OpenStack Identity (Keystone)

move the auth_token middleware to the keystoneclient repository

Registered by Joseph Heck on 2012-09-24

Per discussion here: http://lists.openstack.org/pipermail/openstack-dev/2012-September/001184.html
and here: http://lists.openstack.org/pipermail/openstack-dev/2012-September/001334.html

auth_token needs to be a package separate from keystone, and keystoneclient looks to be a good repository to place it into.

Blueprint information

Status:
Complete
Approver:
Joseph Heck
Priority:
High
Drafter:
Joseph Heck
Direction:
Approved
Assignee:
Henry Nash
Definition:
Approved
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
milestone icon 2013.1
Started by
Henry Nash on 2012-11-06
Completed by
Joseph Heck on 2012-11-20

Whiteboard

So here's the High Level plan for fixing this:

1) Move auth_token from keystone to keystone client, so that other projects only need to have access to the client modules, not the server itself
2) Change the various paste files to find this in the new location.
3) Do the above in a sequence that doesn't break anything

Detail of the changes:

Unfortunately, auth_token has grown some roots in the keystone server that we need to cut, namely:
- It references some keystone.openstack.common items (jsonutils, timeutils, cfg) that are not in keystoneclient.openstack.common, so we'll add those to the client (and update its openstack-common.conf file accordingly)
- It also references cms, utils (and indirectly logging) from keystone.common. Now for utils, the only thing that is referenced is hash_signed_token - and nobody else in the server uses this. So I propose we move this function to keystoneclient.utils and leave keystone.common.utils where it is. cms needs to move (but also be accessed by keystone). For cms and auth_token, we need to ensure that when running as part of keystone itself then we use the keystone.common.logging (which is a wrapper round the standard logger), while in all other cases we are just going straight to the standard logger.

Note from OpenStack Meeting (11/13) - request to please import auth_token in keystone from keystoneclient for backwards compatibility

Gerrit topic: https://review.openstack.org/#q,topic:bp/authtoken-to-keystoneclient-repo,n,z

Addressed by: https://review.openstack.org/16363
    Import keystoneclient auth_token back to keystone for backward compatibility

(?)

Work Items

Work items:
a) Update keystone client with the addition of newly required openstack.common items : DONE
b) Duplicate hash_signed_token to keystone.common.utils : DONE
c) Duplicate auth_token and cms to keystoneclient.middleware, and ensure logging is factored correctly. Duplicate the auth_token tests into keystone client : DONE
d) bcwaldon requested that we import auth_token from keystoneclient into where it exists today in keystone to maintain backwards compatibility through the next release : DONE
e) Change devstack and the paste files in the other projects to point keystoneclient rather than keystone for the authorization code : TODO
f) Retire the keystone version of auth_token that imports from the client at some future release : POSTPONED

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.