openstack-ossg team mailing list archive

[Adam Young <ayoung@xxxxxxxxxx>]

https://review.openstack.org/#/c/14823/

There are a lot of features that come with running in HTTPD.  The above 
patch is essential to HTTPD support, specificially for Keystone.

There has been some discussion about disabling REMOTE_USER via a config 
file option by default, but I think that is neither necessary nor 
sufficient. If using container based authentication has a security 
issue, we should be aware of it up front.  If it is not, a config file 
will just frustrate people trying to set up remote authentication.  
REMOTE_USER should become the default method of authentication in the 
future anyway, as it is the direct tie in with the HTTP spec.  Using 
Kerberos or PKI is dependant on this change. As such, it should be 
improving security, not lessening it.

As far as I have found, there is no way that a malicious user can affect 
the env var dictionary to falsely inject REMOTE_USER.

All headers that get set and passed in get modified such that they end 
up in the environment with 'HTTP_ ' prepended
Args passed to GET and post URLS, as well as cookies, go into internal 
collections, and do not show up in the top level dictionary.