OpenStack Keystone Authentication Flow (6)

1. Authentication

The previous chapter described how routing works, so that from a URL we can easily locate the code that handles it. In this chapter we follow one concrete authentication request and see how it is processed.

Assume a request like the following (the username and password values are left as placeholders):

    $ curl -s -X POST http://8.21.28.222:35357/v2.0/tokens \
        -H "Content-Type: application/json" \
        -d '{"auth":{"passwordCredentials":{"username":"<username>","password":"<password>"}}}' \
        | python -m json.tool

In keystone-paste.ini the line /v2.0 = admin_api tells us the request goes to the admin_api pipeline. The last element of that pipeline, the application itself, is:

    [app:admin_service]
    paste.app_factory = keystone.service:admin_app_factory

Finally, in token/routers.py we find the following route:

    from keystone.token import controllers
    ...
    token_controller = controllers.Auth()
    mapper.connect('/tokens',
                   controller=token_controller,
                   action='authenticate',
                   conditions=dict(method=['POST']))

So the controller is keystone.token.controllers.Auth and the action is authenticate. The corresponding method looks like this:

    def authenticate(self, context, auth=None):
        """Authenticate credentials and return a token.

        Accept auth as a dict that looks like::

            {
                "auth":{
                    "passwordCredentials":{
                        "username":"test_user",
                        "password":"mypass"
                    },
                    "tenantName":"customer-x"
                }
            }

        In this case, tenant is optional, if not provided the token will be
        considered "unscoped" and can later be used to get a scoped token.

        Alternatively, this call accepts auth with only a token and tenant
        that will return a token that is scoped to that tenant.
        """
        if auth is None:
            raise exception.ValidationError(attribute='auth',
                                            target='request body')

        auth_token_data = None

        if 'token' in auth:
            # Try to authenticate using a token
            auth_info = self._authenticate_token(context, auth)
        else:
            # Try external authentication
            try:
                auth_info = self._authenticate_external(context, auth)
            except ExternalAuthNotApplicable:
                # Try local authentication
                auth_info = self._authenticate_local(context, auth)

        user_ref, tenant_ref, metadata_ref, expiry, bind = auth_info
        core.validate_auth_info(self, user_ref, tenant_ref)
        user_ref = self.identity_api.v3_to_v2_user(user_ref)
        if tenant_ref:
            tenant_ref = self.filter_domain_id(tenant_ref)
        auth_token_data = self._get_auth_token_data(user_ref,
                                                    tenant_ref,
                                                    metadata_ref,
                                                    expiry)

        if tenant_ref:
            catalog_ref = self.catalog_api.get_catalog(
                user_ref['id'], tenant_ref['id'], metadata_ref)
        else:
            catalog_ref = {}

        auth_token_data['id'] = 'placeholder'
        if bind:
            auth_token_data['bind'] = bind

        roles_ref = []
        for role_id in metadata_ref.get('roles', []):
            role_ref = self.identity_api.get_role(role_id)
            roles_ref.append(dict(name=role_ref['name']))

        (token_id, token_data) = self.token_provider_api.issue_v2_token(
            auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)

        return token_data

The dispatch order is: a request body carrying a token goes to _authenticate_token; anything else first tries external authentication and, if that does not apply, falls back to local authentication. Our request uses a local username and password, so it ends up in _authenticate_local. Its code:

    def _authenticate_local(self, context, auth):
        """Try to authenticate against the identity backend.

        Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
        """
        if 'passwordCredentials' not in auth:
            raise exception.ValidationError(
                attribute='passwordCredentials', target='auth')

        if 'password' not in auth['passwordCredentials']:
            raise exception.ValidationError(
                attribute='password', target='passwordCredentials')

        password = auth['passwordCredentials']['password']
        if password and len(password) > CONF.identity.max_password_length:
            raise exception.ValidationSizeError(
                attribute='password', size=CONF.identity.max_password_length)

        if ("userId" not in auth['passwordCredentials'] and
                "username" not in auth['passwordCredentials']):
            raise exception.ValidationError(
                attribute='username or userId',
                target='passwordCredentials')

        user_id = auth['passwordCredentials'].get('userId', None)
        if user_id and len(user_id) > CONF.max_param_size:
            raise exception.ValidationSizeError(attribute='userId',
                                                size=CONF.max_param_size)

        username = auth['passwordCredentials'].get('username', '')
        if len(username) > CONF.max_param_size:
            raise exception.ValidationSizeError(attribute='username',
                                                size=CONF.max_param_size)

        if username:
            try:
                user_ref = self.identity_api.get_user_by_name(
                    username, DEFAULT_DOMAIN_ID)
                user_id = user_ref['id']
            except exception.UserNotFound as e:
                raise exception.Unauthorized(e)

        try:
            user_ref = self.identity_api.authenticate(
                user_id=user_id,
                password=password)
        except AssertionError as e:
            raise exception.Unauthorized(e)

        metadata_ref = {}
        tenant_id = self._get_project_id_from_auth(auth)
        tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
            user_id, tenant_id)

        expiry = core.default_expire_time()
        return (user_ref, tenant_ref, metadata_ref, expiry, None)
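As an added example that is not part of this post or of Keystone's own code, the following stand-alone Python models the dispatch in authenticate and the validation order of _authenticate_local shown above. FakeIdentityApi, its users and the MAX_PASSWORD_LENGTH / MAX_PARAM_SIZE values are constructed stand-ins for identity_api and CONF, and the exception classes, user_id and outcome are helpers assumed for the example. It makes two properties of the real code easy to check: every size limit is enforced before the identity backend is touched, and an unknown username and a wrong password both come back as Unauthorized, so the response does not disclose whether the user exists.

```python
# Added example, not Keystone's own code: a stand-alone model of the v2.0
# /tokens dispatch in Auth.authenticate and of the validation order in
# Auth._authenticate_local. FakeIdentityApi, its users and the two size
# limits are constructed stand-ins for identity_api and CONF.
import hmac

MAX_PASSWORD_LENGTH = 4096  # stand-in for CONF.identity.max_password_length
MAX_PARAM_SIZE = 64         # stand-in for CONF.max_param_size
DEFAULT_DOMAIN_ID = "default"


class ValidationError(Exception):
    """Malformed request body (exception.ValidationError in Keystone)."""


class ValidationSizeError(ValidationError):
    """An attribute exceeds its size limit (exception.ValidationSizeError)."""


class Unauthorized(Exception):
    """Authentication failed (exception.Unauthorized)."""


class FakeIdentityApi:
    """Constructed stand-in for identity_api; stores plain-text passwords
    only to keep the example short."""

    def __init__(self, users):
        # users: {username: password}; ids are derived from names here
        self._users = {"id-" + n: {"id": "id-" + n, "name": n, "password": p}
                       for n, p in users.items()}

    def user_id(self, username):
        return "id-" + username

    def get_user_by_name(self, username, domain_id):
        for user in self._users.values():
            if user["name"] == username:
                return user
        raise KeyError(username)  # plays the role of exception.UserNotFound

    def authenticate(self, user_id, password):
        user = self._users.get(user_id)
        stored = user["password"] if user else ""
        # compare_digest rather than == so the check does not short-circuit
        # at the first mismatching byte; it also runs when the user is missing
        ok = hmac.compare_digest(stored.encode(), password.encode())
        if not user or not ok:
            raise AssertionError("Invalid user / password")
        return {"id": user["id"], "name": user["name"]}


def authenticate_local(identity_api, auth):
    """The checks of Auth._authenticate_local, in the same order."""
    if "passwordCredentials" not in auth:
        raise ValidationError("passwordCredentials missing from auth")
    creds = auth["passwordCredentials"]
    if "password" not in creds:
        raise ValidationError("password missing from passwordCredentials")
    password = creds["password"]
    if password and len(password) > MAX_PASSWORD_LENGTH:
        raise ValidationSizeError("password")
    if "userId" not in creds and "username" not in creds:
        raise ValidationError("username or userId required")
    user_id = creds.get("userId")
    if user_id and len(user_id) > MAX_PARAM_SIZE:
        raise ValidationSizeError("userId")
    username = creds.get("username", "")
    if len(username) > MAX_PARAM_SIZE:
        raise ValidationSizeError("username")
    # All size checks above run before the backend is touched.
    if username:
        try:
            user_id = identity_api.get_user_by_name(username, DEFAULT_DOMAIN_ID)["id"]
        except KeyError:
            # Unknown user and wrong password both end as Unauthorized, so
            # the response does not reveal whether the username exists.
            raise Unauthorized("Invalid user / password")
    try:
        return identity_api.authenticate(user_id=user_id, password=password)
    except AssertionError:
        raise Unauthorized("Invalid user / password")


def authenticate(identity_api, auth):
    """Dispatch of Auth.authenticate: a token in the body takes the token
    path, anything else the local password path (external auth left out)."""
    if auth is None:
        raise ValidationError("auth missing from request body")
    if "token" in auth:
        return {"path": "token"}  # would continue in _authenticate_token
    return {"path": "local", "user": authenticate_local(identity_api, auth)}


def outcome(identity_api, auth):
    """Reduce a request's result to one label, as a client would see it."""
    try:
        result = authenticate(identity_api, auth)
    except ValidationSizeError:
        return "size"
    except ValidationError:
        return "validation"
    except Unauthorized:
        return "unauthorized"
    return "token" if result["path"] == "token" else "ok:" + result["user"]["name"]
```

With FakeIdentityApi({"test_user": "mypass"}), outcome returns "ok:test_user" for the correct credentials (by username or by userId), "unauthorized" for both a wrong password and a non-existent user, "validation" for a body with no passwordCredentials, no password, or neither username nor userId, "size" for an over-long username or password (before any lookup), and "token" when the body carries a token instead of passwordCredentials.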
