OpenStack 源码系列之 Keystone：Token 认证

2017-06-09

在上一篇博文中我们已经简要介绍了 Keystone，该篇就重点介绍 Keystone Token（Scoped）认证的流程。

有一张图很好概括了 Keystone 的工作流程（图的原始来源目前尚未找到）：

下边我们主要介绍该图虚拟机创建前的流程。

获取 Token

注：因写作本文时，手头尚无搭建好的 OpenStack 用于实验，所以获取 Token 部分的例子摘录自博文 OpenStack Keystone 工作流

获取临时 Token

假设我们已经在 OpenStack 创建了用户和相应的租户，那我们可以通过用户名密码获得临时 Token：

示例请求：
POST http://192.168.56.2:5000/v2.0/tokens
{
	"auth": {
		"passwordCredentials": {
			"username": "demo",
			"password": "rootroot"
		}
	}
}

示例响应：
{
	"access": {
		"token": {
			"issued_at": "2015-01-04T14:23:33.501946",
			"expires": "2015-01-04T15:23:33Z",
			"id": "a19bc13b46ba459cb3104fa97e414a27",
			"audit_ids": ["KA6wWhLFQWGMRpoCv1VYpQ"]
		},
		"serviceCatalog": [],
		"user": {
			"username": "demo",
			"roles_links": [],
			"id": "f8b9c7807d95484fa829cdb68b410e77",
			"roles": [],
			"name": "demo"
		},
		"metadata": {
			"is_admin": 0,
			"roles": []
		}
	}
}

获取用户可以访问的租户

这里其实有个疑问，就是既然已经拿到了（临时） Token 了，直接用这个 Token 去访问资源（list servers）不就行了吗，为什么还要获取用户的租户？

看起来可行，实际却不可行，主要原因如下：

本质上，租户才是资源的集合，用户要有获取资源的权限，必须绑定到具体的租户上；而且在 OpenStack 中，一个用户可以对应于多个租户，在访问资源时必须指出要访问哪个租户的资源。以上所获取到的临时 Token 其实是一个 Unscoped Token，也即没有租户（及域）信息的 Token。所以，为了能够访问到具体租户的资源，需要找出该用户的租户，然后选择一个租户再次请求一个 Scoped Token，这样才可以访问该租户的资源。

GET http://192.168.56.2:5000/v2.0/tenants
HEADERS["X-Auth-Token":"a19bc13b46ba459cb3104fa97e414a27"]
{
	"tenants_links": [],
	"tenants": [{
		"description": null,
		"enabled": true,
		"id": "0e877c09c1924963800c7534bc03106e",
		"parent_id": null,
		"name": "demo"
	},
	{
		"description": null,
		"enabled": true,
		"id": "2b6f4d3001e841e9924c8278a8a745db",
		"parent_id": null,
		"name": "invisible_to_admin"
	}]
}

获取指定租户的 Token

这里最重要的一点在于获取到的 Token 包含了资源的服务目录（Service Catalog）。其中重要的是 端点（Endpoints），也即 OpenStack 各 API 服务（如 nova-api）的 URL（由这些 URL 可以路由到对应的后台服务，进而访问资源）。

示例请求：
POST http://192.168.56.2:5000/v2.0/tokens
{
	"auth": {
		"tenantName": "demo",
		"passwordCredentials": {
			"username": "demo",
			"password": "rootroot"
		}
	}
}

