The heat.common.auth_token Module

TOKEN-BASED AUTH MIDDLEWARE

This WSGI component:

  • Verifies that incoming client requests have valid tokens by validating tokens with the auth service.
  • Rejects unauthenticated requests UNLESS it is in ‘delay_auth_decision’ mode, which means the final decision is delegated to the downstream WSGI component (usually the OpenStack service).
  • Collects and forwards identity information based on a valid token, such as user name, tenant, etc.

Refer to: http://keystone.openstack.org/middlewarearchitecture.html

HEADERS

  • Headers starting with HTTP_ are standard HTTP headers
  • Headers starting with HTTP_X are extended HTTP headers

Coming in from initial call from client or customer

HTTP_X_AUTH_TOKEN
The client token being passed in.
HTTP_X_STORAGE_TOKEN
The client token being passed in (legacy Rackspace use) to support swift/cloud files

Used for communication between components

WWW-Authenticate
HTTP header returned to a user indicating which endpoint to use to retrieve a new token

What we add to the request for use by the OpenStack service

HTTP_X_IDENTITY_STATUS
‘Confirmed’ or ‘Invalid’. The underlying service will only see a value of ‘Invalid’ if the Middleware is configured to run in ‘delay_auth_decision’ mode.
HTTP_X_TENANT_ID
Identity service managed unique identifier, string
HTTP_X_TENANT_NAME
Unique tenant identifier, string
HTTP_X_USER_ID
Identity-service managed unique identifier, string
HTTP_X_USER_NAME
Unique user identifier, string
HTTP_X_ROLES
Comma delimited list of case-sensitive Roles
HTTP_X_TENANT
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME. Keystone-assigned unique identifier, deprecated
HTTP_X_USER
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME. Unique user name, string
HTTP_X_ROLE
Deprecated in favor of HTTP_X_ROLES. This is being renamed, and the new header contains the same data.
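
A downstream WSGI component that consumes the headers above when the middleware runs in ‘delay_auth_decision’ mode, as an added example that is not part of Heat or of this module. The names require_identity, parse_roles, whoami, call and AUTH_URI are hypothetical, and the WWW-Authenticate value format is an assumption.

```python
# Added example (not Heat code). require_identity, parse_roles, whoami, call
# and AUTH_URI are hypothetical; AUTH_URI is a constructed placeholder.
AUTH_URI = "https://keystone.example.test:5000/v2.0"


def parse_roles(environ):
    """Split HTTP_X_ROLES; roles are case-sensitive, so no case folding."""
    raw = environ.get("HTTP_X_ROLES", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def require_identity(app, required_role=None):
    """Wrap `app` and make the decision the middleware delegated downstream."""
    def wrapper(environ, start_response):
        # Fail closed: only the exact value 'Confirmed' is accepted, so a
        # missing header is treated the same as 'Invalid'.
        if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", "Keystone uri='%s'" % AUTH_URI),
                ("Content-Type", "text/plain")])
            return [b"Authentication required"]
        if required_role is not None and required_role not in parse_roles(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return app(environ, start_response)
    return wrapper


def whoami(environ, start_response):
    """Sample protected app: echoes the identity forwarded by the middleware."""
    body = "%s@%s" % (environ.get("HTTP_X_USER_NAME"),
                      environ.get("HTTP_X_TENANT_NAME"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```
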
class heat.common.auth_token.AuthProtocol(app, conf)

Bases: object

Auth Middleware that handles authenticating client calls.

get_admin_token()

Return admin token, possibly fetching a new one.

Returns: admin token id
Raises: ServiceError when unable to retrieve token from keystone

exception heat.common.auth_token.InvalidUserToken

Bases: exceptions.Exception

exception heat.common.auth_token.ServiceError

Bases: exceptions.Exception

heat.common.auth_token.app_factory(global_conf, **local_conf)
heat.common.auth_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.