Making ec2token middleware multi-cloud aware presents a
challenge as the API assumes there is only one cloud and
Heat must remain compatible. This means that unlike multi-cloud
heat-api, the request cannot explicitly say which endpoint it
wants to authenticate against.

However, it must be possible to make authenticated cfn requests
against a multi-cloud heat for the sake of cfntools requests.

The approach taken in this commit is to attempt authentication
against each configured allowed_auth_uris until one succeeds.

This is safe for the following reasons:

1. AWSAccessKeyId is a randomly generated sequence
2. No secret is transferred to validate a request

If all auth attempts fail, the last failed reason is raised
as the error to the user.
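
The try-each-endpoint behaviour described in the commit message, as an added sketch that is not the commit's code or Heat's own. `FakeCloud`, `sign`, `authenticate`, the HMAC-SHA256 signing scheme, and the URIs and keys are hypothetical, constructed stand-ins; only `allowed_auth_uris` comes from the message.

```python
import hashlib
import hmac


class AuthFailure(Exception):
    """Raised when an endpoint rejects the signed request."""


def sign(secret, string_to_sign):
    """Client-side signing; HMAC-SHA256 is an assumption of this sketch."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


class FakeCloud:
    """Stand-in for one cloud's identity service (hypothetical)."""
    def __init__(self, auth_uri, credentials):
        self.auth_uri = auth_uri
        self._credentials = credentials  # access key id -> secret, stays in this cloud
        self.received = []               # everything the middleware sent here

    def validate(self, access, signature, string_to_sign):
        self.received.append((access, signature, string_to_sign))
        secret = self._credentials.get(access)
        if secret is None:
            raise AuthFailure("%s: unknown access key" % self.auth_uri)
        if not hmac.compare_digest(sign(secret, string_to_sign), signature):
            raise AuthFailure("%s: signature mismatch" % self.auth_uri)
        return {"auth_uri": self.auth_uri, "access": access}


def authenticate(clouds, allowed_auth_uris, access, signature, string_to_sign):
    """Try each allowed auth URI in order; return the first success,
    otherwise raise the last failure seen."""
    last_error = AuthFailure("no allowed_auth_uris configured")
    for uri in allowed_auth_uris:
        try:
            return clouds[uri].validate(access, signature, string_to_sign)
        except AuthFailure as exc:
            last_error = exc
    raise last_error


# Constructed sample data: two clouds, each with its own credential store.
A_URI = "https://cloud-a.example/v3"
B_URI = "https://cloud-b.example/v3"
CLOUDS = {
    A_URI: FakeCloud(A_URI, {"AKIDAAAA1111": "secret-a"}),
    B_URI: FakeCloud(B_URI, {"AKIDBBBB2222": "secret-b"}),
}
```

The cloud that does not own the key sees only the access key id, the signature and the signed string, which is the basis for both safety reasons the message lists.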