示例响应：
{
	"access": {
		"token": {
			"issued_at": "2015-01-04T14:30:42.669320",
			"expires": "2015-01-04T15:30:42Z",
			"id": "f84bd18554bd4e49b147293ccbabdae2",
			"tenant": {
				"description": null,
				"enabled": true,
				"id": "0e877c09c1924963800c7534bc03106e",
				"parent_id": null,
				"name": "demo"
			},
			"audit_ids": ["DnJZAdncS7KX-N5M02Q-Ew"]
		},
		"serviceCatalog": [{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:8774/v2/0e877c09c1924963800c7534bc03106e",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:8774/v2/0e877c09c1924963800c7534bc03106e",
				"id": "470f1cc24a1544d388b5f8312cb5e512",
				"publicURL": "http://192.168.56.2:8774/v2/0e877c09c1924963800c7534bc03106e"
			}],
			"endpoints_links": [],
			"type": "compute",
			"name": "nova"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:9696/",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:9696/",
				"id": "36c9fd04cda04a3f8e30771549343052",
				"publicURL": "http://192.168.56.2:9696/"
			}],
			"endpoints_links": [],
			"type": "network",
			"name": "neutron"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:8776/v2/0e877c09c1924963800c7534bc03106e",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:8776/v2/0e877c09c1924963800c7534bc03106e",
				"id": "48a15d71e8af4370b145b9db7d3f197c",
				"publicURL": "http://192.168.56.2:8776/v2/0e877c09c1924963800c7534bc03106e"
			}],
			"endpoints_links": [],
			"type": "volumev2",
			"name": "cinderv2"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:3333",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:3333",
				"id": "ae6067b19be947f3a21d7b1e5f141353",
				"publicURL": "http://192.168.56.2:3333"
			}],
			"endpoints_links": [],
			"type": "s3",
			"name": "s3"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:9292",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:9292",
				"id": "280059b3597b4274b36b16ecea4b8fff",
				"publicURL": "http://192.168.56.2:9292"
			}],
			"endpoints_links": [],
			"type": "image",
			"name": "glance"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:8776/v1/0e877c09c1924963800c7534bc03106e",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:8776/v1/0e877c09c1924963800c7534bc03106e",
				"id": "0bd31fcde6fe4272b11cd97c79ff4d17",
				"publicURL": "http://192.168.56.2:8776/v1/0e877c09c1924963800c7534bc03106e"
			}],
			"endpoints_links": [],
			"type": "volume",
			"name": "cinder"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:8773/services/Admin",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:8773/services/Cloud",
				"id": "02fe3abc06f1492089ef100f63299631",
				"publicURL": "http://192.168.56.2:8773/services/Cloud"
			}],
			"endpoints_links": [],
			"type": "ec2",
			"name": "ec2"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:8774/v2.1/0e877c09c1924963800c7534bc03106e",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:8774/v2.1/0e877c09c1924963800c7534bc03106e",
				"id": "86ead91555a44de285f94957c05200ac",
				"publicURL": "http://192.168.56.2:8774/v2.1/0e877c09c1924963800c7534bc03106e"
			}],
			"endpoints_links": [],
			"type": "computev21",
			"name": "novav21"
		},
		{
			"endpoints": [{
				"adminURL": "http://192.168.56.2:35357/v2.0",
				"region": "RegionOne",
				"internalURL": "http://192.168.56.2:5000/v2.0",
				"id": "19885c4b7ed7403eb6bec641b7105443",
				"publicURL": "http://192.168.56.2:5000/v2.0"
			}],
			"endpoints_links": [],
			"type": "identity",
			"name": "keystone"
		}],
		"user": {
			"username": "demo",
			"roles_links": [],
			"id": "f8b9c7807d95484fa829cdb68b410e77",
			"roles": [{
				"name": "_member_"
			},
			{
				"name": "Member"
			},
			{
				"name": "anotherrole"
			}],
			"name": "demo"
		},
		"metadata": {
			"is_admin": 0,
			"roles": ["9fe2ff9ee4384b1894a90878d3e92bab",
			"1fa59496fd6b4b07b4ce23a5ee8a3a0b",
			"89764090d30949acaf9da2f9e0887ec6"]
		}
	}
}

接下来，我们就可以通过 URL 列出所有虚拟机：

1
2
3

GET http://192.168.56.2:8774/v2/0e877c09c1924963800c7534bc03106e/servers
HEADERS["X-Auth-Token":"a19bc13b46ba459cb3104fa97e414a27"]
......

那 Keystone 是怎么认证这个随请求一起发过来的 Token 呢？请看下文

Token 认证源码分析

其实，我们要是去 Keystone 源码中找 Token 认证（不是 CRUD）相关的代码还是真的找不到，拿这一块代码在哪里呢？且让我们来看看 Nova 的 PasteDeploy 配置文件：

[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_v21_legacy_v2_compatible
......

