keystone WSGI流程

作为OpenStack两种主要的通信方式(RESTful API与消息总线)之一,理解RESTful API的设计思路和执行过程,有助于我们对OpenStack有更好的理解。RESTful只是设计风格而不是标准,Web服务中通常使用基于HTTP的符合RESTful风格的API。而WSGI(Web ServerGateway Interface)则是python语言中所定义的Web服务器和Web应用程序或框架之间的通用接口标准。



1. 创建WSGI server


#/usr/bin/keyston-allimport osimport sys# If ../keystone/ exists, add ../ to Python search path, so that# it will override what happens to be installed in /usr/(local/)lib/python...possible_topdir = os.path.normpath(os.path.join(os.path.abspath(__file__),                                   os.pardir,                                   os.pardir))if os.path.exists(os.path.join(possible_topdir,                               'keystone',                               '')):    sys.path.insert(0, possible_topdir)from keystone.server import eventlet as eventlet_serverif __name__ == '__main__':


#/keystone/server/eventlet.pydef run(possible_topdir):    dev_conf = os.path.join(possible_topdir,                            'etc',                            'keystone.conf')    config_files = None    if os.path.exists(dev_conf):        config_files = [dev_conf]    common.configure(        version=pbr.version.VersionInfo('keystone').version_string(),        config_files=config_files,        pre_setup_logging_fn=configure_threading)    paste_config = config.find_paste_config()    def create_servers():        admin_worker_count = _get_workers('admin_workers')        public_worker_count = _get_workers('public_workers')        servers = []        servers.append(create_server(paste_config,                                     'admin',                                     CONF.eventlet_server.admin_bind_host,                                     CONF.eventlet_server.admin_port,                                     admin_worker_count))        servers.append(create_server(paste_config,                                     'main',                                     CONF.eventlet_server.public_bind_host,                                     CONF.eventlet_server.public_port,                                     public_worker_count))        return servers    _unused, servers = common.setup_backends(        startup_application_fn=create_servers)    serve(*servers)

首先加载配置文件的配置选项,然后找到keystone的paste配置文件(paste_config= config.find_paste_config()),因为OpenStack使用paste的deploy组件来完成WSGI服务器和应用的构建,其中keystone的paste配置文件位于/usr/share/keystone目录下,文件名为keystone-dist-paste.ini,对于该配置文件的使用,我会在后续内容中进行介绍,更细致的使用可参考paste的deploy的官方文档(。

然后执行common.setup_backends方法加载backend driver和创建admin和main的WSGI的server。这里我们看看common.setup_backends如何操作的呢?

#/keystone/server/common.pydef setup_backends(load_extra_backends_fn=lambda: {},                   startup_application_fn=lambda: None):    drivers = backends.load_backends()    drivers.update(load_extra_backends_fn())    res = startup_application_fn()    drivers.update(dependency.resolve_future_dependencies())    return drivers, res#/keystone/backends.pydef load_backends():    # Configure and build the cache    cache.configure_cache_region(cache.REGION)    # Ensure that the identity driver is created before the assignment manager    # and that the assignment driver is created before the resource manager.    # The default resource driver depends on assignment, which in turn    # depends on identity - hence we need to ensure the chain is available.    _IDENTITY_API = identity.Manager()    _ASSIGNMENT_API = assignment.Manager()    DRIVERS = dict(        assignment_api=_ASSIGNMENT_API,        catalog_api=catalog.Manager(),        credential_api=credential.Manager(),        domain_config_api=resource.DomainConfigManager(),        endpoint_filter_api=endpoint_filter.Manager(),        endpoint_policy_api=endpoint_policy.Manager(),        federation_api=federation.Manager(),        id_generator_api=identity.generator.Manager(),        id_mapping_api=identity.MappingManager(),        identity_api=_IDENTITY_API,        oauth_api=oauth1.Manager(),        policy_api=policy.Manager(),        resource_api=resource.Manager(),        revoke_api=revoke.Manager(),        role_api=assignment.RoleManager(),        token_api=token.persistence.Manager(),        trust_api=trust.Manager(),        token_provider_api=token.provider.Manager())    auth.controllers.load_auth_methods()    return DRIVERS

参考这篇文章(以及《OpenStack设计与实现》,我们知道,在”DRIVERS”字典中,每一个键值对都定义了一类keystone API实现,它们之间存在相互依赖的可能(所以在这里采用了依赖注入的设计模式),如下:

#/keystone/identity/'identity_api')@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api',                     'resource_api', 'revoke_api')class Manager(manager.Manager):

依赖注入模式就是在/keystone/common/dependency.py文件中实现的,对于上面的的作用为:如果一个class被加了@dependency.provider(‘xxx’),那么其就会生成一个实例,放置于_REGISTRY = {}全局变量中。名字叫做xxx。以后其他模块如果想要引用这个模块,那么只需要在class前面加上@dependency.requires(‘xxx’)或@dependency.optional(‘xxx’)就可以了。当加上了@dependency.requires后,这个模块就会有一个叫做xxx的属性,该属性的值就是对xxx的引用。


@dependency.provider('XXX')class XXX():    pass @dependency.requires('XXX')class YYY():    pass #然后YYY的实例就有了XXX这个属性:yyy = YYY()print type(yyy.XXX)

当然啦,这里还有一个细节那就是在初始化identity这个Manager的时候,我们的@dependency.requires(‘assignment_api’, ‘credential_api’, ‘token_api’)是不满足要求的,因为这三个API我们还没通过dependency.provider注册。所以在源码中有这样的注释:”Objects must not rely on the existence of these attributes untilafter ‘resolve_future_dependencies’ has been called; they may not existbeforehand.”。这些require的东东需要等到resolve_future_dependencies被调用后才能被正常使用。

因此调用load_backends方法就加载了后续会使用的backend driver。然后执行res = startup_application_fn()代码创建WSGI的server。

#/keystone/server/    def create_servers():        admin_worker_count = _get_workers('admin_workers')        public_worker_count = _get_workers('public_workers')        servers = []        servers.append(create_server(paste_config,                                     'admin',                                     CONF.eventlet_server.admin_bind_host,                                     CONF.eventlet_server.admin_port,                                     admin_worker_count))        servers.append(create_server(paste_config,                                     'main',                                     CONF.eventlet_server.public_bind_host,                                     CONF.eventlet_server.public_port,                                     public_worker_count))        return servers#/keystone/server/eventlet.pydef _get_workers(worker_type_config_opt):    # Get the value from config, if the config value is None (not set), return    # the number of cpus with a minimum of 2.    worker_count = CONF.eventlet_server.get(worker_type_config_opt)    if not worker_count:        worker_count = max(2, processutils.get_worker_count())    return worker_count#/keystone/server/eventlet.pydef create_server(conf, name, host, port, workers):    app = keystone_service.loadapp('config:%s' % conf, name)    server = environment.Server(app, host=host, port=port,                                keepalive=CONF.eventlet_server.tcp_keepalive,                                keepidle=CONF.eventlet_server.tcp_keepidle)    if CONF.eventlet_server_ssl.enable:        server.set_ssl(CONF.eventlet_server_ssl.certfile,                       CONF.eventlet_server_ssl.keyfile,                       CONF.eventlet_server_ssl.ca_certs,                       CONF.eventlet_server_ssl.cert_required)return name, ServerWrapper(server, workers)#/keystone/service.pydef loadapp(conf, name):    # NOTE(blk-u): Save the application being loaded in the controllers module.    # This is similar to how public_app_factory() and v3_app_factory()    # register the version with the controllers module.    controllers.latest_app = deploy.loadapp(conf, name=name)    return controllers.latest_app

其中create_servers方法首先获取欲创建的admin和main的WSGI server的进程个数(work count),如果配置文件没有定义创建的进程个数,则OpenStack将通过计算计算机的cpu个数与2进行比较,选择最大的那个数作为创建的进程个数。我的环境没有在配置文件中进行设置创建进程的个数,且本环境的cpu个数为4,因此这里会创建8个WSGI server进程(4个admin WSGI server和4个main WSGI server)。如下:

[root@jun ~]# ps -elf | grep keystone

5 S keystone   8882   4329  0  80   0 - 103806 poll_s 11:06 ?       00:00:01 keystone-admin  -DFOREGROUND

5 S keystone   8883   4329  0  80   0 - 103806 poll_s 11:06 ?       00:00:01 keystone-main   -DFOREGROUND

4 S keystone  50511      1  1  80   0 - 86478 poll_s 20:06 ?        00:00:09 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50522  50511  0  80   0 - 114690 ep_pol 20:06 ?       00:00:01 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50523  50511  0  80   0 - 114193 ep_pol 20:06 ?       00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50524  50511  0  80   0 - 114527 ep_pol 20:06 ?       00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50525  50511  0  80   0 - 114585 ep_pol 20:06 ?       00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50526  50511  0  80   0 - 86511 ep_pol 20:06 ?        00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50527  50511  0  80   0 - 86511 ep_pol 20:06 ?        00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50528  50511  0  80   0 - 86511 ep_pol 20:06 ?        00:00:00 /usr/bin/python /usr/bin/keystone-all

1 S keystone  50529  50511  0  80   0 - 86511 ep_pol 20:06 ?        00:00:00 /usr/bin/python /usr/bin/keystone-all

0 S root      51358   7967  0  80   0 - 28161 pipe_w 20:17 pts/2    00:00:00 grep --color=auto keystone

其中进程号为50511的进程为创建WSGI server的父进程,进程号为50522~50529的进程为8个WSGI server进程。

在得到欲创建的WSGI server的进程数后,则去执行create_server函数,该函数执行app = keystone_service.loadapp('config:%s' % conf, name)代码来从paste配置文件中生成一个WSGI应用。这里只是加载WSGI应用,并没有执行生成的WSGI应用,只有在keystone服务进程收到keystoneclient的HTTP请求时,才会触发使用WSGI应用,对于如何使用该WSGI应用,我们会在下一小节进行详细分析。

在加载WSGI应用之后,创建WSGI server,且如果配置文件中使能了SSL,则需对创建的WSGI server进行SSL 设置。

#/keystone/common/environment/ Server(object):    """Server class to manage multiple WSGI sockets and applications."""    def __init__(self, application, host=None, port=None, keepalive=False,                 keepidle=None):        self.application = application = host or ''        self.port = port or 0        # Pool for a green thread in which wsgi server will be running        self.pool = eventlet.GreenPool(POOL_SIZE)        self.socket_info = {}        self.greenthread = None        self.do_ssl = False        self.cert_required = False        self.keepalive = keepalive        self.keepidle = keepidle        self.socket = None

其中create_server只是创建创建了一个Server对象,并没有监听相应的端口(而创建这个Server对象的进程就是WSGI server的父进程,即上面举例的50511号进程)。

最后create_server将创建的server和workers使用ServerWrapper类进行封装,并将WSGI server的name(即admin和main)和封装后的WSGI server进行返回。

最后setup_backends函数执行drivers.update(dependency.resolve_future_dependencies())后返回。回到/keystone/server/eventlet.py的run函数,最终run函数执行serve方法,该方法会创建dmin和main的WSGI server。

#/keystone/server/eventlet.pydef serve(*servers):    logging.warning(_('Running keystone via eventlet is deprecated as of Kilo '                      'in favor of running in a WSGI server (e.g. mod_wsgi). '                      'Support for keystone under eventlet will be removed in '                      'the "M"-Release.'))    if max([server[1].workers for server in servers]) > 1:        launcher = service.ProcessLauncher()    else:        launcher = service.ServiceLauncher()    for name, server in servers:        try:            server.launch_with(launcher)        except socket.error:            logging.exception(_('Failed to start the %(name)s server') % {                'name': name})            raise    # notify calling process we are ready to serve    systemd.notify_once()    for name, server in servers:        launcher.wait()

因为admin和main的WSGI server的works都为4,所以执行lanuncher = service.ProcessLauncher(),即创建一个ProcessLauncher对象。

#/keystone/openstack/common/ ProcessLauncher(object):    _signal_handlers_set = set()    @classmethod    def _handle_class_signals(cls, *args, **kwargs):        for handler in cls._signal_handlers_set:            handler(*args, **kwargs)    def __init__(self, wait_interval=0.01):        """Constructor.        :param wait_interval: The interval to sleep for between checks                              of child process exit.        """        self.children = {}        self.sigcaught = None        self.running = True        self.wait_interval = wait_interval        rfd, self.writepipe = os.pipe()        self.readpipe = eventlet.greenio.GreenPipe(rfd, 'r')        self.handle_signal()

然后在对admin和main的WSGI server分别执行server.launch_with(launcher)语句。

#/keystone/server/ ServerWrapper(object):    """Wraps a Server with some launching info & capabilities."""    def __init__(self, server, workers):        self.server = server        self.workers = workers    def launch_with(self, launcher):        self.server.listen()        if self.workers > 1:            # Use multi-process launcher            launcher.launch_service(self.server, self.workers)        else:            # Use single process launcher            launcher.launch_service(self.server)#/keystone/common/environment/    def listen(self, key=None, backlog=128):        """Create and start listening on socket.        Call before forking worker processes.        Raises Exception if this has already been called.        """        # TODO(dims): eventlet's green dns/socket module does not actually        # support IPv6 in getaddrinfo(). We need to get around this in the        # future or monitor upstream for a fix.        # Please refer below link        # (        # src/e0f578180d7d82d2ed3d8a96d520103503c524ec/eventlet/support/        #        info = socket.getaddrinfo(,                                  self.port,                                  socket.AF_UNSPEC,                                  socket.SOCK_STREAM)[0]        try:            self.socket = eventlet.listen(info[-1], family=info[0],                                          backlog=backlog)        except EnvironmentError:            LOG.error(_LE("Could not bind to %(host)s:%(port)s"),                      {'host':, 'port': self.port})            raise'Starting %(arg0)s on %(host)s:%(port)s'),                 {'arg0': sys.argv[0],                  'host':,                  'port': self.port})

这里执行launch_with函数时,首先使用WSGI server的父进程对相应的端口进行监听。

[root@jun ~]#  netstat -tnulp | grep 50511

tcp        0      0  *               LISTEN      50511/python

tcp        0      0 *               LISTEN      50511/python

如上所示,WSGI server的父进程(50511号进程)开启两个socket去分别监听本环境的5000和35357号端口,其中5000号端口是为main的WSGI server提供的,35357号端口为admin的WSGI server提供的。即WSGI server的父进程接收到5000号端口的HTTP请求时,则将把该请求转发给为main开启的WSGI server去处理,而WSGI server的父进程接收到35357号端口的HTTP请求时,则将把该请求转发给为admin开启的WSGI server去处理。

在开启WSGI server的父进程的socket监听后,才会正式创建admin和main的WSGI server。即执行launcher.launch_service(self.server,self.workers)语句。

#/keystone/openstack/common/    def launch_service(self, service, workers=1):        wrap = ServiceWrapper(service, workers)'Starting %d workers'), wrap.workers)        while self.running and len(wrap.children) < wrap.workers:            self._start_child(wrap)
Launch_service函数将会根据admin和main的workers创建workers个数的WSGIserver。其中创建一个WSGI server就将其会塞进wrap.children集合中(python的set类型)。_start_child函数即为创建WSGIserver。
#/keystone/openstack/common/    def _start_child(self, wrap):        if len(wrap.forktimes) > wrap.workers:            # Limit ourselves to one process a second (over the period of            # number of workers * 1 second). This will allow workers to            # start up quickly but ensure we don't fork off children that            # die instantly too quickly.            if time.time() - wrap.forktimes[0] < wrap.workers:      'Forking too fast, sleeping'))                time.sleep(1)            wrap.forktimes.pop(0)        wrap.forktimes.append(time.time())        pid = os.fork()        if pid == 0:            launcher = self._child_process(wrap.service)            while True:                self._child_process_handle_signal()                status, signo = self._child_wait_for_exit_or_signal(launcher)                if not _is_sighup_and_daemon(signo):                    break                launcher.restart()            os._exit(status)'Started child %d'), pid)        wrap.children.add(pid)        self.children[pid] = wrap        return pid

其中在创建的子进程中执行(pid== 0)中执行launcher =self._child_process(wrap.service)创建一个Launcher对象,并加载/keystone/openstack/common/中的run_service函数。那么它如何加载run_service函数的呢?如下

#/keystone/openstack/common/    def _child_process(self, service):        self._child_process_handle_signal()        # Reopen the eventlet hub to make sure we don't share an epoll        # fd with parent and/or siblings, which would be bad        eventlet.hubs.use_hub()        # Close write to ensure only parent has it open        os.close(self.writepipe)        # Create greenthread to watch for parent to close pipe        eventlet.spawn_n(self._pipe_watcher)        # Reseed random number generator        random.seed()        launcher = Launcher()        launcher.launch_service(service)        return launcher#/keystone/openstack/common/ Launcher(object):    """Launch one or more services and wait for them to complete."""    def __init__(self):        """Initialize the service launcher.        :returns: None        """ = Services()        self.backdoor_port = eventlet_backdoor.initialize_if_enabled()    def launch_service(self, service):        """Load and start the given service.        :param service: The service you would like to start.        :returns: None        """        service.backdoor_port = self.backdoor_port Services(object):    def __init__(self): = [] = threadgroup.ThreadGroup()        self.done = event.Event()    def add(self, service):, service, self.done)

从上面的代码可以看出,加载run_service函数是在/keystone/openstack/common/中的launch_service函数中进行加载。当然,这里只是简单的加载run_service函数,并不会立即执行该函数。run_service函数的执行是在/keystone/openstack/common/中_start_child中的这条语句执行的:status,signo = self._child_wait_for_exit_or_signal(launcher)。如下

#/keystone/openstack/common/    def _child_wait_for_exit_or_signal(self, launcher):        status = 0        signo = 0        # NOTE(johannes): All exceptions are caught to ensure this        # doesn't fallback into the loop spawning children. It would        # be bad for a child to spawn more children.        try:            launcher.wait()        except SignalExit as exc:            signame = _signo_to_signame(exc.signo)  'Child caught %s, exiting'), signame)            status = exc.code            signo = exc.signo        except SystemExit as exc:            status = exc.code        except BaseException:            LOG.exception(_LE('Unhandled exception'))            status = 2        finally:            launcher.stop()        return status, signo


#/keystone/openstack/common/    @staticmethod    def run_service(service, done):        """Service start wrapper.        :param service: service to run        :param done: event to wait on until a shutdown is triggered        :returns: None        """        service.start()        done.wait()

这里run_service执行service.start则会去真正的创建WSGI server,这里service即为/keystone/common/environment/eventlet_server.py中的Server对象。即run_service执行Server对象的start函数。

