Delayed denial should be allowed when service token is invalid

Bug #1422389 reported by Alistair Coles
Affects: keystonemiddleware
Status: Fix Released
Importance: Medium
Assigned to: Jamie Lennox

Bug Description

Currently an invalid service token will cause a request to be denied by auth_token middleware regardless of the setting of delay_auth_decision. This prevents service tokens being used with other auth middleware when auth_token co-exists in the wsgi pipeline, because auth_token will consider the other auth system's service token to be invalid and erroneously deny the request.

Devstack [1] and some production systems configure swift with auth_token and other auth middleware. Swift support for service tokens is currently in review [2] but functional tests will not pass using devstack unless auth_token allows delayed auth decisions when a service token is found but is invalid (i.e. same behavior as for X-Auth-Token).

[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30

description: updated
Changed in keystonemiddleware:
assignee: nobody → Alistair Coles (alistair-coles)
status: New → In Progress
Alistair Coles (alistair-coles) wrote:
Changed in keystonemiddleware:
assignee: Alistair Coles (alistair-coles) → Jamie Lennox (jamielennox)

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/153247
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=c682b07a4f7ce8d66dbee9976582edf0bc3ff2c6
Submitter: Jenkins
Branch: master

commit c682b07a4f7ce8d66dbee9976582edf0bc3ff2c6
Author: Alistair Coles <email address hidden>
Date: Thu Feb 5 15:01:50 2015 +0000

    Delay denial when service token is invalid

    This patch modifies AuthProtocol to defer authentication
    to a downstream service if an invalid service token is found
    and delay_auth_decision is True. This makes the behavior for
    an invalid service token similar to that for an invalid user
    token.

    This is required by Swift because multiple auth middlewares
    may co-exist, and auth_token will currently deny a request
    on detecting an invalid service token when that service token
    is in fact intended to be validated by another downstream auth
    middleware. This is precisely the configuration used in
    devstack which configures both authtoken and tempauth in
    the Swift proxy pipeline [1].

    Swift support for service tokens is currently in review [2]
    and functional tests will not pass using devstack without the
    change proposed here.

    [1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
    [2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30

    DocImpact
    SecurityImpact
    Closes-Bug: #1422389

    Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
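The following is an added illustration of the behaviour described in the bug report and the commit message above; it is not keystonemiddleware code and does not reproduce AuthProtocol's real implementation. It models auth_token's decision as a plain function over request headers, with a constructed token table standing in for Keystone, a hypothetical stand-in for the rest of the Swift proxy pipeline (a keystoneauth-style branch that trusts the status headers and a tempauth-style branch that checks its own tokens), and a `defer_invalid_service_token` switch that selects the pre-fix or post-fix handling of an invalid X-Service-Token. The header names X-Identity-Status and X-Service-Identity-Status are assumed to be the ones auth_token uses to report its verdict downstream.

```python
# Added illustration of the delay_auth_decision bug; not keystonemiddleware code.

# Constructed sample data: tokens "Keystone" recognises and tokens the
# tempauth-style downstream middleware recognises. No real values.
KEYSTONE_TOKENS = {"ks-user-1", "ks-service-1"}
TEMPAUTH_TOKENS = {"ta-user-1", "ta-service-1"}


def keystone_validate(token):
    """Stand-in for the Keystone validation call (hypothetical)."""
    return token in KEYSTONE_TOKENS


def rest_of_pipeline(headers):
    """Stand-in for what follows auth_token in the Swift proxy pipeline.

    Hypothetical simplification of two real middlewares: a keystoneauth-style
    branch that trusts auth_token's verdict via the status headers, and a
    tempauth-style branch that only accepts tokens it issued itself.
    """
    if (headers.get("X-Identity-Status") == "Confirmed"
            and headers.get("X-Service-Identity-Status", "Confirmed") == "Confirmed"):
        return 200  # Keystone identities were confirmed upstream
    tokens = [headers.get("X-Auth-Token"), headers.get("X-Service-Token")]
    if all(t is None or t in TEMPAUTH_TOKENS for t in tokens):
        return 200  # tempauth recognises its own tokens
    return 401


def auth_token(headers, downstream, delay_auth_decision, defer_invalid_service_token):
    """Model of AuthProtocol's decision logic; returns (status, forwarded headers).

    defer_invalid_service_token=False reproduces the reported bug: an invalid
    X-Service-Token is rejected outright even when delay_auth_decision is set.
    True models the merged fix: the invalid service token is recorded in
    X-Service-Identity-Status and the request is passed downstream, exactly as
    already happened for an invalid X-Auth-Token.
    """
    fwd = dict(headers)
    user_tok = headers.get("X-Auth-Token")
    svc_tok = headers.get("X-Service-Token")

    user_ok = user_tok is not None and keystone_validate(user_tok)
    fwd["X-Identity-Status"] = "Confirmed" if user_ok else "Invalid"
    if not user_ok and not delay_auth_decision:
        return 401, None  # immediate denial; downstream never sees the request

    if svc_tok is not None:
        svc_ok = keystone_validate(svc_tok)
        fwd["X-Service-Identity-Status"] = "Confirmed" if svc_ok else "Invalid"
        if not svc_ok and not (delay_auth_decision and defer_invalid_service_token):
            return 401, None  # pre-fix path, or delay_auth_decision unset

    return downstream(fwd), fwd


def tempauth_request_outcomes():
    """Run a tempauth-issued user+service token pair through both variants.

    This is the devstack configuration from the report: auth_token sits in
    front of tempauth, and the tokens are not Keystone tokens at all.
    """
    headers = {"X-Auth-Token": "ta-user-1", "X-Service-Token": "ta-service-1"}
    before, _ = auth_token(headers, rest_of_pipeline, delay_auth_decision=True,
                           defer_invalid_service_token=False)
    after, fwd = auth_token(headers, rest_of_pipeline, delay_auth_decision=True,
                            defer_invalid_service_token=True)
    return before, after, fwd


if __name__ == "__main__":
    before, after, fwd = tempauth_request_outcomes()
    print("before fix:", before)   # 401: auth_token denied despite delay_auth_decision
    print("after fix: ", after)    # 200: tempauth accepted its own tokens
    print("status headers seen downstream:", fwd["X-Identity-Status"],
          fwd["X-Service-Identity-Status"])
```

The model also shows why the commit carries a SecurityImpact tag: with delay_auth_decision set, auth_token no longer rejects anything itself, so every middleware and application behind it must read X-Identity-Status and X-Service-Identity-Status and refuse requests marked Invalid that it does not authenticate by other means. With delay_auth_decision unset, the fix changes nothing and an invalid service token is still denied before the request goes any further.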

Changed in keystonemiddleware:
status: In Progress → Fix Committed
Changed in keystonemiddleware:
milestone: none → 1.5.0
Changed in keystonemiddleware:
status: Fix Committed → Fix Released
importance: Undecided → Medium