Allow special paths to not require keystone auth

Closes-Bug: #1704468 Co-Authored-By: Michael Johnson <johnsomor@gmail.com> Change-Id: Ica502ebc4673a549e1e38aa05d5a0fafb842093d
2017-07-24 15:34:53 -06:00 · 2017-07-24 15:34:53 -06:00 · 270bf5aea8
parent 73d4f356e4
commit 270bf5aea8
2 changed files with 32 additions and 2 deletions
--- a/octavia/api/app.py
+++ b/octavia/api/app.py
@ -12,7 +12,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-from keystonemiddleware import auth_token
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_middleware import cors
@ -21,6 +20,7 @@ import pecan

 from octavia.api import config as app_config
 from octavia.common import constants
+from octavia.common import keystone
 from octavia.common import service as octavia_service

 LOG = logging.getLogger(__name__)
@ -54,7 +54,7 @@ def _wrap_app(app):
    """Wraps wsgi app with additional middlewares."""
    app = request_id.RequestId(app)
    if cfg.CONF.api_settings.auth_strategy == constants.KEYSTONE:
-        app = auth_token.AuthProtocol(app, {})
+        app = keystone.SkippingAuthProtocol(app, {})

    # This should be the last middleware in the list (which results in
    # it being the first in the middleware chain). This is to ensure
--- a/octavia/common/keystone.py
+++ b/octavia/common/keystone.py
@ -13,8 +13,14 @@
 #    under the License.

 from keystoneauth1 import loading as ks_loading
+from keystonemiddleware import auth_token
 from octavia.common import constants
 from oslo_config import cfg
+from oslo_log import log as logging
+
+LOG = logging.getLogger(__name__)
+
+_NOAUTH_PATHS = ['/', '/load-balancer/']


 class KeystoneSession(object):
@ -38,3 +44,27 @@ class KeystoneSession(object):
                cfg.CONF, self.section, auth=self._auth)

        return self._session
+
+
+class SkippingAuthProtocol(auth_token.AuthProtocol):
+    """SkippingAuthProtocol to reach special endpoints
+
+    Bypasses keystone authentication for special request paths, such
+    as the api version discovery path.
+
+    Note:
+        SkippingAuthProtocol is lean customization
+        of :py:class:`keystonemiddleware.auth_token.AuthProtocol`
+        that disables keystone communication if the request path
+        is in the _NOAUTH_PATHS list.
+
+    """
+
+    def process_request(self, request):
+        path = request.path
+        if path in _NOAUTH_PATHS:
+            LOG.info(('Request path is %s and it does not require keystone '
+                      'authentication'), path)
+            return None  # return NONE to reach actual logic
+
+        return super(SkippingAuthProtocol, self).process_request(request)