#/keystone/common/environment/    def start(self, key=None, backlog=128):        """Run a WSGI server with the given application."""        if self.socket is None:            self.listen(key=key, backlog=backlog)        dup_socket = self.socket.dup()        if key:            self.socket_info[key] = self.socket.getsockname()        # SSL is enabled        if self.do_ssl:            if self.cert_required:                cert_reqs = ssl.CERT_REQUIRED            else:                cert_reqs = ssl.CERT_NONE            dup_socket = eventlet.wrap_ssl(dup_socket, certfile=self.certfile,                                           keyfile=self.keyfile,                                           server_side=True,                                           cert_reqs=cert_reqs,                                           ca_certs=self.ca_certs)        # Optionally enable keepalive on the wsgi socket.        if self.keepalive:            dup_socket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)            if self.keepidle is not None:                dup_socket.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE,                                      self.keepidle)        self.greenthread = self.pool.spawn(self._run,                                           self.application,                                           dup_socket)#/keystone/common/environment/    def _run(self, application, socket):        """Start a WSGI server with a new green thread pool."""        logger = log.getLogger('eventlet.wsgi.server')        socket_timeout = CONF.eventlet_server.client_socket_timeout or None        try:            eventlet.wsgi.server(                socket, application, log=EventletFilteringLogger(logger),                debug=False, keepalive=CONF.eventlet_server.wsgi_keep_alive,                socket_timeout=socket_timeout)        except greenlet.GreenletExit:            # Wait until all servers have completed running            pass        except Exception:            LOG.exception(_LE('Server error'))            raise

最终在所创建的每个子进程中创建一个协程来开启一个WSGI server,即在_run函数中创建和开启了一个WSGIserver。

那么在开启了WSGI server后,当WSGI server的父进程收到有HTTP请求,则将其请求发送到合适的WSGIserver上进行处理,而WSGI server如何处理HTTP请求,我们将在下一节进行分析。

2. 分析keystoneclient到keystone的HTTP请求过程


DEBUG (session:197) REQ: curl -g -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'


# Keystone PasteDeploy configuration file.



paste.filter_factory = keystone.common.wsgi:Debug.factory



paste.filter_factory = oslo_middleware:RequestId.factory



paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory



paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory



paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory



paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory



paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory



paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory



paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory



paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory



paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory



paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory



paste.filter_factory = keystone.contrib.s3:S3Extension.factory



paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory



paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory



paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory



paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory



paste.filter_factory = keystone.middleware:NormalizingFilter.factory



paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory



paste.app_factory = keystone.service:public_app_factory



paste.app_factory = keystone.service:v3_app_factory



paste.app_factory = keystone.service:admin_app_factory



# The last item in this pipeline must be public_service or an equivalent

# application. It cannot be a filter.

pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service



# The last item in this pipeline must be admin_service or an equivalent

# application. It cannot be a filter.

pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service



# The last item in this pipeline must be service_v3 or an equivalent

# application. It cannot be a filter.

pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension  oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3



paste.app_factory = keystone.service:public_version_app_factory



paste.app_factory = keystone.service:admin_version_app_factory



pipeline = sizelimit url_normalize public_version_service



pipeline = sizelimit url_normalize admin_version_service



use = egg:Paste#urlmap

/v2.0 = public_api

/v3 = api_v3

/ = public_version_api



use = egg:Paste#urlmap

/v2.0 = admin_api

/v3 = api_v3

/ = admin_version_api


(1) type = composite

这个类型的section会把URL请求分发到对应的Application,use表明具体的分发方式,比如”egg:Paste#urlmap”表示使用Paste包中的urlmap模块,这个section里的其他形式如”key = value”的行是使用urlmap进行分发时的参数。

(2) type = app

一个app就是一个具体的WSGI Application。

(3) type = filter-app


(4) type = filter


(5) type = pipeline




pipeline = filter1 filter2 filter3 app



paste.filter_factory = xxx



paste.filter_factory = yyy



paste.filter_factory = zzz

假设在ini文件中, 某条pipeline的顺序是filter1, filter2, filter3,app, 那么,最终运行的app_real是这样组织的: app_real =filter1(filter2(filter3(app)))



DEBUG (session:197) REQ: curl -g -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'

这里,我们的基本url为http://,而5000端口是为main的WSGI server开启的监听端口,所以当WSGI server的父进程监听到5000端口有HTTP请求,则它将会把HTTP请求转发给main的WSGI server进行处理,而main的WSGI server则根据keystone-dist-paste.ini配置文件内容对其HTTP请求作相应处理。

1. composite的处理


use = egg:Paste#urlmap

/v2.0 = public_api

/v3 = api_v3

/ = public_version_api


2. pipeline的处理


# The last item in this pipeline must be public_service or an equivalent

# application. It cannot be a filter.

pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

2.1 sizelimite filter处理


paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory

#/oslo_middleware/ RequestBodySizeLimiter(base.Middleware):    """Limit the size of incoming requests."""    @webob.dec.wsgify    def __call__(self, req):        max_size = CONF.oslo_middleware.max_request_body_size        if (req.content_length is not None and                req.content_length > max_size):            msg = _("Request is too large.")            raise webob.exc.HTTPRequestEntityTooLarge(explanation=msg)        if req.content_length is None and req.is_body_readable:            limiter = LimitingReader(req.body_file, max_size)            req.body_file = limiter        return self.application#/oslo_middleware/"""Base class(es) for WSGI Middleware."""import webob.decclass Middleware(object):    """Base WSGI middleware wrapper.    These classes require an application to be initialized that will be called    next.  By default the middleware will simply call its wrapped app, or you    can override __call__ to customize its behavior.    """    @classmethod    def factory(cls, global_conf, **local_conf):        """Factory method for paste.deploy."""        return cls    def __init__(self, application):        self.application = application    def process_request(self, req):        """Called on each request.        If this returns None, the next application down the stack will be        executed. If it returns a response then that response will be returned        and execution will stop here.        """        return None    def process_response(self, response):        """Do whatever you'd like to the response."""        return response    @webob.dec.wsgify    def __call__(self, req):        response = self.process_request(req)        if response:            return response        response = req.get_response(self.application)        return self.process_response(response)

这里,在paste的deploy的配置文件中,sizelimite filter的paste.filter_factory的value值为factory函数名,在执行paste的deploy.loadapp调用时,则执行了该factory函数,而该函数返回自身类,从而创建了一个自身类。所以当HTTP请求到来时,以函数的形式调用对象时,将会执行该对象的__call__方法。

因此对于本例中的HTTP请求到来时,首先用sizelimite filter去过来HTTP请求,即执行RequestBodySizeLimiter类的__call__方法。分析该方法可知,sizelimite filter主要判断request的内容是否超过配置文件keystone.conf设置的最大的request大小。keystone.conf配置文件默认的max_request_body_size为114688。


{'SCRIPT_NAME': '/v2.0', 'webob.adhoc_attrs': {'response': <Response at 0x3d13fd0 200 OK>}, 'REQUEST_METHOD': 'POST', 'PATH_INFO': '/tokens', 'SERVER_PROTOCOL': 'HTTP/1.0', 'REMOTE_ADDR': '', 'CONTENT_LENGTH': '102', 'HTTP_USER_AGENT': 'python-keystoneclient', 'eventlet.posthooks': [], 'RAW_PATH_INFO': '/v2.0/tokens', 'REMOTE_PORT': '42172', 'eventlet.input': <eventlet.wsgi.Input object at 0x3d13e10>, 'wsgi.url_scheme': 'http', 'webob._body_file': (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x3d13e10>), 'SERVER_PORT': '5000', 'wsgi.input': <_io.BytesIO object at 0x3d122f0>, 'HTTP_HOST': '', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/json', 'wsgi.version': (1, 0), 'SERVER_NAME': '', 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7fda61fb41e0>, 'wsgi.multiprocess': False, 'webob.is_body_seekable': True, 'CONTENT_TYPE': 'application/json'}

2.2 url_normalize filter处理


paste.filter_factory = keystone.middleware:NormalizingFilter.factory

#/keystone/common/ Middleware(Application):    """Base WSGI middleware.    These classes require an application to be    initialized that will be called next.  By default the middleware will    simply call its wrapped app, or you can override __call__ to customize its    behavior.    """    @classmethod    def factory(cls, global_config, **local_config):        """Used for paste app factories in paste.deploy config files.        Any local configuration (that is, values under the [filter:APPNAME]        section of the paste config) will be passed into the `__init__` method        as kwargs.        A hypothetical configuration would look like:            [filter:analytics]            redis_host =            paste.filter_factory =        which would result in a call to the `Analytics` class as            import  , redis_host='')        You could of course re-implement the `factory` method in subclasses,        but using the kwarg passing it shouldn't be necessary.        """        def _factory(app):            conf = global_config.copy()            conf.update(local_config)            return cls(app, **local_config)        return _factory    @webob.dec.wsgify()    def __call__(self, request):        try:            response = self.process_request(request)            if response:                return response            response = request.get_response(self.application)            return self.process_response(request, response)        except exception.Error as e:            LOG.warning(six.text_type(e))            return render_exception(e, request=request,                                    user_locale=best_match_language(request))        except TypeError as e:            LOG.exception(six.text_type(e))            return render_exception(exception.ValidationError(e),                                    request=request,                                    user_locale=best_match_language(request))        except Exception as e:            LOG.exception(six.text_type(e))            return render_exception(exception.UnexpectedError(exception=e),                                    request=request,                                    user_locale=best_match_language(request))#/keystone/middleware/ NormalizingFilter(wsgi.Middleware):    """Middleware filter to handle URL normalization."""    def process_request(self, request):        """Normalizes URLs."""        # Removes a trailing slash from the given path, if any.        if (len(request.environ['PATH_INFO']) > 1 and                request.environ['PATH_INFO'][-1] == '/'):            request.environ['PATH_INFO'] = request.environ['PATH_INFO'][:-1]        # Rewrites path to root if no path is given.        elif not request.environ['PATH_INFO']:            request.environ['PATH_INFO'] = '/'

url_normalize filter调用父类Middleware的__call__方法,在__call__方法中,调用自身的process_request函数,该函数主要处理sizelimiter filter传递下来的request的environ成员变量(字典)中的PATH_INFO的value值,由于本文例子sizelimiterfilter过滤后request的environ字典中的PATH_INFO的值为:’/tokens’,所以这里并未做任何处理。

