Rackspace Auth User filter


The Rackspace Auth User filter enables Rackspace's identity service to extract usernames from authentication payloads for rate-limiting purposes. The filter will parse out, from both JSON and XML, the username in the request payload and place it in the X-PP-User header. Additionally, this filter will use the configured group name as the X-PP-Groups header, if it is able to parse out a username. These headers will have the quality assigned to them from the configuration or will the default. If the filter cannot parse a username, it will pass without modifying any headers.

In newer releases, if there is a domain in the request, then it is placed in the X-Domain header. Also if the domain is Rackspace, then Racker: is prepended to the the username in the X-PP-User header. The functionality was backported to v7.3.7.0 and will be included in v8.1.1.0 forward.

General filter information

Filter name: rackspace-auth-user

Filter configuration: rackspace-auth-user.xml

Released: version 3.1.1


Required headers: The Rackspace Auth User filter has no required request headers.

Required preceding filters: The Rackspace Auth User filter has no required preceding filters.

Recommended follow-on (succeeding) filters: Rate Limiting filter

Basic configuration

To enable Rackspace's identity service to extract usernames from authentication payloads with the Rackspace Auth User filter, edit the rackspace-auth-user.xml file.

1. Set Up Repose 
Configure Repose using either a cluster or a single instance configuration.

2. Add the Rackspace Auth User filter 
Add the Rackspace Auth User filter to your system model configuration. Place this filter before authentication filters.

3. Configure the Rackspace Auth User filter 

Within the rackspace-auth-user element:

  • Configure <v1_1> and <v2_0> for the versions of the Rackspace authentication service to parse. 
  • Optional elements and attributes are listed in the Configurable parameters table below.

In the following configuration, the filter is configured to parse payloads for the Auth 1.1 and Auth 2.0 contracts. Group and quality are optional elements.

Sample Rackspace Auth User configuration
<rackspace-auth-user xmlns='http://docs.openrepose.org/repose/rackspace-auth-user/v1.0'>
    <!-- Both of the version configurations are optional; however, if neither are specified, this filter is a no-op. -->
    <v1_1 content-body-read-limit="1234">
        <group>1_1 Group</group>
    <v2_0 content-body-read-limit="1234">
        <group>2_0 Group</group>

Configurable parameters

XML schema definition

Example configuration

Configure the Rackspace Auth User filter by editing the rackspace-auth-user.xml.  Add the filter to the Repose deployment through the system model configuration by editing the following elements and attributes.





<rackspace-auth-user>-RequiredSpecifies the sub-elements and attributes to define your Rackspace Auth User configuration.




Specifies which version of the Rackspace identity contract to parse the username from. Both <v1_1> and <v2_0> have the same attributes & abilities.

<group>-OptionalDefines the X-PP Groups header for this filter, including the quality. If no group is specified, Repose will default to the Pre_Auth group.

Defines the quality assigned to the header. For example, if the quality value is .7, the resulting header is X-PP-User: derp;q=0.7.
If no value is specified, Repose assigns the default value which is 0.6.

content-body-read-limitOptionalSpecifies the size of the content. The default value is 4 KB. If the the content exceeds the limit, Repose does not reject the request. It processes content up to the specified limit, and then stops.

Return codes and conditions

This filter does not return specific response codes. The request will simply pass through to the next filter or to the origin service.

Request headers created

The Rackspace Auth User filter will set X-PP-User and X-PP-Groups headers with the quality value that you configure. The default quality value is 0.6. If there is a domain in the response, the X-Domain header is also populated.

NOTE: The X-Domain header is only added in v7.3.7.0 and v8.1.1.0 forward and also modifies the username as appropriate.