keystonemiddleware

System scoped tokens are unsupported

Bug #1766731 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
keystonemiddleware
Fix Released
High
Lance Bragstad

Bug Description

keystonemiddleware.auth_token will attempt to convert values from a user token or service token to request headers before passing the request along the pipeline. Since the introduction of system scope in Queens [0], it's possible for users to generate system-scoped tokens, but keystonemiddleware doesn't understand them.

This makes it harder for other OpenStack services to consume that specific flavor of scope and rely on protect their APIs with it. We should update auth_token middleware to populate that header when system scoped tokens are passed to services protected by keystonemiddleware.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

See original description
Lance Bragstad (lbragstad)
description: updated
Changed in keystonemiddleware:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/564072

Changed in keystonemiddleware:
assignee: nobody → Lance Bragstad (lbragstad)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/564072
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=245c91f2e3d499498e5f0edd30c23504cda9d111
Submitter: Zuul
Branch: master

commit 245c91f2e3d499498e5f0edd30c23504cda9d111
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 24 22:10:37 2018 +0000

    Introduce new header for system-scoped tokens

    Keystonemiddleware attempts to parse user/service tokens and populate
    request headers for other services to consume. This information is
    important for services looking to build oslo.context objects from
    request environments.

    Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
    Closes-Bug: 1766731

Changed in keystonemiddleware:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware 5.1.0

This issue was fixed in the openstack/keystonemiddleware 5.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.