remove keystone

etc/nova/api-paste.ini

@@ -22,15 +22,11 @@ use = egg:Paste#urlmap
 pipeline = logrequest ec2noauth cloudrequest authorizer ec2executor
 # NOTE(vish): use the following pipeline for deprecated auth
 #pipeline = logrequest authenticate cloudrequest authorizer ec2executor
-# NOTE(vish): use the following pipeline for keystone
-# pipeline = logrequest totoken authtoken keystonecontext cloudrequest authorizer ec2executor
 
 [pipeline:ec2admin]
 pipeline = logrequest ec2noauth adminrequest authorizer ec2executor
 # NOTE(vish): use the following pipeline for deprecated auth
 #pipeline = logrequest authenticate adminrequest authorizer ec2executor
-# NOTE(vish): use the following pipeline for keystone
-#pipeline = logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor
 
 [pipeline:ec2metadata]
 pipeline = logrequest ec2md
@@ -44,9 +40,6 @@ paste.filter_factory = nova.api.ec2:RequestLogging.factory
 [filter:ec2lockout]
 paste.filter_factory = nova.api.ec2:Lockout.factory
 
-[filter:totoken]
-paste.filter_factory = nova.api.ec2:ToToken.factory
-
 [filter:ec2noauth]
 paste.filter_factory = nova.api.ec2:NoAuth.factory
 
@@ -87,15 +80,11 @@ use = egg:Paste#urlmap
 pipeline = faultwrap noauth ratelimit osapiapp10
 # NOTE(vish): use the following pipeline for deprecated auth
 # pipeline = faultwrap auth ratelimit osapiapp10
-# NOTE(vish): use the following pipeline for keystone
-#pipeline = faultwrap authtoken keystonecontext ratelimit osapiapp10
 
 [pipeline:openstackapi11]
 pipeline = faultwrap noauth ratelimit extensions osapiapp11
 # NOTE(vish): use the following pipeline for deprecated auth
 # pipeline = faultwrap auth ratelimit extensions osapiapp11
-# NOTE(vish): use the following pipeline for keystone
-# pipeline = faultwrap authtoken keystonecontext ratelimit extensions osapiapp11
 
 [filter:faultwrap]
 paste.filter_factory = nova.api.openstack:FaultWrapper.factory
@@ -123,22 +112,3 @@ pipeline = faultwrap osversionapp
 
 [app:osversionapp]
 paste.app_factory = nova.api.openstack.versions:Versions.factory
-
-##########
-# Shared #
-##########
-
-[filter:keystonecontext]
-paste.filter_factory = nova.api.auth:KeystoneContext.factory
-
-[filter:authtoken]
-paste.filter_factory = keystone.middleware.auth_token:filter_factory
-service_protocol = http
-service_host = 127.0.0.1
-service_port = 808
-auth_host = 127.0.0.1
-auth_port = 5001
-auth_protocol = http
-auth_uri = http://127.0.0.1:5000/
-admin_token = 999888777666
-

nova/api/auth.py

@@ -43,34 +43,3 @@ class InjectContext(wsgi.Middleware):
     def __call__(self, req):
         req.environ['nova.context'] = self.context
         return self.application
-
-
-class KeystoneContext(wsgi.Middleware):
-    """Make a request context from keystone headers"""
-
-    @webob.dec.wsgify(RequestClass=wsgi.Request)
-    def __call__(self, req):
-        try:
-            user_id = req.headers['X_USER']
-        except KeyError:
-            return webob.exc.HTTPUnauthorized()
-        # get the roles
-        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
-        project_id = req.headers['X_TENANT']
-        # Get the auth token
-        auth_token = req.headers.get('X_AUTH_TOKEN',
-                                     req.headers.get('X_STORAGE_TOKEN'))
-
-        # Build a context, including the auth_token...
-        remote_address = getattr(req, 'remote_address', '127.0.0.1')
-        remote_address = req.remote_addr
-        if FLAGS.use_forwarded_for:
-            remote_address = req.headers.get('X-Forwarded-For', remote_address)
-        ctx = context.RequestContext(user_id,
-                                     project_id,
-                                     roles=roles,
-                                     auth_token=auth_token,
-                                     remote_address=remote_address)
-
-        req.environ['nova.context'] = ctx
-        return self.application

nova/api/ec2/__init__.py

@@ -142,54 +142,6 @@ class Lockout(wsgi.Middleware):
         return res
 
 
-class ToToken(wsgi.Middleware):
-    """Authenticate an EC2 request with keystone and convert to token."""
-
-    @webob.dec.wsgify(RequestClass=wsgi.Request)
-    def __call__(self, req):
-        # Read request signature and access id.
-        try:
-            signature = req.params['Signature']
-            access = req.params['AWSAccessKeyId']
-        except KeyError:
-            raise webob.exc.HTTPBadRequest()
-
-        # Make a copy of args for authentication and signature verification.
-        auth_params = dict(req.params)
-        # Not part of authentication args
-        auth_params.pop('Signature')
-
-        # Authenticate the request.
-        creds = {'ec2Credentials': {'access': access,
-                                    'signature': signature,
-                                    'host': req.host,
-                                    'verb': req.method,
-                                    'path': req.path,
-                                    'params': auth_params,
-                                   }}
-        creds_json = utils.dumps(creds)
-        headers = {'Content-Type': 'application/json'}
-        o = urlparse(FLAGS.keystone_ec2_url)
-        if o.scheme == "http":
-            conn = httplib.HTTPConnection(o.netloc)
-        else:
-            conn = httplib.HTTPSConnection(o.netloc)
-        conn.request('POST', o.path, body=creds_json, headers=headers)
-        response = conn.getresponse().read()
-        conn.close()
-
-        # NOTE(vish): We could save a call to keystone by
-        #             having keystone return token, tenant,
-        #             user, and roles from this call.
-        result = utils.loads(response)
-        # TODO(vish): check for errors
-
-        token_id = result['auth']['token']['id']
-        # Authenticated!
-        req.headers['X-Auth-Token'] = token_id
-        return self.application
-
-
 class NoAuth(wsgi.Middleware):
     """Add user:project as 'nova.context' to WSGI environ."""