[openstack-dev] [KEYSTONE] subclassing auth_token middleware
Joe Heck
Joe.Heck at nebula.com
Tue Nov 13 21:50:09 UTC 2012
Chatting with Kevin on IRC today - he has a review up (https://review.openstack.org/#/c/16002) that started the conversation, but it all generally boils down to how we accept data in through auth_token middleware and pass it down to subsequent WSGI pipeline components.
The general issue is that there's some extended token data that they're using now that doesn't get translated and pushed down the WSGI pipeline after receiving the authorization token. His current path with the review is to strip these arbitrary data segments out and add them as HTTP headers. One of the goals that he's trying to accomplish is to make it easier to subclass auth_token middleware for use beyond what it does today.
Guang brought up the same need (and I think his team at HP is already doing it) - so I wanted to get some feedback on the contracts that you (Kevin & Guang) are after to support making auth_token something that's stable enough to be subclassed (and to nail down those interfaces so we don't accidentally break them in the future). What hooks or methods do your needs for subclasses have today?
Guang mentioned how keystone handles EC2 token validation today - perhaps breaking auth_token middleware into two separate filters, token_validator and context_builder.
Can you illustrate what you're after and what methods would help make that most effective?
-joe