Set tenantName to 'admin' in get_admin_auth_token.

Sets the tenantName to 'admin' in get_admin_auth_token. This is required because user-only roles are currently not supported. Give that wsgi is hard coded to check for 'role:admin' this seems to be a reasonable thing to do. In the future it would be nice to add a custom admin_role setting in the config file so the role wouldn't be hard coded to 'admin'. Also removes unused version of get_admin_auth_token. Fixes LP Bug #939015. Change-Id: I545b458e31c8a44a5a69cad1e875f0fe02956246
2012-02-22 22:28:42 -05:00 · 2012-02-22 22:28:42 -05:00 · 6c60d6c783
parent 63437e9dca
commit 6c60d6c783
2 changed files with 27 additions and 21 deletions
--- a/docs/source/configuringservices.rst
+++ b/docs/source/configuringservices.rst
@ -259,3 +259,27 @@ S3 api.
 .. Note::
   With the S3 middleware you are connecting to the `Swift` proxy and
   not to `keystone`.
+
+Auth-Token Middleware with Username and Password
+--------------------------------
+
+It is also possible to configure Keystone's auth_token middleware using the
+'admin_user' and 'admin_password' options. When using the 'admin_user' and
+'admin_password' options the 'admin_token' parameter is optional. If
+'admin_token' is specified it will by used only if the specified token is
+still valid.
+
+Here is an example paste config filter that makes use of the 'admin_user' and
+'admin_password' parameters::
+
+    [filter:tokenauth]
+    paste.filter_factory = keystone.middleware.auth_token:filter_factory
+    service_port = 5000
+    service_host = 127.0.0.1
+    auth_port = 35357
+    auth_host = 127.0.0.1
+    auth_token = ADMIN
+    admin_user = admin
+    admin_password = keystone123
+
+It should be noted that when using this option an 'admin' tenant/role relationship is required. The admin user is granted access to to the 'admin' role via the 'admin' tenant.
--- a/keystone/middleware/auth_token.py
+++ b/keystone/middleware/auth_token.py
@ -77,6 +77,7 @@ from webob.exc import HTTPUnauthorized

 from keystone.common.bufferedhttp import http_connect_raw as http_connect

+ADMIN_TENANTNAME = 'admin'
 PROTOCOL_NAME = 'Token Authentication'


@ -215,26 +216,6 @@ class AuthProtocol(object):
        #Send request downstream
        return self._forward_request(env, start_response, proxy_headers)

-    # NOTE(todd): unused
-    def get_admin_auth_token(self, username, password):
-        """
-        This function gets an admin auth token to be used by this service to
-        validate a user's token. Validate_token is a priviledged call so
-        it needs to be authenticated by a service that is calling it
-        """
-        headers = {'Content-type': 'application/json',
-                   'Accept': 'application/json'}
-        params = {'passwordCredentials': {'username': username,
-                                          'password': password,
-                                          'tenantId': '1'}}
-        conn = httplib.HTTPConnection('%s:%s' \
-            % (self.auth_host, self.auth_port))
-        conn.request('POST', '/v2.0/tokens', json.dumps(params), \
-            headers=headers)
-        response = conn.getresponse()
-        data = response.read()
-        return data
-
    def _get_claims(self, env):
        """Get claims from request"""
        claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
@ -266,7 +247,8 @@ class AuthProtocol(object):
                   "passwordCredentials": {
                    "username": username,
                    "password": password,
-                    }
+                    },
+                   "tenantName": ADMIN_TENANTNAME,
                   }
                  }
        if self.auth_protocol == "http":