[composite:openstack_compute_api_v21_legacy_v2_compatible]
use = call:nova.api.auth:pipeline_factory_v21
......
keystone = ... authtoken keystonecontext ...
......

[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

从这个配置文件中，当 Nova 的认证方式为 keystone（在 /etc/nova/nova.conf 中指定）时，Token 的认证是通过 keystonemiddleware 模块来进行的。当然，keystonemiddleware 需要到 keystone 模块获取 Token 的详细信息。所以，大家可以看出，如果每个模块都选择了 keystone 认证，那对这些模块的请求都需要走一次 Token 认证，这对 Keystone 模块的压力是比较大的。

下边就让我们进入源码分析（不会很细，重在流程）。

keystonemiddleware

keystonemiddleware/auth_token/__init__.py 文件对 keystonemiddleware 的功能已经介绍的相当明了：

Token-based Authentication Middleware.

This WSGI component:

* Verifies that incoming client requests have valid tokens by validating
  tokens with the auth service.
* Rejects unauthenticated requests unless the auth_token middleware is in
  ``delay_auth_decision`` mode, which means the final decision is delegated to
  the downstream WSGI component (usually the OpenStack service).
* Collects and forwards identity information based on a valid token
  such as user name, domain, project, etc.

也即，keystonemiddleware（本身是也一个 WSGI 应用）：

验证 Token 是否合法
拒绝非法请求（除非该中间件处于 delay_auth_decision 模式）
收集并转发合法 Token 的信息（如用户名）

该中间件接受两种类型的 Token，即 auth_token 和 service_token。这里我们只关注前者。

另外，我们还可以参考官方的文档：

接下来，我们来看一下源码骨架：

# keystonemiddleware/auth_token/__init__.py

class BaseAuthProtocol(object):
    ......

    @webob.dec.wsgify(RequestClass=_request._AuthTokenRequest)
    def __call__(self, req):
        """Handle incoming request."""
        response = self.process_request(req)
        if response:
            return response
        response = req.get_response(self._app)
        return self.process_response(response)

    def process_request(self, request):
        """Process request.

        If this method returns a value then that value will be used as the
        response. The next application down the stack will not be executed and
        process_response will not be called.

        Otherwise, the next application down the stack will be executed and
        process_response will be called with the generated response.

        By default this method does not return a value.

        :param request: Incoming request
        :type request: _request.AuthTokenRequest

        """
        user_auth_ref = None
        serv_auth_ref = None
        allow_expired = False

        if request.service_token:
            self.log.debug('Authenticating service token')
            try:
                _, serv_auth_ref = self._do_fetch_token(request.service_token)
                self._validate_token(serv_auth_ref)
                self._confirm_token_bind(serv_auth_ref, request)
            except ksm_exceptions.InvalidToken:
                self.log.info('Invalid service token')
                request.service_token_valid = False
            else:
                # FIXME(jamielennox): The new behaviour for service tokens is
                # that they have to pass the policy check to be allowed.
                # Previously any token was accepted here. For now we will
                # continue to mark service tokens as valid if they are valid
                # but we will only allow service role tokens to do
                # allow_expired. In future we should reject any token that
                # isn't a service token here.
                role_names = set(serv_auth_ref.role_names)
                check = self._service_token_roles.intersection(role_names)
                role_check_passed = bool(check)

                # if service_token_role_required then the service token is only
                # valid if the roles check out. Otherwise at this point it is
                # true because keystone has already validated it.
                if self._service_token_roles_required:
                    request.service_token_valid = role_check_passed
                else:
                    if not self._service_token_warning_emitted:
                        self.log.warning('A valid token was submitted as '
                                         'a service token, but it was not '
                                         'a valid service token. This is '
                                         'incorrect but backwards '
                                         'compatible behaviour. This will '
                                         'be removed in future releases.')
                        # prevent log spam on every single request
                        self._service_token_warning_emitted = True

                    request.service_token_valid = True

                # allow_expired always requires passing the role check.
                allow_expired = role_check_passed

        if request.user_token:
            self.log.debug('Authenticating user token')
            try:
                data, user_auth_ref = self._do_fetch_token(
                    request.user_token,
                    allow_expired=allow_expired)
                self._validate_token(user_auth_ref,
                                     allow_expired=allow_expired)
                if not request.service_token:
                    self._confirm_token_bind(user_auth_ref, request)
            except ksm_exceptions.InvalidToken:
                self.log.info('Invalid user token')
                request.user_token_valid = False
            else:
                request.user_token_valid = True
                request.token_info = data

        request.token_auth = _user_plugin.UserAuthPlugin(user_auth_ref,
                                                         serv_auth_ref)


......
class AuthProtocol(BaseAuthProtocol):
    """Middleware that handles authenticating client calls."""
    ......

    def process_request(self, request):
        """Process request.

