openstack-ossg team mailing list archive
-
openstack-ossg team
-
Mailing list archive
-
Message #00007
Please provide additional eyes on this patch
https://review.openstack.org/#/c/14823/
There are a lot of features that come with running in HTTPD. The above
patch is essential to HTTPD support, specificially for Keystone.
There has been some discussion about disabling REMOTE_USER via a config
file option by default, but I think that is neither necessary nor
sufficient. If using container based authentication has a security
issue, we should be aware of it up front. If it is not, a config file
will just frustrate people trying to set up remote authentication.
REMOTE_USER should become the default method of authentication in the
future anyway, as it is the direct tie in with the HTTP spec. Using
Kerberos or PKI is dependant on this change. As such, it should be
improving security, not lessening it.
As far as I have found, there is no way that a malicious user can affect
the env var dictionary to falsely inject REMOTE_USER.
All headers that get set and passed in get modified such that they end
up in the environment with 'HTTP_ ' prepended
Args passed to GET and post URLS, as well as cookies, go into internal
collections, and do not show up in the top level dictionary.
Follow ups