openstack/nova
Code Issues Proposed changes

create noauth2

Browse Source 
This creates a noauth2 auth_strategy which is similar to noauth,
except it only gives you an admin context if the username passed in is
'admin'. This allows testing of non admin activities.

noauth is deprecated as of this commit. While we expect that it would
only be used in testing, it is exposed as a conf option, so could be
used behind a different auth proxy.

Also make the error path for pipeline loading contain a full
LOG.exception. This is a fatal condition for nova, and the current
error was often quite opaque. The full stack trace during this fatal
error makes addressing paste.ini issues much more straight forward.

DocImpact

Change-Id: I7cb5ab3e43a1e3bd7ccba0480053361743f859b2
This commit is contained in:
Sean Dague
2015-02-26 09:20:26 -05:00
parent a5b8f6d344
commit df9181e564
8 changed files with 69 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
nova/api/auth.py
View File

@@ -25,6 +25,7 @@ import webob.exc
from nova import context
from nova.i18n import _
from nova.openstack.common import versionutils
from nova import wsgi
@@ -36,7 +37,13 @@ auth_opts = [
'is removed from v3 api.'),
cfg.StrOpt('auth_strategy',
default='keystone',
help='The strategy to use for auth: noauth or keystone.'),
help='''
The strategy to use for auth: keystone, noauth (deprecated), or
noauth2. Both noauth and noauth2 are designed for testing only, as
they do no actual credential checking. noauth provides administrative
credentials regardless of the passed in user, noauth2 only does if
'admin' is specified as the username.
'''),
cfg.BoolOpt('use_forwarded_for',
default=False,
help='Treat X-Forwarded-For as the canonical remote address. '
@@ -60,6 +67,12 @@ def _load_pipeline(loader, pipeline):
def pipeline_factory(loader, global_conf, **local_conf):
"""A paste pipeline replica that keys off of auth_strategy."""
# TODO(sdague): remove deprecated noauth in Liberty
if CONF.auth_strategy == 'noauth':
versionutils.report_deprecated_feature(
LOG,
('The noauth middleware will be removed in Liberty.'
' noauth2 should be used instead.'))
pipeline = local_conf[CONF.auth_strategy]
if not CONF.api_rate_limit:
limit_name = CONF.auth_strategy + '_nolimit'