Revert "Support service user and project in non-default domain"

This case can be handled by default/design by using a v3 authentication
plugin. The values also don't make sense for v2 authentication.

Having them here means extra values to support in the default case.

There has not been a release with this patch.

This reverts commit bb00caf15b.
Related-bug: #1372142

Change-Id: I690f39284010906a0171178511729749ccc566b8
Jamie Lennox 2014-10-20 10:27:00 +02:00
parent 89eddf54ee
commit 3b5c93f864
4 changed files with 6 additions and 90 deletions


@ -167,12 +167,6 @@ a WSGI component. Example for the auth_token middleware:
# Keystone account username (string value) # Keystone account username (string value)
#admin_user=<None> #admin_user=<None>
# Keystone service account user domain ID. (string value)
#admin_user_domain_id=<None>
# Keystone service account user domain name. (string value)
#admin_user_domain_name=<None>
# Keystone account password (string value) # Keystone account password (string value)
admin_password=SuperSekretPassword admin_password=SuperSekretPassword
@ -180,12 +174,6 @@ a WSGI component. Example for the auth_token middleware:
# (string value) # (string value)
#admin_tenant_name=admin #admin_tenant_name=admin
# Keystone service account project domain ID. (string value)
#admin_project_domain_id=<None>
# Keystone service account project domain name. (string value)
#admin_project_domain_name=<None>
# Env key for the swift cache (string value) # Env key for the swift cache (string value)
#cache=<None> #cache=<None>
@ -309,15 +297,10 @@ Configuration Options
* ``admin_token``: either this or the following three options are required. If * ``admin_token``: either this or the following three options are required. If
set, this is a single shared secret with the keystone configuration used to set, this is a single shared secret with the keystone configuration used to
validate tokens. validate tokens.
* ``admin_user``, ``admin_user_domain_name``, ``admin_user_domain_id``, * ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
``admin_password``, ``admin_tenant_name``, ``admin_project_domain_id``, is not set, or invalid, then admin_user, admin_password, and
``admin_project_domain_name``: if ``admin_token`` admin_tenant_name are defined as a service account which is expected to have
is not set, or invalid, then ``admin_user``, ``admin_password``, and been previously configured in Keystone to validate user tokens.
``admin_tenant_name`` are defined as a service account which is expected to
have been previously configured in Keystone to validate user tokens. If the
service user isn't in the default domain, set ``admin_user_domain_name`` or
``admin_user_domain_id``. If the service project isn't in the default domain,
set ``admin_project_domain_id`` or ``admin_project_domain_name``.
* ``cache``: (optional) Env key for the swift cache * ``cache``: (optional) Env key for the swift cache


@ -175,7 +175,6 @@ import time
from keystoneclient import access from keystoneclient import access
from keystoneclient.auth.identity import base as base_identity from keystoneclient.auth.identity import base as base_identity
from keystoneclient.auth.identity import v2 from keystoneclient.auth.identity import v2
from keystoneclient.auth.identity import v3
from keystoneclient.auth import token_endpoint from keystoneclient.auth import token_endpoint
from keystoneclient.common import cms from keystoneclient.common import cms
from keystoneclient import exceptions from keystoneclient import exceptions
@ -272,10 +271,6 @@ _OPTS = [
' instead.'), ' instead.'),
cfg.StrOpt('admin_user', cfg.StrOpt('admin_user',
help='Keystone account username'), help='Keystone account username'),
cfg.StrOpt('admin_user_domain_id',
help='Keystone service account user domain ID.'),
cfg.StrOpt('admin_user_domain_name',
help='Keystone service account user domain name.'),
cfg.StrOpt('admin_password', cfg.StrOpt('admin_password',
secret=True, secret=True,
help='Keystone account password'), help='Keystone account password'),
@ -283,10 +278,6 @@ _OPTS = [
default='admin', default='admin',
help='Keystone service account tenant name to validate' help='Keystone service account tenant name to validate'
' user tokens'), ' user tokens'),
cfg.StrOpt('admin_project_domain_id',
help='Keystone service account project domain ID.'),
cfg.StrOpt('admin_project_domain_name',
help='Keystone service account project domain name.'),
cfg.StrOpt('cache', cfg.StrOpt('cache',
default=None, default=None,
help='Env key for the swift cache'), help='Env key for the swift cache'),
@ -1241,37 +1232,21 @@ class AuthProtocol(object):
# of this can be changed when we get keystoneclient 0.10. For now this # of this can be changed when we get keystoneclient 0.10. For now this
# hardcoded path is EXACTLY the same as the original auth_token did. # hardcoded path is EXACTLY the same as the original auth_token did.
auth_url = '%s/v2.0' % self._identity_uri auth_url = '%s/v2.0' % self._identity_uri
auth_plugin = None
admin_token = self._conf_get('admin_token') admin_token = self._conf_get('admin_token')
admin_user_domain_id = self._conf_get('admin_user_domain_id')
admin_user_domain_name = self._conf_get('admin_user_domain_name')
if admin_token: if admin_token:
self._LOG.warning( self._LOG.warning(
"The admin_token option in the auth_token middleware is " "The admin_token option in the auth_token middleware is "
"deprecated and should not be used. The admin_user and " "deprecated and should not be used. The admin_user and "
"admin_password options should be used instead. The " "admin_password options should be used instead. The "
"admin_token option may be removed in a future release.") "admin_token option may be removed in a future release.")
auth_plugin = token_endpoint.Token(auth_url, admin_token) sess.auth = token_endpoint.Token(auth_url, admin_token)
elif admin_user_domain_id or admin_user_domain_name:
auth_url = '%s/v3' % self._identity_uri
project_domain_name = self._conf_get('admin_project_domain_name')
auth_plugin = v3.Password(
auth_url,
username=self._conf_get('admin_user'),
user_domain_id=admin_user_domain_id,
user_domain_name=admin_user_domain_name,
password=self._conf_get('admin_password'),
project_name=self._conf_get('admin_tenant_name'),
project_domain_id=self._conf_get('admin_project_domain_id'),
project_domain_name=project_domain_name)
else: else:
auth_plugin = v2.Password( sess.auth = v2.Password(
auth_url, auth_url,
username=self._conf_get('admin_user'), username=self._conf_get('admin_user'),
password=self._conf_get('admin_password'), password=self._conf_get('admin_password'),
tenant_name=self._conf_get('admin_tenant_name')) tenant_name=self._conf_get('admin_tenant_name'))
sess.auth = auth_plugin
return sess return sess
def _identity_server_factory(self): def _identity_server_factory(self):
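Review bot: In the `else:` branch of the last hunk, `v2.Password` is built from `admin_user` and `admin_password` without checking that either is set, so a configuration with neither `admin_token` nor service credentials appears to fail only at the first token validation rather than at startup (unless a check exists outside this hunk). Consider failing early, or at least logging a warning, e.g. `if not (self._conf_get('admin_user') and self._conf_get('admin_password')): raise ConfigurationError('admin_user and admin_password are required when admin_token is not set')`. With the domain options gone, a comment above `auth_url = '%s/v2.0' % self._identity_uri` such as `# v2 only: a service user or project in a non-default domain needs a v3 auth plugin` would record the limitation the commit message describes. The enclosing method starts outside the hunk, so its session setup is not visible here.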


@ -643,44 +643,6 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
self.assertRaises(auth_token.ConfigurationError, self.assertRaises(auth_token.ConfigurationError,
auth_token.AuthProtocol, self.fake_app, conf) auth_token.AuthProtocol, self.fake_app, conf)
def test_service_auth_domain_name(self):
# When the service user and project domain name is configured, the V3
# password plugin is used.
user_domain_name = uuid.uuid4().hex
project_domain_name = uuid.uuid4().hex
conf = {
'admin_user_domain_name': user_domain_name,
'admin_project_domain_name': project_domain_name,
}
self.set_middleware(conf=conf)
auth_plugin = self.middleware._session.auth
self.assertEqual(project_domain_name, auth_plugin.project_domain_name)
auth_method = auth_plugin.auth_methods[0]
self.assertEqual(user_domain_name, auth_method.user_domain_name)
def test_service_user_domain_id(self):
# When the service user and project domain ID is configured, the V3
# password plugin is used.
user_domain_id = uuid.uuid4().hex
project_domain_id = uuid.uuid4().hex
conf = {
'admin_user_domain_id': user_domain_id,
'admin_project_domain_id': project_domain_id,
}
self.set_middleware(conf=conf)
auth_plugin = self.middleware._session.auth
self.assertEqual(project_domain_id, auth_plugin.project_domain_id)
auth_method = auth_plugin.auth_methods[0]
self.assertEqual(user_domain_id, auth_method.user_domain_id)
class CommonAuthTokenMiddlewareTest(object): class CommonAuthTokenMiddlewareTest(object):
"""These tests are run once using v2 tokens and again using v3 tokens.""" """These tests are run once using v2 tokens and again using v3 tokens."""


@ -40,12 +40,8 @@ class OptsTestCase(utils.TestCase):
'http_request_max_retries', 'http_request_max_retries',
'admin_token', 'admin_token',
'admin_user', 'admin_user',
'admin_user_domain_id',
'admin_user_domain_name',
'admin_password', 'admin_password',
'admin_tenant_name', 'admin_tenant_name',
'admin_project_domain_id',
'admin_project_domain_name',
'cache', 'cache',
'certfile', 'certfile',
'keyfile', 'keyfile',