keystonemiddleware

Make AuthContextMiddleware more flask friendly

Bug #1797446 reported by Morgan Fainberg on 2018-10-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Triaged	Wishlist	Unassigned
	keystonemiddleware	Triaged	Wishlist	Unassigned

Bug Description

AuthContextMiddleware requires a lot of modification of the code for auth_token middleware. The code should be updated to ensure that there are no-web-ob specific bits that need to be carried in keystone's tree. This likely requires splitting the "tokenless auth" (x509) into a separate flask-aware middleware and making KeystoneMiddleware only require overloading the "fetch_token" method for use within Keystone.

This is a wishlist bug to eliminate the last hard dependencies within Keystone Server on Webob and being 100% flask native (externally loaded middleware makes no difference).

Morgan Fainberg (mdrnstm) on 2018-10-11

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Wishlist
Changed in keystonemiddleware:
status:	New → Triaged
importance:	Undecided → Wishlist

Revision history for this message

Jamie Lennox (jamielennox) wrote on 2018-10-11:

I understand the wishlish nature of this, so just a comment.

The middleware itself should be a purely wsgi interface. There are some objects passed down that technicallly break this contract, but off the top of my head i don't think any of them are webob related.

Webob is a small dependency which basically wraps those wsgi interfaces into something easy to use and my impression is that the work required to re-implement it is not worth the effort.

Anyway - wishlist.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-12:

Keystone shouldn't need to import webob is the point. Keystone should be able to say "hey, get a token like X and validate a token like Y" and that's it. There should be no "import this thing, subclass it and lean on webob to make my subclassing work".

This is all because Keystone no longer uses webob in any meaningful outside of AuthContextMiddleware [once the last patch for Flaskification lands]

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-12:

I think we can split apart the bits in KSM to have "process environment" and "get environment data". If we do this split, keystone can use the "process environment" code and supply the environment directly from flask.request.environ instead of assuming the data will come from a webob request object. This means that keystone benefits from all the work KSM does, but can push AuthContext down to a simple "pre-request" function that populates the sane bits of the environment used further down the stack.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2018-10-12:

Hmm. The more I look at it the more I think the change can be super small:

Removal of "_confirm_token_bind" [With fernet only, token binding is dead]

Change process_request to pull apart the request and do the work with just the data such as "request.user_token".

This is a small amount of work to make it so Keystone can lean on KSM without needing to run it as a full middleware.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.