<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style id="owaParaStyle">P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>
</head>
<body fPStyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<p>Hello, Kevin</p>
<p> </p>
<p>The leakage risk may be one of the design purpose. But Nova/Cinder has already stored the token into the context, because Nova needs to access Neutron.Cinder.Glance, And Cinder interact with Glance....</p>
<p> </p>
<p>For Neutron, I think why the token has not been passed to the context, is because that Neutron only reactively provide service (exactly PORT ) to Nova currently, so Neutron has not call other services' API by using the token.
</p>
<p> </p>
<p>If the underlying agent or plugin wants to use the token, then the requirement will be asked by somebody.</p>
<p> </p>
<p>BR</p>
<p> </p>
<p>Joe</p>
<p> </p>
<div style="FONT-FAMILY: Times New Roman; COLOR: #000000; FONT-SIZE: 16px">
<hr tabindex="-1">
<div style="DIRECTION: ltr" id="divRpF758129"><font color="#000000" size="2" face="Tahoma"><b>发件人:</b> Kevin Benton [blak111@gmail.com]<br>
<b>发送时间:</b> 2014年7月19日 4:23<br>
<b>收件人:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>主题:</b> Re: [openstack-dev] [Neutron] Auth token in context<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">I suspect it was just excluded since it is authenticating information and there wasn't a good use case to pass it around everywhere in the context where it might be leaked into logs or other network requests unexpectedly.</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 1:10 PM, Phillip Toohill <span dir="ltr">
<<a href="mailto:phillip.toohill@rackspace.com" target="_blank">phillip.toohill@rackspace.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div style="FONT-FAMILY: Calibri,sans-serif; WORD-WRAP: break-word; COLOR: rgb(0,0,0); FONT-SIZE: 14px">
<div>It was for more of a potential use to query another service. Don't think well go this route though, but was curious why it was one of the only values not populated even though there's a field for it. </div>
<div><br>
</div>
<span>
<div style="BORDER-BOTTOM: medium none; TEXT-ALIGN: left; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; FONT-FAMILY: Calibri; COLOR: black; FONT-SIZE: 11pt; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="FONT-WEIGHT: bold">From: </span>Kevin Benton <<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>><br>
<span style="FONT-WEIGHT: bold">Reply-To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="FONT-WEIGHT: bold">Date: </span>Friday, July 18, 2014 2:16 PM<br>
<span style="FONT-WEIGHT: bold">To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="FONT-WEIGHT: bold">Subject: </span>Re: [openstack-dev] [Neutron] Auth token in context<br>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">What are you trying to use the token to do?</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 9:16 AM, Phillip Toohill <span dir="ltr">
<<a href="mailto:phillip.toohill@rackspace.com" target="_blank">phillip.toohill@rackspace.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
Excellent! Thank you for the response, I figured it was possible, just<br>
concerned me to why everything else made it to context except for the<br>
token.<br>
<br>
So to be clear, you agree that it should at least be passed to context and<br>
because its not could be deemed a bug?<br>
<br>
Thank you<br>
<div>
<div><br>
On 7/18/14 2:03 AM, "joehuang" <<a href="mailto:joehuang@huawei.com" target="_blank">joehuang@huawei.com</a>> wrote:<br>
<br>
>Hello, Phillip.<br>
><br>
>Currently, Neutron did not pass the token to the context. But Nova/Cinder<br>
>did that. It's easy to do that, just 'copy' from Nova/Cinder.<br>
><br>
>1. How Nova/Cinder did that<br>
>class NovaKeystoneContext(wsgi.Middleware)<br>
>///or CinderKeystoneContext for cinder<br>
><br>
> auth_token = req.headers.get('X_AUTH_TOKEN',<br>
> req.headers.get('X_STORAGE_TOKEN'))<br>
> ctx = context.RequestContext(user_id,<br>
> project_id,<br>
> user_name=user_name,<br>
> project_name=project_name,<br>
> roles=roles,<br>
> auth_token=auth_token,<br>
> remote_address=remote_address,<br>
> service_catalog=service_catalog)<br>
><br>
>2. Neutron not passed token. Also not good for the third part network<br>
>infrastructure to integrate the authentication with KeyStone.<br>
>class NeutronKeystoneContext(wsgi.Middleware)<br>
>.................<br>
>##### token not get from the header and not passed to context. Just<br>
>change here like what Nova/Cinder did.<br>
> context.Context(user_id, tenant_id, roles=roles,<br>
> user_name=user_name,<br>
>tenant_name=tenant_name,<br>
> request_id=req_id)<br>
> req.environ['neutron.context'] = ctx<br>
><br>
>I think I'd better to report a bug for your case.<br>
><br>
>Best Regards<br>
>Chaoyi Huang ( Joe Huang )<br>
>-----邮件原件-----<br>
>发件人: Phillip Toohill [mailto:<a href="mailto:phillip.toohill@RACKSPACE.COM" target="_blank">phillip.toohill@RACKSPACE.COM</a>]<br>
>发送时间: 2014年7月18日 14:07<br>
>收件人: OpenStack Development Mailing List (not for usage questions)<br>
>主题: [openstack-dev] [Neutron] Auth token in context<br>
><br>
>Hello all,<br>
><br>
>I am wondering how to get the auth token from a user request passed down<br>
>to the context so it can potentially be used by the plugin or driver?<br>
><br>
>Thank you<br>
><br>
><br>
>_______________________________________________<br>
>OpenStack-dev mailing list<br>
><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>_______________________________________________<br>
>OpenStack-dev mailing list<br>
><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Kevin Benton</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Kevin Benton</div>
</div>
</div>
</div>
</div>
</body>
</html>