此时打印出来的request的environ成员变量的值与sizelimiter filter过滤后的相同,即为:

{'SCRIPT_NAME': '/v2.0', 'webob.adhoc_attrs': {'response': <Response at 0x5341310 200 OK>}, 'REQUEST_METHOD': 'POST', 'PATH_INFO': '/tokens', 'SERVER_PROTOCOL': 'HTTP/1.0', 'REMOTE_ADDR': '', 'CONTENT_LENGTH': '102', 'HTTP_USER_AGENT': 'python-keystoneclient', 'eventlet.posthooks': [], 'RAW_PATH_INFO': '/v2.0/tokens', 'REMOTE_PORT': '58290', 'eventlet.input': <eventlet.wsgi.Input object at 0x5339dd0>, 'wsgi.url_scheme': 'http', 'webob._body_file': (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x5339dd0>), 'SERVER_PORT': '5000', 'wsgi.input': <_io.BytesIO object at 0x5338350>, 'HTTP_HOST': '', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/json', 'wsgi.version': (1, 0), 'SERVER_NAME': '', 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7f82a39e61e0>, 'wsgi.multiprocess': False, 'webob.is_body_seekable': True, 'CONTENT_TYPE': 'application/json'}

2.3 request_id filter处理


paste.filter_factory = oslo_middleware:RequestId.factory

#/oslo_middleware/ = 'openstack.request_id'class RequestId(base.Middleware):    """Middleware that ensures request ID.    It ensures to assign request ID for each API request and set it to    request environment. The request ID is also added to API response.    """    @webob.dec.wsgify    def __call__(self, req):        req_id = context.generate_request_id()        req.environ[ENV_REQUEST_ID] = req_id        response = req.get_response(self.application)        if HTTP_RESP_HEADER_REQUEST_ID not in response.headers:            response.headers.add(HTTP_RESP_HEADER_REQUEST_ID, req_id)        return response



{'SCRIPT_NAME': '/v2.0', 'webob.adhoc_attrs': {'response': <Response at 0x52c9f50 200 OK>}, 'REQUEST_METHOD': 'POST', 'PATH_INFO': '/tokens', 'SERVER_PROTOCOL': 'HTTP/1.0', 'REMOTE_ADDR': '', 'CONTENT_LENGTH': '102', 'HTTP_USER_AGENT': 'python-keystoneclient', 'eventlet.posthooks': [], 'RAW_PATH_INFO': '/v2.0/tokens', 'REMOTE_PORT': '42320', 'eventlet.input': <eventlet.wsgi.Input object at 0x52c9d50>, 'wsgi.url_scheme': 'http', 'webob._body_file': (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x52c9d50>), 'SERVER_PORT': '5000', 'wsgi.input': <_io.BytesIO object at 0x52ca290>, 'HTTP_HOST': '', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/json','openstack.request_id': 'req-c3af38d4-19c7-4454-9938-a2304f8baa3f', 'wsgi.version': (1, 0), 'SERVER_NAME': '', 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7f590e2bc1e0>, 'wsgi.multiprocess': False, 'webob.is_body_seekable': True, 'CONTENT_TYPE': 'application/json'}

2.4 build_auth_context token_auth admin_token_authjson_body filter处理


paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory



paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory



paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory



paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

这4个filter其实也跟前面的filter一样,没做任何实质性的工作,其代码流程跟url_normalize filter处理流程类似,我们就不在这里讲解了。

2.5 ec2_extension filter处理


paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

#/keystone/contrib/ec2/ Ec2Extension(wsgi.ExtensionRouter):    def add_routes(self, mapper):        ec2_controller = controllers.Ec2Controller()        # validation        mapper.connect(            '/ec2tokens',            controller=ec2_controller,            action='authenticate',            conditions=dict(method=['POST']))        # crud        mapper.connect(            '/users/{user_id}/credentials/OS-EC2',            controller=ec2_controller,            action='create_credential',            conditions=dict(method=['POST']))        mapper.connect(            '/users/{user_id}/credentials/OS-EC2',            controller=ec2_controller,            action='get_credentials',            conditions=dict(method=['GET']))        mapper.connect(            '/users/{user_id}/credentials/OS-EC2/{credential_id}',            controller=ec2_controller,            action='get_credential',            conditions=dict(method=['GET']))        mapper.connect(            '/users/{user_id}/credentials/OS-EC2/{credential_id}',            controller=ec2_controller,            action='delete_credential',            conditions=dict(method=['DELETE']))#/keystone/common/ ExtensionRouter(Router):    """A router that allows extensions to supplement or overwrite routes.    Expects to be subclassed.    """    def __init__(self, application, mapper=None):        if mapper is None:            mapper = routes.Mapper()        self.application = application        self.add_routes(mapper)        mapper.connect('{path_info:.*}', controller=self.application)        super(ExtensionRouter, self).__init__(mapper)    def add_routes(self, mapper):        pass    @classmethod    def factory(cls, global_config, **local_config):        """Used for paste app factories in paste.deploy config files.        Any local configuration (that is, values under the [filter:APPNAME]        section of the paste config) will be passed into the `__init__` method        as kwargs.        A hypothetical configuration would look like:            [filter:analytics]            redis_host =            paste.filter_factory =        which would result in a call to the `Analytics` class as            import  , redis_host='')        You could of course re-implement the `factory` method in subclasses,        but using the kwarg passing it shouldn't be necessary.        """        def _factory(app):            conf = global_config.copy()            conf.update(local_config)            return cls(app, **local_config)        return _factory

这里引入了python的routes模块,具体使用方法参考官网链接。当HTTP请求到来时,route将根据请求的url信息转换成相应的资源,并路由到合适的函数上。对于ec2_extension filter的重点就在add_routes函数,这里提供了url到相应资源的转换且能route到合适的函数上,如我们提供HTTP请求的url为http://,且请求类型为POST,通过-d再加上其他一下验证参数,这样将会去执行 Ec2Controller类中的authenticate函数,执行完成后将得到的ec2类型的token值返回给请求者。当然,我们举例的url为http://,则不会路由到ec2_extension filter上的资源。

2.6 user_crud_extension filter处理


paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

#/keystone/contrib/user_crud/ CrudExtension(wsgi.ExtensionRouter):    """Provides a subset of CRUD operations for internal data types."""    def add_routes(self, mapper):        user_controller = UserController()        mapper.connect('/OS-KSCRUD/users/{user_id}',                       controller=user_controller,                       action='set_user_password',                       conditions=dict(method=['PATCH']))

user_crud_extension filter处理与ec2_extension filter处理类似,且它们有相同的父类,这里user_crud_extension filter只是增加了一个route。

其实大部分route都在public_service filter上。

2.7 public_service app处理


paste.app_factory = keystone.service:public_app_factory

#/keystone/ public_app_factory(global_conf, **local_conf):    controllers.register_version('v2.0')    return wsgi.ComposingRouter(routes.Mapper(),                                [assignment.routers.Public(),                                 token.routers.Router(),                                 routers.VersionV2('public'),                                 routers.Extension(False)])#/keystone/common/ ComposingRouter(Router):    def __init__(self, mapper=None, routers=None):        if mapper is None:            mapper = routes.Mapper()        if routers is None:            routers = []        for router in routers:            router.add_routes(mapper)        super(ComposingRouter, self).__init__(mapper)


#/keystone/assignment/ Public(wsgi.ComposableRouter):    def add_routes(self, mapper):        tenant_controller = controllers.TenantAssignment()        mapper.connect('/tenants',                       controller=tenant_controller,                       action='get_projects_for_token',                       conditions=dict(method=['GET']))#/keystone/token/ Router(wsgi.ComposableRouter):    def add_routes(self, mapper):        token_controller = controllers.Auth()        mapper.connect('/tokens',                       controller=token_controller,                       action='authenticate',                       conditions=dict(method=['POST']))        mapper.connect('/tokens/revoked',                       controller=token_controller,                       action='revocation_list',                       conditions=dict(method=['GET']))        mapper.connect('/tokens/{token_id}',                       controller=token_controller,                       action='validate_token',                       conditions=dict(method=['GET']))        # NOTE(morganfainberg): For policy enforcement reasons, the        # ``validate_token_head`` method is still used for HEAD requests.        # The controller method makes the same call as the validate_token        # call and lets wsgi.render_response remove the body data.        mapper.connect('/tokens/{token_id}',                       controller=token_controller,                       action='validate_token_head',                       conditions=dict(method=['HEAD']))        mapper.connect('/tokens/{token_id}',                       controller=token_controller,                       action='delete_token',                       conditions=dict(method=['DELETE']))        mapper.connect('/tokens/{token_id}/endpoints',                       controller=token_controller,                       action='endpoints',                       conditions=dict(method=['GET']))        # Certificates used to verify auth tokens        mapper.connect('/certificates/ca',                       controller=token_controller,                       action='ca_cert',                       conditions=dict(method=['GET']))        mapper.connect('/certificates/signing',                       controller=token_controller,                       action='signing_cert',                       conditions=dict(method=['GET']))#/keystone/ VersionV2(wsgi.ComposableRouter):    def __init__(self, description):        self.description = description    def add_routes(self, mapper):        version_controller = controllers.Version(self.description)        mapper.connect('/',                       controller=version_controller,                       action='get_version_v2')#/keystone/ Extension(wsgi.ComposableRouter):    def __init__(self, is_admin=True):        if is_admin:            self.controller = controllers.AdminExtensions()        else:            self.controller = controllers.PublicExtensions()    def add_routes(self, mapper):        extensions_controller = self.controller        mapper.connect('/extensions',                       controller=extensions_controller,                       action='get_extensions_info',                       conditions=dict(method=['GET']))        mapper.connect('/extensions/{extension_alias}',                       controller=extensions_controller,                       action='get_extension_info',                       conditions=dict(method=['GET']))



