
  1. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  2. # not use this file except in compliance with the License. You may obtain
  3. # a copy of the License at
  4. #
  5. # http://www.apache.org/licenses/LICENSE-2.0
  6. #
  7. # Unless required by applicable law or agreed to in writing, software
  8. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  9. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  10. # License for the specific language governing permissions and limitations
  11. # under the License.
  12. import copy
  13. from keystoneauth1 import loading
  14. from oslo_config import cfg
  15. from keystonemiddleware.auth_token import _base
  16. # NOTE(jamielennox): A number of options below are deprecated however are left
  17. # in the list and only mentioned as deprecated in the help string. This is
  18. # because we have to provide the same deprecation functionality for arguments
  19. # passed in via the conf in __init__ (from paste) and there is no way to test
  20. # that the default value was set or not in CONF.
  21. # Also if we were to remove the options from the CONF list (as typical CONF
  22. # deprecation works) then other projects will not be able to override the
  23. # options via CONF.
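# Options registered below under ``_base.AUTHTOKEN_GROUP``; the same list
# feeds ``list_opts()`` so the oslo sample-config generator can discover
# them.  Several defaults favour backwards compatibility over strictness --
# see the NOTE(security) comments on the individual options.
_OPTS = [
    cfg.StrOpt('www_authenticate_uri',
               # FIXME(dolph): should be default='http://127.0.0.1:5000/v2.0/',
               # or (depending on client support) an unversioned, publicly
               # accessible identity endpoint (see bug 1207517). Further, we
               # can eliminate this configuration option in favor of pulling
               # the endpoint from the service catalog that the service user
               # receives (there should be an identity endpoint listed there).
               # This wasn't an option originally when many auth_token
               # deployments were configured with the "ADMIN" token and
               # endpoint combination.
               #
               # NOTE(security): this value is handed to *unauthenticated*
               # clients as the place to go and authenticate, so it must be a
               # public endpoint and never an internal/admin URL you do not
               # want disclosed.
               deprecated_name='auth_uri',
               help='Complete "public" Identity API endpoint. This endpoint'
               ' should not be an "admin" endpoint, as it should be accessible'
               ' by all end users. Unauthenticated clients are redirected to'
               ' this endpoint to authenticate. Although this endpoint should'
               ' ideally be unversioned, client support in the wild varies.'
               ' If you\'re using a versioned v2 endpoint here, then this'
               ' should *not* be the same endpoint the service user utilizes'
               ' for validating tokens, because normal end users may not be'
               ' able to reach that endpoint.'),
    # Deprecated alias of www_authenticate_uri; kept as a real option (not
    # just deprecated_name) for the reasons given in the module NOTE above.
    cfg.StrOpt('auth_uri',
               deprecated_for_removal=True,
               deprecated_reason='The auth_uri option is deprecated in favor'
               ' of www_authenticate_uri and will be removed in the S '
               ' release.',
               deprecated_since='Queens',
               help='Complete "public" Identity API endpoint. This endpoint'
               ' should not be an "admin" endpoint, as it should be accessible'
               ' by all end users. Unauthenticated clients are redirected to'
               ' this endpoint to authenticate. Although this endpoint should'
               ' ideally be unversioned, client support in the wild varies.'
               ' If you\'re using a versioned v2 endpoint here, then this'
               ' should *not* be the same endpoint the service user utilizes'
               ' for validating tokens, because normal end users may not be'
               ' able to reach that endpoint. This option is deprecated in'
               ' favor of www_authenticate_uri and will be removed in the S'
               ' release.'),
    cfg.StrOpt('auth_version',
               help='API version of the Identity API endpoint.'),
    cfg.StrOpt('interface',
               default='admin',
               help='Interface to use for the Identity API endpoint. Valid'
               ' values are "public", "internal" or "admin"(default).'),
    # NOTE(security): with this enabled the middleware no longer rejects
    # requests it could not authenticate; the downstream WSGI application
    # becomes solely responsible for refusing them.  Only enable it for
    # services that actually implement that check.
    cfg.BoolOpt('delay_auth_decision',
                default=False,
                help='Do not handle authorization requests within the'
                ' middleware, but delegate the authorization decision to'
                ' downstream WSGI components.'),
    # No default: unset means no timeout is imposed by this option, so a
    # hung Identity server can stall request handling.  Operators should set
    # a finite value.
    cfg.IntOpt('http_connect_timeout',
               help='Request timeout value for communicating with Identity'
               ' API server.'),
    cfg.IntOpt('http_request_max_retries',
               default=3,
               help='How many times are we trying to reconnect when'
               ' communicating with Identity API Server.'),
    cfg.StrOpt('cache',
               help='Request environment key where the Swift cache object is'
               ' stored. When auth_token middleware is deployed with a Swift'
               ' cache, use this option to have the middleware share a caching'
               ' backend with swift. Otherwise, use the ``memcached_servers``'
               ' option instead.'),
    # TLS client-certificate material for mutual TLS to the Identity server.
    cfg.StrOpt('certfile',
               help='Required if identity server requires client certificate'),
    cfg.StrOpt('keyfile',
               help='Required if identity server requires client certificate'),
    cfg.StrOpt('cafile',
               help='A PEM encoded Certificate Authority to use when '
               'verifying HTTPs connections. Defaults to system CAs.'),
    # NOTE(security): the original help text ("Verify HTTPS connections.")
    # read as if True meant *more* verification.  The option name and its
    # False default say the opposite: True turns certificate verification
    # off, so the help now states that plainly.
    cfg.BoolOpt('insecure', default=False,
                help='Disable verification of the Identity server\'s TLS'
                ' certificate. Leave this False in production and point'
                ' ``cafile`` at a private CA if one is needed; setting it True'
                ' exposes token validation traffic to interception.'),
    cfg.StrOpt('region_name',
               help='The region in which the identity server can be found.'),
    cfg.ListOpt('memcached_servers',
                deprecated_name='memcache_servers',
                help='Optionally specify a list of memcached server(s) to'
                ' use for caching. If left undefined, tokens will instead be'
                ' cached in-process.'),
    # NOTE(review): a cached validation result is presumably trusted until
    # it ages out, so a token revoked in Keystone may still be accepted for
    # up to this many seconds -- confirm against the cache implementation
    # before relying on prompt revocation.
    cfg.IntOpt('token_cache_time',
               default=300,
               help='In order to prevent excessive effort spent validating'
               ' tokens, the middleware caches previously-seen tokens for a'
               ' configurable duration (in seconds). Set to -1 to disable'
               ' caching completely.'),
    # NOTE(security): with the default ('None') token data sits in memcached
    # neither authenticated nor encrypted.  Anyone who can reach the
    # memcached port can then read or tamper with cached token data, so use
    # MAC or (preferably) ENCRYPT whenever memcached is shared or reachable
    # beyond this service.
    cfg.StrOpt('memcache_security_strategy',
               default='None',
               choices=('None', 'MAC', 'ENCRYPT'),
               ignore_case=True,
               help='(Optional) If defined, indicate whether token data'
               ' should be authenticated or authenticated and encrypted.'
               ' If MAC, token data is authenticated (with HMAC) in the cache.'
               ' If ENCRYPT, token data is encrypted and authenticated in the'
               ' cache. If the value is not one of these options or empty,'
               ' auth_token will raise an exception on initialization.'),
    # secret=True keeps the value out of config dumps and logs.
    cfg.StrOpt('memcache_secret_key',
               secret=True,
               help='(Optional, mandatory if memcache_security_strategy is'
               ' defined) This string is used for key derivation.'),
    cfg.IntOpt('memcache_pool_dead_retry',
               default=5 * 60,
               help='(Optional) Number of seconds memcached server is'
               ' considered dead before it is tried again.'),
    cfg.IntOpt('memcache_pool_maxsize',
               default=10,
               help='(Optional) Maximum total number of open connections to'
               ' every memcached server.'),
    cfg.IntOpt('memcache_pool_socket_timeout',
               default=3,
               help='(Optional) Socket timeout in seconds for communicating '
               'with a memcached server.'),
    cfg.IntOpt('memcache_pool_unused_timeout',
               default=60,
               help='(Optional) Number of seconds a connection to memcached'
               ' is held unused in the pool before it is closed.'),
    cfg.IntOpt('memcache_pool_conn_get_timeout',
               default=10,
               help='(Optional) Number of seconds that an operation will wait '
               'to get a memcached client connection from the pool.'),
    cfg.BoolOpt('memcache_use_advanced_pool',
                default=False,
                help='(Optional) Use the advanced (eventlet safe) memcached '
                'client pool. The advanced pool will only work under '
                'python 2.x.'),
    cfg.BoolOpt('include_service_catalog',
                default=True,
                help='(Optional) Indicate whether to set the X-Service-Catalog'
                ' header. If False, middleware will not ask for service'
                ' catalog on token validation and will not set the'
                ' X-Service-Catalog header.'),
    # NOTE(security): "permissive" silently ignores bind types this server
    # does not understand; "strict" or "required" is the safer choice where
    # token binding is actually deployed.
    cfg.StrOpt('enforce_token_bind',
               default='permissive',
               help='Used to control the use and type of token binding. Can'
               ' be set to: "disabled" to not check token binding.'
               ' "permissive" (default) to validate binding information if the'
               ' bind type is of a form known to the server and ignore it if'
               ' not. "strict" like "permissive" but if the bind type is'
               ' unknown the token will be rejected. "required" any form of'
               ' token binding is needed to be allowed. Finally the name of a'
               ' binding method that must be present in tokens.'),
    # NOTE(security): a service token can ask for an *expired* user token to
    # be honoured, so the roles listed here define who may extend a token's
    # life.  Keep the list as small as the deployment allows.
    cfg.ListOpt('service_token_roles', default=['service'],
                help='A choice of roles that must be present in a service'
                ' token. Service tokens are allowed to request that an expired'
                ' token can be used and so this check should tightly control'
                ' that only actual services should be sending this token.'
                ' Roles here are applied as an ANY check so any role in this'
                ' list must be present. For backwards compatibility reasons'
                ' this currently only affects the allow_expired check.'),
    # NOTE(security): while False (the compatibility default), a valid
    # service token that lacks every role in service_token_roles is still
    # accepted -- the role check above is effectively advisory.  Set True
    # wherever the calling services have been given the 'service' role.
    cfg.BoolOpt('service_token_roles_required', default=False,
                help='For backwards compatibility reasons we must let valid'
                ' service tokens pass that don\'t pass the service_token_roles'
                ' check as valid. Setting this true will become the default'
                ' in a future release and should be enabled if possible.'),
    cfg.StrOpt('service_type',
               help='The name or type of the service as it appears in the'
               ' service catalog. This is used to validate tokens that have'
               ' restricted access rules.'),
]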
# Import-time side effect: the options above are registered on the
# process-global ``cfg.CONF`` as soon as this module is imported, under the
# auth_token group name defined in ``_base``.
CONF = cfg.CONF
CONF.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP)
# Registers keystoneauth1's common auth-plugin selection options in the same
# group (these are what ``loading.get_auth_common_conf_options()`` returns
# below), so the service user's credentials are configured alongside the
# middleware's own options.  Note this passes ``cfg.CONF`` directly, which is
# the same object as ``CONF`` above.
loading.register_auth_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
# Same (group, options) shape as ``list_opts()`` returns, but without the
# deep copy: these are the very option objects registered above.  Not part
# of ``__all__``; presumably consumed only inside the package -- confirm
# before mutating it.
auth_token_opts = [
    (_base.AUTHTOKEN_GROUP, _OPTS + loading.get_auth_common_conf_options()),
]
# ``list_opts`` is the only public API of this module (it backs the
# 'oslo.config.opts' entry point); everything else is internal.
__all__ = (
    'list_opts',
)
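def list_opts():
    """Return the oslo_config options exposed by the auth_token middleware.

    The purpose of this is to allow tools like the Oslo sample config file
    generator to discover the options exposed to users by this middleware;
    the function is discoverable via the entry point
    'keystonemiddleware.auth_token' under the 'oslo.config.opts' namespace.

    The returned options are the ones registered on ``cfg.CONF`` at import
    time plus keystoneauth1's common auth options.  Options that
    ``_OPTS`` flags as ``deprecated_for_removal`` (for example ``auth_uri``)
    are deliberately still included -- see the NOTE at the top of the module
    for why they cannot simply be dropped -- and it is the generator, not this
    function, that renders their deprecation in the sample configuration.

    Each element of the list is a tuple. The first element is the name of the
    group under which the list of elements in the second element will be
    registered. A group name of None corresponds to the [DEFAULT] group in
    config files.

    :returns: a list of (group_name, opts) tuples.  The option objects are
        deep copies, so callers may mutate them without disturbing the
        ``_OPTS`` objects registered on ``cfg.CONF``.
    """
    # A distinct local name: the original reused ``auth_token_opts``, which
    # shadowed the module-level list of the same name and invited confusion
    # between the registered objects and these copies.
    opts = _OPTS + loading.get_auth_common_conf_options()
    return [(_base.AUTHTOKEN_GROUP, copy.deepcopy(opts))]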