s3token config with auth URI

s3token middleware only allows configuring host and port for the
auth URI. This doesn't allow the auth server to be on a path.

A new auth_uri config option is added that allows the deployer to
specify the full URL for auth. This overrides auth_host, auth_port,
and auth_protocol. auth_host, auth_port, and auth_protocol are
deprecated.

DocImpact

Change-Id: I1fe13f0365ca4704717fe680a0c8f54c64a9f06c
Brant Knudson 2016-05-03 15:52:53 -05:00
parent 89ec136e5a
commit 8dee7458e3
3 changed files with 33 additions and 21 deletions


@ -40,7 +40,7 @@ import requests
import six
from six.moves import urllib
from keystonemiddleware.i18n import _, _LI
from keystonemiddleware.i18n import _, _LI, _LW
PROTOCOL_NAME = 'S3 Token Authentication'
@ -109,12 +109,19 @@ class S3Token(object):
self._reseller_prefix = conf.get('reseller_prefix', 'AUTH_')
# where to find the auth service (we use this to validate tokens)
auth_host = conf.get('auth_host')
auth_port = int(conf.get('auth_port', 35357))
auth_protocol = conf.get('auth_protocol', 'https')
self._request_uri = conf.get('auth_uri')
if not self._request_uri:
self._logger.warning(_LW(
"Use of the auth_host, auth_port, and auth_protocol "
"configuration options was deprecated in the Newton release "
"in favor of auth_uri. These options may be removed in a "
"future release."))
auth_host = conf.get('auth_host')
auth_port = int(conf.get('auth_port', 35357))
auth_protocol = conf.get('auth_protocol', 'https')
self._request_uri = '%s://%s:%s' % (auth_protocol, auth_host,
auth_port)
self._request_uri = '%s://%s:%s' % (auth_protocol, auth_host,
auth_port)
# SSL
insecure = strutils.bool_from_string(conf.get('insecure', False))
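Review bot: The new `auth_uri` value is assigned to `self._request_uri` without any check, so an `http://` URI is accepted silently even though the old `auth_protocol` default was `https`, and the token-validation requests sent to that endpoint would then travel in clear text. A warning once `self._request_uri` is final would cover both the new option and the deprecated fallback, e.g. `if urllib.parse.urlparse(self._request_uri).scheme != 'https': self._logger.warning(_LW("s3token auth endpoint does not use https"))`. In the fallback branch an unset `auth_host` is still formatted into the URI, giving `https://None:35357`; rejecting that as a configuration error would fail at startup instead of on the first request. `__init__` starts and ends outside this hunk.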


@ -38,20 +38,14 @@ class FakeApp(object):
class S3TokenMiddlewareTestBase(utils.TestCase):
TEST_PROTOCOL = 'https'
TEST_HOST = 'fakehost'
TEST_PORT = 35357
TEST_URL = '%s://%s:%d/v2.0/s3tokens' % (TEST_PROTOCOL,
TEST_HOST,
TEST_PORT)
TEST_AUTH_URI = 'https://fakehost/identity'
TEST_URL = '%s/v2.0/s3tokens' % (TEST_AUTH_URI, )
def setUp(self):
super(S3TokenMiddlewareTestBase, self).setUp()
self.conf = {
'auth_host': self.TEST_HOST,
'auth_port': self.TEST_PORT,
'auth_protocol': self.TEST_PROTOCOL,
'auth_uri': self.TEST_AUTH_URI,
}
self.requests_mock = self.useFixture(rm_fixture.Fixture())
@ -100,14 +94,17 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
self.assertEqual(req.headers['X-Auth-Token'], 'TOKEN_ID')
def test_authorized_http(self):
self.requests_mock.post(self.TEST_URL.replace('https', 'http'),
status_code=201,
json=GOOD_RESPONSE)
protocol = 'http'
host = 'fakehost'
port = 35357
self.requests_mock.post(
'%s://%s:%s/v2.0/s3tokens' % (protocol, host, port),
status_code=201, json=GOOD_RESPONSE)
self.middleware = (
s3_token.filter_factory({'auth_protocol': 'http',
'auth_host': self.TEST_HOST,
'auth_port': self.TEST_PORT})(FakeApp()))
s3_token.filter_factory({'auth_protocol': protocol,
'auth_host': host,
'auth_port': port})(FakeApp()))
req = webob.Request.blank('/v1/AUTH_cfa/c/o')
req.headers['Authorization'] = 'access:signature'
req.headers['X-Storage-Token'] = 'token'
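Review bot: None of the visible tests passes `auth_uri` together with the deprecated options, so the override promised in the commit message is not pinned; `setUp` now supplies only `auth_uri`, and `test_authorized_http` supplies only the old three. A case that builds the filter with both, for example `s3_token.filter_factory({'auth_uri': self.TEST_AUTH_URI, 'auth_host': 'otherhost', 'auth_port': 1})(FakeApp())` (constructed values), and mocks only `self.TEST_URL` would fail if the precedence ever regressed. The deprecation warning on the fallback path is likewise unasserted in these hunks. `test_authorized_http` continues past the end of the hunk.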


@ -0,0 +1,8 @@
---
features:
- A new configuration option for the s3token middleware called auth_uri can
be used to set the URI to be used for authentication. This replaces
auth_host, auth_port, and auth_protocol.
deprecations:
- The auth_host, auth_port, and auth_protocol configuration options to the
s3token middleware are now deprecated.