Clean up how we keystone

The docs were recommending a bad config (see related change).

Related-Change: I21e38884a2aefbb94b76c76deccd815f01db7362
Change-Id: Idca96a39f552083b55dc5a86d14ee4357777d6fe

Author: tipabu

README.md

@@ -60,6 +60,7 @@ Note:
  * The authtoken filter requires the keystonemiddleware package.
  * Swift3 explicitly checks that keystoneauth is in the pipeline.  You must use this name
    in the pipeline statement and in [filter:keystoneauth] section header.
+ * The authtoken filter is only required if Keystone users will use the native Swift API.
 
 3) Add to your proxy-server.conf the section for the Swift3 WSGI filter::
 

etc/proxy-server.conf-sample

@@ -5,8 +5,11 @@
 # more middleware.
 #
 # Keystone pipeline
-# Note that s3token and authtoken require the keystonemiddleware package.
-pipeline = proxy-logging cache swift3 s3token authtoken keystoneauth bulk slo proxy-logging proxy-server
+# Note that authtoken requires the keystonemiddleware package.
+pipeline = proxy-logging cache swift3 s3token keystoneauth bulk slo proxy-logging proxy-server
+# Keystone pipeline with access via both S3 and native Swift API
+# Note that authtoken requires the keystonemiddleware package.
+# pipeline = proxy-logging cache authtoken swift3 s3token keystoneauth bulk slo proxy-logging proxy-server
 
 # Tempauth pipeline
 # pipeline = proxy-logging cache swift3 tempauth bulk slo proxy-logging proxy-server
@@ -173,13 +176,14 @@ http_timeout = 10.0
 
 [filter:authtoken]
 # See swift manual for more details.
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+use = egg:keystonemiddleware#auth_token
 identity_uri = http://keystonehost:35357/
 auth_uri = http://keystonehost:5000/
 admin_tenant_name = service
 admin_user = swift
 admin_password = password
 cache = swift.cache
+delay_auth_decision = True
 
 [filter:keystoneauth]
 # See swift manual for more details.

swift3/test/functional/conf/proxy-server.conf.in

@@ -9,7 +9,7 @@ account_autocreate = true
 log_level = DEBUG
 
 [pipeline:main]
-pipeline = catch_errors gatekeeper proxy-logging cache swift3 %MIDDLEWARE% bulk slo dlo proxy-logging proxy-server
+pipeline = catch_errors gatekeeper proxy-logging cache %MIDDLEWARE% bulk slo dlo proxy-logging proxy-server
 
 [app:proxy-server]
 use = egg:swift#proxy

swift3/test/functional/run_test.sh

@@ -27,9 +27,9 @@ mkdir -p ${TEST_DIR}/certs ${TEST_DIR}/private
 
 # create config files
 if [ "$AUTH" == 'keystone' ]; then
-    MIDDLEWARE="s3token keystoneauth"
+    MIDDLEWARE="swift3 s3token keystoneauth"
 elif [ "$AUTH" == 'tempauth' ]; then
-    MIDDLEWARE="tempauth"
+    MIDDLEWARE="swift3 tempauth"
 else
     echo "unknown auth: $AUTH"
     exit 1

swift3/test/functional/test_bucket.py

@@ -40,7 +40,26 @@ def test_bucket(self):
         self.assertEqual(status, 200)
 
         self.assertCommonResponseHeaders(headers)
-        self.assertEqual(headers['location'], '/' + bucket)
+        self.assertIn(headers['location'], (
+            '/' + bucket,  # swob won't touch it...
+            # but webob (which we get because of auth_token) *does*
+            'http://%s%s/%s' % (
+                self.conn.host,
+                '' if self.conn.port == 80 else ':%d' % self.conn.port,
+                bucket),
+            # This is all based on the Host header the client provided,
+            # and boto will double-up ports for sig v4. See
+            #   - https://github.com/boto/boto/issues/2623
+            #   - https://github.com/boto/boto/issues/3716
+            # with proposed fixes at
+            #   - https://github.com/boto/boto/pull/3513
+            #   - https://github.com/boto/boto/pull/3676
+            'http://%s%s:%d/%s' % (
+                self.conn.host,
+                '' if self.conn.port == 80 else ':%d' % self.conn.port,
+                self.conn.port,
+                bucket),
+        ))
         self.assertEqual(headers['content-length'], '0')
 
         # GET Bucket(Without Object)