Move admin_token_auth before build_auth_context in sample paste.ini

It's deprecated to have admin_token_auth after build_auth_context, so move admin_token_auth before build_auth_context. Also, for safety in the code handling the deprecated configuration, only do the admin_token check if admin_token is not the default. Closes-Bug: 1549371 Change-Id: I2607e718ecd50eb605a1e4bbfb3862e3968b6484
2016-02-17 10:03:38 -06:00 · 2016-02-17 10:03:38 -06:00 · ee2e3272ac
parent d37af165d0
commit ee2e3272ac
2 changed files with 11 additions and 9 deletions
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@ -54,17 +54,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

 [app:public_version_service]
 use = egg:keystone#public_version_service
--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
@ -75,14 +75,16 @@ class AuthContextMiddleware(wsgi.Middleware):
        return None, None, False

    def _build_token_auth_context(self, request, token_id):
-        if token_id == CONF.admin_token:
+        if CONF.admin_token and token_id == CONF.admin_token:
            versionutils.report_deprecated_feature(
                LOG,
-                _LW('Auth context checking for the admin token is deprecated '
-                    'as of the Mitaka release and will be removed in the O '
-                    'release. Update keystone-paste.ini so that '
-                    'admin_token_auth is before build_auth_context in the '
-                    'paste pipelines.'))
+                _LW('build_auth_context middleware checking for the admin '
+                    'token is deprecated as of the Mitaka release and will be '
+                    'removed in the O release. If your deployment requires '
+                    'use of the admin token, update keystone-paste.ini so '
+                    'that admin_token_auth is before build_auth_context in '
+                    'the paste pipelines, otherwise remove the '
+                    'admin_token_auth middleware from the paste pipelines.'))
            return {}, True

        context = {'token_id': token_id}