This patch modifies AuthProtocol to defer authentication
to a downstream service if an invalid service token is found
and delay_auth_decision is True. This makes the behavior for
an invalid service token similar to that for an invalid user
token.
This is required by Swift because multiple auth middlewares
may co-exist, and auth_token will currently deny a request
on detecting an invalid service token when that service token
is in fact intended to be validated by another downstream auth
middleware. This is precisely the configuration used in
devstack which configures both authtoken and tempauth in
the Swift proxy pipeline [1].
Swift support for service tokens is currently in review [2]
and functional tests will not pass using devstack without the
change proposed here.
[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
DocImpact
SecurityImpact
Closes-Bug: #1422389
Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
c682b07a4f