OpenStack Identity (keystone)

AuthContextMiddleware re-implements AdminToken

Bug #1473553 reported by Brant Knudson on 2015-07-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Low	Brant Knudson	OpenStack Identity (keystone) mitaka-3 "m3"

Bug Description

AuthContextMiddleware essentially re-implements the default AdminTokenAuthMiddleware:

class AdminTokenAuthMiddleware(wsgi.Middleware):
...
context['is_admin'] = (token == CONF.admin_token)

class AuthContextMiddleware(wsgi.Middleware):
...
if token_id == CONF.admin_token:

The problem is, what if someone decides they want to implement their own `AdminTokenAuthMiddleware` that implements "admin token" differently. For example, using a special client certificate instead.

This should be possible, but it's not because AuthContextMiddleware decided to re-implement AdminTokenAuthMiddleware rather than using its output (the setting of is_admin in the context.

Tags:

Brant Knudson (blk-u) on 2015-07-10

Changed in keystone:
assignee:	nobody → Brant Knudson (blk-u)

OpenStack Infra (hudson-openstack) on 2015-07-10

Changed in keystone:
status:	New → In Progress

Revision history for this message

Brant Knudson (blk-u) wrote on 2015-07-10:

Also, keystone needs to support removal of the AdminTokenAuthMiddleware from the paste pipeline, and since this is re-implemented in AuthContextMiddleware that doesn't work as expected.

Revision history for this message

Brant Knudson (blk-u) wrote on 2015-07-10:

https://review.openstack.org/#/c/198931/

Dolph Mathews (dolph) on 2015-07-10

Changed in keystone:
importance:	Undecided → Low
tags:	added: refactor

Steve Martinelli (stevemar) on 2016-01-28

Changed in keystone:
milestone:	none → mitaka-3

OpenStack Infra (hudson-openstack) on 2016-01-28

Changed in keystone:
assignee:	Brant Knudson (blk-u) → Steve Martinelli (stevemar)

Steve Martinelli (stevemar) on 2016-01-28

Changed in keystone:
assignee:	Steve Martinelli (stevemar) → Brant Knudson (blk-u)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-12: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/198931
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c29ff68a6f91d020ee248f70ba6f2a7a2801013b
Submitter: Jenkins
Branch: master

commit c29ff68a6f91d020ee248f70ba6f2a7a2801013b
Author: Brant Knudson <email address hidden>
Date: Mon Jul 6 19:51:48 2015 -0500

AuthContextMiddleware admin token handling

    The AuthContextMiddleware shouldn't be re-implementing the
    AdminTokenAuthMiddleware but using the request environment
    context setting that the admin token middleware sets up.

    This makes it so that admin token handling is in one place
    rather than duplicating it and allows for an alternative
    implementation of the admin token middleware.

The old behavior is left in place as deprecated to be removed
in a future release.

    ReleaseNotesImpact
     - The paste.ini file is changed to put the admin token
       middleware first so that the auth context middleware can use
       the results. It's deprecated to have the admin token
       middleware after the auth context middleware.

Closes-Bug: 1473553
Change-Id: I658213699ac4af0abd08f893d9cf18ef0af5827d

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-03-03: Fix included in openstack/keystone 9.0.0.0b3

This issue was fixed in the openstack/keystone 9.0.0.0b3 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.