        Evaluate the headers in a request and attempt to authenticate the
        request. If authenticated then additional headers are added to the
        request for use by applications. If not authenticated the request will
        be rejected or marked unauthenticated depending on configuration.
        """
        request.remove_auth_headers()
        self._token_cache.initialize(request.environ)

        resp = super(AuthProtocol, self).process_request(request)
        if resp:
            return resp

        if not request.user_token:
            # if no user token is present then that's an invalid request
            request.user_token_valid = False

        # NOTE(jamielennox): The service status is allowed to be missing if a
        # service token is not passed. If the service status is missing that's
        # a valid request. We should find a better way to expose this from the
        # request object.
        user_status = request.user_token and request.user_token_valid
        service_status = request.headers.get('X-Service-Identity-Status',
                                             'Confirmed')

        if not (user_status and service_status == 'Confirmed'):
            if self._delay_auth_decision:
                self.log.debug('Deferring reject downstream')
            else:
                self.log.info('Rejecting request')
                message = _('The request you have made requires '
                            'authentication.')
                body = {'error': {
                    'code': 401,
                    'title': 'Unauthorized',
                    'message': message,
                }}
                raise webob.exc.HTTPUnauthorized(
                    body=jsonutils.dumps(body),
                    headers=self._reject_auth_headers,
                    charset='UTF-8',
                    content_type='application/json')

        if request.user_token_valid:
            request.set_user_headers(request.token_auth.user)

            if self._include_service_catalog:
                request.set_service_catalog_headers(request.token_auth.user)

        if request.token_auth:
            request.token_auth._auth = self._auth
            request.token_auth._session = self._session

        if request.service_token and request.service_token_valid:
            request.set_service_headers(request.token_auth.service)

        if self.log.isEnabledFor(logging.DEBUG):
            self.log.debug('Received request from %s',
                           request.token_auth._log_format)

1. 去除请求中跟认证相关的头部

为了防止伪造认证的请求，去除掉跟认证信息相关的头部是非常有必要的，请看详细：

# keystonemiddleware/auth_token/__init__.py

class AuthProtocol(BaseAuthProtocol):
    ......

    def process_request(self, request):
        """Process request.

        Evaluate the headers in a request and attempt to authenticate the
        request. If authenticated then additional headers are added to the
        request for use by applications. If not authenticated the request will
        be rejected or marked unauthenticated depending on configuration.
        """
        request.remove_auth_headers()
        self._token_cache.initialize(request.environ)


# keystonemiddleware/auth_token/_request.py

class _AuthTokenRequest(webob.Request):
    ......

    _HEADER_TEMPLATE = {
        'X%s-Domain-Id': 'domain_id',
        'X%s-Domain-Name': 'domain_name',
        'X%s-Project-Id': 'project_id',
        'X%s-Project-Name': 'project_name',
        'X%s-Project-Domain-Id': 'project_domain_id',
        'X%s-Project-Domain-Name': 'project_domain_name',
        'X%s-User-Id': 'user_id',
        'X%s-User-Name': 'username',
        'X%s-User-Domain-Id': 'user_domain_id',
        'X%s-User-Domain-Name': 'user_domain_name',
    }

    _ROLES_TEMPLATE = 'X%s-Roles'

    _USER_HEADER_PREFIX = ''
    _SERVICE_HEADER_PREFIX = '-Service'

    _USER_STATUS_HEADER = 'X-Identity-Status'
    _SERVICE_STATUS_HEADER = 'X-Service-Identity-Status'

    _ADMIN_PROJECT_HEADER = 'X-Is-Admin-Project'

