def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP,
list_opts(), conf)
token_roles_required = self._conf.get('service_token_roles_required')
if not token_roles_required:
log.warning('AuthToken middleware is set with '
'keystone_authtoken.service_token_roles_required '
'set to False. This is backwards compatible but '
'deprecated behaviour. Please set this to True.')
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf.get('enforce_token_bind'),
service_token_roles=self._conf.get('service_token_roles'),
service_token_roles_required=token_roles_required)
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
self._hash_algorithms = self._conf.get('hash_algorithms')
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
self._auth_uri = self._conf.get('auth_uri')
if not self._auth_uri:
self.log.warning(
'Configuring auth_uri to point to the public identity '
'endpoint is required; clients may not be able to '
'authenticate against an admin endpoint')
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._auth_uri = self._identity_server.auth_uri
self._signing_directory = _signing_dir.SigningDirectory(
directory_name=self._conf.get('signing_dir'), log=self.log)
self._token_cache = self._token_cache_factory()
revocation_cache_timeout = datetime.timedelta(
seconds=self._conf.get('revocation_cache_time'))
self._revocations = _revocations.Revocations(revocation_cache_timeout,
self._signing_directory,
self._identity_server,
self._cms_verify,
self.log)
self._check_revocations_for_cached = self._conf.get(
'check_revocations_for_cached')
def __init__(self, app, conf):
log = logging.getLogger(conf.get('log_name', __name__))
log.info('Starting Keystone auth_token middleware')
self._conf = config.Config('auth_token',
_base.AUTHTOKEN_GROUP,
list_opts(),
conf)
if self._conf.oslo_conf_obj is not cfg.CONF:
oslo_cache.configure(self._conf.oslo_conf_obj)
token_roles_required = self._conf.get('service_token_roles_required')
if not token_roles_required:
log.warning('AuthToken middleware is set with '
'keystone_authtoken.service_token_roles_required '
'set to False. This is backwards compatible but '
'deprecated behaviour. Please set this to True.')
super(AuthProtocol, self).__init__(
app,
log=log,
enforce_token_bind=self._conf.get('enforce_token_bind'),
service_token_roles=self._conf.get('service_token_roles'),
service_token_roles_required=token_roles_required)
# delay_auth_decision means we still allow unauthenticated requests
# through and we let the downstream service make the final decision
self._delay_auth_decision = self._conf.get('delay_auth_decision')
self._include_service_catalog = self._conf.get(
'include_service_catalog')
self._interface = self._conf.get('interface')
self._auth = self._create_auth_plugin()
self._session = self._create_session()
self._identity_server = self._create_identity_server()
self._www_authenticate_uri = self._conf.get('www_authenticate_uri')
if not self._www_authenticate_uri:
self._www_authenticate_uri = self._conf.get('auth_uri')
if not self._www_authenticate_uri:
self.log.warning(
'Configuring www_authenticate_uri to point to the public '
'identity endpoint is required; clients may not be able to '
'authenticate against an admin endpoint')
# FIXME(dolph): drop support for this fallback behavior as
# documented in bug 1207517.
self._www_authenticate_uri = \
self._identity_server.www_authenticate_uri
self._token_cache = self._token_cache_factory()
def __init__(self, app, **conf):
self._application = app
self._conf = config.Config('audit', AUDIT_MIDDLEWARE_GROUP,
_list_opts(), conf)
global _LOG
_LOG = logging.getLogger(conf.get('log_name', __name__))
self._service_name = conf.get('service_name')
self._ignore_req_list = [
x.upper().strip()
for x in conf.get('ignore_req_list', '').split(',')
]
self._cadf_audit = _api.OpenStackAuditApi(conf.get('audit_map_file'),
_LOG)
self._notifier = _notifier.create_notifier(self._conf, _LOG)
from keystoneauth1 import adapter, loading
from oslo_config import cfg
from keystoneauth1.loading import session as session_loading
from keystonemiddleware._common import config
from keystonemiddleware.auth_token import list_opts
CONF = cfg.CONF
CONF(project='test', default_config_files=['/etc/nova/nova.conf'])
conf = config.Config("auth_token", "keystone_authtoken", list_opts(), {})
group = conf.get('auth_section') or "keystone_authtoken"
plugin_name = (conf.get('auth_type', group=group)
or conf.paste_overrides.get('auth_plugin'))
plugin_loader = loading.get_plugin_loader(plugin_name)
plugin_opts = loading.get_auth_plugin_conf_options(plugin_loader)
conf.oslo_conf_obj.register_opts(plugin_opts, group=group)
getter = lambda opt: conf.get(opt.dest, group=group)
auth = plugin_loader.load_from_options_getter(getter)
adap = adapter.Adapter(session_loading.Session().load_from_options(),
auth=auth,
service_type='identity',
interface='admin',
region_name=conf.get('region_name'),
connect_retries=conf.get('http_request_max_retries'))