keystonemiddleware

keystonemiddleware audit selects the wrong target service

Bug #1797584 reported by Michael Johnson on 2018-10-12

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

keystonemiddleware

Fix Released

Medium

Michael Johnson

You need to log in to change this bug's status.

Affecting:	keystonemiddleware
Filed here by:	Michael Johnson
When:	2018-10-12
Confirmed:	2018-10-12
Assigned:	2018-10-12
Started work:	2018-10-12
Completed:	2018-11-03

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Medium

Assigned to

	Me
	Michael Johnson (johnsom)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Keystonemiddleware audit support is selecting the wrong "target" service when OpenStack service endpoints are not using unique TCP ports.

The incorrect code is here: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/audit/_api.py#L270

With that code, if the services are not using unique TCP ports for each endpoint, the first endpoint that matches the IP adddress of the request will be selected.

Since most services have moved to not using TCP ports for their endpoints, this needs to be fixed to allow the proper target service to be selected.

Add tags Tag help

Michael Johnson (johnsom) on 2018-10-12

Changed in keystonemiddleware:
assignee:	nobody → Michael Johnson (johnsom)

OpenStack Infra (hudson-openstack) wrote on 2018-10-12: Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/610099

Changed in keystonemiddleware:
status:	New → In Progress

Morgan Fainberg (mdrnstm) on 2018-10-26

Changed in keystonemiddleware:
importance:	Undecided → Medium

OpenStack Infra (hudson-openstack) wrote on 2018-11-03: Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/610099
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=782729b6e98c1d2857c7e4f24bb69219e43c108f
Submitter: Zuul
Branch: master

commit 782729b6e98c1d2857c7e4f24bb69219e43c108f
Author: Michael Johnson <email address hidden>
Date: Fri Oct 12 09:05:10 2018 -0700

Fix audit target service selection

    The keystonemiddleware audit code would select the wrong OpenStack service
    endpoint for a request if the cloud is not using unique TCP ports for each
    service endpoint. As most services are no longer using a port per service,
    but instead using unique paths, this caused the audit to select the wrong
    target service. This leads to incorrect audit logging due to the wrong
    audit map being used.

    This patch checks the request to see if a TCP port was present in the request,
    and if not, fall back to using the target_endpoint_type configured in the
    audit map file.

Change-Id: Ie2e0bf74ecca485d599a4041bb770bd6e296bc99
Closes-bug: 1797584

Changed in keystonemiddleware:
status:	In Progress → Fix Released

OpenStack Infra (hudson-openstack) wrote on 2019-02-28: Fix included in openstack/keystonemiddleware 6.0.0

This issue was fixed in the openstack/keystonemiddleware 6.0.0 release.

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers