keystonemiddleware Package

_memcache_crypt Module

Utilities for memcache encryption and integrity check.

Data should be serialized before entering these functions. Encryption has a dependency on the pycrypto. If pycrypto is not available, CryptoUnavailableError will be raised.

This module will not be called unless signing or encryption is enabled in the config. It will always validate signatures, and will decrypt data if encryption is enabled. It is not valid to mix protection modes.

exception keystonemiddleware._memcache_crypt.CryptoUnavailableError

Bases: exceptions.Exception

raise when Python Crypto module is not available.

exception keystonemiddleware._memcache_crypt.DecryptError

Bases: exceptions.Exception

raise when unable to decrypt encrypted data.

exception keystonemiddleware._memcache_crypt.InvalidMacError

Bases: exceptions.Exception

raise when unable to verify MACed data.

This usually indicates that data had been expectedly modified in memcache.

keystonemiddleware._memcache_crypt.assert_crypto_availability(f)

Ensure Crypto module is available.

keystonemiddleware._memcache_crypt.constant_time_compare(first, second)

Returns True if both string inputs are equal, otherwise False.

This function should take a constant amount of time regardless of how many characters in the strings match.

keystonemiddleware._memcache_crypt.decrypt_data(*args, **kwds)

Decrypt the data with the given secret key.

keystonemiddleware._memcache_crypt.derive_keys(token, secret, strategy)

Derives keys for MAC and ENCRYPTION from the user-provided secret. The resulting keys should be passed to the protect and unprotect functions.

As suggested by NIST Special Publication 800-108, this uses the first 128 bits from the sha384 KDF for the obscured cache key value, the second 128 bits for the message authentication key and the remaining 128 bits for the encryption key.

This approach is faster than computing a separate hmac as the KDF for each desired key.

keystonemiddleware._memcache_crypt.encrypt_data(*args, **kwds)

Encrypt the data with the given secret key.

Padding is n bytes of the value n, where 1 <= n <= blocksize.

keystonemiddleware._memcache_crypt.get_cache_key(keys)

Given keys generated by derive_keys(), returns a base64 encoded value suitable for use as a cache key in memcached.

keystonemiddleware._memcache_crypt.protect_data(keys, data)

Given keys and serialized data, returns an appropriately protected string suitable for storage in the cache.

keystonemiddleware._memcache_crypt.sign_data(key, data)

Sign the data using the defined function and the derived key.

keystonemiddleware._memcache_crypt.unprotect_data(keys, signed_data)

Given keys and cached string data, verifies the signature, decrypts if necessary, and returns the original serialized data.

_memcache_pool Module

Thread-safe connection pool for python-memcached.

exception keystonemiddleware._memcache_pool.ConnectionGetTimeoutException

Bases: exceptions.Exception

class keystonemiddleware._memcache_pool.ConnectionPool(maxsize, unused_timeout, conn_get_timeout=None)

Bases: Queue.Queue

Base connection pool class

This class implements the basic connection pool logic as an abstract base class.

acquire(*args, **kwds)
class keystonemiddleware._memcache_pool.MemcacheClientPool(urls, arguments, **kwargs)

Bases: keystonemiddleware._memcache_pool.ConnectionPool

auth_token Module

TOKEN-BASED AUTH MIDDLEWARE

This WSGI component:

  • Verifies that incoming client requests have valid tokens by validating tokens with the auth service.
  • Rejects unauthenticated requests UNLESS it is in ‘delay_auth_decision’ mode, which means the final decision is delegated to the downstream WSGI component (usually the OpenStack service)
  • Collects and forwards identity information based on a valid token such as user name, tenant, etc

Refer to: http://docs.openstack.org/developer/python-keystoneclient/ middlewarearchitecture.html

HEADERS

  • Headers starting with HTTP_ is a standard http header
  • Headers starting with HTTP_X is an extended http header

Coming in from initial call from client or customer

HTTP_X_AUTH_TOKEN
The client token being passed in.
HTTP_X_SERVICE_TOKEN
A service token being passed in.
HTTP_X_STORAGE_TOKEN
The client token being passed in (legacy Rackspace use) to support swift/cloud files

Used for communication between components

WWW-Authenticate
HTTP header returned to a user indicating which endpoint to use to retrieve a new token

What we add to the request for use by the OpenStack service

When using composite authentication (a user and service token are present) additional service headers relating to the service user will be added. They take the same form as the standard headers but add ‘_SERVICE_’. These headers will not exist in the environment if no service token is present.

