audit middleware broken for glance

Bug #1809101 reported by leehom on 2018-12-19
Affects: keystonemiddleware
Importance: Undecided
Assigned to: leehom

Bug Description

Glance uses the decorator @utils.mutating to enforce read-only logic.
This requires using req.context.read_only of RequestContext.

```python
import functools

from oslo_log import log as logging
from webob import exc

LOG = logging.getLogger(__name__)


def mutating(func):
    """Decorator to enforce read-only logic"""
    @functools.wraps(func)
    def wrapped(self, req, *args, **kwargs):
        # Expects req.context to be a RequestContext object with a
        # read_only attribute; a plain dict here raises AttributeError.
        if req.context.read_only:
            msg = "Read-only access"
            LOG.debug(msg)
            raise exc.HTTPForbidden(msg, request=req,
                                    content_type="text/plain")
        return func(self, req, *args, **kwargs)
    return wrapped
```

Look at the logic in the keystonemiddleware audit middleware. It overwrites req.context with the dict() of a RequestContext.

```python
    @webob.dec.wsgify
    def __call__(self, req):
        if req.method in self._ignore_req_list:
            return req.get_response(self._application)

        # Cannot use a RequestClass on wsgify above because the `req` object is
        # a `WebOb.Request` when this method is called so the RequestClass is
        # ignored by the wsgify wrapper.
        # This replaces whatever context the application (e.g. glance) set
        # with a plain dict, so attribute access such as req.context.read_only
        # later fails.
        req.context = oslo_context.get_admin_context().to_dict()

        self._process_request(req)
        try:
            response = req.get_response(self._application)
        except Exception:
            self._process_response(req)
            raise
        else:
            self._process_response(req, response)
        return response
```

The problem is that the Keystone audit middleware and glance both need to use their own generated req.context.

Glance requires access to req.context.read_only,
and
the Keystone audit middleware requires iterating over req.context.

This problem still exists in the Stein release.
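To make the collision concrete, here is an added example that is not code from keystonemiddleware or glance. It uses stand-in Request and RequestContext classes (assumed, replacing webob.Request and oslo.context) and a glance-style mutating decorator, runs a request through a wrapper that clobbers req.context with a dict as the audit middleware did, and then through one that keeps the audit dict in req.environ['audit.context'] as the fix describes.

```python
"""Reproduction of the req.context collision and the environ-based fix.

Added example; Request, RequestContext, Forbidden and ImagesController are
constructed stand-ins, not the real webob/oslo.context/glance classes.
"""
import functools


class RequestContext:
    """Stand-in for oslo.context RequestContext: attribute access."""

    def __init__(self, user_id="user-1", read_only=False):
        self.user_id = user_id
        self.read_only = read_only

    def to_dict(self):
        return {"user_id": self.user_id, "read_only": self.read_only}


class Request:
    """Stand-in for webob.Request: a WSGI environ plus a context slot."""

    def __init__(self, method="POST", context=None):
        self.method = method
        self.environ = {"REQUEST_METHOD": method}
        self.context = context


class Forbidden(Exception):
    """Stand-in for webob.exc.HTTPForbidden."""


def mutating(func):
    """Glance-style decorator: reject writes when the context is read-only."""
    @functools.wraps(func)
    def wrapped(self, req, *args, **kwargs):
        if req.context.read_only:
            raise Forbidden("Read-only access")
        return func(self, req, *args, **kwargs)
    return wrapped


class ImagesController:
    """Stand-in for a glance controller whose write path is @mutating."""

    @mutating
    def create(self, req, name):
        return {"created": name, "by": req.context.user_id}


def audit_broken(req, app):
    """Behaviour from the bug report: req.context is replaced by a plain dict
    (the admin context serialised with to_dict), which the audit code then
    iterates. The application's own RequestContext object is lost."""
    req.context = RequestContext(user_id="admin").to_dict()
    audit_fields = sorted(req.context)      # audit code iterates the dict
    return app(req), audit_fields


def audit_fixed(req, app):
    """Fix described in the commit message: the audit dict lives in its own
    environ key, so the application's req.context is left untouched."""
    req.environ["audit.context"] = RequestContext(user_id="admin").to_dict()
    audit_fields = sorted(req.environ["audit.context"])
    return app(req), audit_fields


def run(audit_fn, read_only=False):
    """Drive one write request through an audit wrapper and the controller.

    Returns ("ok", result), ("forbidden", message) or ("error", exc_name).
    """
    req = Request(context=RequestContext(read_only=read_only))
    controller = ImagesController()
    try:
        result, _fields = audit_fn(req, lambda r: controller.create(r, "img"))
    except Forbidden as e:
        return ("forbidden", str(e))
    except AttributeError as e:
        # 'dict' object has no attribute 'read_only': the bug in this report
        return ("error", type(e).__name__)
    return ("ok", result)


if __name__ == "__main__":
    print("broken middleware:", run(audit_broken))
    print("fixed middleware: ", run(audit_fixed))
    print("fixed, read-only: ", run(audit_fixed, read_only=True))
```

With the broken wrapper every write through a @mutating handler fails with an AttributeError before the read-only check can even run; with the context kept in req.environ the handler sees its own RequestContext, so normal writes succeed and read-only contexts are still rejected with the expected Forbidden.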

leehom (feli5) on 2018-12-19
Changed in keystonemiddleware:
assignee: nobody → leehom (feli5)

Fix proposed to branch: master
Review: https://review.openstack.org/626226

Changed in keystonemiddleware:
status: New → In Progress

Reviewed: https://review.openstack.org/626226
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=82707e15a5bce8de2d33b1c865c96844c9770580
Submitter: Zuul
Branch: master

commit 82707e15a5bce8de2d33b1c865c96844c9770580
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware use own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>

Changed in keystonemiddleware:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystonemiddleware 6.0.0 release.

Supreeth Shivanand (supreeth90) wrote :

This seems to be a critical issue for enabling auditing for glance. It would be great if this fix could be backported to some 4.x.x version of keystonemiddleware. We are currently on Pike and this fix is currently not even part of Rocky.

Reviewed: https://review.opendev.org/656230
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=47294755ab90b2c24a67836fb9321adc52b26bff
Submitter: Zuul
Branch: stable/rocky

commit 47294755ab90b2c24a67836fb9321adc52b26bff
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware use own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-rocky

Reviewed: https://review.opendev.org/656234
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=ca2dede486ad22db37ee16d1152a495fd32f01c4
Submitter: Zuul
Branch: stable/pike

commit ca2dede486ad22db37ee16d1152a495fd32f01c4
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware use own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-pike

This issue was fixed in the openstack/keystonemiddleware 5.2.2 release.

Reviewed: https://review.opendev.org/656232
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=3f90a86b60e2798c4b7b7c95c90bb882567cb9e6
Submitter: Zuul
Branch: stable/queens

commit 3f90a86b60e2798c4b7b7c95c90bb882567cb9e6
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware use own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-queens