Token-based Authentication Middleware.
This WSGI component:
delay_auth_decision
mode, which means the final decision is delegated to
the downstream WSGI component (usually the OpenStack service).Refer to: https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html
The auth_token middleware uses headers sent in by the client on the request and sets headers and environment variables for the downstream WSGI component.
When using composite authentication (a user and service token are
present) additional service headers relating to the service user
will be added. They take the same form as the standard headers but add
_SERVICE_
. These headers will not exist in the environment if no
service token is present.
Will be set to either Confirmed
or Invalid
.
The underlying service will only see a value of ‘Invalid’ if the middleware
is configured to run in delay_auth_decision
mode. As with all such
headers, HTTP_X_SERVICE_IDENTITY_STATUS
will only exist in the
environment if a service token is presented. This is different than
HTTP_X_IDENTITY_STATUS
which is always set even if no user token is
presented. This allows the underlying service to determine if a
denial should use 401 Unauthenticated
or 403 Forbidden
.
service catalog (optional, JSON string).
For compatibility reasons this catalog will always be in the V2 catalog format even if it is a v3 token.
Note
This is an exception in that it contains ‘SERVICE’ but relates to a user token, not a service token. The existing user’s catalog can be very large; it was decided not to present a catalog relating to the service token to avoid using more HTTP header space.
Deprecated in favor of HTTP_X_PROJECT_ID.
Identity service managed unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
Deprecated in favor of HTTP_X_PROJECT_NAME.
Project identifier, unique within owning domain, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_NAME.
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME.
Identity server-assigned unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME.
User name, unique within owning domain, string.
Deprecated in favor of HTTP_X_ROLES.
Will contain the same values as HTTP_X_ROLES.
These variables are set in the request environment for use by the downstream WSGI component.
keystoneauth1.session.Session
. This plugin will load the
authentication data provided to auth_token middleware.auth_token middleware configuration can be in the main application’s
configuration file, e.g. in nova.conf
:
[keystone_authtoken]
auth_plugin = password
auth_url = http://keystone:35357/
username = nova
user_domain_id = default
password = whyarewestillusingpasswords
project_name = service
project_domain_id = default
Configuration can also be in the api-paste.ini
file with the same options,
but this is discouraged.
When deploy auth_token middleware with Swift, user may elect to use Swift
memcache instead of the local auth_token memcache. Swift memcache is passed in
from the request environment and it’s identified by the swift.cache
key.
However it could be different, depending on deployment. To use Swift memcache,
you must set the cache
option to the environment key where the Swift cache
object is stored.
keystonemiddleware.auth_token.
AuthProtocol
(app, conf)¶Bases: keystonemiddleware.auth_token.BaseAuthProtocol
Middleware that handles authenticating client calls.
fetch_token
(token, allow_expired=False)¶Retrieve a token from either a PKI bundle or the identity server.
Parameters: | token (str) – token id |
---|---|
Raises: | exc.InvalidToken – if token is rejected |
kwargs_to_fetch_token
= True¶process_request
(request)¶Process request.
Evaluate the headers in a request and attempt to authenticate the request. If authenticated then additional headers are added to the request for use by applications. If not authenticated the request will be rejected or marked unauthenticated depending on configuration.
process_response
(response)¶Process Response.
Add WWW-Authenticate
headers to requests that failed with
401 Unauthenticated
so users know where to authenticate for future
requests.
keystonemiddleware.auth_token.
BaseAuthProtocol
(app, log=<oslo_log.log.KeywordArgumentAdapter object>, enforce_token_bind='permissive', service_token_roles=None, service_token_roles_required=False)¶Bases: object
A base class for AuthProtocol token checking implementations.
Parameters: |
|
---|
fetch_token
(token, **kwargs)¶Fetch the token data based on the value in the header.
Retrieve the data associated with the token value that was in the header. This can be from PKI, contacting the identity server or whatever is required.
Parameters: |
|
---|---|
Raises: | exc.InvalidToken – if token is invalid. |
Returns: | The token data |
Return type: | dict |
kwargs_to_fetch_token
= False¶process_request
(request)¶Process request.
If this method returns a value then that value will be used as the response. The next application down the stack will not be executed and process_response will not be called.
Otherwise, the next application down the stack will be executed and process_response will be called with the generated response.
By default this method does not return a value.
Parameters: | request (_request.AuthTokenRequest) – Incoming request |
---|
process_response
(response)¶Do whatever you’d like to the response.
By default the response is returned unmodified.
Parameters: | response (_request._AuthTokenResponse) – Response object |
---|
keystonemiddleware.auth_token.
app_factory
(global_conf, **local_conf)¶keystonemiddleware.auth_token.
filter_factory
(global_conf, **local_conf)¶Return a WSGI filter app for use with paste.deploy.
keystonemiddleware.auth_token.
list_opts
()¶Return a list of oslo_config options available in auth_token middleware.
The returned list includes all oslo_config options which may be registered at runtime by the project.
Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.
NOTE: This function is no longer used for oslo_config sample generation. Some services rely on this function for listing ALL (including deprecated) options and registering them into their own config objects which we do not want for sample config files.
See: keystonemiddleware.auth_token._opts.list_opts()
for sample
config files.
Returns: | a list of (group_name, opts) tuples |
---|
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.