<div dir="ltr">That makes sense. Is there a patch up for review to make this available in the context?</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 4, 2014 at 8:21 AM, Isaku Yamahata <span dir="ltr"><<a href="mailto:isaku.yamahata@gmail.com" target="_blank">isaku.yamahata@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">ServiceVM wants auth token.<br>
When creating l3 router which runs inside VM, it launches VM.<br>
So neutron interacts with other projects like servicevm server or nova.<br>
<br>
thanks,<br>
<br>
<br>
On Sun, Jul 20, 2014 at 12:14:54AM -0700,<br>
Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>> wrote:<br>
<br>
> That makes sense. Shouldn't we wait for something to require it before<br>
> adding it though?<br>
><br>
><br>
> On Sat, Jul 19, 2014 at 11:41 PM, joehuang <<a href="mailto:joehuang@huawei.com">joehuang@huawei.com</a>> wrote:<br>
><br>
> > Hello, Kevin<br>
> ><br>
> ><br>
> ><br>
> > The leakage risk may be one of the design purposes. But Nova/Cinder has<br>
> > already stored the token into the context, because Nova needs to access<br>
> > Neutron, Cinder, Glance, and Cinder interacts with Glance....<br>
> ><br>
> ><br>
> ><br>
> > For Neutron, I think the reason the token has not been passed to the context is<br>
> > that Neutron currently only reactively provides service (exactly PORT) to<br>
> > Nova, so Neutron has not called other services' APIs by using the<br>
> > token.<br>
> ><br>
> ><br>
> ><br>
> > If the underlying agent or plugin wants to use the token, then the<br>
> > requirement will be asked by somebody.<br>
> ><br>
> ><br>
> ><br>
> > BR<br>
> ><br>
> ><br>
> ><br>
> > Joe<br>
> ><br>
> ><br>
> > ------------------------------<br>
> > *From:* Kevin Benton [<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>]<br>
> > *Sent:* July 19, 2014 4:23<br>
> ><br>
> > *To:* OpenStack Development Mailing List (not for usage questions)<br>
> > *Subject:* Re: [openstack-dev] [Neutron] Auth token in context<br>
> ><br>
> > I suspect it was just excluded since it is authenticating information<br>
> > and there wasn't a good use case to pass it around everywhere in the<br>
> > context where it might be leaked into logs or other network requests<br>
> > unexpectedly.<br>
> ><br>
> ><br>
> > On Fri, Jul 18, 2014 at 1:10 PM, Phillip Toohill <<br>
> > <a href="mailto:phillip.toohill@rackspace.com">phillip.toohill@rackspace.com</a>> wrote:<br>
> ><br>
> >> It was for more of a potential use to query another service. Don't<br>
> >> think we'll go this route though, but was curious why it was one of the only<br>
> >> values not populated even though there's a field for it.<br>
> >><br>
> >> From: Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>><br>
> >> Reply-To: "OpenStack Development Mailing List (not for usage questions)"<br>
> >> <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
> >> Date: Friday, July 18, 2014 2:16 PM<br>
> >> To: "OpenStack Development Mailing List (not for usage questions)" <<br>
> >> <a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
> >> Subject: Re: [openstack-dev] [Neutron] Auth token in context<br>
> >><br>
> >> What are you trying to use the token to do?<br>
> >><br>
> >><br>
> >> On Fri, Jul 18, 2014 at 9:16 AM, Phillip Toohill <<br>
> >> <a href="mailto:phillip.toohill@rackspace.com">phillip.toohill@rackspace.com</a>> wrote:<br>
> >><br>
> >>> Excellent! Thank you for the response, I figured it was possible, just<br>
> >>> concerned me to why everything else made it to context except for the<br>
> >>> token.<br>
> >>><br>
> >>> So to be clear, you agree that it should at least be passed to context<br>
> >>> and<br>
> >>> because it's not could be deemed a bug?<br>
> >>><br>
> >>> Thank you<br>
> >>><br>
> >>> On 7/18/14 2:03 AM, "joehuang" <<a href="mailto:joehuang@huawei.com">joehuang@huawei.com</a>> wrote:<br>
> >>><br>
> >>> >Hello, Phillip.<br>
> >>> ><br>
> >>> >Currently, Neutron did not pass the token to the context. But<br>
> >>> Nova/Cinder<br>
> >>> >did that. It's easy to do that, just 'copy' from Nova/Cinder.<br>
> >>> ><br>
> >>> >1. How Nova/Cinder did that<br>
> >>> >class NovaKeystoneContext(wsgi.Middleware):<br>
> >>> ># or CinderKeystoneContext for Cinder<br>
> >>> ><br>
> >>> > auth_token = req.headers.get('X_AUTH_TOKEN',<br>
> >>> > req.headers.get('X_STORAGE_TOKEN'))<br>
> >>> > ctx = context.RequestContext(user_id,<br>
> >>> > project_id,<br>
> >>> > user_name=user_name,<br>
> >>> > project_name=project_name,<br>
> >>> > roles=roles,<br>
> >>> > auth_token=auth_token,<br>
> >>> > remote_address=remote_address,<br>
> >>> > service_catalog=service_catalog)<br>
> >>> ><br>
> >>> >2. Neutron does not pass the token. It is also not good for third-party network<br>
> >>> >infrastructure to integrate authentication with Keystone.<br>
> >>> >class NeutronKeystoneContext(wsgi.Middleware):<br>
> >>> >.................<br>
> >>> >##### The token is not read from the header and not passed to the context. Just<br>
> >>> >change this like what Nova/Cinder did.<br>
> >>> > ctx = context.Context(user_id, tenant_id, roles=roles,<br>
> >>> > user_name=user_name,<br>
> >>> >tenant_name=tenant_name,<br>
> >>> > request_id=req_id)<br>
> >>> > req.environ['neutron.context'] = ctx<br>
> >>> ><br>
> >>> >I think I'd better report a bug for your case.<br>
> >>> ><br>
> >>> >Best Regards<br>
> >>> >Chaoyi Huang ( Joe Huang )<br>
> >>> >-----Original Message-----<br>
> >>> >From: Phillip Toohill [mailto:<a href="mailto:phillip.toohill@RACKSPACE.COM">phillip.toohill@RACKSPACE.COM</a>]<br>
> >>> >Sent: July 18, 2014 14:07<br>
> >>> >To: OpenStack Development Mailing List (not for usage questions)<br>
> >>> >Subject: [openstack-dev] [Neutron] Auth token in context<br>
> >>> ><br>
> >>> >Hello all,<br>
> >>> ><br>
> >>> >I am wondering how to get the auth token from a user request passed down<br>
> >>> >to the context so it can potentially be used by the plugin or driver?<br>
> >>> ><br>
> >>> >Thank you<br>
> >>> ><br>
> >>> ><br>
> >>> >_______________________________________________<br>
> >>> >OpenStack-dev mailing list<br>
> >>> ><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> >>> ><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> >>><br>
> >>><br>
> >><br>
> >><br>
> >><br>
> >> --<br>
> >> Kevin Benton<br>
> >><br>
> >><br>
> >><br>
> ><br>
> ><br>
> > --<br>
> > Kevin Benton<br>
> ><br>
> ><br>
> ><br>
><br>
<span class="HOEnZb"><font color="#888888">><br>
> --<br>
> Kevin Benton<br>
<br>
<br>
<br>
--<br>
Isaku Yamahata <<a href="mailto:isaku.yamahata@gmail.com">isaku.yamahata@gmail.com</a>><br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Kevin Benton</div>
</div>
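The thread weighs two needs: a plugin or driver wants the request's auth token to call other services, while carrying it in the context risks leaking it into logs or other network requests. The sketch below is an added example, not Neutron, Nova or Cinder code: `RequestContext`, `context_from_headers` and `TokenRedactingFilter` are hypothetical names, and the header names other than `X_AUTH_TOKEN` are assumptions. It keeps the token on the context but leaves it out of serialization and `repr()` unless explicitly requested.

```python
import logging

REDACTED = "***"


class RequestContext:
    """Hypothetical stand-in for a service context; not Neutron's class."""

    def __init__(self, user_id, tenant_id, roles=None, auth_token=None):
        self.user_id = user_id
        self.tenant_id = tenant_id
        self.roles = list(roles or [])
        self.auth_token = auth_token  # needed for calls to other services

    def to_dict(self, include_token=False):
        """Serialize; the token is emitted only on explicit request."""
        data = {"user_id": self.user_id, "tenant_id": self.tenant_id,
                "roles": self.roles}
        if include_token:
            data["auth_token"] = self.auth_token
        return data

    def __repr__(self):
        # repr() is what ends up in "%s" log lines and tracebacks.
        shown = dict(self.to_dict(), auth_token=REDACTED if self.auth_token else None)
        return "RequestContext(%r)" % shown


def context_from_headers(headers):
    """Build a context from identity headers (names other than X_AUTH_TOKEN are assumed)."""
    roles = [r.strip() for r in headers.get("X_ROLES", "").split(",") if r.strip()]
    return RequestContext(headers.get("X_USER_ID"), headers.get("X_TENANT_ID"),
                          roles=roles, auth_token=headers.get("X_AUTH_TOKEN"))


class TokenRedactingFilter(logging.Filter):
    """Backstop: scrub a known token value from any formatted log record."""

    def __init__(self, token):
        super().__init__()
        self.token = token

    def filter(self, record):
        message = record.getMessage()
        if self.token and self.token in message:
            record.msg = message.replace(self.token, REDACTED)
            record.args = ()
        return True
```

A caller that really needs to forward the token over RPC passes `include_token=True`, which makes every place the credential leaves the process easy to find in review.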