AuthContextMiddleware re-implements AdminToken

Bug #1473553 reported by Brant Knudson on 2015-07-10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Brant Knudson

Bug Description

AuthContextMiddleware essentially re-implements the default AdminTokenAuthMiddleware:

class AdminTokenAuthMiddleware(wsgi.Middleware):
        context['is_admin'] = (token == CONF.admin_token)

class AuthContextMiddleware(wsgi.Middleware):
        if token_id == CONF.admin_token:

The problem is, what if someone decides they want to implement their own `AdminTokenAuthMiddleware` that implements "admin token" differently. For example, using a special client certificate instead.

This should be possible, but it's not because AuthContextMiddleware decided to re-implement AdminTokenAuthMiddleware rather than using its output (the setting of is_admin in the context.

Brant Knudson (blk-u) on 2015-07-10
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Changed in keystone:
status: New → In Progress
Brant Knudson (blk-u) wrote :

Also, keystone needs to support removal of the AdminTokenAuthMiddleware from the paste pipeline, and since this is re-implemented in AuthContextMiddleware that doesn't work as expected.

Dolph Mathews (dolph) on 2015-07-10
Changed in keystone:
importance: Undecided → Low
tags: added: refactor
Changed in keystone:
milestone: none → mitaka-3
Changed in keystone:
assignee: Brant Knudson (blk-u) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Brant Knudson (blk-u)

Submitter: Jenkins
Branch: master

commit c29ff68a6f91d020ee248f70ba6f2a7a2801013b
Author: Brant Knudson <email address hidden>
Date: Mon Jul 6 19:51:48 2015 -0500

    AuthContextMiddleware admin token handling

    The AuthContextMiddleware shouldn't be re-implementing the
    AdminTokenAuthMiddleware but using the request environment
    context setting that the admin token middleware sets up.

    This makes it so that admin token handling is in one place
    rather than duplicating it and allows for an alternative
    implementation of the admin token middleware.

    The old behavior is left in place as deprecated to be removed
    in a future release.

     - The paste.ini file is changed to put the admin token
       middleware first so that the auth context middleware can use
       the results. It's deprecated to have the admin token
       middleware after the auth context middleware.

    Closes-Bug: 1473553
    Change-Id: I658213699ac4af0abd08f893d9cf18ef0af5827d

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers