Comment 9 for bug 1282842

Hua Zhang (zhhuabj) wrote :

I think maybe we need to set the token expiration time to be greater than the time the test runs. After having read the related code, it looks like all the logic is right. Any thoughts?

1, The non-admin user uses a username and password to invoke the REST API to generate a token.
2, When a non-admin user requests a REST API via WSGI, nova.api.auth:NovaKeystoneContext will get this token by the name 'X_AUTH_TOKEN' from the HTTP header.
3, The get_client method of $nova/network/neutronv2/__init__.py will use this token to instantiate a neutron HTTPClient object.
    def _get_client(token=None):
        # ... other code ...
        if token:
            # A caller-supplied token is used as-is, with no auth strategy.
            params['token'] = token
            params['auth_strategy'] = None
        else:
            # Otherwise fall back to the configured admin credentials.
            params['username'] = CONF.neutron_admin_username
            if CONF.neutron_admin_tenant_id:
                params['tenant_id'] = CONF.neutron_admin_tenant_id
            else:
                params['tenant_name'] = CONF.neutron_admin_tenant_name
                LOG.warning(_("Using neutron_admin_tenant_name for authentication "
                              "is deprecated and will be removed in the next "
                              "release. Use neutron_admin_tenant_id instead."))
            params['password'] = CONF.neutron_admin_password
            params['auth_url'] = CONF.neutron_admin_auth_url
            params['auth_strategy'] = CONF.neutron_auth_strategy
        return clientv20.Client(**params)

    def get_client(context, admin=False):
        # ... other code ...
        if context.auth_token:
            token = context.auth_token
            return _get_client(token=token)
        # ... other code ...
4, The do_request method of neutronclient will invoke the authenticate method if the token we passed is unauthorized.
    def do_request(self, url, method, **kwargs):
        self.authenticate_and_fetch_endpoint_url()
        try:
            kwargs.setdefault('headers', {})
            kwargs['headers']['X-Auth-Token'] = self.auth_token
            resp, body = self._cs_request(self.endpoint_url + url, method,
                                          **kwargs)
            return resp, body
        except exceptions.Unauthorized:
            self.authenticate()
5, The authenticate method throws the Unauthorized exception normally because this is an unauthorized token.
    def authenticate(self):
        if self.auth_strategy != 'keystone':
            raise exceptions.Unauthorized(message=_('Unknown auth strategy'))
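
A toy simulation of the flow in steps 1 to 5, added here as an illustration; it is not part of the original comment and is not Nova or neutronclient code. ToyNeutronServer, ToyClient, first_failure and the token lifetimes are constructed for the example, and the retry after a successful authenticate is an assumption.

```python
class Unauthorized(Exception):
    """Stand-in for neutronclient's exceptions.Unauthorized."""


class ToyNeutronServer:
    """Hypothetical server: a token is valid only before its expiry time."""

    def __init__(self, expiries):
        self.expiries = expiries  # token -> expiry in seconds (constructed)

    def handle(self, token, now):
        if self.expiries.get(token, 0) <= now:
            raise Unauthorized("token expired or unknown")
        return 200


class ToyClient:
    """Mirrors the shape of the quoted do_request/authenticate logic."""

    def __init__(self, server, token, auth_strategy):
        self.server = server
        self.auth_token = token
        self.auth_strategy = auth_strategy

    def authenticate(self, now):
        # Same guard as the quoted snippet: no strategy, no way to re-authenticate.
        if self.auth_strategy != 'keystone':
            raise Unauthorized("Unknown auth strategy")
        # Assumption: a successful re-auth yields a fresh one-hour token.
        self.auth_token = "fresh-%d" % now
        self.server.expiries[self.auth_token] = now + 3600

    def do_request(self, now):
        try:
            return self.server.handle(self.auth_token, now)
        except Unauthorized:
            self.authenticate(now)  # raises when auth_strategy is None
            return self.server.handle(self.auth_token, now)  # assumed retry


def first_failure(token_lifetime, run_time, auth_strategy=None, step=60):
    """Send a request every `step` seconds; return when the first one fails."""
    server = ToyNeutronServer({"user-token": token_lifetime})
    client = ToyClient(server, "user-token", auth_strategy)
    for now in range(0, run_time + 1, step):
        try:
            client.do_request(now)
        except Unauthorized:
            return now
    return None
```

With a 600-second token and an 1800-second run, the pass-through client fails at the 600-second mark, while a token lifetime longer than the run never reaches the Unauthorized path.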