Opt-out of service catalog

Introducing a config option 'include_service_catalog' to indicate whether service catalog is needed. If the 'include_service_catalog' option is set to False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header. This option is backward compatible as it is default to True. DocImpact Fixed bug 1228317 Change-Id: Id8c410a7ae0443ac425d20cb9c6a24ee5bb2cb8d
2013-10-11 14:08:57 -07:00
parent b89d28663e
commit a97b293501
3 changed files with 32 additions and 5 deletions
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@@ -141,6 +141,8 @@ a WSGI component. Example for the auth_token middleware::
    ;Uncomment next 2 lines if Keystone server is validating client cert
    ;certfile = <path to middleware public cert>
    ;keyfile = <path to middleware private cert>
+    ;Uncomment next line to opt-out of service catalog
+    ;include_service_catalog = False

 For services which have separate paste-deploy ini file, auth_token middleware
 can be alternatively configured in [keystone_authtoken] section in the main
@@ -197,6 +199,10 @@ Configuration Options
  encoded CA file/bundle that will be used to verify HTTPS connections.
 * ``insecure``: (optional, default `False`) Don't verify HTTPS connections
  (overrides `cafile`).
+* ``include_service_catalog``: (optional, default `True`) Indicate whether to
+  set the X-Service-Catalog header. If False, middleware will not ask for
+  service catalog on token validation and will not set the X-Service-Catalog
+  header.

 Caching for improved response
 -----------------------------
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -291,7 +291,13 @@ opts = [
               default=None,
               secret=True,
               help='(optional, mandatory if memcache_security_strategy is'
-               ' defined) this string is used for key derivation.')
+               ' defined) this string is used for key derivation.'),
+    cfg.BoolOpt('include_service_catalog',
+                default=True,
+                help='(optional) indicate whether to set the X-Service-Catalog'
+                ' header. If False, middleware will not ask for service'
+                ' catalog on token validation and will not set the'
+                ' X-Service-Catalog header.')
 ]
 CONF.register_opts(opts, group='keystone_authtoken')

@@ -461,6 +467,9 @@ class AuthProtocol(object):
        self.http_request_max_retries = \
            self._conf_get('http_request_max_retries')

+        self.include_service_catalog = self._conf_get(
+            'include_service_catalog')
+
    def _assert_valid_memcache_protection_config(self):
        if self._memcache_security_strategy:
            if self._memcache_security_strategy not in ('MAC', 'ENCRYPT'):
@@ -921,11 +930,9 @@ class AuthProtocol(object):
        self.LOG.debug("Received request from user: %s with project_id : %s"
                       " and roles: %s ", user_id, project_id, roles)

-        try:
+        if self.include_service_catalog and catalog_key in catalog_root:
            catalog = catalog_root[catalog_key]
            rval['X-Service-Catalog'] = jsonutils.dumps(catalog)
-        except KeyError:
-            pass

        return rval

@@ -1090,9 +1097,13 @@ class AuthProtocol(object):
        if self.auth_version == 'v3.0':
            headers = {'X-Auth-Token': self.get_admin_token(),
                       'X-Subject-Token': safe_quote(user_token)}
+            path = '/v3/auth/tokens'
+            if not self.include_service_catalog:
+                # NOTE(gyee): only v3 API support this option
+                path = path + '?nocatalog'
            response, data = self._json_request(
                'GET',
-                '/v3/auth/tokens',
+                path,
                additional_headers=headers)
        else:
            headers = {'X-Auth-Token': self.get_admin_token()}
--- a/keystoneclient/tests/test_auth_token_middleware.py
+++ b/keystoneclient/tests/test_auth_token_middleware.py
@@ -418,6 +418,8 @@ class CommonAuthTokenMiddlewareTest(object):
        self.assertEqual(self.response_status, 200)
        if with_catalog:
            self.assertTrue(req.headers.get('X-Service-Catalog'))
+        else:
+            self.assertNotIn('X-Service-Catalog', req.headers)
        self.assertEqual(body, ['SUCCESS'])
        self.assertTrue('keystone.token_info' in req.environ)

@@ -845,6 +847,14 @@ class CommonAuthTokenMiddlewareTest(object):

        self.assertEqual(mock_obj.call_count, times_retry)

+    def test_nocatalog(self):
+        conf = {
+            'include_service_catalog': False
+        }
+        self.set_middleware(conf=conf)
+        self.assert_valid_request_200(self.token_dict['uuid_token_default'],
+                                      with_catalog=False)
+

 class CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest):
    def setUp(self):