yahoo-eng-team team mailing list archive

[Bug 1473553] Re: AuthContextMiddleware re-implements AdminToken

 

Reviewed:  https://review.openstack.org/198931
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c29ff68a6f91d020ee248f70ba6f2a7a2801013b
Submitter: Jenkins
Branch:    master

commit c29ff68a6f91d020ee248f70ba6f2a7a2801013b
Author: Brant Knudson <bknudson@xxxxxxxxxx>
Date:   Mon Jul 6 19:51:48 2015 -0500

    AuthContextMiddleware admin token handling
    
    The AuthContextMiddleware shouldn't be re-implementing the
    AdminTokenAuthMiddleware but using the request environment
    context setting that the admin token middleware sets up.
    
    This makes it so that admin token handling is in one place
    rather than duplicating it and allows for an alternative
    implementation of the admin token middleware.
    
    The old behavior is left in place as deprecated to be removed
    in a future release.
    
    ReleaseNotesImpact
     - The paste.ini file is changed to put the admin token
       middleware first so that the auth context middleware can use
       the results. It's deprecated to have the admin token
       middleware after the auth context middleware.
    
    Closes-Bug: 1473553
    Change-Id: I658213699ac4af0abd08f893d9cf18ef0af5827d


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1473553

Title:
  AuthContextMiddleware re-implements AdminToken

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  
  AuthContextMiddleware essentially re-implements the default AdminTokenAuthMiddleware:

  class AdminTokenAuthMiddleware(wsgi.Middleware):
      ...
          context['is_admin'] = (token == CONF.admin_token)

  class AuthContextMiddleware(wsgi.Middleware):
      ...
          if token_id == CONF.admin_token:

  The problem is, what if someone decides they want to implement their
  own `AdminTokenAuthMiddleware` that implements "admin token"
  differently? For example, using a special client certificate instead.

  This should be possible, but it's not because AuthContextMiddleware
  decided to re-implement AdminTokenAuthMiddleware rather than using its
  output (the setting of is_admin in the context).
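The following is an added toy model of the design the commit message and the bug description argue for; it is not keystone's code. One middleware (the default token comparison, or an alternative keyed on a client certificate subject) is the only component that decides `is_admin` and records it in a shared request context, and an `AuthContextMiddleware` that only reads that result. The environ key names, the admin token value and the certificate subject are constructed for the example, and the error raised when the pipeline is in the deprecated order (auth context before admin token) is this example's choice, not keystone's behaviour.

```python
"""Toy model of the fix: admin-token detection lives in one middleware and
AuthContextMiddleware only consumes its result. Hypothetical code, not
keystone's; environ keys, token and certificate subject are constructed."""

import hmac
from typing import Any, Callable, Dict

Environ = Dict[str, Any]
App = Callable[[Environ], Dict[str, Any]]

# Constructed stand-in for CONF.admin_token (a real one is a long random secret).
ADMIN_TOKEN = "constructed-admin-token"
CONTEXT_KEY = "openstack.context"  # hypothetical environ key for the shared context


class PipelineOrderError(RuntimeError):
    """Raised when AuthContextMiddleware runs before any admin-token middleware."""


def _context(environ: Environ) -> Dict[str, Any]:
    return environ.setdefault(CONTEXT_KEY, {})


class AdminTokenAuthMiddleware:
    """Default implementation: the one place that compares against the admin token."""

    def __init__(self, app: App, admin_token: str = ADMIN_TOKEN) -> None:
        self.app = app
        self.admin_token = admin_token

    def __call__(self, environ: Environ) -> Dict[str, Any]:
        token = environ.get("HTTP_X_AUTH_TOKEN", "")
        # Constant-time comparison so the token check does not leak via timing.
        _context(environ)["is_admin"] = hmac.compare_digest(token, self.admin_token)
        return self.app(environ)


class ClientCertAdminMiddleware:
    """The alternative the bug asks for: admin decided by the client certificate
    subject passed in by a TLS-terminating front end, with no shared secret."""

    def __init__(self, app: App, admin_subject: str) -> None:
        self.app = app
        self.admin_subject = admin_subject

    def __call__(self, environ: Environ) -> Dict[str, Any]:
        _context(environ)["is_admin"] = environ.get("SSL_CLIENT_S_DN") == self.admin_subject
        return self.app(environ)


class AuthContextMiddleware:
    """Builds the auth context from what the admin-token middleware decided.
    It never looks at the admin token itself."""

    def __init__(self, app: App) -> None:
        self.app = app

    def __call__(self, environ: Environ) -> Dict[str, Any]:
        ctx = _context(environ)
        if "is_admin" not in ctx:
            # Deprecated ordering: nothing upstream set is_admin. Refuse instead of
            # falling back to a second copy of the admin token check.
            raise PipelineOrderError("admin token middleware must run first")
        if ctx["is_admin"]:
            environ["auth_context"] = {"is_admin": True}
        else:
            # Real code would validate the token with the token provider; the toy
            # only records that this is an ordinary, non-admin request.
            environ["auth_context"] = {"is_admin": False,
                                       "token": environ.get("HTTP_X_AUTH_TOKEN")}
        return self.app(environ)


def final_app(environ: Environ) -> Dict[str, Any]:
    """Stand-in for the application: hands back the auth context it received."""
    return environ["auth_context"]


def token_pipeline() -> App:
    """Order after the fix: admin token middleware before auth context."""
    return AdminTokenAuthMiddleware(AuthContextMiddleware(final_app))


def cert_pipeline(admin_subject: str = "CN=keystone-admin,O=Example") -> App:
    """Same AuthContextMiddleware, alternative admin-token implementation."""
    return ClientCertAdminMiddleware(AuthContextMiddleware(final_app), admin_subject)


def reversed_pipeline() -> App:
    """The deprecated order: auth context first, admin token second."""
    return AuthContextMiddleware(AdminTokenAuthMiddleware(final_app))


def authorize(pipeline: App, **environ: Any) -> Dict[str, Any]:
    """Run a constructed request environment through a pipeline."""
    return pipeline(dict(environ))


if __name__ == "__main__":
    print(authorize(token_pipeline(), HTTP_X_AUTH_TOKEN=ADMIN_TOKEN))
    print(authorize(cert_pipeline(), SSL_CLIENT_S_DN="CN=keystone-admin,O=Example"))
```

Swapping `AdminTokenAuthMiddleware` for `ClientCertAdminMiddleware` changes nothing in `AuthContextMiddleware`, which is the property the bug report wants; the reversed pipeline fails loudly because the shared context is empty when the auth context middleware runs, which is the ordering the commit message's paste.ini change addresses.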

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1473553/+subscriptions
