yahoo-eng-team team mailing list archive

[Bug 1473553] [NEW] AuthContextMiddleware re-implements AdminToken

 

Public bug reported:


AuthContextMiddleware essentially re-implements the default AdminTokenAuthMiddleware:

class AdminTokenAuthMiddleware(wsgi.Middleware):
...
        context['is_admin'] = (token == CONF.admin_token)

class AuthContextMiddleware(wsgi.Middleware):
...
        if token_id == CONF.admin_token:

The problem is, what if someone decides they want to implement their own
`AdminTokenAuthMiddleware` that implements "admin token" differently,
for example, using a special client certificate instead?

This should be possible, but it's not because AuthContextMiddleware
decided to re-implement AdminTokenAuthMiddleware rather than using its
output (the setting of is_admin in the context).

** Affects: keystone
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Brant Knudson (blk-u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1473553

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1473553/+subscriptions
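
The coupling described in this report, as an added sketch that is not Keystone's code: requests are modelled as plain dicts, and the certificate check and every function name are assumptions made for illustration. It compares a downstream check that re-compares the token with one that consumes the upstream `is_admin` value when the admin middleware is swapped out.

```python
# Added illustration, not Keystone source. Requests are modelled as plain dicts;
# every name except is_admin and admin_token is hypothetical.
ADMIN_TOKEN = "constructed-admin-token"   # stands in for CONF.admin_token
PINNED_CERT_FP = "constructed-cert-fp"    # assumed operator-pinned client cert


def default_admin_middleware(request):
    """Default shape quoted in the report: is_admin derives from the token."""
    request["context"] = {"is_admin": request.get("token") == ADMIN_TOKEN}


def cert_admin_middleware(request):
    """Hypothetical replacement: admin is decided by a client certificate."""
    request["context"] = {"is_admin": request.get("cert_fp") == PINNED_CERT_FP}


def reimplemented_check(request):
    """AuthContextMiddleware shape quoted in the report: compares the token
    itself. The branch body is elided there, so only the decision is returned."""
    return request.get("token") == ADMIN_TOKEN


def output_based_check(request):
    """What the report asks for: consume the is_admin value set upstream."""
    return bool(request.get("context", {}).get("is_admin"))


def evaluate(admin_middleware, request):
    """Run one admin middleware, then both downstream checks.
    Returns (upstream is_admin, re-implemented decision, output-based decision)."""
    request = dict(request)  # do not mutate the caller's sample
    admin_middleware(request)
    return (request["context"]["is_admin"],
            reimplemented_check(request),
            output_based_check(request))


# Constructed sample requests.
CERT_REQUEST = {"cert_fp": PINNED_CERT_FP}
TOKEN_REQUEST = {"token": ADMIN_TOKEN}

if __name__ == "__main__":
    for name, mw in (("default", default_admin_middleware),
                     ("cert", cert_admin_middleware)):
        for label, req in (("cert", CERT_REQUEST), ("token", TOKEN_REQUEST)):
            print(name, label, evaluate(mw, req))
```

With the certificate middleware in place, the re-implemented check disagrees with the upstream decision for both sample requests, while the output-based check follows it.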