[openstack-dev] Re: [Neutron] Auth token in context

Kevin Benton blak111 at gmail.com
Sun Jul 20 07:14:54 UTC 2014


That makes sense. Shouldn't we wait for something to require it before
adding it though?


On Sat, Jul 19, 2014 at 11:41 PM, joehuang <joehuang at huawei.com> wrote:

>  Hello, Kevin
>
>
>
> The leakage risk may be one of the design purposes. But Nova/Cinder has
> already stored the token in the context, because Nova needs to access
> Neutron, Cinder, Glance, and Cinder interacts with Glance....
>
>
>
> For Neutron, I think the reason the token has not been passed to the
> context is that Neutron currently only reactively provides service
> (exactly PORT) to Nova, so Neutron has not called other services' APIs
> by using the token.
>
>
>
> If the underlying agent or plugin wants to use the token, then the
> requirement will be asked by somebody.
>
>
>
> BR
>
>
>
> Joe
>
>
>  ------------------------------
> *From:* Kevin Benton [blak111 at gmail.com]
> *Sent:* July 19, 2014 4:23
>
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Neutron] Auth token in context
>
>   I suspect it was just excluded since it is authenticating information
> and there wasn't a good use case to pass it around everywhere in the
> context where it might be leaked into logs or other network requests
> unexpectedly.
>
>
> On Fri, Jul 18, 2014 at 1:10 PM, Phillip Toohill <
> phillip.toohill at rackspace.com> wrote:
>
>>  It was for more of a potential use to query another service. Don't
>> think we'll go this route though, but was curious why it was one of the only
>> values not populated even though there's a field for it.
>>
>>   From: Kevin Benton <blak111 at gmail.com>
>> Reply-To: "OpenStack Development Mailing List (not for usage questions)"
>> <openstack-dev at lists.openstack.org>
>> Date: Friday, July 18, 2014 2:16 PM
>> To: "OpenStack Development Mailing List (not for usage questions)" <
>> openstack-dev at lists.openstack.org>
>> Subject: Re: [openstack-dev] [Neutron] Auth token in context
>>
>>   What are you trying to use the token to do?
>>
>>
>> On Fri, Jul 18, 2014 at 9:16 AM, Phillip Toohill <
>> phillip.toohill at rackspace.com> wrote:
>>
>>> Excellent! Thank you for the response, I figured it was possible, it just
>>> concerned me as to why everything else made it to context except for the
>>> token.
>>>
>>> So to be clear, you agree that it should at least be passed to context
>>> and, because it's not, could be deemed a bug?
>>>
>>> Thank you
>>>
>>> On 7/18/14 2:03 AM, "joehuang" <joehuang at huawei.com> wrote:
>>>
>>> >Hello, Phillip.
>>> >
>>> >Currently, Neutron does not pass the token to the context. But
>>> >Nova/Cinder do that. It's easy to do that, just 'copy' from Nova/Cinder.
>>> >
>>> >1.  How Nova/Cinder did that
>>> >class NovaKeystoneContext(wsgi.Middleware):
>>> ># or CinderKeystoneContext for cinder
>>> >
>>> >              auth_token = req.headers.get('X_AUTH_TOKEN',
>>> >                                     req.headers.get('X_STORAGE_TOKEN'))
>>> >              ctx = context.RequestContext(user_id,
>>> >                                     project_id,
>>> >                                     user_name=user_name,
>>> >                                     project_name=project_name,
>>> >                                     roles=roles,
>>> >                                     auth_token=auth_token,
>>> >                                     remote_address=remote_address,
>>> >                                     service_catalog=service_catalog)
>>> >
>>> >2.  Neutron does not pass the token. Also not good for third-party network
>>> >infrastructure to integrate the authentication with Keystone.
>>> >class NeutronKeystoneContext(wsgi.Middleware):
>>> ># .................
>>> ># The token is not read from the header and not passed to the context.
>>> ># Just change here like what Nova/Cinder did.
>>> >        ctx = context.Context(user_id, tenant_id, roles=roles,
>>> >                              user_name=user_name,
>>> >                              tenant_name=tenant_name,
>>> >                              request_id=req_id)
>>> >        req.environ['neutron.context'] = ctx
>>> >
>>> >I think I'd better report a bug for your case.
>>> >
>>> >Best Regards
>>> >Chaoyi Huang ( Joe Huang )
>>> >-----Original Message-----
>>> >From: Phillip Toohill [mailto:phillip.toohill at RACKSPACE.COM]
>>> >Sent: July 18, 2014 14:07
>>> >To: OpenStack Development Mailing List (not for usage questions)
>>> >Subject: [openstack-dev] [Neutron] Auth token in context
>>> >
>>> >Hello all,
>>> >
>>> >I am wondering how to get the auth token from a user request passed down
>>> >to the context so it can potentially be used by the plugin or driver?
>>> >
>>> >Thank you
>>> >
>>> >
>>> >_______________________________________________
>>> >OpenStack-dev mailing list
>>> >OpenStack-dev at lists.openstack.org
>>> >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>>
>>  --
>> Kevin Benton
>>
>>
>>
>
>
>  --
> Kevin Benton
>
>
>


-- 
Kevin Benton
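
Added example (not part of the original thread, and not Neutron or Nova code): one way to carry a token in a request context while keeping it out of repr() output, default serialization and log lines, which is the leak path raised above. The RequestContext and TokenRedactingFilter names and the sample token are hypothetical and constructed for illustration.

```python
import io
import logging
from dataclasses import dataclass, field

MASK = "***"


@dataclass
class RequestContext:
    """Hypothetical request context; not Neutron's or Nova's class."""
    user_id: str
    tenant_id: str
    roles: list = field(default_factory=list)
    auth_token: str = field(default=None, repr=False)  # kept out of repr()

    def to_dict(self, include_token=False):
        """Serialize for logs or RPC; the token is included only on request."""
        data = {"user_id": self.user_id, "tenant_id": self.tenant_id,
                "roles": list(self.roles)}
        data["auth_token"] = self.auth_token if include_token else MASK
        return data


class TokenRedactingFilter(logging.Filter):
    """Masks a known token value if it still reaches a log message."""

    def __init__(self, token):
        super().__init__()
        self._token = token

    def filter(self, record):
        if self._token:
            message = record.getMessage()  # message with args applied
            record.msg = message.replace(self._token, MASK)
            record.args = None
        return True


def demo():
    """Log a context and a careless raw-token message; return the log text."""
    token = "constructed-sample-token-0123"  # constructed value, not a real token
    ctx = RequestContext("u1", "t1", ["member"], auth_token=token)
    stream = io.StringIO()
    log = logging.getLogger("ctx_demo")
    log.handlers, log.propagate = [logging.StreamHandler(stream)], False
    log.setLevel(logging.INFO)
    log.addFilter(TokenRedactingFilter(token))
    log.info("context: %r / %s", ctx, ctx.to_dict())
    log.info("calling other service with token %s", token)  # careless call
    return token, stream.getvalue()
```

Code that genuinely needs the token to call another service asks for it explicitly with to_dict(include_token=True) or reads ctx.auth_token directly.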