    _SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
    _TOKEN_AUTH = 'keystone.token_auth'
    _TOKEN_INFO = 'keystone.token_info'

    _CONFIRMED = 'Confirmed'
    _INVALID = 'Invalid'

    # header names that have been deprecated in favour of something else.
    _DEPRECATED_HEADER_MAP = {
        'X-Role': 'X-Roles',
        'X-User': 'X-User-Name',
        'X-Tenant-Id': 'X-Project-Id',
        'X-Tenant-Name': 'X-Project-Name',
        'X-Tenant': 'X-Project-Name',
    }

    def _all_auth_headers(self):
        """All the authentication headers that can be set on the request."""
        yield self._SERVICE_CATALOG_HEADER
        yield self._USER_STATUS_HEADER
        yield self._SERVICE_STATUS_HEADER
        yield self._ADMIN_PROJECT_HEADER

        for header in self._DEPRECATED_HEADER_MAP:
            yield header

        prefixes = (self._USER_HEADER_PREFIX, self._SERVICE_HEADER_PREFIX)

        for tmpl, prefix in itertools.product(self._HEADER_TEMPLATE, prefixes):
            yield tmpl % prefix

        for prefix in prefixes:
            yield self._ROLES_TEMPLATE % prefix

    def remove_auth_headers(self):
        """Remove headers so a user can't fake authentication."""
        for header in self._all_auth_headers():
            self.headers.pop(header, None)

2. 获取 Token

获取 Token 分了几个主要步骤：

从缓存中获取（如有，需进行合法性检查）
如无，则利用 PKI 或从 Keystone（identity server）获取 Token。

注：PKI 属于本地认证，这样可以减轻 Keystone 的压力。

详细请看源码：

# keystonemiddleware/auth_token/__init__.py

class BaseAuthProtocol(object):
    ......

    def _do_fetch_token(self, token, **kwargs):
        """Helper method to fetch a token and convert it into an AccessInfo."""
        if self.kwargs_to_fetch_token:
            data = self.fetch_token(token, **kwargs)
        else:
            m = _('Implementations of auth_token must set '
                  'kwargs_to_fetch_token this will be the required and '
                  'assumed in Pike.')
            warnings.warn(m)
            data = self.fetch_token(token)

        try:
            return data, access.create(body=data, auth_token=token)
        except Exception:
            self.log.warning('Invalid token contents.', exc_info=True)
            raise ksm_exceptions.InvalidToken(_('Token authorization failed'))


class AuthProtocol(BaseAuthProtocol):
    ......

    def fetch_token(self, token, allow_expired=False):
        """Retrieve a token from either a PKI bundle or the identity server.

        :param str token: token id

        :raises exc.InvalidToken: if token is rejected
        """
        data = None
        token_hashes = None

        try:
            token_hashes = self._token_hashes(token)
            cached = self._cache_get_hashes(token_hashes)

            if cached:
                if cached == _CACHE_INVALID_INDICATOR:
                    self.log.debug('Cached token is marked unauthorized')
                    raise ksm_exceptions.InvalidToken()

                if self._check_revocations_for_cached:
                    # A token might have been revoked, regardless of initial
                    # mechanism used to validate it, and needs to be checked.
                    self._revocations.check(token_hashes)

                # NOTE(jamielennox): Cached values used to be stored as a tuple
                # of data and expiry time. They no longer are but we have to
                # allow some time to transition the old format so if it's a
                # tuple just use the data.
                if len(cached) == 2:
                    cached = cached[0]

                data = cached
            else:
                data = self._validate_offline(token, token_hashes)
                if not data:
                    data = self._identity_server.verify_token(
                        token,
                        allow_expired=allow_expired)

                self._token_cache.set(token_hashes[0], data)

        except (ksa_exceptions.ConnectFailure,
                ksa_exceptions.RequestTimeout,
                ksm_exceptions.RevocationListError,
                ksm_exceptions.ServiceError) as e:
            self.log.critical('Unable to validate token: %s', e)
            raise webob.exc.HTTPServiceUnavailable()
        except ksm_exceptions.InvalidToken:
            self.log.debug('Token validation failure.', exc_info=True)
            if token_hashes:
                self._token_cache.set(token_hashes[0],
                                      _CACHE_INVALID_INDICATOR)
            self.log.warning('Authorization failed for token')
            raise

        return data

2. 验证 Token

主要验证 Token 是否已经失效：

# keystonemiddleware/auth_token/__init__.py

class BaseAuthProtocol(object):
    ......

    def _validate_token(self, auth_ref, allow_expired=False):
        """Perform the validation steps on the token.

