From 1e907602e37fb55bbe5a20164db6d074f87369af Mon Sep 17 00:00:00 2001 From: Eric Fried Date: Thu, 26 Sep 2019 16:52:12 -0500 Subject: Allow versioned discovery unauthenticated Make routes to the versioned discovery documents (/v2, /v2.1) go through paste pipelines that don't require authentication, while leaving their sub-URLs (/v2.1/servers etc) requiring authentication. To make this work, our URLMap matcher gets support for a very rudimentary wildcard syntax, whereby api-paste.ini can differentiate between {/v2.1, /v2.1/} and /v2.1/$anything_else. The former points to the unauthenticated discovery app pipeline; the latter points to the existing "real API" pipeline. Similar for legacy v2. This entails a slight behavior change: requests to /v2 and /v2.1 used to 302 redirect to /v2/ and /v2.1/, respectively. Now they just work. Change-Id: Id47515017982850b167d5c637d93b96ae00ba793 Closes-Bug: #1845530 Closes-Bug: #1728732 --- etc/nova/api-paste.ini | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini index 2aaa7bf808..7e20eaa7e2 100644 --- a/etc/nova/api-paste.ini +++ b/etc/nova/api-paste.ini @@ -18,13 +18,15 @@ paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory [composite:osapi_compute] use = call:nova.api.openstack.urlmap:urlmap_factory /: oscomputeversions +/v2: oscomputeversion_legacy_v2 +/v2.1: oscomputeversion_v2 # v21 is an exactly feature match for v2, except it has more stringent # input validation on the wsgi surface (prevents fuzzing early on the # API). It also provides new features via API microversions which are # opt into for clients. Unaware clients will receive the same frozen # v2 API feature set, but with some relaxed validation -/v2: openstack_compute_api_v21_legacy_v2_compatible -/v2.1: openstack_compute_api_v21 +/v2/+: openstack_compute_api_v21_legacy_v2_compatible +/v2.1/+: openstack_compute_api_v21 [composite:openstack_compute_api_v21] use = call:nova.api.auth:pipeline_factory_v21 @@ -72,9 +74,18 @@ paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory [pipeline:oscomputeversions] pipeline = cors faultwrap request_log http_proxy_to_wsgi oscomputeversionapp +[pipeline:oscomputeversion_v2] +pipeline = cors compute_req_id faultwrap request_log http_proxy_to_wsgi oscomputeversionapp_v2 + +[pipeline:oscomputeversion_legacy_v2] +pipeline = cors compute_req_id faultwrap request_log http_proxy_to_wsgi legacy_v2_compatible oscomputeversionapp_v2 + [app:oscomputeversionapp] paste.app_factory = nova.api.openstack.compute.versions:Versions.factory +[app:oscomputeversionapp_v2] +paste.app_factory = nova.api.openstack.compute.versions:VersionsV2.factory + ########## # Shared # ########## -- cgit v1.2.1