DEBUG (session:197) REQ: curl -g -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'







#/keystone/token/    @controller.v2_deprecated    def authenticate(self, context, auth=None):        """Authenticate credentials and return a token.        Accept auth as a dict that looks like::            {                "auth":{                    "passwordCredentials":{                        "username":"test_user",                        "password":"mypass"                    },                    "tenantName":"customer-x"                }            }        In this case, tenant is optional, if not provided the token will be        considered "unscoped" and can later be used to get a scoped token.        Alternatively, this call accepts auth with only a token and tenant        that will return a token that is scoped to that tenant.        """        if auth is None:            raise exception.ValidationError(attribute='auth',                                            target='request body')        if "token" in auth:            # Try to authenticate using a token            auth_info = self._authenticate_token(                context, auth)        else:            # Try external authentication            try:                auth_info = self._authenticate_external(                    context, auth)            except ExternalAuthNotApplicable:                # Try local authentication                auth_info = self._authenticate_local(                    context, auth)        user_ref, tenant_ref, metadata_ref, expiry, bind, audit_id = auth_info        # Validate that the auth info is valid and nothing is disabled        try:            self.identity_api.assert_user_enabled(                user_id=user_ref['id'], user=user_ref)            if tenant_ref:                self.resource_api.assert_project_enabled(                    project_id=tenant_ref['id'], project=tenant_ref)        except AssertionError as e:            six.reraise(exception.Unauthorized, exception.Unauthorized(e),                        sys.exc_info()[2])        # NOTE(morganfainberg): Make sure the data is in correct form since it        # might be consumed external to Keystone and this is a v2.0 controller.        # The user_ref is encoded into the auth_token_data which is returned as        # part of the token data. The token provider doesn't care about the        # format.        user_ref = self.v3_to_v2_user(user_ref)        if tenant_ref:            tenant_ref = self.v3_to_v2_project(tenant_ref)        auth_token_data = self._get_auth_token_data(user_ref,                                                    tenant_ref,                                                    metadata_ref,                                                    expiry,                                                    audit_id)        if tenant_ref:            catalog_ref = self.catalog_api.get_catalog(                user_ref['id'], tenant_ref['id'])        else:            catalog_ref = {}        auth_token_data['id'] = 'placeholder'        if bind:            auth_token_data['bind'] = bind        roles_ref = []        for role_id in metadata_ref.get('roles', []):            role_ref = self.role_api.get_role(role_id)            roles_ref.append(dict(name=role_ref['name']))        (token_id, token_data) = self.token_provider_api.issue_v2_token(            auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)        # NOTE(wanghong): We consume a trust use only when we are using trusts        # and have successfully issued a token.        if and 'trust_id' in auth:            self.trust_api.consume_use(auth['trust_id'])        return token_data
2.7.1 验证HTTP请求


{u'tenantName': u'admin', u'passwordCredentials': {u'username': u'admin', u'password': u'admin'}}



"auth": {"tenantName": "admin","token": {"id": "9b390c37959f44b5ad5e8b2aa403267a "}}


curl -g -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient"-d '{"auth": {"tenantName": "admin","token": {"id": "9b390c37959f44b5ad5e8b2aa403267a"}}}'



#/keystone/token/    def _authenticate_local(self, context, auth):        """Try to authenticate against the identity backend.        Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)        """        if 'passwordCredentials' not in auth:            raise exception.ValidationError(                attribute='passwordCredentials', target='auth')        if "password" not in auth['passwordCredentials']:            raise exception.ValidationError(                attribute='password', target='passwordCredentials')        password = auth['passwordCredentials']['password']        if password and len(password) > CONF.identity.max_password_length:            raise exception.ValidationSizeError(                attribute='password', size=CONF.identity.max_password_length)        if (not auth['passwordCredentials'].get("userId") and                not auth['passwordCredentials'].get("username")):            raise exception.ValidationError(                attribute='username or userId',                target='passwordCredentials')        user_id = auth['passwordCredentials'].get('userId')        if user_id and len(user_id) > CONF.max_param_size:            raise exception.ValidationSizeError(attribute='userId',                                                size=CONF.max_param_size)        username = auth['passwordCredentials'].get('username', '')        if username:            if len(username) > CONF.max_param_size:                raise exception.ValidationSizeError(attribute='username',                                                    size=CONF.max_param_size)            try:                user_ref = self.identity_api.get_user_by_name(                    username, CONF.identity.default_domain_id)                user_id = user_ref['id']            except exception.UserNotFound as e:                raise exception.Unauthorized(e)        try:            user_ref = self.identity_api.authenticate(                context,                user_id=user_id,                password=password)        except AssertionError as e:            raise exception.Unauthorized(e.args[0])        metadata_ref = {}        tenant_id = self._get_project_id_from_auth(auth)        tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(            user_id, tenant_id)        expiry = provider.default_expire_time()        bind = None        audit_id = None        return (user_ref, tenant_ref, metadata_ref, expiry, bind, audit_id)



user_ref = self.identity_api.authenticate(





#/keystone/identity/    @notifications.emit_event('authenticate')    @domains_configured    @exception_translated('assertion')    def authenticate(self, context, user_id, password):        domain_id, driver, entity_id = (            self._get_domain_driver_and_entity_id(user_id))        ref = driver.authenticate(entity_id, password)        return self._set_domain_id_and_mapping(            ref, domain_id, driver, mapping.EntityType.USER)#/keystone/identity/    def _get_domain_driver_and_entity_id(self, public_id):        """Look up details using the public ID.        :param public_id: the ID provided in the call        :returns: domain_id, which can be None to indicate that the driver                  in question supports multiple domains                  driver selected based on this domain                  entity_id which will is understood by the driver.        Use the mapping table to look up the domain, driver and local entity        that is represented by the provided public ID.  Handle the situations        were we do not use the mapping (e.g. single driver that understands        UUIDs etc.)        """        conf = CONF.identity        # First, since we don't know anything about the entity yet, we must        # assume it needs mapping, so long as we are using domain specific        # drivers.        if conf.domain_specific_drivers_enabled:            local_id_ref = self.id_mapping_api.get_id_mapping(public_id)            if local_id_ref:                return (                    local_id_ref['domain_id'],                    self._select_identity_driver(local_id_ref['domain_id']),                    local_id_ref['local_id'])        # So either we are using multiple drivers but the public ID is invalid        # (and hence was not found in the mapping table), or the public ID is        # being handled by the default driver.  Either way, the only place left        # to look is in that standard driver. However, we don't yet know if        # this driver also needs mapping (e.g. LDAP in non backward        # compatibility mode).        driver = self.driver        if driver.generates_uuids():            if driver.is_domain_aware:                # No mapping required, and the driver can handle the domain                # information itself.  The classic case of this is the                # current SQL driver.                return (None, driver, public_id)            else:                # Although we don't have any drivers of this type, i.e. that                # understand UUIDs but not domains, conceptually you could.                return (conf.default_domain_id, driver, public_id)        # So the only place left to find the ID is in the default driver which        # we now know doesn't generate UUIDs        if not CONF.identity_mapping.backward_compatible_ids:            # We are not running in backward compatibility mode, so we            # must use a mapping.            local_id_ref = self.id_mapping_api.get_id_mapping(public_id)            if local_id_ref:                return (                    local_id_ref['domain_id'],                    driver,                    local_id_ref['local_id'])            else:                raise exception.PublicIDNotFound(id=public_id)        # If we reach here, this means that the default driver        # requires no mapping - but also doesn't understand domains        # (e.g. the classic single LDAP driver situation). Hence we pass        # back the public_ID unmodified and use the default domain (to        # keep backwards compatibility with existing installations).        #        # It is still possible that the public ID is just invalid in        # which case we leave this to the caller to check.        return (conf.default_domain_id, driver, public_id)

这里我们重点关注从_get_domain_driver_and_entity_id函数返回的driver是什么?从上面的代码可以看出driver= self.driver,那么我们看看Manger类如何定义driver的?

