def __init__(self, app, conf): log = logging.getLogger(conf.get('log_name', __name__)) log.info('Starting Keystone auth_token middleware') self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP, list_opts(), conf) token_roles_required = self._conf.get('service_token_roles_required') if not token_roles_required: log.warning('AuthToken middleware is set with ' 'keystone_authtoken.service_token_roles_required ' 'set to False. This is backwards compatible but ' 'deprecated behaviour. Please set this to True.') super(AuthProtocol, self).__init__( app, log=log, enforce_token_bind=self._conf.get('enforce_token_bind'), service_token_roles=self._conf.get('service_token_roles'), service_token_roles_required=token_roles_required) # delay_auth_decision means we still allow unauthenticated requests # through and we let the downstream service make the final decision self._delay_auth_decision = self._conf.get('delay_auth_decision') self._include_service_catalog = self._conf.get( 'include_service_catalog') self._hash_algorithms = self._conf.get('hash_algorithms') self._auth = self._create_auth_plugin() self._session = self._create_session() self._identity_server = self._create_identity_server() self._auth_uri = self._conf.get('auth_uri') if not self._auth_uri: self.log.warning( 'Configuring auth_uri to point to the public identity ' 'endpoint is required; clients may not be able to ' 'authenticate against an admin endpoint') # FIXME(dolph): drop support for this fallback behavior as # documented in bug 1207517. self._auth_uri = self._identity_server.auth_uri self._signing_directory = _signing_dir.SigningDirectory( directory_name=self._conf.get('signing_dir'), log=self.log) self._token_cache = self._token_cache_factory() revocation_cache_timeout = datetime.timedelta( seconds=self._conf.get('revocation_cache_time')) self._revocations = _revocations.Revocations(revocation_cache_timeout, self._signing_directory, self._identity_server, self._cms_verify, self.log) self._check_revocations_for_cached = self._conf.get( 'check_revocations_for_cached')
def __init__(self, app, conf): log = logging.getLogger(conf.get('log_name', __name__)) log.info('Starting Keystone auth_token middleware') self._conf = config.Config('auth_token', _base.AUTHTOKEN_GROUP, list_opts(), conf) if self._conf.oslo_conf_obj is not cfg.CONF: oslo_cache.configure(self._conf.oslo_conf_obj) token_roles_required = self._conf.get('service_token_roles_required') if not token_roles_required: log.warning('AuthToken middleware is set with ' 'keystone_authtoken.service_token_roles_required ' 'set to False. This is backwards compatible but ' 'deprecated behaviour. Please set this to True.') super(AuthProtocol, self).__init__( app, log=log, enforce_token_bind=self._conf.get('enforce_token_bind'), service_token_roles=self._conf.get('service_token_roles'), service_token_roles_required=token_roles_required) # delay_auth_decision means we still allow unauthenticated requests # through and we let the downstream service make the final decision self._delay_auth_decision = self._conf.get('delay_auth_decision') self._include_service_catalog = self._conf.get( 'include_service_catalog') self._interface = self._conf.get('interface') self._auth = self._create_auth_plugin() self._session = self._create_session() self._identity_server = self._create_identity_server() self._www_authenticate_uri = self._conf.get('www_authenticate_uri') if not self._www_authenticate_uri: self._www_authenticate_uri = self._conf.get('auth_uri') if not self._www_authenticate_uri: self.log.warning( 'Configuring www_authenticate_uri to point to the public ' 'identity endpoint is required; clients may not be able to ' 'authenticate against an admin endpoint') # FIXME(dolph): drop support for this fallback behavior as # documented in bug 1207517. self._www_authenticate_uri = \ self._identity_server.www_authenticate_uri self._token_cache = self._token_cache_factory()
def __init__(self, app, **conf): self._application = app self._conf = config.Config('audit', AUDIT_MIDDLEWARE_GROUP, _list_opts(), conf) global _LOG _LOG = logging.getLogger(conf.get('log_name', __name__)) self._service_name = conf.get('service_name') self._ignore_req_list = [ x.upper().strip() for x in conf.get('ignore_req_list', '').split(',') ] self._cadf_audit = _api.OpenStackAuditApi(conf.get('audit_map_file'), _LOG) self._notifier = _notifier.create_notifier(self._conf, _LOG)
from keystoneauth1 import adapter, loading from oslo_config import cfg from keystoneauth1.loading import session as session_loading from keystonemiddleware._common import config from keystonemiddleware.auth_token import list_opts CONF = cfg.CONF CONF(project='test', default_config_files=['/etc/nova/nova.conf']) conf = config.Config("auth_token", "keystone_authtoken", list_opts(), {}) group = conf.get('auth_section') or "keystone_authtoken" plugin_name = (conf.get('auth_type', group=group) or conf.paste_overrides.get('auth_plugin')) plugin_loader = loading.get_plugin_loader(plugin_name) plugin_opts = loading.get_auth_plugin_conf_options(plugin_loader) conf.oslo_conf_obj.register_opts(plugin_opts, group=group) getter = lambda opt: conf.get(opt.dest, group=group) auth = plugin_loader.load_from_options_getter(getter) adap = adapter.Adapter(session_loading.Session().load_from_options(), auth=auth, service_type='identity', interface='admin', region_name=conf.get('region_name'), connect_retries=conf.get('http_request_max_retries'))