        :param auth_ref: The token data
        :type auth_ref: keystoneauth1.access.AccessInfo

        :raises exc.InvalidToken: if token is rejected
        """
        # 0 seconds of validity means it is invalid right now
        if (not allow_expired) and auth_ref.will_expire_soon(stale_duration=0):
            raise ksm_exceptions.InvalidToken(_('Token authorization failed'))


class AuthProtocol(BaseAuthProtocol):
    ......

    def _validate_token(self, auth_ref, **kwargs):
        super(AuthProtocol, self)._validate_token(auth_ref, **kwargs)

        if auth_ref.version == 'v2.0' and not auth_ref.project_id:
            msg = _('Unable to determine service tenancy.')
            raise ksm_exceptions.InvalidToken(msg)

4. 判断认证状态

# keystonemiddleware/auth_token/__init__.py

class AuthProtocol(BaseAuthProtocol):
    ......

    def process_request(self, request):
        ......

        # NOTE(jamielennox): The service status is allowed to be missing if a
        # service token is not passed. If the service status is missing that's
        # a valid request. We should find a better way to expose this from the
        # request object.
        user_status = request.user_token and request.user_token_valid
        service_status = request.headers.get('X-Service-Identity-Status',
                                             'Confirmed')

        if not (user_status and service_status == 'Confirmed'):
            if self._delay_auth_decision:
                self.log.debug('Deferring reject downstream')
            else:
                self.log.info('Rejecting request')
                message = _('The request you have made requires '
                            'authentication.')
                body = {'error': {
                    'code': 401,
                    'title': 'Unauthorized',
                    'message': message,
                }}
                raise webob.exc.HTTPUnauthorized(
                    body=jsonutils.dumps(body),
                    headers=self._reject_auth_headers,
                    charset='UTF-8',
                    content_type='application/json')

5. 设置头部信息

这部分特别重要，因为这部分会把请求用户已认证的详细身份信息填写到请求头部中，作为 keystonemiddleware 下一个 WSGI 应用的认证信息（请看下文的 Nova Context 部分）。

# keystonemiddleware/auth_token/__init__.py

class AuthProtocol(BaseAuthProtocol):
    ......

    def process_request(self, request):
        ......
        if request.user_token_valid:
            request.set_user_headers(request.token_auth.user)

            if self._include_service_catalog:
                request.set_service_catalog_headers(request.token_auth.user)


# keystonemiddleware/auth_token/_request.py

class _AuthTokenRequest(webob.Request):
    ......

    _HEADER_TEMPLATE = {
        'X%s-Domain-Id': 'domain_id',
        'X%s-Domain-Name': 'domain_name',
        'X%s-Project-Id': 'project_id',
        'X%s-Project-Name': 'project_name',
        'X%s-Project-Domain-Id': 'project_domain_id',
        'X%s-Project-Domain-Name': 'project_domain_name',
        'X%s-User-Id': 'user_id',
        'X%s-User-Name': 'username',
        'X%s-User-Domain-Id': 'user_domain_id',
        'X%s-User-Domain-Name': 'user_domain_name',
    }

    _ROLES_TEMPLATE = 'X%s-Roles'

    _USER_HEADER_PREFIX = ''
    _SERVICE_HEADER_PREFIX = '-Service'

    _USER_STATUS_HEADER = 'X-Identity-Status'
    _SERVICE_STATUS_HEADER = 'X-Service-Identity-Status'

    _ADMIN_PROJECT_HEADER = 'X-Is-Admin-Project'

    _SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
    _TOKEN_AUTH = 'keystone.token_auth'
    _TOKEN_INFO = 'keystone.token_info'

    _CONFIRMED = 'Confirmed'
    _INVALID = 'Invalid'

