yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1211233] Re: REMOTE_USER support should be more flexible in how domain is specified

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 22 Jan 2014 15:47:07 -0000
Reply-to: Bug 1211233 <1211233@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1211233

Title:
  REMOTE_USER support should be more flexible in how domain is specified

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The Havana implementation of REMOTE_USER assumes that the domain is
  specified as part of the name (to the right of the @ character).
  While this is certainly one valid way of doing this and suitable for
  Apache front-ended implementation, we should not assume that this is
  the only configuration (and indeed @ may be used for other uses in the
  username).  We should also support the regular processing of the auth
  request block which contains the domain (other front-ends may allow to
  be passed through, e.g. a wsgi plugin).  To guard against potential
  spoofing via front-ends that don't support passing a request-block, we
  should have a config switch (default disabled) for this capability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1211233/+subscriptions