The Keystone middleware sits in front of an OpenStack service and handles authenticating incoming requests. The middleware was designed according to this spec.
The middleware is found in source under Keystone/middleware.
The middleware supports two interfaces: WSGI and REST/HTTP.
If an unauthenticated call comes in, the middleware will respond with a 401 Unauthorized error. As per HTTP standards, it will also return a WWW-Authenticate header informing the caller of what protocols are supported. For Keystone authentication, the response syntax will be:
WWW-Authenticate: Keystone uri="url to Keystone server"
The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with the token.
The token is passed in using the X-Auth-Token header.
Upon successful authentication the middleware sends the following headers to the downstream WSGI app:
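The challenge/retry flow above, as an added example that is not the Keystone project's code: a small WSGI filter that answers unauthenticated requests with a 401 and the Keystone WWW-Authenticate challenge, validates X-Auth-Token, and only then passes identity headers to the downstream app. The token validator is a constructed in-memory stand-in for the call the real middleware makes to the Keystone server, and the downstream header names (X-Identity-Status, X-User-Id, X-Tenant-Id, X-Roles) are assumptions for illustration. It also strips any identity headers the caller supplied, so the protected app can only see values the middleware itself set.

```python
"""Minimal WSGI token-auth filter modelled on the flow this page describes.

Added example, not the Keystone project's code. The downstream header
names and the validator are assumptions; the real middleware validates
tokens against the Keystone server.
"""
import time

# Constructed token store standing in for Keystone's validate-token call:
# token -> (user, tenant, roles, expires_at as epoch seconds).
FAKE_TOKENS = {
    "tok-alice": ("alice", "proj-a", ["member"], time.time() + 3600),
    "tok-expired": ("bob", "proj-b", ["member"], time.time() - 1),
}

# Identity headers the filter owns; anything the caller sent under these
# names is discarded before the app sees the request.
IDENTITY_KEYS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_USER_ID",
                 "HTTP_X_TENANT_ID", "HTTP_X_ROLES")


def validate_token(token):
    """Return identity info for a valid, unexpired token, else None."""
    entry = FAKE_TOKENS.get(token)
    if entry is None or entry[3] <= time.time():
        return None
    return entry


class TokenAuthFilter:
    """WSGI filter: 401 + WWW-Authenticate challenge, or identity headers."""

    def __init__(self, app, auth_uri):
        self.app = app
        self.auth_uri = auth_uri

    def __call__(self, environ, start_response):
        token = environ.get("HTTP_X_AUTH_TOKEN")
        identity = validate_token(token) if token else None
        if identity is None:
            # Reject and tell the client where a token can be obtained.
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Keystone uri="%s"' % self.auth_uri),
                ("Content-Type", "text/plain"),
            ])
            return [b"Unauthorized"]
        user, tenant, roles, _ = identity
        for key in IDENTITY_KEYS:
            environ.pop(key, None)  # never trust caller-supplied identity
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = user
        environ["HTTP_X_TENANT_ID"] = tenant
        environ["HTTP_X_ROLES"] = ",".join(roles)
        return self.app(environ, start_response)


def downstream_app(environ, start_response):
    """Protected service: echoes the identity the middleware asserted."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "user=%s tenant=%s roles=%s" % (
        environ["HTTP_X_USER_ID"], environ["HTTP_X_TENANT_ID"],
        environ["HTTP_X_ROLES"])
    return [body.encode()]


def run_request(app, headers):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    result = {}

    def start_response(status, response_headers):
        result["status"] = status
        result["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return result["status"], result["headers"], body


if __name__ == "__main__":
    app = TokenAuthFilter(downstream_app, "https://auth.example.com/")
    print(run_request(app, {}))
    print(run_request(app, {"X-Auth-Token": "tok-alice"}))
```

The spoofing check matters more than it looks: the protected service trusts the identity headers unconditionally, so the filter must be the only thing that can set them, which also means the service should never be reachable except through the middleware.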
The middleware is configured within the config file of the main application as a WSGI component. Example for the auth_token middleware:
[app:myService]
paste.app_factory = myService:app_factory

[pipeline:main]
pipeline = tokenauth myService

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666
;Uncomment next line and check ip:port to use memcached to cache token requests
;memcache_hosts = 127.0.0.1:11211
The required configuration entries are:
auth_uri: the externally accessible URL of the Keystone server, in the form of a URL. Unauthenticated clients are redirected here. For example, if they make an unauthenticated call, they get this response:
HTTP/1.1 401 Unauthorized
Www-Authenticate: Keystone uri='https://auth.example.com/'
Content-Length: 381
In this case, the auth_uri setting is set to https://auth.example.com/
Optional parameters are:
Warning
Tokens are cached for the duration of their validity. If a token is revoked earlier in Keystone, the service will not know and will continue to honor the token as long as it is stored in memcached. Also note that tokens and data stored in memcached are not encrypted. The memcached server must be trusted and on a secure network.
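The revocation caveat above, worked through as an added example that is not the project's code: a validation cache that keeps positive results for the token's remaining lifetime (what the warning describes) next to one capped by an assumed max_ttl knob, so the window during which a revoked token is still honored can be measured. The Keystone server is a constructed in-memory stand-in with an injectable clock, and a dict replaces memcached.

```python
"""Token validation cache illustrating the revocation window.

Added example, not the Keystone project's code. max_ttl is an assumed
knob, not one of the page's configuration options; the Keystone-side
token store is constructed for the example.
"""


class FakeKeystone:
    """Stands in for the Keystone server: the source of truth for tokens."""

    def __init__(self):
        self.tokens = {}  # token -> expires_at (epoch seconds)
        self.lookups = 0  # how often the middleware had to call us

    def issue(self, token, expires_at):
        self.tokens[token] = expires_at

    def revoke(self, token):
        self.tokens.pop(token, None)

    def validate(self, token, now):
        self.lookups += 1
        exp = self.tokens.get(token)
        if exp is None or exp <= now:
            return None
        return {"token": token, "expires_at": exp}


class CachingValidator:
    """Caches positive results for min(remaining token lifetime, max_ttl)."""

    def __init__(self, keystone, max_ttl=None):
        self.keystone = keystone
        self.max_ttl = max_ttl
        self.cache = {}  # token -> (info, cache_expires_at)

    def validate(self, token, now):
        hit = self.cache.get(token)
        if hit is not None:
            info, cache_exp = hit
            if cache_exp > now:
                return info  # served from cache; Keystone is not consulted
            del self.cache[token]
        info = self.keystone.validate(token, now)
        if info is not None:
            ttl = info["expires_at"] - now
            if self.max_ttl is not None:
                ttl = min(ttl, self.max_ttl)
            self.cache[token] = (info, now + ttl)
        return info


def revocation_window(max_ttl):
    """Seconds after revocation during which the cached token is honored.

    A token valid for 3600 s is validated once (filling the cache), then
    revoked at t=0; we advance the clock until the cache stops accepting it.
    """
    ks = FakeKeystone()
    ks.issue("tok", expires_at=3600)
    v = CachingValidator(ks, max_ttl=max_ttl)
    if v.validate("tok", now=0) is None:
        raise RuntimeError("fresh token should validate")
    ks.revoke("tok")
    t = 0
    while v.validate("tok", now=t) is not None:
        t += 1
    return t


def lookups_saved(requests):
    """Keystone calls made for `requests` validations of one cached token."""
    ks = FakeKeystone()
    ks.issue("tok", expires_at=3600)
    v = CachingValidator(ks)
    for t in range(requests):
        v.validate("tok", now=t)
    return ks.lookups


if __name__ == "__main__":
    print("uncapped cache honors revoked token for", revocation_window(None), "s")
    print("max_ttl=300 honors revoked token for", revocation_window(300), "s")
    print("Keystone calls for 100 requests:", lookups_saved(100))
```

With the uncapped policy the revoked token is accepted until its original expiry; a cap bounds that window at the cost of more calls to Keystone, which is the trade-off to decide on when enabling memcache_hosts.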
Parameters needed in a distributed topology. In this configuration, the middleware runs on a separate machine or cluster from the protected service (not common; see Middleware Architecture for details on the different deployment topologies):