[Openstack] Openstack Nova/Quantum :; api-paste.ini file

Trinath Somanchi trinath.somanchi at gmail.com
Thu Dec 6 18:28:26 UTC 2012

Thanks a lot kevin..

Your explanation has cleared my doubts..

Keeping togethor what i understand...

Suppose, we have a resquest to Nova..

The following steps are performed...

1. The request is captured by webob and is authenticated by keystone and is
decorated to wsgi app
2. Nova-api maps the url params to extensions
3. Nova-api extensions return the data dict.. Which webob returns as
response to the request in json/xml format...
4. Paste-api helps the keystone and other modules for update of the

This the request is served...

In the above steps, i might be misunderstanding the concepts..

Kindly please help me by validating my understanding ...

On Dec 6, 2012 11:42 PM, "Kevin L. Mitchell" <kevin.mitchell at rackspace.com>

> It's probably best to ask these sorts of questions on the email list, as
> it gives an opportunity to others to answer them, as well as allowing
> others who may have similar questions to see the answers in the first
> place.
> On Thu, 2012-12-06 at 23:24 +0530, Trinath Somanchi wrote:
> > [1] In nova or quantum api,
> > We can access the .conf params,
> >
> > This way...
> >
> > cfg.Conf.xxxxx as per the soutce code... We can get the
> > api-paste-config too.. But i wonder how we can get the paste api confs
> > values too accessible this way.... Like, admin_user .....
> PasteDeploy passes configuration options as arguments to the
> constructors/factories for the various applications and middleware.
> But, as I say, we're trying to avoid relying on this data in nova; the
> only consumer of it I am aware of is the Keystone auth_token middleware,
> and it has the capability now of specifying its necessary configuration
> in the [keystone_authtoken] section of the nova/glance/quantum/cinder
> configuration files.  (I suspect the Keystone team is deprecating the
> configuration through api-paste.ini.)  This should all be documented in
> the PasteDeploy manual…
> > [2] since nova/quantum run as services, how do webob and wsgi play a
> > role to prepare the request dict?
> At this point, we leave behind PasteDeploy.  To answer your second
> question first, WSGI is an interface specification; it describes how a
> web application can be called by the server which receives the HTTP
> request.  You can find out more about WSGI from PEP-333, at:
>         http://www.python.org/dev/peps/pep-0333/
> As for webob, that is another package used by nova, etc., which changes
> the interface we actually implement; that is, a WSGI application is a
> callable taking a dictionary with the environment and a "start_response"
> callback, but webob takes these two arguments and encapsulates them in a
> Request class, which provides simplified access to the environment data
> and some utility methods.  In essence, webob implements the
> strange-looking parts of the WSGI interface spec for us, and we can
> concentrate on getting the job done.
> > [3] When does( at what level )keystone authentication happens for
> > given RESTful request...
> Keystone authentication happens, for most projects, in two separate
> pieces of middleware.  The first is auth_token, contained in the
> python-keystoneclient package (it was just moved from the keystone
> package); this piece of middleware grabs the token out of the incoming
> request, verifies that it is a valid and unexpired token, then inserts
> various authentication data needed by the project (user and tenant IDs,
> for instance).
> The second piece of authentication is more or less a shim between the
> Keystone auth_token and the project; it extracts the data that
> auth_token injected into the request, then builds a project-specific
> authentication context.  This context is how the various projects keep
> track of what user made the request, and is used in authorization checks
> ("Does this user have permission to take this action on this
> resource?").
> --
> Kevin L. Mitchell <kevin.mitchell at rackspace.com>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20121206/9cc6edfc/attachment.html>

More information about the Openstack mailing list