authorVishvananda Ishaya <vishvananda@gmail.com>2012-03-05 22:35:25 -0800
committerVishvananda Ishaya <vishvananda@gmail.com>2012-03-06 12:36:10 -0800
commitba2c9cf82475a1d8e2c42da54ee9d87fc40be5c1 (patch)
treed9859ca110070160abeaeea0abf5c904091941ec
parent5fb0bdd7bf807a0886261ae6cf260dc7b6425e22 (diff)
Replaces pipelines with flag for auth strategy
Forcing deployers to modify a paste config file to change auth strategies is very fragile. This simplifies things by keying pipeline construction off of a single flag. Note that this will require a small change to devstack. Change-Id: I49728c356266e6084ecafb6c59542390137f89e9
-rw-r--r--etc/nova/api-paste.ini35
-rw-r--r--nova/api/auth.py12
-rw-r--r--nova/api/ec2/__init__.py1
-rw-r--r--nova/auth/manager.py5
-rw-r--r--nova/context.py7
-rw-r--r--nova/flags.py4
-rw-r--r--nova/image/glance.py5
-rw-r--r--nova/tests/image/test_glance.py2
-rw-r--r--nova/tests/test_auth.py2
9 files changed, 38 insertions, 35 deletions
diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 861bd3d57..0baa85df0 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -34,12 +34,11 @@ paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
use = egg:Paste#urlmap
/services/Cloud: ec2cloud
-[pipeline:ec2cloud]
-pipeline = ec2faultwrap logrequest ec2noauth cloudrequest authorizer validator ec2executor
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = ec2faultwrap logrequest authenticate cloudrequest authorizer validator ec2executor
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = ec2faultwrap logrequest ec2keystoneauth cloudrequest authorizer validator ec2executor
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest authorizer validator ec2executor
+deprecated = ec2faultwrap logrequest authenticate cloudrequest authorizer validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest authorizer validator ec2executor
[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory
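Review bot: The new composite sections no longer say what picks one of the three pipeline lines, so a deployer reading this file has no pointer to the flag that now controls authentication; add `# NOTE: pipeline_factory selects the line whose name matches the auth_strategy flag in nova.conf (noauth, deprecated or keystone)` above `[composite:ec2cloud]`. The same pointer belongs on the compute and volume composites in the second hunk. Since the selected line decides whether any authentication middleware runs at all, the comment should also say that `noauth` is for development only.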
@@ -90,19 +89,17 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
/: osvolumeversions
/v1: openstack_volume_api_v1
-[pipeline:openstack_compute_api_v2]
-pipeline = faultwrap noauth ratelimit osapi_compute_app_v2
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = faultwrap auth ratelimit osapi_compute_app_v2
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
-
-[pipeline:openstack_volume_api_v1]
-pipeline = faultwrap noauth ratelimit osapi_volume_app_v1
-# NOTE(vish): use the following pipeline for deprecated auth
-# pipeline = faultwrap auth ratelimit osapi_volume_app_v1
-# NOTE(vish): use the following pipeline for keystone auth
-# pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_compute_app_v2
+deprecated = faultwrap auth ratelimit osapi_compute_app_v2
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
+
+[composite:openstack_volume_api_v1]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_volume_app_v1
+deprecated = faultwrap auth ratelimit osapi_volume_app_v1
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
diff --git a/nova/api/auth.py b/nova/api/auth.py
index e6ad8555f..2d66c0d76 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -38,6 +38,17 @@ FLAGS.register_opt(use_forwarded_for_opt)
LOG = logging.getLogger(__name__)
+def pipeline_factory(loader, global_conf, **local_conf):
+ """A paste pipeline replica that keys off of auth_strategy."""
+ pipeline = local_conf[FLAGS.auth_strategy].split()
+ filters = [loader.get_filter(n) for n in pipeline[:-1]]
+ app = loader.get_app(pipeline[-1])
+ filters.reverse()
+ for filter in filters:
+ app = filter(app)
+ return app
+
+
class InjectContext(wsgi.Middleware):
"""Add a 'nova.context' to WSGI environ."""
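Review bot: In `pipeline_factory`, `local_conf[FLAGS.auth_strategy]` raises a bare `KeyError` when the flag names a strategy the paste file does not define, which is the right fail-closed outcome but gives the operator no hint that the flag and the ini are out of sync; guard it with `if FLAGS.auth_strategy not in local_conf:` / `raise ValueError('auth_strategy %r is not a pipeline in the paste config; expected one of %s' % (FLAGS.auth_strategy, sorted(local_conf)))`. The loop variable `filter` shadows the builtin and reads better as `middleware`. A docstring line such as `Only the strategy named by FLAGS.auth_strategy is loaded; the other lines are ignored.` would save the next reader from assuming all three keys are wired up.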
@@ -82,7 +93,6 @@ class NovaKeystoneContext(wsgi.Middleware):
project_id,
roles=roles,
auth_token=auth_token,
- strategy='keystone',
remote_address=remote_address)
req.environ['nova.context'] = ctx
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index 6566ab7a9..89ac27542 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -327,7 +327,6 @@ class EC2KeystoneAuth(wsgi.Middleware):
project_id,
roles=roles,
auth_token=token_id,
- strategy='keystone',
remote_address=remote_address)
req.environ['nova.context'] = ctxt
diff --git a/nova/auth/manager.py b/nova/auth/manager.py
index 23d9cee05..d2c5bc647 100644
--- a/nova/auth/manager.py
+++ b/nova/auth/manager.py
@@ -40,9 +40,6 @@ from nova.auth import signer
auth_opts = [
- cfg.BoolOpt('use_deprecated_auth',
- default=False,
- help='This flag must be set to use old style auth'),
cfg.ListOpt('allowed_roles',
default=[
'cloudadmin',
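Review bot: Dropping the `use_deprecated_auth` option means a nova.conf that still sets `use_deprecated_auth=true` no longer has any effect; if unregistered options are silently ignored by the config loader (not visible here), such a deployment falls through to whatever `auth_strategy` defaults to rather than failing at startup. Consider keeping a deprecated alias that logs a warning and maps `use_deprecated_auth=true` to `auth_strategy='deprecated'` for one release, or at least calling this out in the release note alongside the devstack change mentioned in the commit message.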
@@ -830,7 +827,7 @@ class AuthManager(object):
rc = open(FLAGS.credentials_template).read()
# NOTE(vish): Deprecated auth uses an access key, no auth uses a
# the user_id in place of it.
- if FLAGS.use_deprecated_auth:
+ if FLAGS.auth_strategy == 'deprecated':
access = user.access
else:
access = user.id
diff --git a/nova/context.py b/nova/context.py
index 8ec4a30ec..f83d8fd75 100644
--- a/nova/context.py
+++ b/nova/context.py
@@ -38,8 +38,7 @@ class RequestContext(object):
def __init__(self, user_id, project_id, is_admin=None, read_deleted="no",
roles=None, remote_address=None, timestamp=None,
- request_id=None, auth_token=None, strategy='noauth',
- overwrite=True):
+ request_id=None, auth_token=None, overwrite=True):
"""
:param read_deleted: 'no' indicates deleted records are hidden, 'yes'
indicates deleted records are visible, 'only' indicates that
@@ -71,7 +70,6 @@ class RequestContext(object):
request_id = generate_request_id()
self.request_id = request_id
self.auth_token = auth_token
- self.strategy = strategy
if overwrite or not hasattr(local.store, 'context'):
local.store.context = self
@@ -84,8 +82,7 @@ class RequestContext(object):
'remote_address': self.remote_address,
'timestamp': utils.strtime(self.timestamp),
'request_id': self.request_id,
- 'auth_token': self.auth_token,
- 'strategy': self.strategy}
+ 'auth_token': self.auth_token}
@classmethod
def from_dict(cls, values):
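Review bot: `to_dict` no longer emits `strategy`, but contexts serialised by a node running the previous code will still carry that key; if `from_dict` (its body continues outside the hunk) does `cls(**values)`, the now-removed keyword makes it raise `TypeError` during a mixed-version upgrade. A one-line tolerance in `from_dict`, `values.pop('strategy', None)`, lets new nodes accept contexts from old ones until the fleet is upgraded. This is inferred from the signature change above; confirm against the body of `from_dict`.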
diff --git a/nova/flags.py b/nova/flags.py
index fb7b57cd8..8aaf56659 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -462,6 +462,10 @@ global_opts = [
cfg.StrOpt('default_access_ip_network_name',
default=None,
help='Name of network to use to set access ips for instances'),
+ cfg.StrOpt('auth_strategy',
+ default='noauth',
+ help='The strategy to use for auth. Supports noauth, keystone, '
+ 'and deprecated.'),
]
FLAGS.register_opts(global_opts)
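Review bot: The default `auth_strategy='noauth'` makes a deployment that omits the flag (or, per the manager.py hunk, one that still relies on the removed `use_deprecated_auth`) run the API with no authentication middleware, and nothing in the help text warns about that; at minimum change it to `help='The strategy to use for auth: noauth (no authentication, development only), keystone, or deprecated.'`. A safer option is to default to `keystone` so that a missing flag fails closed rather than open, since the paste file now ships all three pipelines and no longer forces a conscious choice.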
diff --git a/nova/image/glance.py b/nova/image/glance.py
index 5edab2655..4bbf7a7fc 100644
--- a/nova/image/glance.py
+++ b/nova/image/glance.py
@@ -38,7 +38,6 @@ LOG = logging.getLogger(__name__)
FLAGS = flags.FLAGS
-flags.DECLARE('use_deprecated_auth', 'nova.auth.manager')
GlanceClient = utils.import_class('glance.client.Client')
@@ -60,7 +59,7 @@ def _parse_image_ref(image_href):
def _create_glance_client(context, host, port):
- if context.strategy == 'keystone':
+ if FLAGS.auth_strategy == 'keystone':
# NOTE(dprince): Glance client just needs auth_tok right? Should we
# add username and tenant to the creds below?
creds = {'strategy': 'keystone',
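Review bot: Switching the test from `context.strategy` to the process-wide `FLAGS.auth_strategy` changes behaviour for contexts that are created internally rather than from a request: those used to default to `strategy='noauth'` and so avoided this branch, and will now build keystone creds with whatever `context.auth_token` holds, possibly `None`. If the glance client rejects a missing token (not visible here), internal callers such as admin contexts break under keystone; guard with `if FLAGS.auth_strategy == 'keystone' and context.auth_token:` or document that callers must supply a token. The enclosing `_create_glance_client` continues beyond the hunk.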
@@ -318,7 +317,7 @@ class GlanceImageService(object):
# NOTE(vish): show is to check if image is available
image_meta = self.show(context, image_id)
- if FLAGS.use_deprecated_auth:
+ if FLAGS.auth_strategy == 'deprecated':
# NOTE(parthi): only allow image deletions if the user
# is a member of the project owning the image, in case of
# setup without keystone
diff --git a/nova/tests/image/test_glance.py b/nova/tests/image/test_glance.py
index 6d965756a..98852e9d5 100644
--- a/nova/tests/image/test_glance.py
+++ b/nova/tests/image/test_glance.py
@@ -386,7 +386,7 @@ class TestGlanceImageService(test.TestCase):
def test_delete_not_by_owner(self):
# this test is only relevant for deprecated auth mode
- self.flags(use_deprecated_auth=True)
+ self.flags(auth_strategy='deprecated')
fixture = self._make_fixture(name='test image')
properties = {'project_id': 'proj1'}
diff --git a/nova/tests/test_auth.py b/nova/tests/test_auth.py
index fb7219aad..242da09d9 100644
--- a/nova/tests/test_auth.py
+++ b/nova/tests/test_auth.py
@@ -155,7 +155,7 @@ class _AuthManagerBaseTestCase(test.TestCase):
'/services/Cloud'))
def test_can_get_credentials(self):
- self.flags(use_deprecated_auth=True)
+ self.flags(auth_strategy='deprecated')
st = {'access': 'access', 'secret': 'secret'}
with user_and_project_generator(self.manager, user_state=st) as (u, p):
credentials = self.manager.get_environment_rc(u, p)