#/keystone/identity/'identity_api')@dependency.requires('assignment_api', 'credential_api', 'id_mapping_api',                     'resource_api', 'revoke_api')class Manager(manager.Manager):    """Default pivot point for the Identity backend.    See :mod:`keystone.common.manager.Manager` for more details on how this    dynamically calls the backend.    This class also handles the support of domain specific backends, by using    the DomainConfigs class. The setup call for DomainConfigs is called    from with the @domains_configured wrapper in a lazy loading fashion    to get around the fact that we can't satisfy the assignment api it needs    from within our __init__() function since the assignment driver is not    itself yet initialized.    Each of the identity calls are pre-processed here to choose, based on    domain, which of the drivers should be called. The non-domain-specific    driver is still in place, and is used if there is no specific driver for    the domain in question (or we are not using multiple domain drivers).    Starting with Juno, in order to be able to obtain the domain from    just an ID being presented as part of an API call, a public ID to domain    and local ID mapping is maintained.  This mapping also allows for the local    ID of drivers that do not provide simple UUIDs (such as LDAP) to be    referenced via a public facing ID.  The mapping itself is automatically    generated as entities are accessed via the driver.    This mapping is only used when:    - the entity is being handled by anything other than the default driver, or    - the entity is being handled by the default LDAP driver and backward    compatible IDs are not required.    This means that in the standard case of a single SQL backend or the default    settings of a single LDAP backend (since backward compatible IDs is set to    True by default), no mapping is used. An alternative approach would be to    always use the mapping table, but in the cases where we don't need it to    make the public and local IDs the same. It is felt that not using the    mapping by default is a more prudent way to introduce this functionality.    """    _USER = 'user'    _GROUP = 'group'    def __init__(self):        super(Manager, self).__init__(CONF.identity.driver)        self.domain_configs = DomainConfigs()        self.event_callbacks = {            notifications.ACTIONS.deleted: {                'domain': [self._domain_deleted],            },        }#/keystone/common/ Manager(object):    """Base class for intermediary request layer.    The Manager layer exists to support additional logic that applies to all    or some of the methods exposed by a service that are not specific to the    HTTP interface.    It also provides a stable entry point to dynamic backends.    An example of a probable use case is logging all the calls.    """    def __init__(self, driver_name):        self.driver = importutils.import_object(driver_name)    def __getattr__(self, name):        """Forward calls to the underlying driver."""        f = getattr(self.driver, name)        setattr(self, name, f)        return f


        cfg.StrOpt('driver',                   default=('keystone.identity.backends'                            '.sql.Identity'),                   help='Identity backend driver.'),



我们发现driver的值是/keystone/identity/backends/sql.py中的Identity对象。所以/keystone/identity/core.py中Manager类中的authenticate函数此代码(ref= driver.authenticate(entity_id, password))将调用/keystone/identity/backends/sql.py中的Identity对象中的authenticate函数。

   #/keystone/identity/backends/ Identity interface    def authenticate(self, user_id, password):        session = sql.get_session()        user_ref = None        try:            user_ref = self._get_user(session, user_id)        except exception.UserNotFound:            raise AssertionError(_('Invalid user / password'))        if not self._check_password(password, user_ref):            raise AssertionError(_('Invalid user / password'))        return identity.filter_user(user_ref.to_dict())   #/keystone/identity/backends/    def _get_user(self, session, user_id):        user_ref = session.query(User).get(user_id)        if not user_ref:            raise exception.UserNotFound(user_id=user_id)        return user_ref#/keystone/identity/backends/ User(sql.ModelBase, sql.DictBase):    __tablename__ = 'user'    attributes = ['id', 'name', 'domain_id', 'password', 'enabled',                  'default_project_id']    id = sql.Column(sql.String(64), primary_key=True)    name = sql.Column(sql.String(255), nullable=False)    domain_id = sql.Column(sql.String(64), nullable=False)    password = sql.Column(sql.String(128))    enabled = sql.Column(sql.Boolean)    extra = sql.Column(sql.JsonBlob())    default_project_id = sql.Column(sql.String(64))    # Unique constraint across two columns to create the separation    # rather than just only 'name' being unique    __table_args__ = (sql.UniqueConstraint('domain_id', 'name'), {})    def to_dict(self, include_extra_dict=False):        d = super(User, self).to_dict(include_extra_dict=include_extra_dict)        if 'default_project_id' in d and d['default_project_id'] is None:            del d['default_project_id']        return d

/keystone/identity/backends/sql.py中的Identity对象中的authenticate函数首先调用_get_user函数,该函数根据user id从keystone数据库中的user表查询user的相关信息,其中查询的user信息中包括加密后的user的密码信息。如我环境中的keystone数据库中的user表数据。

MariaDB [keystone]> select * from user;


| id                               | name       | extra                             | password                                                                                                                | enabled | domain_id | default_project_id               |


| 1677a7f58d7d4c98a56f8c2be5e16068 | neutron    | {"email": "neutron@localhost"}    | $6$rounds=40000$S7Zg3JPb/iFgH0aw$/fnQFBc.pYH8wsOSxBWhDHevIx2zTphl0eSxb6akKNoXUgbUDc9pb5TXNhL3xgGms6RVZm1BFxDK48R2LHPgv0 |       1 | default   | c9960b417968496387e6b96a244cc2be |

| 7a0fd47f67e94d6e99fe6f0298067102 | cinder     | {"email": "cinder@localhost"}     | $6$rounds=40000$EZp3iGcBcL9CpXbt$wN/qjTr2m.0PBkXz/HYGcf65QXm0qPqlVTE9n84U1lXqmS1JsdJnxRno8eptuPcVUV91mx39b449FYMfMnuXT/ |       1 | default   | c9960b417968496387e6b96a244cc2be |

| bde55802097c475592741efc5096d90a | nova       | {"email": "nova@localhost"}       | $6$rounds=40000$ezqZ86aPM0o1J8DH$hS2cBDqAzminTsL9x7H/kIV6PfLQKude6Z.JQ2ugnW.aBF0n4sevPZVibK30DGrP9/0sY7J5HzBwlmKsCYM8./ |       1 | default   | c9960b417968496387e6b96a244cc2be |

| d317cfbab4544707a5f323fc1317cf65 | glance     | {"email": "glance@localhost"}     | $6$rounds=40000$fyCPnCYRF.t6.2Se$PRcMbqExrngnZPAhKiX7BME.MEh7k19VcN.L5GbjeTprXcbODM.ntSd2ezsKuhIx/LMU9ezgPZz0ki92XZTTZ0 |       1 | default   | c9960b417968496387e6b96a244cc2be |

| e4ea11ef20e0439596b4df43cb7687ac | ceilometer | {"email": "ceilometer@localhost"} | $6$rounds=40000$k9qUckdICo7hY6ZD$4ccb/TkTklY9iRATB9V/DJZoQVigvFGjhJH1nBC19VAW.FIXbCf27yyfIJfpHtCIYR8gsfsQA6cDHNiY3dCHw. |       1 | default   | c9960b417968496387e6b96a244cc2be |

| f59f17d8e9774eef8730b23ecdc86a4b | admin      | {"email": "root@localhost"}       | $6$rounds=40000$rPma7p.3qcixVvDW$/rCywiBa74Jg2J7z/m5zH5a.poLSd4haDKgpSJEfa4IK3j.HPbOnClFYO4Nd4ADiTOxX/OUuc2N4Fr8dy/BHx1 |       1 | default   | 09e04766c06d477098201683497d3878 |


6 rows in set (0.00 sec)

   #/keystone/identity/backends/    def _check_password(self, password, user_ref):        """Check the specified password against the data store.        Note that we'll pass in the entire user_ref in case the subclass        needs things like user_ref.get('name')        For further justification, please see the follow up suggestion at        """        return utils.check_password(password, user_ref.password)#/keystone/common/utils.pydef check_password(password, hashed):    """Check that a plaintext password matches hashed.    hashpw returns the salt value concatenated with the actual hash value.    It extracts the actual salt if this value is then passed as the salt.    """    if password is None or hashed is None:        return False    password_utf8 = verify_length_and_trunc_password(password).encode('utf-8')    return passlib.hash.sha512_crypt.verify(password_utf8, hashed)





auth_info: ({'domain_id': u'default',

                   'name': u'admin',

                   'id': u'f59f17d8e9774eef8730b23ecdc86a4b',

                   'enabled': True,

                   u'email': u'root@localhost',

                   'default_project_id': u'09e04766c06d477098201683497d3878'



                   'description': u'admin tenant',

                   'enabled': True,

                   'id': u'09e04766c06d477098201683497d3878',

                   'parent_id': None,

                   'domain_id': u'default',

                   'name': u'admin'



                   {'roles': [u'397eaf49b01549dab8be01804bec7972']},


                   datetime.datetime(2016, 3, 24, 13, 8, 30, 626964),





2.7.2 auth_info格式处理
        user_ref = self.v3_to_v2_user(user_ref)        if tenant_ref:            tenant_ref = self.v3_to_v2_project(tenant_ref)        auth_token_data = self._get_auth_token_data(user_ref,                                                    tenant_ref,                                                    metadata_ref,                                                    expiry,                                                    audit_id)


auth_token_data: {'expires': datetime.datetime(2016, 3, 24, 13, 8, 30, 626964),

                             'parent_audit_id': None,

                             'user': {'username': u'admin',

                                      'name': u'admin',

                                      'id': u'f59f17d8e9774eef8730b23ecdc86a4b',

                                      'enabled': True,

                                      u'email': u'root@localhost',

                                      'tenantId': u'09e04766c06d477098201683497d3878'


                             'tenant': {'description': u'admin tenant',

                                       'enabled': True,

                                       'id': u'09e04766c06d477098201683497d3878',

                                       'name': u'admin'


                             'metadata': {'roles': [u'397eaf49b01549dab8be01804bec7972']}


2.7.3 获取catalog信息
        if tenant_ref:            catalog_ref = self.catalog_api.get_catalog(                user_ref['id'], tenant_ref['id'])        else:            catalog_ref = {}


#keystone/catalog/    def get_catalog(self, user_id, tenant_id):        try:            return self.driver.get_catalog(user_id, tenant_id)        except exception.NotFound:            raise exception.NotFound('Catalog not found for user and tenant')


#keystone/catalog/'catalog_api')class Manager(manager.Manager):    """Default pivot point for the Catalog backend.    See :mod:`keystone.common.manager.Manager` for more details on how this    dynamically calls the backend.    """    _ENDPOINT = 'endpoint'    _SERVICE = 'service'    _REGION = 'region'    def __init__(self):        super(Manager, self).__init__(CONF.catalog.driver)#/keystone/common/ Manager(object):    """Base class for intermediary request layer.    The Manager layer exists to support additional logic that applies to all    or some of the methods exposed by a service that are not specific to the    HTTP interface.    It also provides a stable entry point to dynamic backends.    An example of a probable use case is logging all the calls.    """    def __init__(self, driver_name):        self.driver = importutils.import_object(driver_name)    def __getattr__(self, name):        """Forward calls to the underlying driver."""        f = getattr(self.driver, name)        setattr(self, name, f)        return f

