Allow special paths to not require keystone auth
Closes-Bug: #1704468 Co-Authored-By: Michael Johnson <johnsomor@gmail.com> Change-Id: Ica502ebc4673a549e1e38aa05d5a0fafb842093d
parent
73d4f356e4
commit
270bf5aea8
|
@ -12,7 +12,6 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from keystonemiddleware import auth_token
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_middleware import cors
|
||||
|
@ -21,6 +20,7 @@ import pecan
|
|||
|
||||
from octavia.api import config as app_config
|
||||
from octavia.common import constants
|
||||
from octavia.common import keystone
|
||||
from octavia.common import service as octavia_service
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
@ -54,7 +54,7 @@ def _wrap_app(app):
|
|||
"""Wraps wsgi app with additional middlewares."""
|
||||
app = request_id.RequestId(app)
|
||||
if cfg.CONF.api_settings.auth_strategy == constants.KEYSTONE:
|
||||
app = auth_token.AuthProtocol(app, {})
|
||||
app = keystone.SkippingAuthProtocol(app, {})
|
||||
|
||||
# This should be the last middleware in the list (which results in
|
||||
# it being the first in the middleware chain). This is to ensure
|
||||
|
|
|
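Review bot: Nothing at the `_wrap_app` call site tells a reader that `keystone.SkippingAuthProtocol` lets some requests through without a validated token, so middleware or hooks added here later may wrongly assume every request behind this line is authenticated. A comment above the assignment would cover it, for example `# NOTE: requests for keystone._NOAUTH_PATHS bypass token validation; code behind this middleware must not assume an authenticated context.` The body of `_wrap_app` continues past the end of this hunk, so the rest of the middleware chain was not reviewed.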
@ -13,8 +13,14 @@
|
|||
# under the License.
|
||||
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
from keystonemiddleware import auth_token
|
||||
from octavia.common import constants
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
_NOAUTH_PATHS = ['/', '/load-balancer/']
|
||||
|
||||
|
||||
class KeystoneSession(object):
|
||||
|
@ -38,3 +44,27 @@ class KeystoneSession(object):
|
|||
cfg.CONF, self.section, auth=self._auth)
|
||||
|
||||
return self._session
|
||||
|
||||
|
||||
class SkippingAuthProtocol(auth_token.AuthProtocol):
|
||||
"""SkippingAuthProtocol to reach special endpoints
|
||||
|
||||
Bypasses keystone authentication for special request paths, such
|
||||
as the api version discovery path.
|
||||
|
||||
Note:
|
||||
SkippingAuthProtocol is lean customization
|
||||
of :py:class:`keystonemiddleware.auth_token.AuthProtocol`
|
||||
that disables keystone communication if the request path
|
||||
is in the _NOAUTH_PATHS list.
|
||||
|
||||
"""
|
||||
|
||||
def process_request(self, request):
|
||||
path = request.path
|
||||
if path in _NOAUTH_PATHS:
|
||||
LOG.info(('Request path is %s and it does not require keystone '
|
||||
'authentication'), path)
|
||||
return None # return NONE to reach actual logic
|
||||
|
||||
return super(SkippingAuthProtocol, self).process_request(request)
|
||||
|
|
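Review bot: The early `return None` in `process_request` skips everything the parent `AuthProtocol.process_request` does, and in keystonemiddleware (not shown on this page) that includes clearing client-supplied identity headers such as `X-Identity-Status`, `X-User-Id` and `X-Roles`. For the two entries in `_NOAUTH_PATHS` those headers now reach the application exactly as the client sent them, so any hook or handler on those routes that reads them would be trusting unverified input. Calling `request.remove_auth_headers()` just before `return None` keeps the bypass while preserving that sanitisation. The `LOG.info` call also fires on every anonymous request to `/`, which lets unauthenticated clients and health probes fill the log, so `LOG.debug` is the better level. The exact-match test `path in _NOAUTH_PATHS` fails closed for any other spelling of the path and should stay an exact match rather than become a prefix test.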