Keystone admin_token_auth middleware deprecation

Bug #1586159 reported by Tom Cameron
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Wishlist
Assigned to: Jimmy McCrory

Bug Description

Keystone warns of deprecation of the admin_token_auth middleware and notes that it presents a security risk. An example warning from the keystone-apache-error.log file:

2016-05-26 20:16:44.912455 2016-05-26 20:16:44.912 10146 WARNING keystone.middleware.core [req-0a96e99f-7443-475b-b3f0-9226b8351694 - - - - -] The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.

Tags: mitaka
Dolph Mathews (dolph) wrote :

Removing the middleware is easy, but that means you can't use keystone.conf [DEFAULT] admin_token anymore, either. Instead, 'keystone-manage bootstrap' provides a means to bootstrap your initial admin user + admin project + admin role.
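
An added example, not part of this bug thread and not keystone or OpenStack-Ansible code: a check that lists which pipeline sections of a paste ini file still load admin_token_auth, and whether keystone.conf still sets [DEFAULT] admin_token. The sample ini text (with shortened pipelines) and all function names are constructed for illustration.

```python
import configparser

FILTER = "admin_token_auth"
# Pipeline sections named in keystone's deprecation warning.
WARNED = ("pipeline:api_v3", "pipeline:admin_api", "pipeline:public_api")

# Constructed sample paste ini (shortened pipelines, not a real deployment's file).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = sizelimit request_id admin_token_auth
    token_auth json_body public_service

[pipeline:admin_api]
# admin_token_auth already removed from this pipeline
pipeline = sizelimit request_id token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit request_id admin_token_auth token_auth json_body service_v3
"""


def _parse(text):
    # Paste ini files may contain %(here)s, so interpolation is disabled.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def audit_paste_ini(text):
    """Return (pipelines still loading the filter, warned sections not found)."""
    parser = _parse(text)
    offending = sorted(
        name for name in parser.sections()
        if name.startswith("pipeline:")
        and FILTER in parser.get(name, "pipeline", fallback="").split()
    )
    missing = [name for name in WARNED if not parser.has_section(name)]
    return offending, missing


def admin_token_configured(keystone_conf_text):
    """True if keystone.conf still sets [DEFAULT] admin_token to a non-empty value."""
    defaults = _parse(keystone_conf_text).defaults()
    return bool(defaults.get("admin_token", "").strip())


if __name__ == "__main__":
    offending, missing = audit_paste_ini(SAMPLE_PASTE_INI)
    print("pipelines still using", FILTER + ":", offending or "none")
    print("warned sections not present:", missing or "none")
```

A filter definition such as [filter:admin_token_auth] on its own is not reported; only a pipeline that actually references the filter is.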

Dolph Mathews (dolph) wrote :

Just a partial patch to illustrate what it's talking about: https://review.openstack.org/321854

OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-os_keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/321854
Reason: Abandoning then, because it'll be another year before this can merge.

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

As mentioned in the commit, OSA is barely consuming keystone changes.

OSA will add a release note to state the current known issue.

Changed in openstack-ansible:
importance: Undecided → Wishlist
status: New → Confirmed
assignee: nobody → Jimmy McCrory (jimmy-mccrory)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/330251

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (master)

Reviewed: https://review.openstack.org/330251
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=d27d055dbe2857dde236c8c8e6df5f530cc83efa
Submitter: Jenkins
Branch: master

commit d27d055dbe2857dde236c8c8e6df5f530cc83efa
Author: Jimmy McCrory <email address hidden>
Date: Wed Jun 15 15:24:54 2016 -0700

    Add note on admin_token_auth deprecation

    The admin_token_auth middleware has been deprecated. Include a note
    informing users and providing instructions on removing it from
    keystone's WSGI pipelines.

    Closes-Bug: 1586159
    Change-Id: I4ec9e6f098585ddbfcfb7ee826e582af7a12c734

Changed in openstack-ansible:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-os_keystone 14.0.0.0b2

This issue was fixed in the openstack/openstack-ansible-os_keystone 14.0.0.0b2 development milestone.