所以self.driver为keystone配置文件中catalog section设置的driver对象(查看/keystone/backends.py的load_backends函数中的定义)。如下

        cfg.StrOpt('driver',                   default='keystone.catalog.backends.sql.Catalog',                   help='Catalog backend driver.'),


#/keystone/catalog/backends/    def get_catalog(self, user_id, tenant_id):        """Retrieve and format the V2 service catalog.        :param user_id: The id of the user who has been authenticated for            creating service catalog.        :param tenant_id: The id of the project. 'tenant_id' will be None            in the case this being called to create a catalog to go in a            domain scoped token. In this case, any endpoint that requires            a tenant_id as part of their URL will be skipped (as would a whole            service if, as a consequence, it has no valid endpoints).        :returns: A nested dict representing the service catalog or an                  empty dict.        """        substitutions = dict(            itertools.chain(six.iteritems(CONF),                            six.iteritems(CONF.eventlet_server)))        substitutions.update({'user_id': user_id})        silent_keyerror_failures = []        if tenant_id:            substitutions.update({'tenant_id': tenant_id})        else:            silent_keyerror_failures = ['tenant_id']        session = sql.get_session()        endpoints = (session.query(Endpoint).                     options(sql.joinedload(Endpoint.service)).                     filter(Endpoint.enabled == true()).all())        catalog = {}        for endpoint in endpoints:            if not endpoint.service['enabled']:                continue            try:                formatted_url = core.format_url(                    endpoint['url'], substitutions,                    silent_keyerror_failures=silent_keyerror_failures)                if formatted_url is not None:                    url = formatted_url                else:                    continue            except exception.MalformedEndpoint:                continue  # this failure is already logged in format_url()            region = endpoint['region_id']            service_type = endpoint.service['type']            default_service = {                'id': endpoint['id'],                'name': endpoint.service.extra.get('name', ''),                'publicURL': ''            }            catalog.setdefault(region, {})            catalog[region].setdefault(service_type, default_service)            interface_url = '%sURL' % endpoint['interface']            catalog[region][service_type][interface_url] = url        return catalog


#/keystone/catalog/backends/ Endpoint(sql.ModelBase, sql.DictBase):    __tablename__ = 'endpoint'    attributes = ['id', 'interface', 'region_id', 'service_id', 'url',                  'legacy_endpoint_id', 'enabled']    id = sql.Column(sql.String(64), primary_key=True)    legacy_endpoint_id = sql.Column(sql.String(64))    interface = sql.Column(sql.String(8), nullable=False)    region_id = sql.Column(sql.String(255),                           sql.ForeignKey('',                                          ondelete='RESTRICT'),                           nullable=True,                           default=None)    service_id = sql.Column(sql.String(64),                            sql.ForeignKey(''),                            nullable=False)    url = sql.Column(sql.Text(), nullable=False)    enabled = sql.Column(sql.Boolean, nullable=False, default=True,                         server_default=sqlalchemy.sql.expression.true())    extra = sql.Column(sql.JsonBlob())


MariaDB [keystone]> select * from endpoint;


| id                               | legacy_endpoint_id               | interface | service_id                       | url                                        | extra | enabled | region_id |


| 03966fa6606945b985d8ff3ba1912f00 | 5e483b6c64fd44158215b3e285a3614a | admin     | f3f4b449f7244b28b65940af94fd8a47 | | {}    |       1 | RegionOne |

| 0ab5626e37714ead9c1be3a7fb322d66 | 5e483b6c64fd44158215b3e285a3614a | internal  | f3f4b449f7244b28b65940af94fd8a47 | | {}    |       1 | RegionOne |

| 11b8c840c71c4258a644bf93ddee8d0f | da4a4ab4857840b0aa9d7c5acc4c82e3 | admin     | 9e0e0000b90645cc8a5fcbcc7ad3b02c |            | {}    |       1 | RegionOne |

| 16b0ed99d09044229a7c67992f514aa3 | 5e483b6c64fd44158215b3e285a3614a | public    | f3f4b449f7244b28b65940af94fd8a47 | | {}    |       1 | RegionOne |

| 1a22050d1c404a1fa257b7de8453f7b5 | 6870936c855741319bdbd915a9284f19 | admin     | bcc3368ce9384e63ac5f8f4c894f232a | | {}    |       1 | RegionOne |

| 1b6b0ae5906345d3a6ec0352c97e724d | 58abac45c14c44879d39e5c9c65dab61 | internal  | 7a4407c4eb7a4f2c97813b0d0a9729ab |   | {}    |       1 | RegionOne |

| 3572f3870f21445bb82c5e622d87f5cd | 58abac45c14c44879d39e5c9c65dab61 | public    | 7a4407c4eb7a4f2c97813b0d0a9729ab |   | {}    |       1 | RegionOne |

| 3d9c418b79f641a291a885fe20ec6a84 | f5173bb8e2ca4cefb4c0cc123c6a4b58 | admin     | 2a2b254ccf6742a2af7f2736c5246b13 |                  | {}    |       1 | RegionOne |

| 4095ec6b1d9c4e3ba87994a90a0d1ed5 | 278489f69a414670b5e66e03db79e580 | internal  | c333b7e90e8742c6adf726f199338f04 |               | {}    |       1 | RegionOne |

| 40a799e5ac0f4731bd2206299f303917 | da4a4ab4857840b0aa9d7c5acc4c82e3 | public    | 9e0e0000b90645cc8a5fcbcc7ad3b02c |             | {}    |       1 | RegionOne |

| 589ae871719c46308e7179271c66e43a | 58abac45c14c44879d39e5c9c65dab61 | admin     | 7a4407c4eb7a4f2c97813b0d0a9729ab |   | {}    |       1 | RegionOne |

| 63e42f266d9b432abdbf6f62da6bffaa | 6870936c855741319bdbd915a9284f19 | internal  | bcc3368ce9384e63ac5f8f4c894f232a | | {}    |       1 | RegionOne |

| 65560ec5eed64581a72f4ac3d1fa519d | 4cbcc6153af54f40b4bf5e7fe3e60533 | admin     | c90e95ef71164659beb0fa413b4a292f | | {}    |       1 | RegionOne |

| 65c0727bdee74006bec9fbd3ca6f90a6 | f5173bb8e2ca4cefb4c0cc123c6a4b58 | internal  | 2a2b254ccf6742a2af7f2736c5246b13 |                  | {}    |       1 | RegionOne |

| 6ecc803364da42b7a250bf9fe2e71cc4 | 45bf231a5a9a41eea1b879132b152dda | internal  | c75d6dc0a8574c979ccdc1ea44ad41b2 |                 | {}    |       1 | RegionOne |

| 6fb8352c59f141dfb69725f0a7a81280 | 6870936c855741319bdbd915a9284f19 | public    | bcc3368ce9384e63ac5f8f4c894f232a | | {}    |       1 | RegionOne |

| 7cd86837358f4c19bb551fe3c36fadf9 | 2e8e4627677f4cec8e4aaee2c61e064b | public    | 591dfc7f5b434674bf3566646ffb37ec |                  | {}    |       1 | RegionOne |

| 7f980243a75740378e1ac27c0b9cc8fd | 45bf231a5a9a41eea1b879132b152dda | public    | c75d6dc0a8574c979ccdc1ea44ad41b2 |                 | {}    |       1 | RegionOne |

| 8fb40f64a7024518bce652cbf1bba9cd | 4cbcc6153af54f40b4bf5e7fe3e60533 | public    | c90e95ef71164659beb0fa413b4a292f | | {}    |       1 | RegionOne |

| a4b0a96daca1412891c299783527f648 | 45bf231a5a9a41eea1b879132b152dda | admin     | c75d6dc0a8574c979ccdc1ea44ad41b2 |                 | {}    |       1 | RegionOne |

| be2bdd1ed6fc4232b46be46548a292e9 | da4a4ab4857840b0aa9d7c5acc4c82e3 | internal  | 9e0e0000b90645cc8a5fcbcc7ad3b02c |             | {}    |       1 | RegionOne |

| c38c9bf499b64d8d8eee0a0e226e84df | 2e8e4627677f4cec8e4aaee2c61e064b | admin     | 591dfc7f5b434674bf3566646ffb37ec |                  | {}    |       1 | RegionOne |

| c77d7cfc578f4299ae3e6e0c78e23cc9 | 2e8e4627677f4cec8e4aaee2c61e064b | internal  | 591dfc7f5b434674bf3566646ffb37ec |                  | {}    |       1 | RegionOne |

| c7c6ca1359ab424e9fdac3c407ce45c9 | f5173bb8e2ca4cefb4c0cc123c6a4b58 | public    | 2a2b254ccf6742a2af7f2736c5246b13 |                  | {}    |       1 | RegionOne |

| db973fd1d8cd46699325be0912abda75 | 278489f69a414670b5e66e03db79e580 | admin     | c333b7e90e8742c6adf726f199338f04 |               | {}    |       1 | RegionOne |

| de47b4c075ab4402bf57111bc84dcb50 | 4cbcc6153af54f40b4bf5e7fe3e60533 | internal  | c90e95ef71164659beb0fa413b4a292f | | {}    |       1 | RegionOne |

| e29c0a5af91b4e32834b5b93629bffe5 | 278489f69a414670b5e66e03db79e580 | public    | c333b7e90e8742c6adf726f199338f04 |               | {}    |       1 | RegionOne |



MariaDB [keystone]> select count(*) from endpoint;


| count(*) |


|       27 |


1 row in set (0.05 sec)

即在数据库中endpoint表有27条信息。每个服务会占3条endpoint(URL)信息,即adminURL, publicURL和internalURL,所以总共有9个服务的endpoint在OpenStack上。这9个service在keystone数据库中的service表中保存。