HTTP_X_IDENTITY_STATUS
‘Confirmed’ or ‘Invalid’ The underlying service will only see a value of ‘Invalid’ if the Middleware is configured to run in ‘delay_auth_decision’ mode
HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
Identity service managed unique identifier, string. Only present if this is a domain-scoped v3 token.
HTTP_X_DOMAIN_NAME, HTTP_X_SERVICE_DOMAIN_NAME
Unique domain name, string. Only present if this is a domain-scoped v3 token.
HTTP_X_PROJECT_ID, HTTP_X_SERVICE_PROJECT_ID
Identity service managed unique identifier, string. Only present if this is a project-scoped v3 token, or a tenant-scoped v2 token.
HTTP_X_PROJECT_NAME, HTTP_X_SERVICE_PROJECT_NAME
Project name, unique within owning domain, string. Only present if this is a project-scoped v3 token, or a tenant-scoped v2 token.
HTTP_X_PROJECT_DOMAIN_ID, HTTP_X_SERVICE_PROJECT_DOMAIN_ID
Identity service managed unique identifier of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
HTTP_X_PROJECT_DOMAIN_NAME, HTTP_X_SERVICE_PROJECT_DOMAIN_NAME
Name of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID
Identity-service managed unique identifier, string
HTTP_X_USER_NAME, HTTP_X_SERVICE_USER_NAME
User identifier, unique within owning domain, string
HTTP_X_USER_DOMAIN_ID, HTTP_X_SERVICE_USER_DOMAIN_ID
Identity service managed unique identifier of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
HTTP_X_USER_DOMAIN_NAME, HTTP_X_SERVICE_USER_DOMAIN_NAME
Name of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
HTTP_X_ROLES, HTTP_X_SERVICE_ROLES
Comma delimited list of case-sensitive role names
HTTP_X_SERVICE_CATALOG

json encoded keystone service catalog (optional). For compatibility reasons this catalog will always be in the V2 catalog format even if it is a v3 token.

Note: This is an exception in that it contains ‘SERVICE’ but relates to a
user token, not a service token. The existing user’s catalog can be very large; it was decided not to present a catalog relating to the service token to avoid using more HTTP header space.
HTTP_X_TENANT_ID
Deprecated in favor of HTTP_X_PROJECT_ID Identity service managed unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID
HTTP_X_TENANT_NAME
Deprecated in favor of HTTP_X_PROJECT_NAME Project identifier, unique within owning domain, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_NAME
HTTP_X_TENANT
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME Keystone-assigned unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID
HTTP_X_USER
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME User name, unique within owning domain, string
HTTP_X_ROLE
Deprecated in favor of HTTP_X_ROLES Will contain the same values as HTTP_X_ROLES.

OTHER ENVIRONMENT VARIABLES

keystone.token_info
Information about the token discovered in the process of validation. This may include extended information returned by the Keystone token validation call, as well as basic information about the tenant and user.
keystone.token_auth
A keystoneclient auth plugin that may be used with a keystoneclient.session.Session. This plugin will load the authentication data provided to auth_token middleware.
class keystonemiddleware.auth_token.AuthProtocol(app, conf)

Bases: object

Auth Middleware that handles authenticating client calls.

exception keystonemiddleware.auth_token.ConfigurationError

Bases: exceptions.Exception

exception keystonemiddleware.auth_token.InvalidToken

Bases: exceptions.Exception

exception keystonemiddleware.auth_token.NetworkError

Bases: exceptions.Exception

exception keystonemiddleware.auth_token.ServiceError

Bases: exceptions.Exception

keystonemiddleware.auth_token.app_factory(global_conf, **local_conf)
keystonemiddleware.auth_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

ec2_token Module

Starting point for routing EC2 requests.

class keystonemiddleware.ec2_token.EC2Token(application)

Bases: object

Authenticate an EC2 request with keystone and convert to token.

keystonemiddleware.ec2_token.app_factory(global_conf, **local_conf)
keystonemiddleware.ec2_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.

opts Module

keystonemiddleware.opts.list_auth_token_opts()

Return a list of oslo.config options available in auth_token middleware.

The returned list includes all oslo.config options which may be registered at runtime by the project.

Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.

This function is also discoverable via the entry point ‘keystonemiddleware.auth_token’ under the ‘oslo.config.opts’ namespace.

The purpose of this is to allow tools like the Oslo sample config file generator to discover the options exposed to users by this middleware.

Returns:a list of (group_name, opts) tuples

s3_token Module

S3 TOKEN MIDDLEWARE

This WSGI component:

  • Get a request from the swift3 middleware with an S3 Authorization access key.
  • Validate s3 token in Keystone.
  • Transform the account name to AUTH_%(tenant_name).
class keystonemiddleware.s3_token.S3Token(app, conf)

Bases: object

Auth Middleware that handles S3 authenticating client calls.

exception keystonemiddleware.s3_token.ServiceError

Bases: exceptions.Exception

keystonemiddleware.s3_token.filter_factory(global_conf, **local_conf)

Returns a WSGI filter app for use with paste.deploy.