author    Joe Heck <heckj@mac.com>  2012-03-14 05:08:58 +0000
committer Joe Heck <heckj@mac.com>  2012-03-14 09:44:17 -0700
commit    b03c2047815ff341547d2d9792dfd392148d277a
tree      1ead21677e37ff579815c480d2de8868f3faf1b2 /doc
parent    fb4cbe9d3766ac0ccbe746114d5c6745bc91e002
updating documentation for rewrite of auth_token.

fixes bug 944372

Change-Id: Ifac365a6eb141e0ca4701cf139d6ea66a0b3ffbc
Diffstat (limited to 'doc')

-rw-r--r--  doc/source/configuringservices.rst                      3
-rw-r--r--  doc/source/images/graphs_305.svg                       41
-rw-r--r--  doc/source/images/graphs_both.svg                      36
-rw-r--r--  doc/source/images/graphs_delegate_forbiden_basic.svg   53
-rw-r--r--  doc/source/images/graphs_delegate_forbiden_proxy.svg   52
-rw-r--r--  doc/source/images/graphs_delegate_reject_basic.svg     55
-rw-r--r--  doc/source/images/graphs_delegate_reject_oauth.svg     56
-rw-r--r--  doc/source/images/graphs_delegate_unimplemented.svg    53
-rw-r--r--  doc/source/images/graphs_mapper.svg                    73
-rw-r--r--  doc/source/images/graphs_proxyAuth.svg                 51
-rw-r--r--  doc/source/images/images_layouts.svg                  200
-rw-r--r--  doc/source/index.rst                                    3
-rw-r--r--  doc/source/middleware_architecture.rst                555
-rw-r--r--  doc/source/old/middleware.rst                         169
-rw-r--r--  doc/source/setup.rst                                   28

15 files changed, 148 insertions, 1280 deletions
diff --git a/doc/source/configuringservices.rst b/doc/source/configuringservices.rst
index bfbada65..2d53791e 100644
--- a/doc/source/configuringservices.rst
+++ b/doc/source/configuringservices.rst
@@ -30,6 +30,7 @@ configure middleware for the OpenStack service to handle authentication tasks
or otherwise interact with Keystone.
In general:
+
* Clients making calls to the service will pass in an authentication token.
* The Keystone middleware will look for and validate that token, taking the
appropriate action.
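Review bot: the blank line inserted after `In general:` is needed for this list to render at all; reStructuredText only treats the `*` lines as a bullet list when a blank line separates them from the preceding paragraph, otherwise they are folded into that paragraph's text. Nothing else to change in this hunk.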
@@ -261,7 +262,7 @@ S3 api.
not to `keystone`.
Auth-Token Middleware with Username and Password
---------------------------------
+------------------------------------------------
It is also possible to configure Keystone's auth_token middleware using the
'admin_user' and 'admin_password' options. When using the 'admin_user' and
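Review bot: the new underline now matches the title's length, which clears Sphinx's `Title underline too short` warning for this section. One documentation gap in the paragraph that follows: it introduces `admin_user` and `admin_password` as an alternative to a token without saying which configuration file holds them; the text should name that file and point out that it then contains a Keystone admin credential, so its read permissions need to be restricted accordingly.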
diff --git a/doc/source/images/graphs_305.svg b/doc/source/images/graphs_305.svg
deleted file mode 100644
index 1dff61a6..00000000
--- a/doc/source/images/graphs_305.svg
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: Handle305 Pages: 1 -->
-<svg width="310pt" height="208pt"
- viewBox="0.00 0.00 310.00 208.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 204)">
-<title>Handle305</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-204 307,-204 307,5 -4,5"/>
-<!-- AuthComp -->
-<g id="node2" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="98,-146 0,-146 0,-106 98,-106 98,-146"/>
-<text text-anchor="middle" x="49" y="-129.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="49" y="-113.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Service -->
-<g id="node4" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="119,-40 25,-40 25,-0 119,-0 119,-40"/>
-<text text-anchor="middle" x="72" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="72" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge5" class="edge"><title>Service:n&#45;&gt;AuthComp:n</title>
-<path fill="none" stroke="black" d="M72,-40C72,-62.2222 76.6172,-67.8558 86,-88 90.0596,-96.7157 95.2138,-96.7977 98,-106 103.152,-123.015 110.312,-133.175 98,-146 92.6344,-151.589 70.1318,-155.75 57.5709,-153.773"/>
-<polygon fill="black" stroke="black" points="59.2494,-150.684 49,-148 55.3388,-156.489 59.2494,-150.684"/>
-<text text-anchor="middle" x="144" y="-75.4" font-family="Times,serif" font-size="14.00">305 Use Proxy</text>
-<text text-anchor="middle" x="144" y="-60.4" font-family="Times,serif" font-size="14.00">To Redirect to Auth</text>
-</g>
-<!-- Start -->
-<!-- Start&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>Start:sw&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M216,-164C182.398,-130.398 232.934,-94.0727 202,-58 192.167,-46.5338 159.461,-37.0056 129.317,-30.3582"/>
-<polygon fill="black" stroke="black" points="129.738,-26.8696 119.229,-28.2156 128.284,-33.7169 129.738,-26.8696"/>
-<text text-anchor="middle" x="255.5" y="-128.4" font-family="Times,serif" font-size="14.00">Request</text>
-<text text-anchor="middle" x="255.5" y="-113.4" font-family="Times,serif" font-size="14.00">Service Directly</text>
-</g>
-</g>
-</svg>
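Review bot: removing `graphs_305.svg` is only safe if no `.. image::` or `.. figure::` directive still refers to it. The diffstat shows `middleware_architecture.rst` and `old/middleware.rst` being rewritten in this same commit, but those hunks are not shown here, so please confirm the Sphinx build completes without a missing-image warning. The same check applies to every other SVG deletion in this patch.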
diff --git a/doc/source/images/graphs_both.svg b/doc/source/images/graphs_both.svg
deleted file mode 100644
index 6aa87612..00000000
--- a/doc/source/images/graphs_both.svg
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: Both Pages: 1 -->
-<svg width="116pt" height="180pt"
- viewBox="0.00 0.00 116.00 180.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 176)">
-<title>Both</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-176 113,-176 113,5 -4,5"/>
-<!-- AuthComp -->
-<g id="node2" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="104,-172 6,-172 6,-132 104,-132 104,-172"/>
-<text text-anchor="middle" x="55" y="-155.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="55" y="-139.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Together -->
-<g id="node4" class="node"><title>Together</title>
-<polygon fill="white" stroke="white" points="108,-95.5 0,-95.5 0,-0.5 108,-0.5 108,-95.5"/>
-<polygon fill="white" stroke="white" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
-<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
-<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
-<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
-<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Together -->
-<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Together:OStack:n</title>
-<path fill="none" stroke="black" d="M55,-131.871C55,-113.129 55,-84.1127 55,-57.1901"/>
-<polygon fill="black" stroke="black" points="58.5001,-57 55,-47 51.5001,-57 58.5001,-57"/>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_delegate_forbiden_basic.svg b/doc/source/images/graphs_delegate_forbiden_basic.svg
deleted file mode 100644
index dcd62b77..00000000
--- a/doc/source/images/graphs_delegate_forbiden_basic.svg
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: DelegateRejectForbidden Pages: 1 -->
-<svg width="670pt" height="102pt"
- viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
-<title>DelegateRejectForbidden</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
-<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
-<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
-<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
-<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
-<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
-</g>
-<!-- Service -->
-<g id="node7" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
-<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
-<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
-<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
-<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
-<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
-<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
-<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_delegate_forbiden_proxy.svg b/doc/source/images/graphs_delegate_forbiden_proxy.svg
deleted file mode 100644
index df53212b..00000000
--- a/doc/source/images/graphs_delegate_forbiden_proxy.svg
+++ /dev/null
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: DelegateForbiddnProxy Pages: 1 -->
-<svg width="656pt" height="81pt"
- viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
-<title>DelegateForbiddnProxy</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
-<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
-<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
-<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
-<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
-<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
-</g>
-<!-- Service -->
-<g id="node7" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
-<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
-<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
-<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
-<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
-<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
-<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_delegate_reject_basic.svg b/doc/source/images/graphs_delegate_reject_basic.svg
deleted file mode 100644
index a33ea095..00000000
--- a/doc/source/images/graphs_delegate_reject_basic.svg
+++ /dev/null
@@ -1,55 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: DelegateRejectAuthBasic Pages: 1 -->
-<svg width="670pt" height="113pt"
- viewBox="0.00 0.00 670.00 112.84" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 108.841)">
-<title>DelegateRejectAuthBasic</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-108.841 667,-108.841 667,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="346,-72.8409 248,-72.8409 248,-32.8409 346,-32.8409 346,-72.8409"/>
-<text text-anchor="middle" x="297" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="297" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.3777,-61.3549C60.1429,-62.8044 66.2278,-64.0845 72,-64.8409 141.627,-73.9651 160.053,-71.0554 230,-64.8409 232.523,-64.6168 235.094,-64.346 237.686,-64.038"/>
-<polygon fill="black" stroke="black" points="238.294,-67.4878 247.737,-62.6852 237.36,-60.5504 238.294,-67.4878"/>
-<text text-anchor="middle" x="151" y="-72.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M268.012,-32.6508C256.688,-25.9141 243.253,-19.2572 230,-15.8409 162.001,1.68741 138.106,7.84667 72,-15.8409 64.6685,-18.468 57.6762,-22.8621 51.4824,-27.7226"/>
-<polygon fill="black" stroke="black" points="48.8781,-25.3457 43.5743,-34.5174 53.44,-30.655 48.8781,-25.3457"/>
-<text text-anchor="middle" x="151" y="-48.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
-<text text-anchor="middle" x="151" y="-33.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Basic</text>
-<text text-anchor="middle" x="151" y="-18.2409" font-family="Times,serif" font-size="14.00">Realm=&quot;API Realm&quot;</text>
-</g>
-<!-- Service -->
-<g id="node7" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-72.8409 568,-72.8409 568,-32.8409 662,-32.8409 662,-72.8409"/>
-<text text-anchor="middle" x="615" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="615" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M346.009,-56.9214C352.065,-57.3007 358.172,-57.6238 364,-57.8409 446.609,-60.9191 467.394,-61.0134 550,-57.8409 552.523,-57.744 555.101,-57.626 557.704,-57.4913"/>
-<polygon fill="black" stroke="black" points="558.03,-60.9783 567.807,-56.8985 557.62,-53.9903 558.03,-60.9783"/>
-<text text-anchor="middle" x="457" y="-92.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="457" y="-77.2409" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy b</text>
-<text text-anchor="middle" x="457" y="-62.2409" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M577.062,-32.7447C568.397,-29.0597 559.064,-25.7713 550,-23.8409 469.146,-6.62237 444.948,-7.07388 364,-23.8409 357.891,-25.1063 351.655,-26.957 345.566,-29.1213"/>
-<polygon fill="black" stroke="black" points="344.234,-25.8836 336.158,-32.7413 346.748,-32.4166 344.234,-25.8836"/>
-<text text-anchor="middle" x="457" y="-41.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
-<text text-anchor="middle" x="457" y="-26.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
-</g>
-</g>
-</svg>
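Review bot: this deleted diagram documented a delegated mode in which the auth component forwards a request whose Basic credentials it rejected, tagged `X-Identity-Status: Indeterminate` and still carrying `X-Authorization: Proxy b`, and leaves the `401 Unauthorized` decision to the service. The replacement text should state explicitly whether the rewritten auth_token keeps that behaviour, because a service that trusts the identity headers without first checking `X-Identity-Status` would act on an unverified identity; if the mode is dropped, the commit message should say so, since it changes what services receive.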
diff --git a/doc/source/images/graphs_delegate_reject_oauth.svg b/doc/source/images/graphs_delegate_reject_oauth.svg
deleted file mode 100644
index 760adeb6..00000000
--- a/doc/source/images/graphs_delegate_reject_oauth.svg
+++ /dev/null
@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: DelegateRejectAuthOAuth Pages: 1 -->
-<svg width="722pt" height="128pt"
- viewBox="0.00 0.00 722.00 127.50" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 123.504)">
-<title>DelegateRejectAuthOAuth</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-123.504 719,-123.504 719,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="398,-87.504 300,-87.504 300,-47.504 398,-47.504 398,-87.504"/>
-<text text-anchor="middle" x="349" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="349" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.4752,-81.8682C60.1286,-84.2034 66.1458,-86.2617 72,-87.504 163.3,-106.879 189.647,-100.994 282,-87.504 284.667,-87.1144 287.375,-86.642 290.098,-86.104"/>
-<polygon fill="black" stroke="black" points="290.972,-89.4951 299.969,-83.9 289.446,-82.6633 290.972,-89.4951"/>
-<text text-anchor="middle" x="177" y="-101.904" font-family="Times,serif" font-size="14.00">Authorization: OAuth 000&#45;999&#45;222</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M325.91,-47.4946C313.721,-38.2548 297.999,-28.2878 282,-23.504 192.578,3.23327 158.428,11.7282 72,-23.504 62.489,-27.3811 53.8955,-34.3434 46.8279,-41.6023"/>
-<polygon fill="black" stroke="black" points="43.8515,-39.6795 39.7866,-49.4636 49.0657,-44.3499 43.8515,-39.6795"/>
-<text text-anchor="middle" x="177" y="-70.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
-<text text-anchor="middle" x="177" y="-55.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: OAuth</text>
-<text text-anchor="middle" x="177" y="-40.904" font-family="Times,serif" font-size="14.00">Realm=’API Realm’,</text>
-<text text-anchor="middle" x="177" y="-25.904" font-family="Times,serif" font-size="14.00">Error=’invalid&#45;token’</text>
-</g>
-<!-- Service -->
-<g id="node7" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="714,-87.504 620,-87.504 620,-47.504 714,-47.504 714,-87.504"/>
-<text text-anchor="middle" x="667" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="667" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M398.009,-71.5844C404.065,-71.9638 410.172,-72.2868 416,-72.504 498.609,-75.5822 519.394,-75.6765 602,-72.504 604.523,-72.4071 607.101,-72.2891 609.704,-72.1544"/>
-<polygon fill="black" stroke="black" points="610.03,-75.6414 619.807,-71.5616 609.62,-68.6534 610.03,-75.6414"/>
-<text text-anchor="middle" x="509" y="-106.904" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="509" y="-91.904" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy</text>
-<text text-anchor="middle" x="509" y="-76.904" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M629.062,-47.4077C620.397,-43.7227 611.064,-40.4344 602,-38.504 521.146,-21.2854 496.948,-21.7369 416,-38.504 409.891,-39.7693 403.655,-41.62 397.566,-43.7843"/>
-<polygon fill="black" stroke="black" points="396.234,-40.5466 388.158,-47.4043 398.748,-47.0797 396.234,-40.5466"/>
-<text text-anchor="middle" x="509" y="-55.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
-<text text-anchor="middle" x="509" y="-40.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_delegate_unimplemented.svg b/doc/source/images/graphs_delegate_unimplemented.svg
deleted file mode 100644
index 8c4fdc6b..00000000
--- a/doc/source/images/graphs_delegate_unimplemented.svg
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: DelegateUnimplemented Pages: 1 -->
-<svg width="670pt" height="102pt"
- viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
-<title>DelegateUnimplemented</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
-<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
-<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
-<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
-<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
-<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
-</g>
-<!-- Service -->
-<g id="node7" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
-<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
-<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
-<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
-<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
-<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
-<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">501 Unimplemented</text>
-<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_mapper.svg b/doc/source/images/graphs_mapper.svg
deleted file mode 100644
index 52c6c55b..00000000
--- a/doc/source/images/graphs_mapper.svg
+++ /dev/null
@@ -1,73 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: Mapper Pages: 1 -->
-<svg width="174pt" height="264pt"
- viewBox="0.00 0.00 174.00 264.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 260)">
-<title>Mapper</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-260 171,-260 171,5 -4,5"/>
-<!-- Start -->
-<!-- Mapper -->
-<g id="node4" class="node"><title>Mapper</title>
-<polygon fill="#ebf1de" stroke="#687b37" points="119,-184 49,-184 49,-148 119,-148 119,-184"/>
-<text text-anchor="middle" x="84" y="-161.4" font-family="Helvetica,sans-Serif" font-size="14.00">Mapper</text>
-</g>
-<!-- Start&#45;&gt;Mapper -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;Mapper</title>
-<path fill="none" stroke="black" d="M84,-219.831C84,-212.131 84,-202.974 84,-194.417"/>
-<polygon fill="black" stroke="black" points="87.5001,-194.413 84,-184.413 80.5001,-194.413 87.5001,-194.413"/>
-</g>
-<!-- Auths -->
-<g id="node6" class="node"><title>Auths</title>
-<polygon fill="white" stroke="white" points="166,-112 0,-112 0,-76 166,-76 166,-112"/>
-<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
-<polygon fill="none" stroke="#c00000" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
-<text text-anchor="start" x="13.5" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth1</text>
-<polygon fill="#fdefe3" stroke="#fdefe3" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
-<polygon fill="none" stroke="#c00000" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
-<text text-anchor="start" x="64" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth2</text>
-<polygon fill="#fdefe3" stroke="#fdefe3" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
-<polygon fill="none" stroke="#c00000" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
-<text text-anchor="start" x="114" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth3</text>
-</g>
-<!-- Mapper&#45;&gt;Auths -->
-<g id="edge5" class="edge"><title>Mapper:sw&#45;&gt;Auths:auth1</title>
-<path fill="none" stroke="black" d="M49,-148C37.5237,-136.524 34.1339,-129.157 33.2662,-116.083"/>
-<polygon fill="black" stroke="black" points="36.7628,-115.904 33,-106 29.7652,-116.089 36.7628,-115.904"/>
-</g>
-<!-- Mapper&#45;&gt;Auths -->
-<g id="edge7" class="edge"><title>Mapper:s&#45;&gt;Auths:auth2</title>
-<path fill="none" stroke="black" d="M84,-148C84,-133.271 84,-127.258 84,-116.207"/>
-<polygon fill="black" stroke="black" points="87.5001,-116 84,-106 80.5001,-116 87.5001,-116"/>
-</g>
-<!-- Mapper&#45;&gt;Auths -->
-<g id="edge9" class="edge"><title>Mapper:se&#45;&gt;Auths:auth3</title>
-<path fill="none" stroke="black" d="M119,-148C130.388,-136.612 133.173,-129.088 133.817,-116.035"/>
-<polygon fill="black" stroke="black" points="137.317,-116.062 134,-106 130.318,-115.934 137.317,-116.062"/>
-</g>
-<!-- Service -->
-<g id="node10" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="131,-40 37,-40 37,-0 131,-0 131,-40"/>
-<text text-anchor="middle" x="84" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="84" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- Auths&#45;&gt;Service -->
-<g id="edge11" class="edge"><title>Auths:auth1&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M33,-81C33,-68.2561 39.6326,-56.7707 48.1141,-47.2933"/>
-<polygon fill="black" stroke="black" points="50.6575,-49.6992 55.221,-40.1376 45.6908,-44.7664 50.6575,-49.6992"/>
-</g>
-<!-- Auths&#45;&gt;Service -->
-<g id="edge13" class="edge"><title>Auths:auth2&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M84,-81C84,-70.9674 84,-60.0066 84,-50.1784"/>
-<polygon fill="black" stroke="black" points="87.5001,-50.0559 84,-40.056 80.5001,-50.056 87.5001,-50.0559"/>
-</g>
-<!-- Auths&#45;&gt;Service -->
-<g id="edge15" class="edge"><title>Auths:auth3&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M134,-81C134,-68.4835 127.626,-57.1283 119.429,-47.7009"/>
-<polygon fill="black" stroke="black" points="121.686,-45.0006 112.215,-40.2521 116.658,-49.8705 121.686,-45.0006"/>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/graphs_proxyAuth.svg b/doc/source/images/graphs_proxyAuth.svg
deleted file mode 100644
index 7b94b077..00000000
--- a/doc/source/images/graphs_proxyAuth.svg
+++ /dev/null
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: ProxyAuth Pages: 1 -->
-<svg width="644pt" height="74pt"
- viewBox="0.00 0.00 644.00 73.70" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 69.7025)">
-<title>ProxyAuth</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-69.7025 641,-69.7025 641,5 -4,5"/>
-<!-- Start -->
-<!-- AuthComp -->
-<g id="node4" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="348,-55.7025 250,-55.7025 250,-15.7025 348,-15.7025 348,-55.7025"/>
-<text text-anchor="middle" x="299" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="299" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M54.0748,-35.7025C97.1107,-35.7025 182.142,-35.7025 239.791,-35.7025"/>
-<polygon fill="black" stroke="black" points="239.864,-39.2026 249.863,-35.7025 239.863,-32.2026 239.864,-39.2026"/>
-<text text-anchor="middle" x="152" y="-38.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
-</g>
-<!-- AuthComp&#45;&gt;Start -->
-<g id="edge9" class="edge"><title>AuthComp:w&#45;&gt;Start</title>
-<path fill="none" stroke="black" d="M250,-35.7025C238.368,-35.7025 242.686,-21.2988 232,-16.7025 166.676,11.3956 141.697,-2.59182 72,-16.7025 69.1948,-17.2705 66.3471,-18.0189 63.5169,-18.8903"/>
-<polygon fill="black" stroke="black" points="62.3066,-15.6059 54.0489,-22.2437 64.6436,-22.2043 62.3066,-15.6059"/>
-<text text-anchor="middle" x="152" y="-19.1025" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
-</g>
-<!-- Service -->
-<g id="node6" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-55.7025 542,-55.7025 542,-15.7025 636,-15.7025 636,-55.7025"/>
-<text text-anchor="middle" x="589" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="589" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M348.195,-35.7025C399.052,-35.7025 478.372,-35.7025 531.947,-35.7025"/>
-<polygon fill="black" stroke="black" points="531.971,-39.2026 541.971,-35.7025 531.971,-32.2026 531.971,-39.2026"/>
-<text text-anchor="middle" x="445" y="-53.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
-<text text-anchor="middle" x="445" y="-38.1025" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge7" class="edge"><title>Service:w&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M542,-35.7025C530.368,-35.7025 534.686,-21.2988 524,-16.7025 459.492,11.0444 435.553,-7.03121 366,-16.7025 363.341,-17.0723 360.639,-17.5208 357.922,-18.0316"/>
-<polygon fill="black" stroke="black" points="357.121,-14.6237 348.066,-20.1248 358.575,-21.471 357.121,-14.6237"/>
-<text text-anchor="middle" x="445" y="-19.1025" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
-</g>
-</g>
-</svg>
diff --git a/doc/source/images/images_layouts.svg b/doc/source/images/images_layouts.svg
deleted file mode 100644
index e7fe7a95..00000000
--- a/doc/source/images/images_layouts.svg
+++ /dev/null
@@ -1,200 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
- xmlns:dc="http://purl.org/dc/elements/1.1/"
- xmlns:cc="http://creativecommons.org/ns#"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
- xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
- width="222pt"
- height="135pt"
- viewBox="0.00 0.00 245.00 135.00"
- id="svg3479"
- version="1.1"
- inkscape:version="0.48.0 r9654"
- sodipodi:docname="layouts-full.svg">
- <metadata
- id="metadata3492">
- <rdf:RDF>
- <cc:Work
- rdf:about="">
- <dc:format>image/svg+xml</dc:format>
- <dc:type
- rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
- </cc:Work>
- </rdf:RDF>
- </metadata>
- <defs
- id="defs3490" />
- <sodipodi:namedview
- pagecolor="#ffffff"
- bordercolor="#666666"
- borderopacity="1"
- objecttolerance="10"
- gridtolerance="10"
- guidetolerance="10"
- inkscape:pageopacity="0"
- inkscape:pageshadow="2"
- inkscape:window-width="1680"
- inkscape:window-height="1002"
- id="namedview3488"
- showgrid="false"
- inkscape:zoom="1"
- inkscape:cx="-0.58191504"
- inkscape:cy="23.096747"
- inkscape:window-x="0"
- inkscape:window-y="22"
- inkscape:window-maximized="0"
- inkscape:current-layer="svg3479" />
- <g
- id="layouts">
- <title
- id="title3482">Auth Layouts</title>
- <text
- text-anchor="middle"
- x="58"
- y="134"
- font-family="Helvetica,sans-Serif"
- font-size="14.00"
- id="text3484">(a)</text>
- <text
- text-anchor="middle"
- x="178"
- y="134"
- font-family="Helvetica,sans-Serif"
- font-size="14.00"
- id="text3486">(b)</text>
- </g>
- <g
- id="graph1"
- class="graph"
- transform="matrix(0.81928538,0,0,0.77044025,18.190271,97.915731)">
- <title
- id="title3172">Together</title>
- <polygon
- style="fill:#ffffff;stroke:#ffffff"
- points="-4,5 -4,5 -4,-100 113,-100 113,5 "
- id="polygon3174" />
- <!-- Together -->
- <g
- id="node2"
- class="node">
- <title
- id="title3177">Together</title>
- <polygon
- style="fill:#fdefe3;stroke:#fdefe3"
- points="8,-47 8,-47 8,-91 101,-91 101,-47 "
- id="polygon3179" />
- <polygon
- style="fill:none;stroke:#c00000"
- points="8,-47 8,-47 8,-91 101,-91 101,-47 "
- id="polygon3181" />
- <text
- style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
- x="38"
- y="-75.233299"
- font-size="14.00"
- id="text3183">Auth</text>
- <text
- style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
- x="13.5"
- y="-58.4333"
- font-size="14.00"
- id="text3185">Component</text>
- <polygon
- style="fill:#d1ebf1;stroke:#d1ebf1"
- points="8,-4 8,-4 8,-47 101,-47 101,-4 "
- id="polygon3187" />
- <polygon
- style="fill:none;stroke:#1f477d"
- points="8,-4 8,-4 8,-47 101,-47 101,-4 "
- id="polygon3189" />
- <text
- style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
- x="15.5"
- y="-31.733299"
- font-size="14.00"
- id="text3191">OpenStack</text>
- <text
- style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
- x="28"
- y="-14.9333"
- font-size="14.00"
- id="text3193">Service</text>
- </g>
- </g>
- <g
- id="graph2"
- class="graph"
- transform="matrix(0.84200867,0,0,0.82332332,134.01425,108.66091)">
- <title
- id="title3134">Seperate</title>
- <polygon
- style="fill:#ffffff;stroke:#ffffff"
- points="-4,-120 103,-120 103,5 -4,5 -4,5 "
- id="polygon3136" />
- <!-- AuthComp -->
- <g
- id="node2-9"
- class="node">
- <title
- id="title3139">AuthComp</title>
- <polygon
- style="fill:#fdefe3;stroke:#c00000"
- points="0,-116 0,-76 98,-76 98,-116 98,-116 "
- id="polygon3141" />
- <text
- style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
- x="49"
- y="-99.400002"
- font-size="14.00"
- id="text3143">Auth</text>
- <text
- style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
- x="49"
- y="-83.400002"
- font-size="14.00"
- id="text3145">Component</text>
- </g>
- <!-- Service -->
- <g
- id="node4"
- class="node">
- <title
- id="title3148">Service</title>
- <polygon
- style="fill:#d1ebf1;stroke:#1f477d"
- points="2,-40 2,0 96,0 96,-40 96,-40 "
- id="polygon3150" />
- <text
- style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
- x="49"
- y="-23.4"
- font-size="14.00"
- id="text3152">OpenStack</text>
- <text
- style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
- x="49"
- y="-7.4000001"
- font-size="14.00"
- id="text3154">Service</text>
- </g>
- <!-- AuthComp&#45;&gt;Service -->
- <g
- id="edge3"
- class="edge">
- <title
- id="title3157">AuthComp-&gt;Service</title>
- <path
- style="fill:none;stroke:#000000"
- inkscape:connector-curvature="0"
- d="m 49,-75.6334 c 0,7.8148 0,16.9081 0,25.4504"
- id="path3159" />
- <polygon
- style="fill:#000000;stroke:#000000"
- points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593 "
- id="polygon3161" />
- </g>
- </g>
-</svg>
diff --git a/doc/source/index.rst b/doc/source/index.rst
index a6c67f5e..24e3d1ae 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -52,7 +52,7 @@ Man Pages
.. toctree::
:maxdepth: 1
- man/keystone
+ man/keystone-all
man/keystone-manage
Developers Documentation
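Review bot: confirm that a `man/keystone-all` document exists beside `man/keystone-manage` before the toctree entry is switched away from `man/keystone`; nothing in this change adds such a file, and Sphinx only warns about a toctree entry whose document is missing, so the man page would silently drop out of the built docs.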
@@ -62,6 +62,7 @@ Developers Documentation
developing
architecture
+ middleware_architecture
api_curl_examples
Code Documentation
diff --git a/doc/source/middleware_architecture.rst b/doc/source/middleware_architecture.rst
index 68ae4e9b..9216719b 100644
--- a/doc/source/middleware_architecture.rst
+++ b/doc/source/middleware_architecture.rst
@@ -21,29 +21,20 @@ Middleware Architecture
Abstract
========
-The Keystone middleware architecture supports multiple authentication protocols
-in a pluggable manner in OpenStack. By providing support for authentication via
-pluggable authentication components, this architecture allows OpenStack
-services to be integrated easily into existing deployment environments. It also
-provides a path by which to implement support for emerging authentication
-standards such as OAUTH.
-
-Rationale and Goals
-===================
+The Keystone middleware architecture supports a common authentication protocol
+in use between the OpenStack projects. By using keystone as a common
+authentication and authorization mechanisms, the OpenStack project can plug in
+to existing authentication and authorization systems in use by existing
+environments.
-Keystone is the Identity service for OpenStack. To support the easy integrating
-of OpenStack with existing authentication and identity management systems,
-Keystone supports talking to multiple backends like LDAP.
-And to support different deployment needs, it can support multiple
-authentication protocols via pluggable 'authentication components' implemented
-as WSGI middleware.
+In this document, we describe the architecture and responsibilities of the
+authentication middleware which acts as the internal API mechanism for
+OpenStack projects based on the WSGI standard.
-In this document, we describe the responsibilities of the authentication
-middleware. We describe how these interact with underlying OpenStack services
-and how existing services can be modified to take advantage of pluggable
-authentication. The goal is to allow OpenStack services to be integrated easily
-into existing deployment environments and to provide a path by which to
-implement support for emerging authentication standards such as OAUTH.
+For the architecture of keystone and its services, please see
+:doc:`architecture`. This documentation primarily describes the implementation
+in ``keystone/middleware/auth_token.py``
+(:py:class:`keystone.middleware.auth_token.AuthProtocol`)
Specification Overview
======================
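Review bot: grammar and a missing terminator in the new Abstract: after "a common", "authentication and authorization mechanisms" should be singular ("mechanism"), and the final sentence ending in "(:py:class:`keystone.middleware.auth_token.AuthProtocol`)" has no full stop. "the OpenStack project can plug in to existing ... systems" also reads as if one project is meant; "OpenStack services can plug into" matches the rest of the document.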
@@ -52,14 +43,25 @@ Specification Overview
are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest
Access, public key, token, etc, are used to verify a user's identity. In this
document, we define an ''authentication component'' as a software module that
-implements an authentication protocol for an OpenStack service.
-
-At a high level, an authentication component is simply a reverse proxy that
-intercepts HTTP calls from clients. Once it has verified a user's identity, the
-authentication component extends the call with information about the current
-user and forwards the request to the OpenStack service. Otherwise, if a user's
-identity is not verified, the message is rejected before it gets to the
-service. This is illustrated in :ref:`authComponent`.
+implements an authentication protocol for an OpenStack service. OpenStack is
+using a token based mechanism to represent authentication and authorization.
+
+At a high level, an authentication middleware component is a proxy that
+intercepts HTTP calls from clients and populates HTTP headers in the request
+context for other WSGI middleware or applications to use. The general flow
+of the middleware processing is:
+
+* clear any existing authorization headers to prevent forgery
+* collect the token from the existing HTTP request headers
+* validate the token
+
+ * if valid, populate additional headers representing the identity that has
+ been authenticated and authorized
+ * in invalid, or not token present, reject the request (HTTPUnauthorized)
+ or pass along a header indicating the request is unauthorized (configurable
+ in the middleware)
+ * if the keystone service is unavailable to validate the token, reject
+ the request with HTTPServiceUnavailable.
.. _authComponent:
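Review bot: the bullet "in invalid, or not token present" has two typos (it should read "if invalid, or no token present"), and the same bullet should name what it is talking about, since both items are only introduced later in the file: "pass along a header" is `X-Identity-Status`, and "configurable in the middleware" is `delay_auth_decision`. The first bullet, "clear any existing authorization headers to prevent forgery", deserves one more sentence: it is what makes the identity headers added later trustworthy to downstream components, so it must run before any other filter reads them, i.e. `tokenauth` has to be the first filter in the pipeline.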
@@ -73,15 +75,14 @@ Figure 1. Authentication Component
:height: 180
:alt: An Authentication Component
-Authentication components may operate in 'delegated mode'. In this mode, the
-decision reject an unauthenticated client is delegated to the OpenStack
-service. Delegated mode is illustrated in :ref:`authComponentDelegated`.
+The middleware may also be configured to operated in a 'delegated mode'.
+In this mode, the decision reject an unauthenticated client is delegated to
+the OpenStack service, as illustrated in :ref:`authComponentDelegated`.
Here, requests are forwarded to the OpenStack service with an identity status
message that indicates whether the client's identity has been confirmed or is
indeterminate. It is the OpenStack service that decides whether or not a reject
-message should be sent to the client. Note that it is always the responsibility
-of the Authentication Component to transmit reject messages to the client.
+message should be sent to the client.
.. _authComponentDelegated:
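Review bot: two grammar slips in the new lines, "configured to operated" (operate) and "the decision reject" (the decision to reject). More importantly, the unchanged context here says the identity status message reports "confirmed or is indeterminate", while the new Exchanging User Information text says `X-Identity-Status` is `Confirmed` or, in delegated mode, `Invalid`; pick one vocabulary and state which value a request with no token at all produces, because the service's accept/reject logic keys on it. Dropping "it is always the responsibility of the Authentication Component to transmit reject messages" fits the new design, but the paragraph should then say plainly that the service now sends the reject itself and the middleware does not rewrite it.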
@@ -95,204 +96,104 @@ Figure 2. Authentication Component (Delegated Mode)
:height: 180
:alt: An Authentication Component (Delegated Mode)
-In this architecture, we define interactions between the authentication component
-and the OpenStack service. Interactions between the client and the
-authentication component are defined only for exceptional cases. For example,
-we define the message that should be returned when the OpenStack service is
-down. Other interactions, however, are defined by the underlying authentication
-protocol and the OpenStack service and are considered out of scope.
-
.. _deployStrategies:
-Deployment Strategies
-=====================
-
-An authentication component may be integrated directly into the service
-implementation, or it may be deployed separately as an HTTP reverse proxy. This
-is illustrated in :ref:`deployment`, showing both approaches to
-authentication, labeled Option (a) and Option (b).
-
-.. _deployment:
-
-Authentication Component Deployments Options
---------------------------------------------
-
-Figure 3. Authentication Component Deployments Options
+Deployment Strategy
+===================
-.. image:: images/images_layouts.svg
- :width: 100%
- :height: 180
- :alt: Authentication Component Deployments Options
-
-In Option (a), the component is integrated into the service implementation. In
-this case, communication between the authentication component and the service
-can be efficiently implemented via a method call. In Option (b), the component
-is deployed separately and communication between the service and the component
-involves an HTTP request. In both cases, unauthenticated requests are filtered
-before they reach the service.
-
-Each approach offers some benefits. Option (a) offers low latency and ease of
-initial implementation, making it possibly most appropriate as a starting point
-for simple configurations. Option (b) offers several key advantages that may be
-of particular value in complex and dynamic configurations. It offers the
-ability to scale horizontally in cases where authentication is computationally
-expensive, such as when verifying digital signatures. Option (b) also allows
-authentication components to be written in different programming languages.
-Finally, Option (b) allows multiple authentication components to be deployed in
-front of the same service.
-
-OpenStack services can support both embedded (Option (a)) and external (Option
-(b)) deployment strategies. Individual authentication components should support
-either strategy or they |may| support both strategies. In order to support
-option (a), authentication components written in the Python programming
-language should be written as WSGI middleware components (in accordance with
-the Web Server Gateway Interface (WSGI) standard [PEP-333]_.
-
-Additionally, services should support the ability to swap between different
-embedded or external authentication components via configuration options.
+The middleware is intended to be used inline with OpenStack wsgi components,
+based on the openstack-common WSGI middleware class. It is typically deployed
+as a configuration element in a paste configuration pipeline of other
+middleware components, with the pipeline terminating in the service
+application. The middleware conforms to the python WSGI standard [PEP-333]_.
+In initializing the middleware, a configuration item (which acts like a python
+dictionary) is passed to the middleware with relevant configuration options.
+
+Configuration
+-------------
+
+The middleware is configured within the config file of the main application as
+a WSGI component. Example for the auth_token middleware::
+
+ [app:myService]
+ paste.app_factory = myService:app_factory
+
+ [pipeline:main]
+ pipeline = tokenauth myService
+
+ [filter:tokenauth]
+ paste.filter_factory = keystone.middleware.auth_token:filter_factory
+ auth_host = 127.0.0.1
+ auth_port = 35357
+ auth_protocol = http
+ auth_uri = http://127.0.0.1:5000/
+ admin_token = Super999Sekret888Password777
+ admin_user = admin
+ admin_password = SuperSekretPassword
+ admin_tenant_name = service
+ ;Uncomment next line and check ip:port to use memcached to cache tokens
+ ;memcache_servers = 127.0.0.1:11211
+
+Configuration Options
+---------------------
+
+* ``auth_host``: (required) the host providing the keystone service API endpoint
+ for validating and requesting tokens
+* ``admin_token``: either this or the following three options are required. If
+ set, this is a single shared secret with the keystone configuration used to
+ validate tokens.
+* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
+ is not set, or invalid, then admin_user, admin_password, and
+ admin_tenant_name are defined as a service account which is expected to have
+ been previously configured in Keystone to validate user tokens.
+
+* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
+ will not reject invalid auth requests, but will delegate that decision to
+ downstream WSGI components.
+* ``auth_port``: (optional, default `35357`) the port used to validate tokens
+* ``auth_protocol``: (optional, default `https`)
+* ``auth_uri``: (optional, defaults to `auth_protocol`://`auth_host`:`auth_port`)
+
+Caching for improved response
+-----------------------------
+
+In order to prevent every service request, the middleware may be configured
+to utilize a cache, and the keystone API returns the tokens with an
+expiration (configurable in duration on the keystone service). The middleware
+supports memcache based caching.
+
+* ``memcache_servers``: (optonal) if defined, the memcache server(s) to use for
+ cacheing
+* ``token_cache_time``: (optional, default 300 seconds) Only valid if
+ memcache_servers is defined.
Exchanging User Information
===========================
-If a request is successfully authenticated, the authentication component must
-extend the request by adding an ``X-Authorization`` header. The header |must|
-be formatted as illustrated in :ref:`xAuthHeader`.
-
-.. _xAuthHeader:
-
-X-Authorization Header
-----------------------
-
-Example 1. X-Authorization Header::
-
- X-Authorization: Proxy JoeUser
-
-Here, `Proxy` denotes that the authentication occurred via a proxy (in this
-case authentication component) and ''JoeUser'' is the name of the user who
-issued the request.
-
-.. note:
-
- We considered using an ``Authorization`` header rather than an
- ``X-Authorization``, thereby following normal HTTP semantics. There are some
- cases, however, where multiple ``Authorization`` headers need to be transmitted
- in a single request. We want to assure ourselves that this will not break
- common clients before we recommend the approach.
-
-Authentication components |may| extend the request with additional
-information. For example, an authentication system may add additional headers
-or modify the target URI to pass authentication information to the back-end
-service. Additionally, an authentication component |may| strip sensitive
-information — a plain text password, for example — from the request. That said,
-an authentication component |should| pass the majority of the request
-unmodified.
-
-Reverse Proxy Authentication
-----------------------------
-
-An OpenStack service |should| verify that it is receiving requests from a
-trusted authentication component. This is particularly important in cases where
-the authentication component and the OpenStack service are deployed separately.
-In order to trust incoming requests, the OpenStack service should therefore
-authenticate the authentication component. To avoid confusion, we call this
-'reverse proxy authentication', since in this case the authentication
-component is acting as an HTTP reverse proxy.
-
-Any HTTP-based authentication scheme may be used for reverse proxy
-authentication; however, all OpenStack services and all authentication
-components |must| support HTTP Basic Authentication as defined in
-[RFC-2617]_.
-
-Whether or not reverse proxy authentication is required is strictly a
-deployment concern. For example, an operations team may opt to utilize firewall
-rules instead of an authentication protocol to verify the integrity of incoming
-request. Because of this, both OpenStack services and authentication components
-|must| also allow for unauthenticated communication.
-
-In cases where reverse proxy authentication is used, the authorization
-component may receive an HTTP 401 authentication error or an HTTP 403
-authorization error. These errors indicate that the component does not have
-access to the underlying OpenStack service. The authentication component
-|must not| return these errors to the client application. Instead, the
-component |must| return a 500 internal error. This is illustrated in
-:ref:`proxyAuth` and :ref:`proxyAuthDelegated` below. The component
-|should| format the errors in a manner that does not break the service
-contract defined by the OpenStack service. :ref:`proxyAuthDelegated`
-illustrates proxy authorization in delegated mode. Delegated mode is discussed
-in detail in the next section.
-
-.. _proxyAuth:
-
-Reverse Proxy Authentication
-----------------------------
-
-Figure 4. Reverse Proxy Authentication
-
-.. image:: images/graphs_proxyAuth.svg
- :width: 100%
- :height: 180
- :alt: Reverse Proxy Authentication
+The middleware expects to find a token representing the user with the header
+``X-Auth-Token`` or ``X-Storage-Token``. `X-Storage-Token` is supported for
+swift/cloud files and for legacy Rackspace use. If the token isn't present and
+the middleware is configured to not delegate auth responsibility, it will
+respond to the HTTP request with HTTPUnauthorized, returning the header
+``WWW-Authenticate`` with the value `Keystone uri='...'` to indicate where to
+request a token. The auth_uri returned is configured with the middleware.
-.. _proxyAuthDelegated:
+The authentication middleware extends the HTTP request with the header
+``X-Identity-Status``. If a request is successfully authenticated, the value
+is set to `Confirmed`. If the middleware is delegating the auth decision to the
+service, then the status is set to `Invalid` if the auth request was
+unsuccessful.
-Reverse Proxy Authentication (Delegated Mode)
----------------------------------------------
+Extended the request with additional User Information
+-----------------------------------------------------
-Figure 5. Reverse Proxy Authentication (Delegated Mode)
+:py:class:`keystone.middleware.auth_token.AuthProtocol` extends the request
+with additional information if the user has been authenticated.
-.. image:: images/graphs_delegate_forbiden_proxy.svg
- :width: 100%
- :height: 180
- :alt: Reverse Proxy Authentication (Delegated Mode)
-
-Delegated Mode
-==============
-In some cases, the decision to reject an unauthenticated request should be
-delegated to the OpenStack service. An unauthenticated request may be
-appropriate in cases when anonymous access is allowed. In order to support
-these cases, an authentication component may be placed in Delegated Mode. In
-this mode, the component forwards requests to the OpenStack service when the
-client's identity has been confirmed or is indeterminate — that is when
-credentials are missing. The authentication component directly rejects requests
-with invalid credentials. Authentication components |must| extend the
-request by adding an `X-Identity-Status` header. The identity status header
-|must| contain one of the following values:
-
-Identity Status Values
-----------------------
-
-Confirmed
- A `confirmed` value indicates that valid credentials were sent and identity
- has been confirmed. The service can trust that the request has been sent on
- behalf of the user specified in the `X-Authorization` header.
-
-Indeterminate
- An `indeterminate` value indicates that no credentials were sent and
- identity has not been confirmed. In this case, the service will receive an
- `X-Authorization` header with no user entry as illustrated in
- :ref:`xauth-header-indeterminate`.
-
-.. _xauth-header-indeterminate:
-
-Indeterminate Identity Headers
-------------------------------
-
-Example 2. Indeterminate Identity Headers::
-
- X-Identity-Status: Indeterminate
- X-Authorization: Proxy
-
-Services |may| reject a delegated request by issuing an HTTP 401
-authentication error or an HTTP 403 authorization error. These responses
-|must| contain an ``WWW-Authenticate`` header with a value of ``Delegated`` as
-illustrated in :ref:`unauthHeaders`.
X-Identity-Status
Provides information on whether the request was authenticated or not.
-X-Tenant
- Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
-
X-Tenant-Id
The unique, immutable tenant Id
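Review bot: removing the Reverse Proxy Authentication section drops the only text that required a service to check that a request really came through a trusted authentication component, and the replacement Deployment Strategy relies on the filter running inline (`pipeline = tokenauth myService`). State explicitly that the application must not be reachable by any path that bypasses that pipeline: the identity headers listed below (`X-Identity-Status`, `X-Tenant-Id`, `X-User-Id`, `X-Roles`) are ordinary request headers, and a client that reaches the service directly can set them itself. Smaller points in the same hunk: the example config carries realistic-looking secrets (`admin_token = Super999Sekret888Password777`, `admin_password = SuperSekretPassword`) and `auth_protocol = http` although the option list gives `https` as the default; use obvious placeholders, say the file must be readable only by the service user, and mark `http` as suitable for a local test keystone only, since the shared secret or service-account password is sent to `auth_host` on every validation. The caching section should say whether a cached validation result is reused for a token that keystone has since revoked or that has expired; if so, `token_cache_time` (default 300 seconds) bounds the window in which such a token is still accepted and operators need to know that. Typos: "optonal", "cacheing", "Extended the request" (Extending), and "In order to prevent every service request" is missing its object (for example "from requiring a round trip to keystone").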
@@ -305,225 +206,25 @@ X-User-Id
X-User-Name
The username used to log in
-X-User
- The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
-
X-Roles
The roles associated with that user
-.. _unauthHeaders:
-
-Delegated WWW-Authenticate Header
----------------------------------
-
-::
-
- WWW-Authenticate: Delegated
-
-It is important to note that the actual reject message will likely be modified
-by the authentication component in order to comply with the authentication
-scheme it is implementing. This is illustrated in :ref:`delegateRejectBasic` and
-:ref:`delegateRejectOAuth` below.
-
-.. _delegateRejectBasic:
-
-Delegated Reject Basic Auth
----------------------------
-
-.. image:: images/graphs_delegate_reject_basic.svg
- :width: 100%
- :height: 180
- :alt: Delegated Reject Basic Auth
-
-.. _delegateRejectOAuth:
-
-Delegated Reject OAuth
-----------------------
-
-.. image:: images/graphs_delegate_reject_oauth.svg
- :width: 100%
- :height: 180
- :alt: Delegated Reject OAuth
-
-The presence of the `WWW-Authenticate` header with a value of `Delegated`
-distinguishes a client authentication/authorization failure from a component
-failure. For example, compare :ref:`delegateForbidden` with :ref:`proxyAuthDelegated`. In
-:ref:`delegateForbidden`, the client is not allowed to access the OpenStack service.
-In :ref:`proxyAuthDelegated`, it is the authentication component itself which is
-unauthorized.
-
-.. _delegateForbidden:
-
-Delegated Reject Forbidden
---------------------------
-
-Figure 8. Delegated Reject Forbidden
+Deprecated additions
+--------------------
-.. image:: images/graphs_delegate_forbiden_basic.svg
- :width: 100%
- :height: 180
- :alt: Delegated Reject Forbidden
-
-Authentication components |must| support both delegated and undelegated
-(standard) modes. Delegated mode |should| be configured via a configuration
-option. Delegated mode |should| be disabled by default.
-
-OpenStack services are not required to support delegated mode. If a service
-does not support delegated mode, it |must| respond with a 501 not implemented
-error and an `WWW-Authenticate` header with a value of `Delegated`. The
-authentication component |must not| return the error to the client
-application. Instead, the component |must| return a 500 internal error; this is
-illustrated in :ref:`delegateUnimplemented`. The component |should|
-format the error in a manner that does not break the service contract defined
-by the OpenStack service. The component should also log the error such that it
-that will inform operators of the misconfiguration.
-
-.. _delegateUnimplemented:
-
-Unimplemented Delegated Mode
-----------------------------
-
-.. image:: images/graphs_delegate_unimplemented.svg
- :width: 100%
- :height: 180
- :alt: Unimplemented Delegated Mode
-
-Handling Direct Client Connections
-==================================
-
-Requests from the authentication component to an OpenStack service |must|
-contain an ``X-Authorization`` header. If the header is missing, and reverse
-proxy authentication fails or is switched off, the OpenStack service |may|
-assume that the request is coming directly from a client application. In this
-case, the OpenStack service |must| redirect the request to the authentication
-component by issuing an HTTP 305 User Proxy redirect. This is illustrated in
-:ref:`redirect`. Note that the redirect response |must| include a ``Location`` header
-specifying the authentication component's URL as shown in :ref:`redirect-response`.
-
-.. _redirect:
-
-Auth Component Redirect
------------------------
-
-.. image:: images/graphs_305.svg
- :width: 100%
- :height: 280
- :alt: Auth Component Redirect
-
-.. _redirect-response:
-
-Auth Component Redirect Response
---------------------------------
-
-::
-
- HTTP/1.1 305 Use Proxy
- Date: Thu, 28 Oct 2011 07:41:16 GMT
- Location: http://sample.auth.openstack.com/path/to/resource
-
-Using Multiple Authentication Components
-========================================
-
-There are some use cases when a service provider might want to consider using
-multiple authentication components for different purposes. For instance, a
-service provider may have one authentication scheme to authenticate the users
-of the service and another one to authenticate the administrators or operations
-personnel that maintain the service. For such scenarios, we propose using a
-mapper as illustrated in :ref:`multiAuth`.
-
-.. _multiAuth:
-
-Multiple Authentication Components
-----------------------------------
-
-.. image:: images/graphs_mapper.svg
- :width: 100%
- :height: 320
- :alt: Multiple Authentication Components
-
-At a high level, a mapper is a simple reverse proxy that intercepts HTTP calls
-from clients and routes the request to the appropriate authentication
-component. A mapper can make the routing decisions based on a number of routing
-rules that map a resource to a specific authentication component. For example,
-a request URI may determine whether a call should be authenticated via one
-authentication component or another.
-
-Note that neither the authentication component nor the OpenStack service need
-be aware of the mapper. Any external authentication component can be used
-alongside others. Mappers may provide a means by which to offer support for
-anonymous or guest access to a subset of service resources. A mapper may be
-implemented via a traditional reverse proxy server such as Pound or Zeus.
-
-The Default Component
-=====================
-
-Individual services |must| be distributed with a simple integrated
-authentication component by default. Providing such a component lowers barriers
-to the deployment of individual services. This is especially important to]
-developers who may want to deploy OpenStack services on their own machines.
-Also, since there is no direct dependency on an external authentication system,
-OpenStack services can be deployed individually, without the need to stand up
-and configure additional services. Finally, having a standard authentication
-component that all services share promotes a separation of concerns. That is,
-as a community we are explicitly stating that services should not develop their
-own authentication mechanisms. Additional authentication components may be
-developed, of course, but these components should not be intimately coupled to
-any one particular service.
-
-As discussed in :ref:`deployStrategies`, an authentication component may be
-integrated directly into the service implementation (Option (a)), or it may be
-deployed separately as an HTTP reverse proxy (Option (b)). The default
-component should be implemented to support Option (a) and services should
-maintain support for Option (b). One way to achieve this is to provide a
-method that allows the disabling of the default authentication component via
-configuration. This is illustrated in :ref:`both`. Here, requests are
-sent directly to the OpenStack service when the default authentication
-component is disabled.
-
-We will discuss the design of the default component in an upcoming blueprint.
-
-.. _both:
-
-Disabled Embedded Component
----------------------------
-
-.. image:: images/graphs_both.svg
- :width: 100%
- :height: 250
- :alt: Disabled Embedded Component
-
-Questions and Answers
-=====================
-
-#. Why do authentication components send reject messages? Why not have
- OpenStack services reject requests themselves?
-
- The content and format of an authentication failed message is determined by
- the authentication scheme (or protocol). For the service to respond
- appropriately, it would have to be aware of the authentication scheme in
- which it participates; this defeats the purpose of pluggable authentication
- components.
+X-Tenant
+ Provides the tenant name. This is to support any legacy implementations
+ before Keystone switched to an ID/Name schema for tenants.
-#. Why require support for deploying authentication components in separate
- nodes?
+X-User
+ The username used to log in. This is to support any legacy implementations
+ before Keystone switched to an ID/Name schema for tenants.
- The deployment strategy is very flexible. It allows for authentication
- components to be horizontally scalable. It allows for components to be written
- in different languages. Finally, it allows different authentication components
- to be deployed simultaneously as described above.
+X-Role
+ The roles associated with that user
References
==========
.. [PEP-333] pep0333 Phillip J Eby. 'Python Web Server Gateway Interface
v1.0.'' http://www.python.org/dev/peps/pep-0333/.
-
-.. [RFC-2617] rfc2617 J Franks. P Hallam-Baker. J Hostetler. S Lawrence.
- P Leach. A Luotonen. L Stewart. ''HTTP Authentication: Basic and Digest
- Access Authentication.'' http://tools.ietf.org/html/rfc2617.
-
-.. |must| replace:: must must
-.. |should| replace:: should should
-.. |may| replace:: may may
-.. |must not| replace:: "must not" "must not"
-
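Review bot: the new `X-User` entry at the end of this hunk reuses the tenant wording ("before Keystone switched to an ID/Name schema for tenants") for a user header; it should say "for users". The new `X-Role` entry is also word-for-word the same as the `X-Roles` entry it sits beside, so a service author cannot tell which one to read. Say explicitly that `X-Tenant`, `X-User` and `X-Role` are deprecated aliases kept for old consumers and that new code should use `X-Tenant-Id`/`X-Tenant-Name`, `X-User-Id`/`X-User-Name` and `X-Roles`; and since `X-Tenant` is now documented as the tenant name while the file deleted below described it as the tenant ID, state whether the rewritten auth_token actually changed that value, because legacy consumers keying on it would break silently. Separately, this hunk removes the `.. _unauthHeaders:`, `.. _delegateRejectBasic:` and similar labels, the `[RFC-2617]` citation target and the `|must|`, `|should|`, `|may|` and `|must not|` substitution definitions; please confirm that no `:ref:` to those labels, no `[RFC-2617]_` citation and no `|must|`-style substitution remains in the unchanged parts of middleware_architecture.rst, since any leftover fails the Sphinx build as an undefined label or substitution.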
diff --git a/doc/source/old/middleware.rst b/doc/source/old/middleware.rst
deleted file mode 100644
index fd415813..00000000
--- a/doc/source/old/middleware.rst
+++ /dev/null
@@ -1,169 +0,0 @@
-..
- Copyright 2011-2012 OpenStack, LLC
- All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-==========
-Middleware
-==========
-
-The Keystone middleware sits in front of an OpenStack service and handles authenticating
-incoming requests. The middleware was designed according to `this spec`.
-
-The middleware is found in source under Keystone/middleware.
-
-The middleware supports two interfaces; WSGI and REST/HTTP.
-
-.. _`this spec`: http://wiki.openstack.org/openstack-authn
-
-REST & HTTP API
-===============
-
-If an unauthenticated call comes in, the middleware will respond with a 401 Unauthorized error. As per
-HTTP standards, it will also return a WWW-Authenticate header informing the caller
-of what protocols are supported. For Keystone authentication, the response syntax will be::
-
- WWW-Authenticate: Keystone uri="url to Keystone server"
-
-The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with the token.
-
-The token is passed in using ther X-Auth-Token header.
-
-WSGI API (Headers)
-==================
-
-Upon successful authentication the middleware sends the following
-headers to the downstream WSGI app:
-
-X-Identity-Status
- Provides information on whether the request was authenticated or not.
-
-X-Tenant
- Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
-
-X-Tenant-Id
- The unique, immutable tenant Id
-
-X-Tenant-Name
- The unique, but mutable (it can change) tenant name.
-
-X-User-Id
- The user id of the user used to log in
-
-X-User-Name
- The username used to log in
-
-X-User
- The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
-
-X-Roles
- The roles associated with that user
-
-
-Configuration
-=============
-
-The middleware is configured within the config file of the main application as
-a WSGI component. Example for the auth_token middleware::
-
- [app:myService]
- paste.app_factory = myService:app_factory
-
- [pipeline:main]
- pipeline =
- tokenauth
- myService
-
- [filter:tokenauth]
- paste.filter_factory = keystone.middleware.auth_token:filter_factory
- auth_host = 127.0.0.1
- auth_port = 35357
- auth_protocol = http
- auth_uri = http://127.0.0.1:5000/
- admin_token = 999888777666
- ;Uncomment next line and check ip:port to use memcached to cache token requests
- ;memcache_servers = 127.0.0.1:11211
-
-*The required configuration entries are:*
-
-auth_host
- The IP address or DNS name of the Keystone server
-
-auth_port
- The TCP/IP port of the Keystone server
-
-auth_protocol
- The protocol of the Keystone server ('http' or 'https')
-
-auth_uri
- The externally accessible URL of the Keystone server. This will be where unauthenticated
- clients are redirected to. This is in the form of a URL. For example, if they make an
- unauthenticated call, they get this response::
-
- HTTP/1.1 401 Unauthorized
- Www-Authenticate: Keystone uri='https://auth.example.com/'
- Content-Length: 381
-
- In this case, the auth_uri setting is set to https://auth.example.com/
-
-admin_token
- This is the long-lived token issued to the service to authenticate itself when calling
- Keystone. See :doc:`configuration` for more information on setting this up.
-
-
-*Optional parameters are:*
-
-delay_auth_decision
- Whether the middleware should reject invalid or unauthenticated calls directly or not. If not,
- it will send all calls down to the service to decide, but it will set the HTTP-X-IDENTITY-STATUS
- header appropriately (set to'Confirmed' or 'Indeterminate' based on validation) and the
- service can then decide if it wants to honor the call or not. This is useful if the service offers
- some resources publicly, for example.
-
-auth_timeout
- The amount of time to wait before timing out a call to Keystone (in seconds)
-
-memcache_hosts
- This is used to point to a memcached server (in ip:port format). If supplied,
- the middleware will cache tokens and data retrieved from Keystone in memcached
- to minimize calls made to Keystone and optimize performance.
-
-.. warning::
- Tokens are cached for the duration of their validity. If they are revoked eariler in Keystone,
- the service will not know and will continue to honor the token as it has them stored in memcached.
- Also note that tokens and data stored in memcached are not encrypted. The memcached server must
- be trusted and on a secure network.
-
-
-*Parameters needed in a distributed topology.* In this configuration, the middleware is running
-on a separate machine or cluster than the protected service (not common - see :doc:`middleware_architecture`
-for details on different deployment topologies):
-
-service_host
- The IP address or DNS name of the location of the service (since it is remote
- and not automatically down the WSGI chain)
-
-service_port
- The TCP/IP port of the remote service.
-
-service_protocol
- The protocol of the service ('http' or 'https')
-
-service_pass
- The basic auth password used to authenticate to the service (so the service
- knows the call is coming from a server that has validated the token and not from
- an untrusted source or spoofer)
-
-service_timeout
- The amount of time to wait for the service to respond before timing out.
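Review bot: deleting this file drops the only warning about the memcached token cache: cached tokens are honoured until their own expiry regardless of revocation in Keystone, and cached token data is stored unencrypted, so the memcached server must be trusted and on a protected network. It also drops the descriptions of `admin_token`, of `delay_auth_decision` together with the `X-Identity-Status` contract ('Confirmed' / 'Indeterminate') that makes it safe to use, and of the distributed-topology `service_*` settings, including `service_pass`, the credential the remote service uses to tell a validated request from a spoofed one. Unless this text has been carried into middleware_architecture.rst or configuration.rst elsewhere in the change, move it rather than delete it; an operator enabling `memcache_servers` or `delay_auth_decision` from the new docs would otherwise have no pointer to the revocation lag or to the requirement that the service check `X-Identity-Status` before trusting `X-User`/`X-Tenant`. While moving it, fix the old inconsistency between the example (`memcache_servers`) and the parameter list (`memcache_hosts`) so the documented option name matches the one the middleware reads.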
diff --git a/doc/source/setup.rst b/doc/source/setup.rst
index e18e5d6e..96e1f35d 100644
--- a/doc/source/setup.rst
+++ b/doc/source/setup.rst
@@ -21,7 +21,8 @@ Setting up a Keystone development environment
This document describes getting the source from keystone's `GitHub repository`_
for development purposes.
-To install keystone from packaging, refer instead to Keystone's `User Documentation`_.
+To install keystone from packaging, refer instead to Keystone's `User
+Documentation`_.
.. _`GitHub Repository`: http://github.com/openstack/keystone
.. _`User Documentation`: http://docs.openstack.org/
@@ -96,9 +97,10 @@ Mac OS X Lion (requires MacPorts_)::
PyPi Packages and VirtualEnv
----------------------------
-We recommend establishing a virtualenv to run keystone within. Virtualenv limits the python environment
-to just what you're installing as depdendencies, useful to keep a clean environment for working on
-Keystone. The tools directory in keystone has a script already created to make this very simple::
+We recommend establishing a virtualenv to run keystone within. Virtualenv
+limits the python environment to just what you're installing as depdendencies,
+useful to keep a clean environment for working on Keystone. The tools directory
+in keystone has a script already created to make this very simple::
$ python tools/install_venv.py
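Review bot: the reflow of the "Virtualenv limits the python environment" line carries the typo "depdendencies" across unchanged; since the line is being rewritten anyway, change it to "dependencies".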
@@ -117,8 +119,8 @@ see virtualenv_.
.. _virtualenv: http://www.virtualenv.org/
-If you want to run keystone outside of a virtualenv, you can install the dependencies directly
-into your system from the requires files::
+If you want to run keystone outside of a virtualenv, you can install the
+dependencies directly into your system from the requires files::
# Install the dependencies for running keystone
$ pip install -r tools/pip-requires
@@ -126,18 +128,19 @@ into your system from the requires files::
# Install the dependencies for developing, testing, and running keystone
$ pip install -r tools/test-requires
- # Fake-install the project by symlinking Keystone into your Python site-packages
+ # Use python setup.py to link Keystone into python's site-packages
$ python setup.py develop
Verifying Keystone is set up
============================
-Once set up, either directly or within a virtualenv, you should be able to invoke python and import
-the libraries. If you're using a virtualenv, don't forget to activate it::
+Once set up, either directly or within a virtualenv, you should be able to
+invoke python and import the libraries. If you're using a virtualenv, don't
+forget to activate it::
- $ source .venv/bin/activate
- $ python
+ $ source .venv/bin/activate
+ $ python
You should then be able to `import keystone` from your Python shell
without issue::
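Review bot: the two literal-block lines `$ source .venv/bin/activate` and `$ python` are removed and re-added with identical visible text, so this part of the hunk is an indentation-only change; confirm it is deliberate and matches the indentation of the other `::` blocks in the file (the `$ python tools/install_venv.py` and `$ pip install` blocks), otherwise the rendered page does not change and the churn only adds diff noise.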
@@ -145,7 +148,8 @@ without issue::
>>> import keystone
>>>
-If you can import keystone successfully, you should be ready to move on to :doc:`developing`
+If you can import keystone successfully, you should be ready to move on to
+:doc:`developing`
Troubleshooting
===============
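Review bot: the reflowed sentence ending in :doc:`developing` still has no terminating period; add one while the line is being touched.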