Make quantum pipeline configurable from quantum.conf.

Fixes bug 1029313.

The current api-paste.ini does not provide a way to choose a pipeline:
there is no way to switching a pipeline between keystone-enabled and
noauth pipelines without modifying the pipeline directly.

This commit introduces 'auth_strategy' flag to quantum.conf and
a pipeline used is determined depending on the flag. Supported values for
this flag are 'keystone' (default) and 'noauth' at the moment.

Change-Id: Ieafaf31eaaec2b02727ed5d3bd36c907e50aee5b

etc/api-paste.ini

@@ -5,26 +5,20 @@ use = egg:Paste#urlmap
 /v1.1: quantumapi_v1_1
 /v2.0: quantumapi_v2_0
 
-[pipeline:quantumapi_v1_0]
-# By default, authentication is disabled.
-# To enable Keystone integration comment out the
-# following line and uncomment the next one
-pipeline = extensions quantumapiapp_v1_0
-# pipeline = authtoken keystonecontext extensions quantumapiapp_v1_0
+[composite:quantumapi_v1_0]
+use = call:quantum.auth:pipeline_factory
+noauth = extensions quantumapiapp_v1_0
+keystone = authtoken keystonecontext extensions quantumapiapp_v1_0
 
-[pipeline:quantumapi_v1_1]
-# By default, authentication is disabled.
-# To enable Keystone integration comment out the
-# following line and uncomment the next one
-pipeline = extensions quantumapiapp_v1_1
-# pipeline = authtoken keystonecontext extensions quantumapiapp_v1_1
+[composite:quantumapi_v1_1]
+use = call:quantum.auth:pipeline_factory
+noauth = extensions quantumapiapp_v1_1
+keystone = authtoken keystonecontext extensions quantumapiapp_v1_1
 
-[pipeline:quantumapi_v2_0]
-# By default, authentication is disabled.
-# To enable Keystone integration comment out the
-# following line and uncomment the next one
-pipeline = extensions quantumapiapp_v2_0
-# pipeline = authtoken keystonecontext extensions quantumapiapp_v2_0
+[composite:quantumapi_v2_0]
+use = call:quantum.auth:pipeline_factory
+noauth = extensions quantumapiapp_v2_0
+keystone = authtoken keystonecontext extensions quantumapiapp_v2_0
 
 [filter:keystonecontext]
 paste.filter_factory = quantum.auth:QuantumKeystoneContext.factory

etc/quantum.conf

@@ -24,6 +24,10 @@ core_plugin = quantum.plugins.sample.SamplePlugin.FakePlugin
 # Paste configuration file
 api_paste_config = api-paste.ini
 
+# The strategy to be used for auth.
+# Supported values are 'keystone'(default), 'noauth'.
+# auth_strategy = keystone
+
 # Base MAC address. The first 3 bytes will remain unchanged. The
 # lower 3 bytes will be randomly generated.
 # base_mac = fa:16:3e:00:00:00

quantum/auth.py

@@ -21,6 +21,7 @@ import webob.exc
 
 from quantum import context
 from quantum import wsgi
+from quantum.openstack.common import cfg
 
 
 LOG = logging.getLogger(__name__)
@@ -50,3 +51,15 @@ class QuantumKeystoneContext(wsgi.Middleware):
         req.environ['quantum.context'] = ctx
 
         return self.application
+
+
+def pipeline_factory(loader, global_conf, **local_conf):
+    """Create a paste pipeline based on the 'auth_strategy' config option."""
+    pipeline = local_conf[cfg.CONF.auth_strategy]
+    pipeline = pipeline.split()
+    filters = [loader.get_filter(n) for n in pipeline[:-1]]
+    app = loader.get_app(pipeline[-1])
+    filters.reverse()
+    for filter in filters:
+        app = filter(app)
+    return app

quantum/common/config.py

@@ -32,12 +32,13 @@ from quantum.version import version_string
 
 LOG = logging.getLogger(__name__)
 
-bind_opts = [
+core_opts = [
     cfg.StrOpt('bind_host', default='0.0.0.0'),
     cfg.IntOpt('bind_port', default=9696),
     cfg.StrOpt('api_paste_config', default="api-paste.ini"),
     cfg.StrOpt('api_extensions_path', default=""),
     cfg.StrOpt('policy_file', default="policy.json"),
+    cfg.StrOpt('auth_strategy', default='keystone'),
     cfg.StrOpt('core_plugin',
                default='quantum.plugins.sample.SamplePlugin.FakePlugin'),
     cfg.StrOpt('base_mac', default="fa:16:3e:00:00:00"),
@@ -45,7 +46,7 @@ bind_opts = [
 ]
 
 # Register the configuration options
-cfg.CONF.register_opts(bind_opts)
+cfg.CONF.register_opts(core_opts)
 
 
 def parse(args):