Make AuthContextMiddleware more flask friendly

Bug #1797446 reported by Morgan Fainberg on 2018-10-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)

Bug Description

AuthContextMiddleware requires a lot of modification of the code for auth_token middleware. The code should be updated to ensure that there are no-web-ob specific bits that need to be carried in keystone's tree. This likely requires splitting the "tokenless auth" (x509) into a separate flask-aware middleware and making KeystoneMiddleware only require overloading the "fetch_token" method for use within Keystone.

This is a wishlist bug to eliminate the last hard dependencies within Keystone Server on Webob and being 100% flask native (externally loaded middleware makes no difference).

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Changed in keystonemiddleware:
status: New → Triaged
importance: Undecided → Wishlist
Jamie Lennox (jamielennox) wrote :

I understand the wishlish nature of this, so just a comment.

The middleware itself should be a purely wsgi interface. There are some objects passed down that technicallly break this contract, but off the top of my head i don't think any of them are webob related.

Webob is a small dependency which basically wraps those wsgi interfaces into something easy to use and my impression is that the work required to re-implement it is not worth the effort.

Anyway - wishlist.

Morgan Fainberg (mdrnstm) wrote :

Keystone shouldn't need to import webob is the point. Keystone should be able to say "hey, get a token like X and validate a token like Y" and that's it. There should be no "import this thing, subclass it and lean on webob to make my subclassing work".

This is all because Keystone no longer uses webob in any meaningful outside of AuthContextMiddleware [once the last patch for Flaskification lands]

Morgan Fainberg (mdrnstm) wrote :

I think we can split apart the bits in KSM to have "process environment" and "get environment data". If we do this split, keystone can use the "process environment" code and supply the environment directly from flask.request.environ instead of assuming the data will come from a webob request object. This means that keystone benefits from all the work KSM does, but can push AuthContext down to a simple "pre-request" function that populates the sane bits of the environment used further down the stack.

Morgan Fainberg (mdrnstm) wrote :

Hmm. The more I look at it the more I think the change can be super small:

Removal of "_confirm_token_bind" [With fernet only, token binding is dead]

Change process_request to pull apart the request and do the work with just the data such as "request.user_token".

This is a small amount of work to make it so Keystone can lean on KSM without needing to run it as a full middleware.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers