Replaces pipelines with flag for auth strategy

 Forcing deployers to modify a paste config file to change auth
 strategies is very fragile. This simplifies things by keying
 pipeline construction off of a single flag. Note that this will
 require a small change to devstack.

Change-Id: I49728c356266e6084ecafb6c59542390137f89e9

2 files changed, 11 insertions, 2 deletions

diff --git a/nova/api/auth.py b/nova/api/auth.py
index e6ad8555f..2d66c0d76 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -38,6 +38,17 @@ FLAGS.register_opt(use_forwarded_for_opt)
 LOG = logging.getLogger(__name__)
 
 
+def pipeline_factory(loader, global_conf, **local_conf):
+    """A paste pipeline replica that keys off of auth_strategy."""
+    pipeline = local_conf[FLAGS.auth_strategy].split()
+    filters = [loader.get_filter(n) for n in pipeline[:-1]]
+    app = loader.get_app(pipeline[-1])
+    filters.reverse()
+    for filter in filters:
+        app = filter(app)
+    return app
+
+
 class InjectContext(wsgi.Middleware):
     """Add a 'nova.context' to WSGI environ."""
 
@@ -82,7 +93,6 @@ class NovaKeystoneContext(wsgi.Middleware):
                                      project_id,
                                      roles=roles,
                                      auth_token=auth_token,
-                                     strategy='keystone',
                                      remote_address=remote_address)
 
         req.environ['nova.context'] = ctx
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index 6566ab7a9..89ac27542 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -327,7 +327,6 @@ class EC2KeystoneAuth(wsgi.Middleware):
                                       project_id,
                                       roles=roles,
                                       auth_token=token_id,
-                                      strategy='keystone',
                                       remote_address=remote_address)
 
         req.environ['nova.context'] = ctxt