    # header names that have been deprecated in favour of something else.
    _DEPRECATED_HEADER_MAP = {
        'X-Role': 'X-Roles',
        'X-User': 'X-User-Name',
        'X-Tenant-Id': 'X-Project-Id',
        'X-Tenant-Name': 'X-Project-Name',
        'X-Tenant': 'X-Project-Name',
    }

    def _set_auth_headers(self, auth_ref, prefix):
        names = ','.join(auth_ref.role_names)
        self.headers[self._ROLES_TEMPLATE % prefix] = names

        for header_tmplt, attr in six.iteritems(self._HEADER_TEMPLATE):
            self.headers[header_tmplt % prefix] = getattr(auth_ref, attr)

    def set_user_headers(self, auth_ref):
        """Convert token object into headers.

        Build headers that represent authenticated user - see main
        doc info at start of __init__ file for details of headers to be defined
        """
        self._set_auth_headers(auth_ref, self._USER_HEADER_PREFIX)
        self.headers[self._ADMIN_PROJECT_HEADER] = _is_admin_project(auth_ref)

        for k, v in six.iteritems(self._DEPRECATED_HEADER_MAP):
            self.headers[k] = self.headers[v]

    def set_service_catalog_headers(self, auth_ref):
        """Convert service catalog from token object into headers.

        Build headers that represent the catalog - see main
        doc info at start of __init__ file for details of headers to be defined

        :param auth_ref: The token data
        :type auth_ref: keystoneauth.access.AccessInfo
        """
        if not auth_ref.has_service_catalog():
            self.headers.pop(self._SERVICE_CATALOG_HEADER, None)
            return

        catalog = auth_ref.service_catalog.catalog
        if auth_ref.version == 'v3':
            catalog = _v3_to_v2_catalog(catalog)

        c = jsonutils.dumps(catalog)
        self.headers[self._SERVICE_CATALOG_HEADER] = c

Nova Context

请求经过 keystonemiddleware 处理后，就会进行下一步，设置具体模块 Nova 的请求上下文 context，详细源码如下：

# nova/api/auth.py

class NovaKeystoneContext(wsgi.Middleware):
    """Make a request context from keystone headers."""

    @webob.dec.wsgify(RequestClass=wsgi.Request)
    def __call__(self, req):
        # Build a context, including the auth_token...
        remote_address = req.remote_addr
        if CONF.api.use_forwarded_for:
            remote_address = req.headers.get('X-Forwarded-For', remote_address)

        service_catalog = None
        if req.headers.get('X_SERVICE_CATALOG') is not None:
            try:
                catalog_header = req.headers.get('X_SERVICE_CATALOG')
                service_catalog = jsonutils.loads(catalog_header)
            except ValueError:
                raise webob.exc.HTTPInternalServerError(
                          _('Invalid service catalog json.'))

        # NOTE(jamielennox): This is a full auth plugin set by auth_token
        # middleware in newer versions.
        user_auth_plugin = req.environ.get('keystone.token_auth')

        # 上下文设置
        ctx = context.RequestContext.from_environ(
            req.environ,
            user_auth_plugin=user_auth_plugin,
            remote_address=remote_address,
            service_catalog=service_catalog)

        if ctx.user_id is None:
            LOG.debug("Neither X_USER_ID nor X_USER found in request")
            return webob.exc.HTTPUnauthorized()

        req.environ['nova.context'] = ctx	# 这就是底层 Nova API 经常使用的 nova.context
        return self.application


# nova/context.py

class RequestContext(context.RequestContext):
    ......

    @classmethod
    def from_environ(cls, environ, **kwargs):
        ctx = super(RequestContext, cls).from_environ(environ, **kwargs)

