Expired admin token not auto-refreshed

Hi Gabe!

I don't quite understand this one. What is an admin token?

-jay

Hm, just realized this is probably on the keystone project instead. An admin_token is the token the middleware uses to authenticate to the identity service so that it can validate a user token.

I also was having some discussions around this, and giving the admin user and password is actually a lot more powerful than just giving it a token - I'm not sure what people's security policies will allow, but maybe a better approach is to use an admin token that doesn't expire automatically instead of having it auto-renew the token.

+1 for either A) tokens without expiration dates ("api keys"?) or, B) actually authenticating with keystone using credentials to retrieve an admin token whenever necessary.

Keystone supports (B) today; the middleware just has to take advantage of it.

Fix proposed to branch: master
Review: https://review.openstack.org/3669

Reviewed: https://review.openstack.org/3669
Committed: http://github.com/openstack/keystone/commit/f76477c7b19aeade22ef00bccc1b652cc37d7349
Submitter: Jenkins
Branch: master

commit f76477c7b19aeade22ef00bccc1b652cc37d7349
Author: Dan Prince <email address hidden>
Date: Wed Feb 1 15:17:26 2012 -0500

    Update auth_token middleware to support creds.

    Updates to the auth_token middleware to support admin_user and
    admin_password in addition to the existing admin_token. If an
    admin_token isn't specified then a call to obtain the admin_token
    is made. If an admin token expires the username and password can
    also be used to obtain a fresh token.

    Also, added a test for case for middleware where token isn't
    specified.

    Fixes LP Bug #923573.

    Change-Id: I643efec310cbb9a175607cc17f0c077f261b1d6d