# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2011 OpenStack LLC.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
"""
Glance Keystone Integration Middleware

This WSGI component allows keystone to act as an identity service for
glance. Glance now supports the concept of images owned by a tenant,
and this middleware takes the authentication information provided by
auth_token and builds a glance-compatible context object.

Use by applying after auth_token in the glance-api.ini and
glance-registry.ini configurations, replacing the existing context
middleware. The ordering matters: this middleware trusts the
X_IDENTITY_STATUS, X_USER, X_TENANT and X_ROLE headers it finds on the
request, so they must only ever be set by auth_token and never accepted
from the client.

Example: examples/paste/glance-api.conf,
    examples/paste/glance-registry.conf
"""
from glance.common import context
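class KeystoneContextMiddleware(context.ContextMiddleware):
    """Glance keystone integration middleware.

    Builds the glance request context from the identity headers found on
    the incoming request.  The headers are taken at face value: nothing in
    this class verifies a token or checks where the headers came from, so
    the filter is only safe when an authenticating middleware (auth_token)
    runs before it and is the sole source of those headers.
    """

    def process_request(self, req):
        """
        Extract keystone-provided authentication information from the
        request and construct an appropriate context from it.

        The result is stored on ``req.context``.  A read-only default
        context is used unless the X_IDENTITY_STATUS header is exactly
        'Confirmed'.
        """
        # Only accept the authentication information if the identity
        # has been confirmed--presumably by upstream
        if req.headers.get('X_IDENTITY_STATUS', 'Invalid') != 'Confirmed':
            # Use the default empty context and stop here, so the user,
            # tenant and role headers of an unconfirmed request are never
            # turned into an authenticated context below.
            req.context = self.make_context(read_only=True)
            return

        # OK, let's extract the information we need
        auth_tok = req.headers.get('X_AUTH_TOKEN',
                                   req.headers.get('X_STORAGE_TOKEN'))
        user = req.headers.get('X_USER')
        tenant = req.headers.get('X_TENANT')
        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
        # Admin rights hinge on an exact, case-sensitive match of one
        # comma-separated entry in X_ROLE.
        is_admin = 'Admin' in roles

        # Construct the context
        req.context = self.make_context(auth_tok, user, tenant, is_admin)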
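def filter_factory(global_conf, **local_conf):
    """
    Factory method for paste.deploy

    Merges the filter's local options over a copy of the global
    configuration and returns the callable that paste.deploy invokes with
    the downstream WSGI application.  ``global_conf`` itself is not
    modified.
    """
    conf = global_conf.copy()
    conf.update(local_conf)

    def keystone_context_filter(app):
        # paste.deploy supplies the wrapped application at pipeline build
        # time; it is not available when the factory itself is called.
        return KeystoneContextMiddleware(app, conf)

    return keystone_context_filter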