middleware Package

auth_token Module

TOKEN-BASED AUTH MIDDLEWARE

This WSGI component:

  • Verifies that incoming client requests have valid tokens by validating tokens with the auth service.
  • Rejects unauthenticated requests UNLESS it is in ‘delay_auth_decision’ mode, which means the final decision is delegated to the downstream WSGI component (usually the OpenStack service)
  • Collects and forwards identity information based on a valid token such as user name, tenant, etc

Refer to: http://keystone.openstack.org/middlewarearchitecture.html

HEADERS

  • Headers starting with HTTP_ are standard HTTP headers
  • Headers starting with HTTP_X are extended HTTP headers

Coming in from initial call from client or customer

HTTP_X_AUTH_TOKEN
The client token being passed in.
HTTP_X_STORAGE_TOKEN
The client token being passed in (legacy Rackspace use) to support swift/cloud files

Used for communication between components

WWW-Authenticate
HTTP header returned to a user indicating which endpoint to use to retrieve a new token

What we add to the request for use by the OpenStack service

HTTP_X_IDENTITY_STATUS
‘Confirmed’ or ‘Invalid’. The underlying service will only see a value of ‘Invalid’ if the middleware is configured to run in ‘delay_auth_decision’ mode
HTTP_X_TENANT_ID
Identity service managed unique identifier, string
HTTP_X_TENANT_NAME
Unique tenant identifier, string
HTTP_X_USER_ID
Identity-service managed unique identifier, string
HTTP_X_USER_NAME
Unique user identifier, string
HTTP_X_ROLES
Comma delimited list of case-sensitive Roles
HTTP_X_TENANT
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME. Keystone-assigned unique identifier, deprecated
HTTP_X_USER
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME. Unique user name, string
HTTP_X_ROLE
Deprecated in favor of HTTP_X_ROLES. This header is being renamed; the new header contains the same data.
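As an added example (not code from keystone's auth_token module), here is a minimal downstream WSGI app that consumes the headers listed above the way a service behind the middleware must when ‘delay_auth_decision’ is on: it trusts only HTTP_X_IDENTITY_STATUS ‘Confirmed’, treats HTTP_X_ROLES as comma-delimited and case-sensitive, and answers a rejected request with the WWW-Authenticate header pointing at a token endpoint. The auth_uri value and the exact WWW-Authenticate format are assumptions of this example.

```python
# Added example, not part of keystone.middleware.auth_token: a downstream WSGI app
# consuming the headers auth_token injects. With delay_auth_decision on, the app
# may see X-Identity-Status 'Invalid' and must make the final decision itself.
FIELDS = {'user_id': 'HTTP_X_USER_ID', 'user_name': 'HTTP_X_USER_NAME',
          'tenant_id': 'HTTP_X_TENANT_ID', 'tenant_name': 'HTTP_X_TENANT_NAME'}


def parse_roles(header_value):
    """Split the comma-delimited HTTP_X_ROLES value; roles are case-sensitive."""
    return {r.strip() for r in (header_value or '').split(',') if r.strip()}


def identity_from_environ(environ):
    """Identity dict from auth_token's headers, or None unless the middleware
    marked the token 'Confirmed' (a missing header is treated as Invalid)."""
    if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
        return None
    identity = {key: environ.get(header) for key, header in FIELDS.items()}
    identity['roles'] = parse_roles(environ.get('HTTP_X_ROLES'))
    return identity


def make_app(required_role, auth_uri):
    """WSGI app that requires `required_role`; auth_uri (hypothetical) is the
    token endpoint advertised via WWW-Authenticate when a request is rejected."""
    def app(environ, start_response):
        identity = identity_from_environ(environ)
        if identity is None:
            start_response('401 Unauthorized', [
                ('Content-Type', 'text/plain'),
                ('WWW-Authenticate', "Keystone uri='%s'" % auth_uri)])
            return [b'Authentication required']
        if required_role not in identity['roles']:
            start_response('403 Forbidden', [('Content-Type', 'text/plain')])
            return [b'Forbidden']
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [('Hello %(user_name)s (tenant %(tenant_name)s)' % identity).encode()]
    return app


def call(app, environ):
    """Invoke a WSGI app without a server; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured['status'], captured['headers'] = status, headers
    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body

# Constructed sample environ, as auth_token would leave it after a valid token.
SAMPLE_ENVIRON = {'HTTP_X_IDENTITY_STATUS': 'Confirmed', 'HTTP_X_USER_ID': 'u-1',
                  'HTTP_X_USER_NAME': 'alice', 'HTTP_X_TENANT_ID': 't-1',
                  'HTTP_X_TENANT_NAME': 'hellocorp', 'HTTP_X_ROLES': 'admin, Member'}
```

`call(make_app('admin', 'http://keystone.example:5000/v2.0'), SAMPLE_ENVIRON)` returns the 200 response; change HTTP_X_IDENTITY_STATUS to ‘Invalid’ or HTTP_X_ROLES to ‘Admin’ and the same app answers 401 or 403 respectively.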
class keystone.middleware.auth_token.AuthProtocol(app, conf)

Bases: object

Auth Middleware that handles authenticating client calls.

get_admin_token()

Return admin token, possibly fetching a new one.

Returns: admin token id
Raises: ServiceError when unable to retrieve token from keystone

exception keystone.middleware.auth_token.InvalidUserToken

Bases: exceptions.Exception

exception keystone.middleware.auth_token.ServiceError

Bases: exceptions.Exception

keystone.middleware.auth_token.app_factory(global_conf, **local_conf)
keystone.middleware.auth_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

core Module

class keystone.middleware.core.AdminTokenAuthMiddleware(application)

Bases: keystone.common.wsgi.Middleware

A trivial filter that checks for a pre-defined admin token.

Sets ‘is_admin’ to true in the context, expected to be checked by methods that are admin-only.

process_request(request)
class keystone.middleware.core.JsonBodyMiddleware(application)

Bases: keystone.common.wsgi.Middleware

Middleware to allow method arguments to be passed as serialized JSON.

Accepting arguments as JSON is useful for accepting data that may be more complex than simple primitives.

In this case we accept it as urlencoded data under the key ‘json’ as in json=<urlencoded_json> but this could be extended to accept raw JSON in the POST body.

Filters out the parameters self, context and anything beginning with an underscore.

process_request(request)
class keystone.middleware.core.NormalizingFilter(application)

Bases: keystone.common.wsgi.Middleware

Middleware filter to handle URL normalization.

process_request(request)

Normalizes URLs.

class keystone.middleware.core.PostParamsMiddleware(application)

Bases: keystone.common.wsgi.Middleware

Middleware to allow method arguments to be passed as POST parameters.

Filters out the parameters self, context and anything beginning with an underscore.

process_request(request)
class keystone.middleware.core.TokenAuthMiddleware(application)

Bases: keystone.common.wsgi.Middleware

process_request(request)
class keystone.middleware.core.XmlBodyMiddleware(application)

Bases: keystone.common.wsgi.Middleware

De/serializes XML to/from JSON.

process_request(request)

Transform the request from XML to JSON.

process_response(request, response)

Transform the response from JSON to XML.

ec2_token Module

s3_token Module

S3 TOKEN MIDDLEWARE

This WSGI component:

  • Receives a request from the swift3 middleware carrying an S3 Authorization access key.
  • Validates the S3 token with Keystone.
  • Transforms the account name to AUTH_%(tenant_name).
class keystone.middleware.s3_token.S3Token(app, conf)

Bases: object

Auth Middleware that handles S3 authenticating client calls.

deny_request(code)
exception keystone.middleware.s3_token.ServiceError

Bases: exceptions.Exception

keystone.middleware.s3_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

swift_auth Module

class keystone.middleware.swift_auth.SwiftAuth(app, conf)

Bases: object

Swift middleware that authorizes requests against the Keystone identity system.

In Swift’s proxy-server.conf add this middleware to your pipeline:

[pipeline:main]
pipeline = catch_errors cache authtoken keystone proxy-server

Make sure you have the authtoken middleware before the swiftauth middleware. authtoken will take care of validating the user and swiftauth will authorize access. If support is required for unvalidated users (as with anonymous access) or for tempurl/formpost middleware, authtoken will need to be configured with delay_auth_decision set to 1. See the documentation for more detail on how to configure the authtoken middleware.

Set account auto creation to true:

[app:proxy-server]
account_autocreate = true

And add a swift authorization filter section, such as:

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, swiftoperator

This maps tenants to accounts in Swift.

The users able to set ACLs and create containers are those holding one of the roles listed in the operator_roles setting, which by default includes the admin and swiftoperator roles.

If the option is_admin is set to true, a user whose name matches the account name becomes the owner of that account.

Example: if we have an account called hellocorp with a user hellocorp, that user will be admin on that account and can grant ACLs to all other users for hellocorp.

If you need a different reseller_prefix to be able to mix different auth servers, you can configure the reseller_prefix option in your swiftauth entry like this:

reseller_prefix = NEWAUTH_

Make sure you have an underscore at the end of your new reseller_prefix option.

Parameters:
  • app – The next WSGI app in the pipeline
  • conf – The dict of configuration values
authorize(req)
authorize_anonymous(req)

Authorize an anonymous request.

Returns: None if authorization is granted, an error page otherwise.
denied_response(req)

Deny WSGI Response.

Returns a standard WSGI response callable with the status of 403 or 401 depending on whether the REMOTE_USER is set or not.
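The account and role rules described in the SwiftAuth docstring, together with the 403-or-401 choice of denied_response, as an added stand-alone example (not keystone's swift_auth code). It assumes authtoken has already validated the token and set the X-Tenant-Name, X-User-Name and X-Roles headers; where REMOTE_USER gets set is this example's own choice, and the tenant-to-account mapping is the same AUTH_%(tenant_name) form the s3_token module produces.

```python
# Added example, not keystone's swift_auth code: the account and role checks the
# SwiftAuth docstring describes, as stand-alone functions. It assumes auth_token
# already validated the token and set the X-Tenant-Name/X-User-Name/X-Roles
# headers; where REMOTE_USER is set is an assumption of this example.
DEFAULTS = {'operator_roles': 'admin, swiftoperator',
            'reseller_prefix': 'AUTH_', 'is_admin': 'false'}


def parse_conf(conf):
    """Normalise the [filter:keystone] options; the reseller_prefix must end
    with an underscore, so one is appended if it was left off."""
    merged = dict(DEFAULTS, **conf)
    prefix = merged['reseller_prefix']
    if not prefix.endswith('_'):
        prefix += '_'
    return {
        'operator_roles': {r.strip() for r in merged['operator_roles'].split(',') if r.strip()},
        'reseller_prefix': prefix,
        'is_admin': str(merged['is_admin']).lower() == 'true',
    }


def account_for_tenant(tenant_name, conf):
    """Tenants map to Swift accounts as <reseller_prefix><tenant_name>, the same
    AUTH_%(tenant_name) form s3_token produces."""
    return conf['reseller_prefix'] + tenant_name


def denied_status(environ):
    """Mirror denied_response: 403 once a user is known (REMOTE_USER set),
    401 otherwise so the client knows it still has to authenticate."""
    return '403 Forbidden' if environ.get('REMOTE_USER') else '401 Unauthorized'


def authorize(environ, account, conf):
    """Return None if the caller may operate on `account`, else the denial status."""
    if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
        return denied_status(environ)  # delay_auth_decision let an invalid token through
    tenant = environ.get('HTTP_X_TENANT_NAME', '')
    user = environ.get('HTTP_X_USER_NAME', '')
    roles = {r.strip() for r in environ.get('HTTP_X_ROLES', '').split(',') if r.strip()}
    environ['REMOTE_USER'] = '%s:%s' % (tenant, user)  # identity known: later denials are 403
    if account != account_for_tenant(tenant, conf):
        return denied_status(environ)  # token is for another tenant or another auth server's prefix
    if roles & conf['operator_roles']:
        return None  # operator role may set ACLs / create containers
    if conf['is_admin'] and user == tenant:
        return None  # e.g. user hellocorp owns account AUTH_hellocorp
    return denied_status(environ)
```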

keystone.middleware.swift_auth.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.