<div dir="ltr">That makes sense. Shouldn't we wait for something to require it before adding it though?</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Jul 19, 2014 at 11:41 PM, joehuang <span dir="ltr"><<a href="mailto:joehuang@huawei.com" target="_blank">joehuang@huawei.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
<p>Hello, Kevin</p>
<p> </p>
<p>The leakage risk may be one of the design purpose. But Nova/Cinder has already stored the token into the context, because Nova needs to access Neutron.Cinder.Glance, And Cinder interact with Glance....</p>
<p> </p>
<p>For Neutron, I think why the token has not been passed to the context, is because that Neutron only reactively provide service (exactly PORT ) to Nova currently, so Neutron has not call other services' API by using the token.
</p>
<p> </p>
<p>If the underlying agent or plugin wants to use the token, then the requirement will be asked by somebody.</p>
<p> </p>
<p>BR</p>
<p> </p>
<p>Joe</p>
<p> </p>
<div style="FONT-FAMILY:Times New Roman;COLOR:#000000;FONT-SIZE:16px">
<hr>
<div style="DIRECTION:ltr"><font color="#000000" face="Tahoma"><b>发件人:</b> Kevin Benton [<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>]<br>
<b>发送时间:</b> 2014年7月19日 4:23<div class=""><br>
<b>收件人:</b> OpenStack Development Mailing List (not for usage questions)<br>
</div><b>主题:</b> Re: [openstack-dev] [Neutron] Auth token in context<br>
</font><br>
</div><div><div class="h5">
<div></div>
<div>
<div dir="ltr">I suspect it was just excluded since it is authenticating information and there wasn't a good use case to pass it around everywhere in the context where it might be leaked into logs or other network requests unexpectedly.</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 1:10 PM, Phillip Toohill <span dir="ltr">
<<a href="mailto:phillip.toohill@rackspace.com" target="_blank">phillip.toohill@rackspace.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div style="FONT-FAMILY:Calibri,sans-serif;WORD-WRAP:break-word;COLOR:rgb(0,0,0);FONT-SIZE:14px">
<div>It was for more of a potential use to query another service. Don't think well go this route though, but was curious why it was one of the only values not populated even though there's a field for it. </div>
<div><br>
</div>
<span>
<div style="BORDER-BOTTOM:medium none;TEXT-ALIGN:left;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;FONT-FAMILY:Calibri;COLOR:black;FONT-SIZE:11pt;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="FONT-WEIGHT:bold">From: </span>Kevin Benton <<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>><br>
<span style="FONT-WEIGHT:bold">Reply-To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="FONT-WEIGHT:bold">Date: </span>Friday, July 18, 2014 2:16 PM<br>
<span style="FONT-WEIGHT:bold">To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="FONT-WEIGHT:bold">Subject: </span>Re: [openstack-dev] [Neutron] Auth token in context<br>
</div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">What are you trying to use the token to do?</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jul 18, 2014 at 9:16 AM, Phillip Toohill <span dir="ltr">
<<a href="mailto:phillip.toohill@rackspace.com" target="_blank">phillip.toohill@rackspace.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
Excellent! Thank you for the response, I figured it was possible, just<br>
concerned me to why everything else made it to context except for the<br>
token.<br>
<br>
So to be clear, you agree that it should at least be passed to context and<br>
because its not could be deemed a bug?<br>
<br>
Thank you<br>
<div>
<div><br>
On 7/18/14 2:03 AM, "joehuang" <<a href="mailto:joehuang@huawei.com" target="_blank">joehuang@huawei.com</a>> wrote:<br>
<br>
>Hello, Phillip.<br>
><br>
>Currently, Neutron did not pass the token to the context. But Nova/Cinder<br>
>did that. It's easy to do that, just 'copy' from Nova/Cinder.<br>
><br>
>1. How Nova/Cinder did that<br>
>class NovaKeystoneContext(wsgi.Middleware)<br>
>///or CinderKeystoneContext for cinder<br>
><br>
> auth_token = req.headers.get('X_AUTH_TOKEN',<br>
> req.headers.get('X_STORAGE_TOKEN'))<br>
> ctx = context.RequestContext(user_id,<br>
> project_id,<br>
> user_name=user_name,<br>
> project_name=project_name,<br>
> roles=roles,<br>
> auth_token=auth_token,<br>
> remote_address=remote_address,<br>
> service_catalog=service_catalog)<br>
><br>
>2. Neutron not passed token. Also not good for the third part network<br>
>infrastructure to integrate the authentication with KeyStone.<br>
>class NeutronKeystoneContext(wsgi.Middleware)<br>
>.................<br>
>##### token not get from the header and not passed to context. Just<br>
>change here like what Nova/Cinder did.<br>
> context.Context(user_id, tenant_id, roles=roles,<br>
> user_name=user_name,<br>
>tenant_name=tenant_name,<br>
> request_id=req_id)<br>
> req.environ['neutron.context'] = ctx<br>
><br>
>I think I'd better to report a bug for your case.<br>
><br>
>Best Regards<br>
>Chaoyi Huang ( Joe Huang )<br>
>-----邮件原件-----<br>
>发件人: Phillip Toohill [mailto:<a href="mailto:phillip.toohill@RACKSPACE.COM" target="_blank">phillip.toohill@RACKSPACE.COM</a>]<br>
>发送时间: 2014年7月18日 14:07<br>
>收件人: OpenStack Development Mailing List (not for usage questions)<br>
>主题: [openstack-dev] [Neutron] Auth token in context<br>
><br>
>Hello all,<br>
><br>
>I am wondering how to get the auth token from a user request passed down<br>
>to the context so it can potentially be used by the plugin or driver?<br>
><br>
>Thank you<br>
><br>
><br>
>_______________________________________________<br>
>OpenStack-dev mailing list<br>
><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>_______________________________________________<br>
>OpenStack-dev mailing list<br>
><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Kevin Benton</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Kevin Benton</div>
</div>
</div>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Kevin Benton</div>
</div>