Pluggable auth provider: Can't write a custom plugin due to hardcoded check

Bug #1227980 reported by Haneef Ali on 2013-09-20
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Guang Yee

Bug Description

The provider plugin provides an interface so that someone can customize or rewrite the UUID and PKI providers. But unfortunately there is a hard-coded check which prevents pluggability -- get_provider

if ((CONF.signing.token_format == 'PKI' and
        CONF.token.provider != PKI_PROVIDER or
        (CONF.signing.token_format == 'UUID' and
            CONF.token.provider != UUID_PROVIDER))):
    raise exception.UnexpectedError(
        _('keystone.conf [signing] token_format (deprecated) '
          'conflicts with keystone.conf [token] provider'))
return CONF.token.provider

PKI_PROVIDER and UUID_PROVIDER are global variables which hold the default providers. Do we need this check?

Of course, I can change the value of the global variable, but that doesn't fit the pluggable design.

Dolph Mathews (dolph) wrote :

Yes, we do need a check similar to that to manage backwards compatibility between token_format vs [token] provider, but it certainly blocks alternative implementations of either UUID or PKI, as is!

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → havana-rc1
Guang Yee (guang-yee) wrote :

As Dolph mentioned, this check is for ensuring backward compatibility with token_format. 'token_format' is not being used anymore. You can do this hack to get around this check.

1) in keystone.conf, set token_format to something else

token_format = WHO_THE_FLIP_CARES

2) set token provider to your provider

provider = mypackage.MyUUIDProvider

Haneef Ali (haneef) wrote :

Of course I can do that, but that will break most of the tests, since many tests rely on the format string. Also, if in future you make decisions based on that string, it will break.

A better approach would be (just a suggestion):

Add a method get_provider_name() and let it return "UUID" for the UUID provider and "PKI" for the PKI provider. Then the code will become

if CONF.signing.token_format != configured_provider.get_provider_name():
    raise exception

Guang Yee (guang-yee) wrote :

I am working on it.

Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Adam Young (ayoung) on 2013-09-24
Changed in keystone:
status: Triaged → In Progress

Submitter: Jenkins
Branch: master

commit dc62539d6f170a8c3901aceb052bb5a69d17812c
Author: guang-yee <email address hidden>
Date: Mon Sep 23 14:41:12 2013 -0700

    Check token_format for default token providers only.

    Ignore token_format check if the configured token provider is not one of
    Keystone default token providers.

    Fixed bug 1227980

    Change-Id: Id318177f186d1f68b0f3e5cba1bfaa98a4b2db24
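An added illustration, not keystone's own code, of the behaviour before and after the fix described in the commit message above: the original check beside one that consults token_format only when the configured provider is a default one. The provider paths, the fake CONF object and the helper names are assumptions made for the example.

```python
# Added example, not keystone's code: the check from the bug beside a version
# that applies it only to the default providers, as the fix commit describes.
# Provider paths are constructed stand-ins; CONF is a minimal fake.
from types import SimpleNamespace

PKI_PROVIDER = 'keystone.token.providers.pki.Provider'    # constructed
UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'  # constructed
DEFAULT_PROVIDERS = {'PKI': PKI_PROVIDER, 'UUID': UUID_PROVIDER}
CONFLICT_MSG = ('keystone.conf [signing] token_format (deprecated) '
                'conflicts with keystone.conf [token] provider')


class UnexpectedError(Exception):
    """Stand-in for keystone's exception.UnexpectedError."""


def make_conf(token_format, provider):
    """Fake CONF exposing [signing] token_format and [token] provider."""
    return SimpleNamespace(signing=SimpleNamespace(token_format=token_format),
                           token=SimpleNamespace(provider=provider))


def get_provider_hardcoded(conf):
    """Original: anything but the default provider for token_format is
    rejected, so a custom plugin can never be loaded."""
    if ((conf.signing.token_format == 'PKI' and
         conf.token.provider != PKI_PROVIDER) or
            (conf.signing.token_format == 'UUID' and
             conf.token.provider != UUID_PROVIDER)):
        raise UnexpectedError(CONFLICT_MSG)
    return conf.token.provider


def get_provider_fixed(conf):
    """Fixed: the deprecated token_format check runs only when the configured
    provider is a default one; custom providers pass straight through."""
    provider = conf.token.provider
    if provider in DEFAULT_PROVIDERS.values():
        expected = DEFAULT_PROVIDERS.get(conf.signing.token_format)
        if expected is not None and provider != expected:
            raise UnexpectedError(CONFLICT_MSG)
    return provider


def rejects(get_provider, conf):
    """True if get_provider refuses this configuration."""
    try:
        get_provider(conf)
    except UnexpectedError:
        return True
    return False
```

Note that a mismatch between token_format and one of the two default providers is still rejected by the fixed version, so the backward-compatibility behaviour Dolph asked to keep is preserved.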

Dolph Mathews (dolph) on 2013-09-24
Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2