author: Alan Pevec <apevec@redhat.com> 2012-07-31 03:14:16 +0200
committer: Alan Pevec <apevec@redhat.com> 2012-08-22 20:50:31 +0200
commit: 174964498ba098f206d27119ce58d9fa6f43d302
tree: 215f56e41de776f7f6daec9123d99c1ceaa0f68c /doc
parent: d04e99a513fe46c6ede8ef917ba24a52fc74294b
allow middleware configuration from app config

From markmc's proposal:
http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html

For backward compatibility, configuration from paste-deploy INI is used
if it exists. If not, section [keystone_authtoken] in global
configuration is expected, with the same parameter names.

Requires application using global cfg.CONF object (nova and glance since
folsom-2) and before there's openstack.common library, attempts to use
copy/pasted <application>.openstack.common.cfg

DocImpact

Change-Id: If6aa22280f4ce2cc698d99a130b5792dab808363
Diffstat (limited to 'doc')
-rw-r--r-- doc/source/configuringservices.rst 26
-rw-r--r-- doc/source/middlewarearchitecture.rst 26
2 files changed, 49 insertions, 3 deletions
diff --git a/doc/source/configuringservices.rst b/doc/source/configuringservices.rst
index 1c422530..4dbba55e 100644
--- a/doc/source/configuringservices.rst
+++ b/doc/source/configuringservices.rst
@@ -49,7 +49,7 @@ Admin Token
For a default installation of Keystone, before you can use the REST API, you
need to define an authorization token. This is configured in ``keystone.conf``
file under the section ``[DEFAULT]``. In the sample file provided with the
-keystone project, the line defining this token is
+keystone project, the line defining this token is::
[DEFAULT]
admin_token = ADMIN
@@ -70,7 +70,7 @@ be able to use to authenticate users against keystone. The ``auth_token``
middleware supports using either the shared secret described above as
`admin_token` or users for each service.
-See doc:`configuration` for a walk through on how to create tenants, users,
+See :doc:`configuration` for a walk through on how to create tenants, users,
and roles.
Setting up services
@@ -169,7 +169,8 @@ Configuring Nova to use Keystone
When configuring Nova, it is important to create a admin service token for
the service (from the Configuration step above) and include that as the key
-'admin_token' in Nova's api-paste.ini.
+'admin_token' in Nova's api-paste.ini [filter:authtoken] section or in
+nova.conf [keystone_authtoken] section.
Configuring Swift to use Keystone
---------------------------------
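Review bot: The rewritten 'admin_token' sentence now names two places for the key, api-paste.ini [filter:authtoken] and nova.conf [keystone_authtoken], but does not say which one wins when both are set. The middlewarearchitecture.rst part of this patch states that paste config takes priority; repeat that here or link to it, so an operator who moves the token into nova.conf knows to delete the old value from api-paste.ini. The file and section names would also read better as literals, matching the ``keystone.conf`` and ``[DEFAULT]`` markup used earlier in this file.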
@@ -344,3 +345,22 @@ Here is an example paste config filter that makes use of the 'admin_user' and
It should be noted that when using this option an admin tenant/role
relationship is required. The admin user is granted access to to the 'Admin'
role to the 'admin' tenant.
+
+The auth_token middleware can also be configured in nova.conf
+[keystone_authtoken] section to keep paste config clean of site-specific
+parameters::
+
+ [filter:authtoken]
+ paste.filter_factory = keystone.middleware.auth_token:filter_factory
+
+and in nova.conf::
+
+ [DEFAULT]
+ ...
+ auth_strategy=keystone
+
+ [keystone_authtoken]
+ auth_port = 35357
+ auth_host = 127.0.0.1
+ admin_user = admin
+ admin_password = keystone123
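Review bot: The [keystone_authtoken] example at the end of this hunk sets admin_user and admin_password but no admin_tenant_name, although the paragraph just above it says an admin tenant/role relationship is required, and the matching example added to middlewarearchitecture.rst includes "admin_tenant_name = service". Add the tenant line so both documents show the same set of options, and use one placeholder password in both instead of keystone123 here and SuperSekretPassword there. The lead-in sentence also ends in "parameters::" while the block it introduces is the api-paste.ini filter stanza, not nova.conf; name the file in that sentence, as the second lead-in ("and in nova.conf::") already does.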
diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst
index dc0b1d53..8c92add4 100644
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@@ -137,6 +137,32 @@ a WSGI component. Example for the auth_token middleware::
certfile = <path to middleware public cert>
keyfile = <path to middleware private cert>
+For services which have separate paste-deploy ini file, auth_token middleware
+can be alternatively configured in [keystone_authtoken] section in the main
+config file. For example in Nova, all middleware parameters can be removed
+from api-paste.ini::
+
+ [filter:authtoken]
+ paste.filter_factory = keystone.middleware.auth_token:filter_factory
+
+and set in nova.conf::
+
+ [DEFAULT]
+ ...
+ auth_strategy=keystone
+
+ [keystone_authtoken]
+ auth_host = 127.0.0.1
+ auth_port = 35357
+ auth_protocol = http
+ auth_uri = http://127.0.0.1:5000/
+ admin_user = admin
+ admin_password = SuperSekretPassword
+ admin_tenant_name = service
+
+Note that middleware parameters in paste config take priority, they must be
+removed to use values in [keystone_authtoken] section.
+
Configuration Options
---------------------
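Review bot: The closing note ("middleware parameters in paste config take priority, they must be removed ...") leaves open whether the fallback to [keystone_authtoken] is per parameter or all-or-nothing, which decides what happens when api-paste.ini keeps only some of the keys. State that explicitly, split the comma splice into two sentences, and consider a ".. note::" directive so it stands out from the example. Since nova.conf now carries admin_password, a sentence on restricting read access to that file would fit here as well, and the "auth_protocol = http" line next to the password deserves a remark on using https, given the certfile/keyfile options shown in the context just above.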