Pluggable auth provider: Can't write a custom plugin due to hardcoded check

Bug #1227980 reported by Haneef Ali
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Guang Yee

Bug Description

The provider plugin provides an interface so that someone can customize or rewrite the UUID and PKI providers. But unfortunately there is a hard-coded check which prevents pluggability.

provider.py -- get_provider

    if ((CONF.signing.token_format == 'PKI' and
            CONF.token.provider != PKI_PROVIDER) or
            (CONF.signing.token_format == 'UUID' and
             CONF.token.provider != UUID_PROVIDER)):
        raise exception.UnexpectedError(
            _('keystone.conf [signing] token_format (deprecated) '
              'conflicts with keystone.conf [token] provider'))
    return CONF.token.provider

PKI_PROVIDER and UUID_PROVIDER are global variables which hold the default providers. Do we need this check?

Of course, I can change the value of the global variable, but that doesn't fit the pluggable design.

Revision history for this message
Dolph Mathews (dolph) wrote :

Yes, we do need a check similar to that to manage backwards compatibility between token_format vs [token] provider, but it certainly blocks alternative implementations of either UUID or PKI, as is!

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → havana-rc1
Revision history for this message
Guang Yee (guang-yee) wrote :

As Dolph mentioned, this check is for ensuring backward compatibility with token_format. 'token_format' is not being used anymore. You can do this hack to get around this check.

1) in keystone.conf, set token_format to something else

[signing]
token_format = WHO_THE_FLIP_CARES

2) set token provider to your provider

[token]
provider = mypackage.MyUUIDProvider

Revision history for this message
Haneef Ali (haneef) wrote :

Of course I can do that, but that will break most of the tests, since many tests rely on the format string. Also, in the future, if you make decisions based on that string, it will break.

A better approach would be (just a suggestion):

Add a method get_provider_name() and let it return "UUID" for the UUID provider and "PKI" for the PKI provider. Then the code will become

    if CONF.signing.token_format != configured_provider.get_provider_name():
        raise exception.UnexpectedError(...)  # same error as in get_provider()

Revision history for this message
Guang Yee (guang-yee) wrote :

I am working on it.

Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/47938

Adam Young (ayoung)
Changed in keystone:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/47938
Committed: http://github.com/openstack/keystone/commit/dc62539d6f170a8c3901aceb052bb5a69d17812c
Submitter: Jenkins
Branch: master

commit dc62539d6f170a8c3901aceb052bb5a69d17812c
Author: guang-yee <email address hidden>
Date: Mon Sep 23 14:41:12 2013 -0700

    Check token_format for default token providers only.

    Ignore token_format check if the configured token provider is not one of
    Keystone default token providers.

    Fixed bug 1227980

    Change-Id: Id318177f186d1f68b0f3e5cba1bfaa98a4b2db24
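The behaviour the merged commit message describes, as an added example that is not Keystone's own code: the compatibility check is kept for the two default providers and skipped for anything else. The provider path strings, the function names and the `rejects` helper are assumptions for illustration.

```python
# Added example (not Keystone's code): models the [signing] token_format
# vs [token] provider check before and after the fix in commit dc62539d.
# Provider path strings below are assumed for illustration.
UUID_PROVIDER = 'keystone.token.providers.uuid.Provider'
PKI_PROVIDER = 'keystone.token.providers.pki.Provider'
DEFAULT_PROVIDERS = {'UUID': UUID_PROVIDER, 'PKI': PKI_PROVIDER}


class UnexpectedError(Exception):
    """Stand-in for keystone's exception.UnexpectedError."""


def get_provider_before(token_format, provider):
    """Original check from the bug report: a provider that is not the
    default for the configured (deprecated) token_format is rejected,
    so a custom UUID or PKI implementation can never be loaded."""
    if ((token_format == 'PKI' and provider != PKI_PROVIDER) or
            (token_format == 'UUID' and provider != UUID_PROVIDER)):
        raise UnexpectedError('keystone.conf [signing] token_format '
                              'conflicts with keystone.conf [token] provider')
    return provider


def get_provider_after(token_format, provider):
    """Fixed check: token_format is only compared against the provider
    when the provider is one of the two Keystone defaults; a custom
    plugin such as mypackage.MyUUIDProvider is returned untouched."""
    if provider in DEFAULT_PROVIDERS.values():
        expected = DEFAULT_PROVIDERS.get(token_format)
        # A default provider that contradicts an explicit token_format
        # is still a misconfiguration worth failing loudly on.
        if expected is not None and provider != expected:
            raise UnexpectedError('keystone.conf [signing] token_format '
                                  'conflicts with keystone.conf [token] '
                                  'provider')
    return provider


def rejects(check, token_format, provider):
    """True if `check` raises UnexpectedError for this configuration."""
    try:
        check(token_format, provider)
    except UnexpectedError:
        return True
    return False


if __name__ == '__main__':
    custom = 'mypackage.MyUUIDProvider'
    print('before fix, custom provider rejected:', rejects(get_provider_before, 'UUID', custom))
    print('after fix, custom provider loaded:', get_provider_after('UUID', custom))
```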

Dolph Mathews (dolph)
Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-rc1 → 2013.2