OpenStack Identity (Keystone)

auth_token middleware should be stand alone

Reported by Dan Prince on 2012-08-21
This bug affects 1 person
Affects: Keystone
Importance: High
Assigned to: Henry Nash

Bug Description

With some of the most recent Folsom changes auth_token.py now has some external dependencies on several other keystone modules:

 from keystone.openstack.common import jsonutils
 from keystone.common import cms
 from keystone.common import utils
 from keystone.openstack.common import timeutils

If we want users to be able to deploy just the single module (like was possible with Essex) I think we may want to re-work some of this so that auth_token.py is once again a stand alone module.
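
The kind of check that catches this regression, as an added example that is not part of the original report or of Keystone's code: it parses a module's source and lists every import whose top-level package is the server package. `SAMPLE_AUTH_TOKEN`, `imported_modules` and `forbidden_imports` are hypothetical names, and the sample source is constructed from the four imports quoted above plus two unrelated ones.

```python
import ast

# Constructed sample: the four imports quoted in the report, preceded by two
# unrelated standard-library imports for contrast. Not the real auth_token.py.
SAMPLE_AUTH_TOKEN = '''
import logging
import json
from keystone.openstack.common import jsonutils
from keystone.common import cms
from keystone.common import utils
from keystone.openstack.common import timeutils
'''


def imported_modules(source):
    """Return sorted (lineno, dotted name) pairs for every absolute import."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.extend((node.lineno, alias.name) for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            if node.level:  # relative import, stays inside the same package
                continue
            for alias in node.names:
                found.append((node.lineno, f"{node.module}.{alias.name}"))
    return sorted(found)


def forbidden_imports(source, forbidden_roots=("keystone",)):
    """List imports whose top-level package is one of forbidden_roots.

    The comparison is on the first dotted component, so 'keystoneclient'
    is not mistaken for 'keystone' the way a prefix match would be.
    """
    return [(line, name) for line, name in imported_modules(source)
            if name.split(".")[0] in forbidden_roots]


if __name__ == "__main__":
    for line, name in forbidden_imports(SAMPLE_AUTH_TOKEN):
        print(f"line {line}: depends on server module {name}")
```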

Joseph Heck (heckj) on 2012-08-21
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Joseph Heck (heckj) on 2012-08-21
tags: added: blueprint
Alex Yang (alexyang) wrote :

Swift has added swift/common/middleware/keystone_auth.py instead of the swift_auth middleware.
So, move the auth_token to openstack/common ?

Adam Young (ayoung) on 2012-09-04
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Alex Yang (alexyang) wrote :

Hi Adam Young,
What's your plan for fixing the bug? Put the auth_token middleware in openstack.common?
I just made a change (https://review.openstack.org/#/c/12356/) to the auth_token middleware.
You may consider this change before your work.

Joseph Heck (heckj) on 2012-10-23
Changed in keystone:
assignee: Adam Young (ayoung) → Henry Nash (henry-nash)
Henry Nash (henry-nash) on 2012-11-06
Changed in keystone:
status: Triaged → In Progress
Henry Nash (henry-nash) wrote :

So here's the High Level plan for fixing this:

1) Move auth_token from keystone to keystone client, so that other projects only need to have access to the client modules, not the server itself
2) Change the various paste files to find this in the new location.
3) Do the above in a sequence that doesn't break anything

Detail of the changes:

a) Unfortunately, auth_token has grown some roots in the keystone server that we need to cut, namely:
- It references some keystone.openstack.common items (jsonutils, timeutils, cfg) that are not in keystoneclient.openstack.common, so we'll add those to the client (and update its openstack-common.conf file accordingly)
- It also references cms, utils (and indirectly logging) from keystone.common. Now for utils, the only thing that is referenced is hash_signed_token - and nobody else in the server uses this. So I propose we move this function to keystoneclient.utils and leave keystone.common.utils where it is. cms needs to move (but also be accessed by keystone). For cms and auth_token, we need to ensure that when running as part of keystone itself then we use the keystone.common.logging (which is a wrapper round the standard logger), while in all other cases we are just going straight to the standard logger.
b) We'll start by making the above changes in keystoneclient - but leave everything hooked up to the original ones in keystone - so the initial set of patches will be benign
c) We'll add the tests to the client side and ensure that they call and run the new code and all work fine
d) We'll then change devstack and the paste files in the other projects to point to keystoneclient rather than keystone for the authorization code.
e) Finally we'll retire the keystone version of auth_token and make keystone reference the client for any of the files we have moved

Expect a series of patches to execute the above, as well as additional bugs/changes opened on the other projects to modify their paste files

On 11/06/2012 07:35 AM, Henry Nash wrote:
> So here's the High Level plan for fixing this:
>
> 1) Move auth_token from keystone to keystone client, so that other projects only need to have access to the client modules, not the server itself
> 2) Change the various paste files to find this in the new location.
> 3) Do the above in a sequence that doesn't break anything
>
> Detail of the changes:
>
> a) Unfortunately, auth_token has grown some roots in the keystone server that we need to cut, namely:
> - It references some keystone.openstack.common items (jsonutils, timeutils, cfg) that are not in keystoneclient.openstack.common, so we'll add those to the client (and update its openstack-common.conf file accordingly)
> - It also references cms, utils (and indirectly logging) from keystone.common. Now for utils, the only thing that is referenced is hash_signed_token - and nobody else in the server uses this. So I propose we move this function to keystoneclient.utils and leave keystone.common.utils where it is. cms needs to move (but also be accessed by keystone). For cms and auth_token, we need to ensure that when running as part of keystone itself then we use the keystone.common.logging (which is a wrapper round the standard logger), while in all other cases we are just going straight to the standard logger.
> b) We'll start by making the above changes in keystoneclient - but leave everything hooked up to the original ones in keystone - so the initial set of patches will be benign
> c) We'll add the tests to the client side and ensure that they call and run the new code and all work fine
> d) We'll then change devstack and the paste files in the other projects to point to keystoneclient rather than keystone for the authorization code.
> e) Finally we'll retire the keystone version of auth_token and make keystone reference the client for any of the files we have moved
>
> Expect a series of patches to execute the above, as well as additional
> bugs/changes opened on the other projects to modify their paste files
>
ACK

Henry Nash (henry-nash) on 2012-11-20
Changed in keystone:
status: In Progress → Fix Committed
Henry Nash (henry-nash) wrote :

As part of https://review.openstack.org/#/c/15904/ the middleware has now been moved to keystoneclient.middleware.auth_token.py so this is all that is required for a service to get access to the token authentication (i.e. they need keystoneclient, but not keystone itself). The various project paste files will be updated over the next few weeks, but anyone that wants to can update theirs now and reference the client only. This bug, therefore, is not complete.
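
The paste-file update described in this thread, as an added example that is not part of the comment above or of any project's tooling: it finds filter sections whose `paste.filter_factory` still names the server-side module and rewrites them to the client module. The paste file content is constructed, and `stale_filters` and `migrate` are hypothetical helper names.

```python
import configparser
import re

OLD = "keystone.middleware.auth_token"
NEW = "keystoneclient.middleware.auth_token"

# Constructed paste-deploy file for a service that still loads the
# middleware from the keystone server package.
SAMPLE_PASTE = """
[pipeline:main]
pipeline = authtoken app

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory

[app:app]
paste.app_factory = example.service:app_factory
"""

_FACTORY_LINE = re.compile(
    r"^([ \t]*paste\.filter_factory[ \t]*=[ \t]*)" + re.escape(OLD) + r"(?=[ \t]*:)",
    re.MULTILINE,
)


def stale_filters(paste_text):
    """Return the filter sections that still load auth_token from keystone."""
    parser = configparser.RawConfigParser()  # Raw: no %(...)s interpolation
    parser.read_string(paste_text)
    stale = []
    for section in parser.sections():
        if not section.startswith("filter:"):
            continue
        factory = parser.get(section, "paste.filter_factory", fallback="")
        if factory.partition(":")[0].strip() == OLD:  # exact module match
            stale.append(section)
    return stale


def migrate(paste_text):
    """Point stale factory lines at keystoneclient; leave other lines as-is."""
    return _FACTORY_LINE.sub(lambda m: m.group(1) + NEW, paste_text)


if __name__ == "__main__":
    print("stale before:", stale_filters(SAMPLE_PASTE))
    print("stale after: ", stale_filters(migrate(SAMPLE_PASTE)))
```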

Joseph Heck (heckj) on 2012-11-20
Changed in keystone:
milestone: none → grizzly-1
Thierry Carrez (ttx) on 2012-11-22
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in keystone:
milestone: grizzly-1 → 2013.1