        # the base oslo.context sets its user param and tenant param but not
        # our user_id and project_id param so fix those up.
        if ctx.user and not ctx.user_id:
            ctx.user_id = ctx.user
        if ctx.tenant and not ctx.project_id:
            ctx.project_id = ctx.tenant

        return ctx


# oslo.context\oslo_context\context.py

# These arguments will be passed to a new context from the first available
# header to support backwards compatibility.
_ENVIRON_HEADERS = {
    'auth_token': ['HTTP_X_AUTH_TOKEN',
                   'HTTP_X_STORAGE_TOKEN'],
    'user': ['HTTP_X_USER_ID',
             'HTTP_X_USER'],
    'tenant': ['HTTP_X_PROJECT_ID',
               'HTTP_X_TENANT_ID',
               'HTTP_X_TENANT'],
    'user_domain': ['HTTP_X_USER_DOMAIN_ID'],
    'project_domain': ['HTTP_X_PROJECT_DOMAIN_ID'],
    'user_name': ['HTTP_X_USER_NAME'],
    'project_name': ['HTTP_X_PROJECT_NAME',
                     'HTTP_X_TENANT_NAME'],
    'user_domain_name': ['HTTP_X_USER_DOMAIN_NAME'],
    'project_domain_name': ['HTTP_X_PROJECT_DOMAIN_NAME'],
    'request_id': ['openstack.request_id'],
    'global_request_id': ['openstack.global_request_id'],


    'service_token': ['HTTP_X_SERVICE_TOKEN'],
    'service_user_id': ['HTTP_X_SERVICE_USER_ID'],
    'service_user_name': ['HTTP_X_SERVICE_USER_NAME'],
    'service_user_domain_id': ['HTTP_X_SERVICE_USER_DOMAIN_ID'],
    'service_user_domain_name': ['HTTP_X_SERVICE_USER_DOMAIN_NAME'],
    'service_project_id': ['HTTP_X_SERVICE_PROJECT_ID'],
    'service_project_name': ['HTTP_X_SERVICE_PROJECT_NAME'],
    'service_project_domain_id': ['HTTP_X_SERVICE_PROJECT_DOMAIN_ID'],
    'service_project_domain_name': ['HTTP_X_SERVICE_PROJECT_DOMAIN_NAME'],
}

class RequestContext(object):
    ......

    @classmethod
    def from_environ(cls, environ, **kwargs):
        """Load a context object from a request environment.

        If keyword arguments are provided then they override the values in the
        request environment.

        :param environ: The environment dictionary associated with a request.
        :type environ: dict
        """
        # Load a new context object from the environment variables set by
        # auth_token middleware. See:
        # https://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service

        # add kwarg if not specified by user from a list of possible headers
        for k, v_list in _ENVIRON_HEADERS.items():
            if k in kwargs:
                continue

            for v in v_list:
                if v in environ:
                    kwargs[k] = environ[v]
                    break

        if 'roles' not in kwargs:
            roles = environ.get('HTTP_X_ROLES', environ.get('HTTP_X_ROLE'))
            roles = [r.strip() for r in roles.split(',')] if roles else []
            kwargs['roles'] = roles

        if 'service_roles' not in kwargs:
            roles = environ.get('HTTP_X_SERVICE_ROLES')
            roles = [r.strip() for r in roles.split(',')] if roles else []
            kwargs['service_roles'] = roles

        if 'is_admin_project' not in kwargs:
            # NOTE(jamielennox): we default is_admin_project to true because if
            # nothing is provided we have to assume it is the admin project to
            # make old policy continue to work.
            is_admin_proj_str = environ.get('HTTP_X_IS_ADMIN_PROJECT', 'true')
            kwargs['is_admin_project'] = is_admin_proj_str.lower() == 'true'

        return cls(**kwargs)

接下来的请求操作就可以利用以上设置的上下文了。

访问控制和授权

如果你足够细心，会发现其实以上 Keystonemiddleware 的 Token 认证并没有完成一件很重要的事——访问控制和授权。这也不能怪 Keystonemiddleware，因为这跟其主要定位于校验 Token 合法性有关系，关注的是大的方面的权限验证；而对于很多模块而言，如 nova，资源多种多样，每种资源的操作权限可能都不一样，如果让 Keystonemiddleware 也来做这些很细的东西，那它将会是非常复杂，还不如把这些小的方面的权限控制放到具体模块去，由具体模块来控制实施。这样各个模块在复用 Keystonemiddleware 的同时还能够保持灵活性。

这进一步的访问控制是通过 Policy 机制来完成的。具体可以参考以前博文 OpenStack 源码系列之 Keystone：简介及基本概念介绍的“访问管理和授权”部分。