authorZiad Sawalha <github@highbridgellc.com>2012-01-13 14:34:30 -0600
committerZiad Sawalha <github@highbridgellc.com>2012-01-19 11:40:21 -0600
commite03ff6e291a0679bcbaf1a28ec0f5b8a5319b461 (patch)
tree2a12a7134052139cbba02708a7aa6a380ff39486
parent45c62a8e86bbd35a50fefe33248b01f6482982a8 (diff)
Updates to middleware to deprecate X_USER
- There is an outstanding issue where we return the user id for the legacy X-User header, but the documentation says it should be the 'name the user logged in with'. I did not fix this in this commit until we discuss with other teams. Change-Id: Ibf2acf5bb594b889b5c220ea00d777ac528175b0
-rw-r--r--doc/source/middleware.rst8
-rw-r--r--keystone/middleware/auth_token.py2
-rw-r--r--keystone/middleware/glance_auth_token.py2
-rw-r--r--keystone/middleware/nova_auth_token.py5
-rw-r--r--keystone/middleware/nova_keystone_context.py2
5 files changed, 13 insertions, 6 deletions
diff --git a/doc/source/middleware.rst b/doc/source/middleware.rst
index f2bb0c01..69506ee2 100644
--- a/doc/source/middleware.rst
+++ b/doc/source/middleware.rst
@@ -58,9 +58,15 @@ X-Tenant-Id
X-Tenant-Name
The unique, but mutable (it can change) tenant name.
-X-User
+X-User-Id
+ The user id of the user used to log in
+
+X-User-Name
The username used to log in
+X-User
+ The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
+
X-Roles
The roles associated with that user
diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py
index 1cc45898..4a3918dd 100644
--- a/keystone/middleware/auth_token.py
+++ b/keystone/middleware/auth_token.py
@@ -318,6 +318,8 @@ class AuthProtocol(object):
claims['tenant']['id'], env, proxy_headers)
# Deprecated in favor of X_USER_ID and _NAME
+ # TODO(zns): documentation says this should be the username
+ # the user logged in with. We've been returning the id...
self._decorate_request('X_USER',
claims['user']['id'], env, proxy_headers)
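Review bot: The new TODO above the `X_USER` decoration records the id-versus-name mismatch but not which code depends on the current behaviour. In this same commit glance_auth_token.py, nova_auth_token.py and nova_keystone_context.py fall back to `X_USER` when `X_USER_ID` is absent and treat the value as a user id, so later switching `X_USER` to the username would change the identity those consumers resolve. I would extend the comment, e.g. `# NOTE: consumers fall back to X_USER as a user *id*; update them before changing this to the name.` The enclosing method starts and ends outside the hunk.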
diff --git a/keystone/middleware/glance_auth_token.py b/keystone/middleware/glance_auth_token.py
index d37b6fe2..cc689bc8 100644
--- a/keystone/middleware/glance_auth_token.py
+++ b/keystone/middleware/glance_auth_token.py
@@ -57,7 +57,7 @@ class KeystoneContextMiddleware(context.ContextMiddleware):
# OK, let's extract the information we need
auth_tok = req.headers.get('X_AUTH_TOKEN',
req.headers.get('X_STORAGE_TOKEN'))
- user = req.headers.get('X_USER')
+ user = req.headers.get('X_USER_ID') or req.headers.get('X_USER')
tenant = req.headers.get('X_TENANT')
roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
is_admin = 'Admin' in roles
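Review bot: The changed `user = ...` line now takes the caller's identity from either `X_USER_ID` or the legacy `X_USER` request header, and nothing in this hunk shows where those headers were validated. That is only sound if the upstream auth_token middleware overwrites or strips client-supplied copies of both names before this code runs, which is worth confirming now that a second header name is honoured. A comment on the line would make the dependency explicit, e.g. `# Trusted only because auth_token sets these upstream; both X_USER_ID and X_USER must be stripped from inbound requests.` The method continues outside the hunk, so any later check on `user` is not visible here.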
diff --git a/keystone/middleware/nova_auth_token.py b/keystone/middleware/nova_auth_token.py
index 389f040f..842f81e2 100644
--- a/keystone/middleware/nova_auth_token.py
+++ b/keystone/middleware/nova_auth_token.py
@@ -37,7 +37,6 @@ from nova import flags
from nova import utils
from nova import wsgi
# pylint: disable=W0611
-from nova import exception
logger = logging.getLogger(__name__) # pylint: disable=C0103
@@ -63,13 +62,13 @@ class KeystoneAuthShim(wsgi.Middleware):
def __call__(self, req):
# find or create user
try:
- user_id = req.headers.get('X_USER')
+ user_id = req.headers.get('X_USER_ID') or req.headers['X_USER']
except Exception as e:
logger.exception("Unexpected error trying to get user from "
"request: %s" % e)
raise
if not user_id:
- return webob.exc.HTTPUnauthorized()
+ return webob.exc.HTTPUnauthorized()
try:
user_ref = self.auth.get_user(user_id)
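Review bot: With the fallback written as `req.headers['X_USER']`, a request carrying neither header raises KeyError inside the `try`, is logged with a traceback by `logger.exception` and re-raised, so the `if not user_id: return webob.exc.HTTPUnauthorized()` branch below no longer handles the missing-header case. The old `.get('X_USER')` returned None and produced a clean 401; the new form likely surfaces as a server error and writes a traceback per unauthenticated request. Keeping both lookups non-raising restores the earlier behaviour and matches glance_auth_token.py: `user_id = req.headers.get('X_USER_ID') or req.headers.get('X_USER')`. The body of `__call__` continues past the end of the hunk.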
diff --git a/keystone/middleware/nova_keystone_context.py b/keystone/middleware/nova_keystone_context.py
index 9a701d34..199602cb 100644
--- a/keystone/middleware/nova_keystone_context.py
+++ b/keystone/middleware/nova_keystone_context.py
@@ -39,7 +39,7 @@ class NovaKeystoneContext(wsgi.Middleware):
@webob.dec.wsgify(RequestClass=wsgi.Request)
def __call__(self, req):
try:
- user_id = req.headers['X_USER']
+ user_id = req.headers.get('X_USER_ID') or req.headers['X_USER']
except KeyError:
logger.debug("X_USER not found in request")
return webob.exc.HTTPUnauthorized()
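Review bot: The `except KeyError` path covers a missing `X_USER`, but `req.headers.get('X_USER_ID') or req.headers['X_USER']` can still yield an empty string when `X_USER` is present with no value, and the hunk shows no check for that before `user_id` is used. The rest of `__call__` is outside the hunk, so this may be handled later; if not, an explicit `if not user_id: return webob.exc.HTTPUnauthorized()` after the `try` would reject the request. The debug message is also stale now that two headers are consulted; `logger.debug("Neither X_USER_ID nor X_USER found in request")` would describe the failure accurately.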