Opt-out of service catalog

Introducing a config option 'include_service_catalog' to indicate whether
service catalog is needed. If the 'include_service_catalog' option is set to
False, middleware will not ask for service catalog on token validation and will
not set the X-Service-Catalog header.

This option is backward compatible as it defaults to True.

DocImpact
Fixed bug 1228317

Change-Id: Id8c410a7ae0443ac425d20cb9c6a24ee5bb2cb8d
guang-yee
2013-10-11 14:08:57 -07:00
parent b89d28663e
commit a97b293501
3 changed files with 32 additions and 5 deletions


@@ -141,6 +141,8 @@ a WSGI component. Example for the auth_token middleware::
;Uncomment next 2 lines if Keystone server is validating client cert ;Uncomment next 2 lines if Keystone server is validating client cert
;certfile = <path to middleware public cert> ;certfile = <path to middleware public cert>
;keyfile = <path to middleware private cert> ;keyfile = <path to middleware private cert>
;Uncomment next line to opt-out of service catalog
;include_service_catalog = False
For services which have separate paste-deploy ini file, auth_token middleware For services which have separate paste-deploy ini file, auth_token middleware
can be alternatively configured in [keystone_authtoken] section in the main can be alternatively configured in [keystone_authtoken] section in the main
@@ -197,6 +199,10 @@ Configuration Options
encoded CA file/bundle that will be used to verify HTTPS connections. encoded CA file/bundle that will be used to verify HTTPS connections.
* ``insecure``: (optional, default `False`) Don't verify HTTPS connections * ``insecure``: (optional, default `False`) Don't verify HTTPS connections
(overrides `cafile`). (overrides `cafile`).
* ``include_service_catalog``: (optional, default `True`) Indicate whether to
set the X-Service-Catalog header. If False, middleware will not ask for
service catalog on token validation and will not set the X-Service-Catalog
header.
Caching for improved response Caching for improved response
----------------------------- -----------------------------


@@ -291,7 +291,13 @@ opts = [
default=None, default=None,
secret=True, secret=True,
help='(optional, mandatory if memcache_security_strategy is' help='(optional, mandatory if memcache_security_strategy is'
' defined) this string is used for key derivation.') ' defined) this string is used for key derivation.'),
cfg.BoolOpt('include_service_catalog',
default=True,
help='(optional) indicate whether to set the X-Service-Catalog'
' header. If False, middleware will not ask for service'
' catalog on token validation and will not set the'
' X-Service-Catalog header.')
] ]
CONF.register_opts(opts, group='keystone_authtoken') CONF.register_opts(opts, group='keystone_authtoken')
@@ -461,6 +467,9 @@ class AuthProtocol(object):
self.http_request_max_retries = \ self.http_request_max_retries = \
self._conf_get('http_request_max_retries') self._conf_get('http_request_max_retries')
self.include_service_catalog = self._conf_get(
'include_service_catalog')
def _assert_valid_memcache_protection_config(self): def _assert_valid_memcache_protection_config(self):
if self._memcache_security_strategy: if self._memcache_security_strategy:
if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'): if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'):
@@ -921,11 +930,9 @@ class AuthProtocol(object):
self.LOG.debug("Received request from user: %s with project_id : %s" self.LOG.debug("Received request from user: %s with project_id : %s"
" and roles: %s ", user_id, project_id, roles) " and roles: %s ", user_id, project_id, roles)
try: if self.include_service_catalog and catalog_key in catalog_root:
catalog = catalog_root[catalog_key] catalog = catalog_root[catalog_key]
rval['X-Service-Catalog'] = jsonutils.dumps(catalog) rval['X-Service-Catalog'] = jsonutils.dumps(catalog)
except KeyError:
pass
return rval return rval
@@ -1090,9 +1097,13 @@ class AuthProtocol(object):
if self.auth_version == 'v3.0': if self.auth_version == 'v3.0':
headers = {'X-Auth-Token': self.get_admin_token(), headers = {'X-Auth-Token': self.get_admin_token(),
'X-Subject-Token': safe_quote(user_token)} 'X-Subject-Token': safe_quote(user_token)}
path = '/v3/auth/tokens'
if not self.include_service_catalog:
# NOTE(gyee): only v3 API support this option
path = path + '?nocatalog'
response, data = self._json_request( response, data = self._json_request(
'GET', 'GET',
'/v3/auth/tokens', path,
additional_headers=headers) additional_headers=headers)
else: else:
headers = {'X-Auth-Token': self.get_admin_token()} headers = {'X-Auth-Token': self.get_admin_token()}
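Review bot: `self.include_service_catalog = self._conf_get('include_service_catalog')` in the @@ -461 hunk stores the raw value, and if `_conf_get` (defined outside this diff) returns paste-deploy values as strings rather than converting them by option type, then `include_service_catalog = False` in the ini file — the exact form the docs example shows — would be the non-empty string `'False'`, which is truthy, so the catalog would still be emitted. Either confirm `_conf_get` coerces via the registered `BoolOpt`, or normalise at assignment (treat a string value as true only when it case-insensitively equals `'true'`), and add a test that feeds the string form. Separately, the option's help text and the docs say the middleware "will not ask for service catalog on token validation", but the `?nocatalog` query in the @@ -1090 hunk is only appended on the v3 branch, so under v2 the catalog is still fetched and merely omitted from the header; the help string would be more accurate as `' X-Service-Catalog header (the catalog is only omitted from the validation request itself on the v3 API).'`. The v2 branch and the enclosing method continue past the hunk.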


@@ -418,6 +418,8 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual(self.response_status, 200) self.assertEqual(self.response_status, 200)
if with_catalog: if with_catalog:
self.assertTrue(req.headers.get('X-Service-Catalog')) self.assertTrue(req.headers.get('X-Service-Catalog'))
else:
self.assertNotIn('X-Service-Catalog', req.headers)
self.assertEqual(body, ['SUCCESS']) self.assertEqual(body, ['SUCCESS'])
self.assertTrue('keystone.token_info' in req.environ) self.assertTrue('keystone.token_info' in req.environ)
@@ -845,6 +847,14 @@ class CommonAuthTokenMiddlewareTest(object):
self.assertEqual(mock_obj.call_count, times_retry) self.assertEqual(mock_obj.call_count, times_retry)
def test_nocatalog(self):
conf = {
'include_service_catalog': False
}
self.set_middleware(conf=conf)
self.assert_valid_request_200(self.token_dict['uuid_token_default'],
with_catalog=False)
class CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest): class CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest):
def setUp(self): def setUp(self):
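Review bot: `test_nocatalog` only asserts that `X-Service-Catalog` is absent from the request headers; it does not check that the v3 validation request was sent with `?nocatalog`, which is the other half of what the option promises, and it passes the option as a Python `False` rather than the string form an ini file would produce. If the fake HTTP helper used by `set_middleware` records requested paths (it is outside this diff), a second assertion on the validation path for the v3 variant, plus a sibling test using `conf = {'include_service_catalog': 'False'}`, would pin both behaviours. The body of `assert_valid_request_200` begins outside the first hunk.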