OpenStack Identity (keystone)

move the auth_token middleware to the keystoneclient repository

Registered by Joseph Heck on 2012-09-24

Per discussion here: http://lists.openstack.org/pipermail/openstack-dev/2012-September/001184.html
and here: http://lists.openstack.org/pipermail/openstack-dev/2012-September/001334.html

auth_token needs to be a package separate from keystone, and keystoneclient looks to be a good repository to place it into.

Blueprint information

Status:: Complete

Approver:: Joseph Heck

Priority:: High

Drafter:: Joseph Heck

Direction:: Approved

Assignee:: Henry Nash

Definition:: Approved

Series goal:: Accepted for grizzly

Implementation:: Implemented

Milestone target:: 2013.1

Started by: Henry Nash on 2012-11-06

Completed by: Joseph Heck on 2012-11-20

Related branches

Related bugs

Bug #1036847: auth_token middleware has too much state	Invalid
Bug #1039567: auth_token middleware should be stand alone	Fix Released

Sprints

Whiteboard

So here's the High Level plan for fixing this:

1) Move auth_token from keystone to keystone client, so that other projects only need to have access to the client modules, not the server itself
2) Change the various paste files to find this in the new location.
3) Do the above in a sequence that doesn't break anything

Detail of the changes:

Unfortunately, auth_token has grown some roots in the keystone server that we need to cut, namely:
- It references some keystone.openstack.common items (jsonutils, timeutils, cfg) that are not in keystoneclient.openstack.common, so we'll add those to the client (and update its openstack-common.conf file accordingly)
- It also references cms, utils (and indirectly logging) from keystone.common. Now for utils, the only thing that is referenced is hash_signed_token - and nobody else in the server uses this. So I propose we move this function to keystoneclient.utils and leave keystone.common.utils where it is. cms needs to move (but also be accessed by keystone). For cms and auth_token, we need to ensure that when running as part of keystone itself then we use the keystone.common.logging (which is a wrapper round the standard logger), while in all other cases we are just going straight to the standard logger.

Note from OpenStack Meeting (11/13) - request to please import auth_token in keystone from keystoneclient for backwards compatibility

Gerrit topic: https://review.openstack.org/#q,topic:bp/authtoken-to-keystoneclient-repo,n,z

Addressed by: https://review.openstack.org/16363
Import keystoneclient auth_token back to keystone for backward compatibility

(?)

Work Items

Work items:
a) Update keystone client with the addition of newly required openstack.common items : DONE
b) Duplicate hash_signed_token to keystone.common.utils : DONE
c) Duplicate auth_token and cms to keystoneclient.middleware, and ensure logging is factored correctly. Duplicate the auth_token tests into keystone client : DONE
d) bcwaldon requested that we import auth_token from keystoneclient into where it exists today in keystone to maintain backwards compatibility through the next release : DONE
e) Change devstack and the paste files in the other projects to point keystoneclient rather than keystone for the authorization code : TODO
f) Retire the keystone version of auth_token that imports from the client at some future release : POSTPONED

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.