MariaDB [keystone]> select * from service;


| id                               | type      | enabled | extra                                                               |


| 2a2b254ccf6742a2af7f2736c5246b13 | metering  |       1 | {"name": "ceilometer", "description": "Openstack Metering Service"} |

| 591dfc7f5b434674bf3566646ffb37ec | image     |       1 | {"name": "glance", "description": "OpenStack Image Service"}        |

| 7a4407c4eb7a4f2c97813b0d0a9729ab | ec2       |       1 | {"name": "nova_ec2", "description": "EC2 Service"}                  |

| 9e0e0000b90645cc8a5fcbcc7ad3b02c | identity  |       1 | {"name": "keystone", "description": "OpenStack Identity Service"}   |

| bcc3368ce9384e63ac5f8f4c894f232a | volumev2  |       1 | {"name": "cinderv2", "description": "Cinder Service v2"}            |

| c333b7e90e8742c6adf726f199338f04 | computev3 |       1 | {"name": "novav3", "description": "Openstack Compute Service v3"}   |

| c75d6dc0a8574c979ccdc1ea44ad41b2 | network   |       1 | {"name": "neutron", "description": "Neutron Networking Service"}    |

| c90e95ef71164659beb0fa413b4a292f | volume    |       1 | {"name": "cinder", "description": "Cinder Service"}                 |

| f3f4b449f7244b28b65940af94fd8a47 | compute   |       1 | {"name": "nova", "description": "Openstack Compute Service"}        |



MariaDB [keystone]> select count(*) from service;


| count(*) |


|        9 |


1 row in set (0.07 sec)



{u'RegionOne': {

                u'compute': {u'adminURL': u'',

                              'publicURL': u'',

                              'id': u'03966fa6606945b985d8ff3ba1912f00',

                             u'internalURL': u'',

                              'name': u'nova'


                u'network': {u'adminURL': u'',

                              'publicURL': u'',

                              'id': u'6ecc803364da42b7a250bf9fe2e71cc4',

                             u'internalURL': u'',

                              'name': u'neutron'


                u'volumev2': {u'adminURL': u'',

                               'publicURL': u'',

                               'id': u'1a22050d1c404a1fa257b7de8453f7b5',

                              u'internalURL': u'',

                               'name': u'cinderv2'


                u'computev3': {u'adminURL': u'',

                                'publicURL': u'',

                                'id': u'4095ec6b1d9c4e3ba87994a90a0d1ed5',

                               u'internalURL': u'',

                                'name': u'novav3'


                u'image': {u'adminURL': u'',

                            'publicURL': u'',

                            'id': u'7cd86837358f4c19bb551fe3c36fadf9',

                           u'internalURL': u'',

                            'name': u'glance'


                u'metering': {u'adminURL': u'',

                               'publicURL': u'',

                               'id': u'3d9c418b79f641a291a885fe20ec6a84',

                              u'internalURL': u'',

                               'name': u'ceilometer'


                u'volume': {u'adminURL': u'',

                             'publicURL': u'',

                             'id': u'65560ec5eed64581a72f4ac3d1fa519d',

                            u'internalURL': u'',

                             'name': u'cinder'


                u'ec2': {u'adminURL': u'',

                          'publicURL': u'',

                          'id': u'1b6b0ae5906345d3a6ec0352c97e724d',

                         u'internalURL': u'',

                          'name': u'nova_ec2'


                u'identity': {u'adminURL': u'',

                               'publicURL': u'',

                               'id': u'11b8c840c71c4258a644bf93ddee8d0f',

                              u'internalURL': u'',

                               'name': u'keystone'




2.7.4 生成token id

生成token id执行的代码如下

        (token_id, token_data) = self.token_provider_api.issue_v2_token(            auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)

其中self.toekn_provider_api为/keystone/token/provider中的Manager对象 (查看/keystone/backends.py的load_backends函数中的定义)。

    #/keystone/token/ issue_v2_token(self, token_ref, roles_ref=None, catalog_ref=None):        token_id, token_data = self.driver.issue_v2_token(            token_ref, roles_ref, catalog_ref)        if self._needs_persistence:            data = dict(key=token_id,                        id=token_id,                        expires=token_data['access']['token']['expires'],                        user=token_ref['user'],                        tenant=token_ref['tenant'],                        metadata=token_ref['metadata'],                        token_data=token_data,                        bind=token_ref.get('bind'),                        trust_id=token_ref['metadata'].get('trust_id'),                        token_version=self.V2)            self._create_token(token_id, data)        return token_id, token_data


#/keystone/token/'token_provider_api')@dependency.requires('assignment_api', 'revoke_api')class Manager(manager.Manager):    """Default pivot point for the token provider backend.    See :mod:`keystone.common.manager.Manager` for more details on how this    dynamically calls the backend.    """    V2 = V2    V3 = V3    VERSIONS = VERSIONS    INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'    INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'    _persistence_manager = None    def __init__(self):        super(Manager, self).__init__(CONF.token.provider)        self._register_callback_listeners()#/keystone/common/ Manager(object):    """Base class for intermediary request layer.    The Manager layer exists to support additional logic that applies to all    or some of the methods exposed by a service that are not specific to the    HTTP interface.    It also provides a stable entry point to dynamic backends.    An example of a probable use case is logging all the calls.    """    def __init__(self, driver_name):        self.driver = importutils.import_object(driver_name)    def __getattr__(self, name):        """Forward calls to the underlying driver."""        f = getattr(self.driver, name)        setattr(self, name, f)        return f
        cfg.StrOpt('provider',                   default='keystone.token.providers.uuid.Provider',                   help='Controls the token construction, validation, and '                        'revocation operations. Core providers are '                        '"keystone.token.providers.[fernet|pkiz|pki|uuid].'                        'Provider".'),


#/keystone/token/providers/ Provider(common.BaseProvider):    def __init__(self, *args, **kwargs):        super(Provider, self).__init__(*args, **kwargs)    def _get_token_id(self, token_data):        return uuid.uuid4().hex    def needs_persistence(self):        """Should the token be written to a backend."""        return True#/keystone/token/providers/    def issue_v2_token(self, token_ref, roles_ref=None,                       catalog_ref=None):        metadata_ref = token_ref['metadata']        trust_ref = None        if and metadata_ref and 'trust_id' in metadata_ref:            trust_ref = self.trust_api.get_trust(metadata_ref['trust_id'])        token_data = self.v2_token_data_helper.format_token(            token_ref, roles_ref, catalog_ref, trust_ref)        token_id = self._get_token_id(token_data)        token_data['access']['token']['id'] = token_id        return token_id, token_data

最终token id通过_get_token_id函数进行生成,且为16进制的id(uuid.uuid4().hex)。且将生成的token id塞进返回给authenticate函数的token_data中。


{'access': {'token': {'issued_at': '2016-03-24T12:08:30.807133',

                      'expires': '2016-03-24T13:08:30Z',

                      'id': 'fcb6cd4b7c3e400baca630adf8d878cf',

                      'tenant': {'description': u'admin tenant',

                                 'enabled': True,

                                 'id': u'09e04766c06d477098201683497d3878',

                                 'name': u'admin'


                      'audit_ids': ['yjGRG7A-S6asfuvYLESR-g']


             'serviceCatalog': [

                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'03966fa6606945b985d8ff3ba1912f00',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'compute',

                                'name': u'nova'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'6ecc803364da42b7a250bf9fe2e71cc4',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'network',

                                'name': u'neutron'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'1a22050d1c404a1fa257b7de8453f7b5',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'volumev2',    

                                'name': u'cinderv2'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'4095ec6b1d9c4e3ba87994a90a0d1ed5',

                                                 'publicURL': u''


                                'endpoints_links': [], 

                                'type': u'computev3',

                                'name': u'novav3'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'7cd86837358f4c19bb551fe3c36fadf9',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'image',

                                'name': u'glance'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'3d9c418b79f641a291a885fe20ec6a84',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'metering',

                                'name': u'ceilometer'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'65560ec5eed64581a72f4ac3d1fa519d',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'volume',

                                'name': u'cinder'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'1b6b0ae5906345d3a6ec0352c97e724d',

                                                 'publicURL': u''


                                'endpoints_links': [],

                                'type': u'ec2',

                                'name': u'nova_ec2'


                                {'endpoints': [{u'adminURL': u'',

                                                 'region': u'RegionOne',

                                                u'internalURL': u'',

                                                 'id': u'11b8c840c71c4258a644bf93ddee8d0f',

                                                 'publicURL': u''


                                 'endpoints_links': [],

                                'type': u'identity',

                                'name': u'keystone'



             'user': {'username': u'admin',

                      'roles_links': [],

                      'id': u'f59f17d8e9774eef8730b23ecdc86a4b',

                      'roles': [{'name': u'admin'}],

                      'name': u'admin'


             'metadata': {'is_admin': 0, 'roles': [u'397eaf49b01549dab8be01804bec7972']}



所以当HTTP请求获取token信息时,keystone将会把token id和   各种服务的endpoint信息也一起返回给HTTP请求者,将上述的token_data(keystone返回的)与《nova list命令的代码流程分析》文章中keystoneclient收到的auth_ref信息做比较可知,两者信息几乎完全相同。

目前,authenticate函数的代码流程分析完成。即验证用户信息,获取endpoint列表,生成token id。


DEBUG (session:197) REQ: curl -g -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'


3. 总结


1. 分析了OpenStack创建WSGI server的代码流程。

WSGI server的父进程监听5000和35357端口获取keystone HTTP请求,然后将HTTP请求下发到合适的WSGIserver上。

2. 分析了keystone的HTTP请求的处理流程


2 0