← Back to team overview

openstack-ossg team mailing list archive

Please provide additional eyes on this patch



There are a lot of features that come with running in HTTPD. The above patch is essential to HTTPD support, specificially for Keystone.

There has been some discussion about disabling REMOTE_USER via a config file option by default, but I think that is neither necessary nor sufficient. If using container based authentication has a security issue, we should be aware of it up front. If it is not, a config file will just frustrate people trying to set up remote authentication. REMOTE_USER should become the default method of authentication in the future anyway, as it is the direct tie in with the HTTP spec. Using Kerberos or PKI is dependant on this change. As such, it should be improving security, not lessening it.

As far as I have found, there is no way that a malicious user can affect the env var dictionary to falsely inject REMOTE_USER.

All headers that get set and passed in get modified such that they end up in the environment with 'HTTP_ ' prepended Args passed to GET and post URLS, as well as cookies, go into internal collections, and do not show up in the top level dictionary.

Follow ups