catalog data. This makes the token response sensibly smaller in case the catalog is large due to the vaste deployment environment and available services. e.g. GET /v3/auth/tokens?nocatalog blueprint token-valid-catalog-opt-out Change-Id: I272b1282acc0f04565d88c51b87dc7e30b141b7c
2013-10-14 15:47:55 -07:00 · 2013-10-14 15:47:55 -07:00 · d28b84a9a1
parent 94f965b29a
commit d28b84a9a1
3 changed files with 15 additions and 3 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -367,7 +367,11 @@ class Auth(controller.V3Controller):
    @controller.protected()
    def validate_token(self, context):
        token_id = context.get('subject_token_id')
-        token_data = self.token_provider_api.validate_v3_token(token_id)
+        include_catalog = 'nocatalog' not in context['query_string']
+        token_data = self.token_provider_api.validate_v3_token(
+            token_id)
+        if not include_catalog and 'catalog' in token_data['token']:
+            del token_data['token']['catalog']
        return render_token_data_response(token_id, token_data)

    @controller.protected()
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -320,6 +320,16 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase):
        r = self.get('/auth/tokens', headers=self.headers)
        self.assertValidUnscopedTokenResponse(r)

+    def test_validate_token_nocatalog(self):
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_id=self.project['id'])
+        resp = self.post('/auth/tokens', body=auth_data)
+        headers = {'X-Subject-Token': resp.headers.get('X-Subject-Token')}
+        r = self.get('/auth/tokens?nocatalog', headers=headers)
+        self.assertValidProjectScopedTokenResponse(r, require_catalog=False)
+
    def test_revoke_token(self):
        headers = {'X-Subject-Token': self.get_scoped_token()}
        self.delete('/auth/tokens', headers=headers, expected_status=204)
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@ -317,8 +317,6 @@ class Provider(object):

        :param token_id: identity of the token
        :type token_id: string
-        :param belongs_to: project_id token belongs to
-        :type belongs_to: string
        :returns: token data
        :raises: keystone.exception.TokenNotFound
        """