audit middleware broken for glance

Bug #1809101 reported by leehom
Affects: keystonemiddleware
Status: Fix Released
Importance: Undecided
Assigned to: leehom
Milestone: (none)

Bug Description

Glance uses the decorator @utils.mutating to enforce read-only logic.
This requires using req.context.read_only of RequestContext.

```
import functools

from oslo_log import log as logging
from webob import exc

LOG = logging.getLogger(__name__)


def mutating(func):
    """Decorator to enforce read-only logic"""
    @functools.wraps(func)
    def wrapped(self, req, *args, **kwargs):
        # Attribute access: req.context must be a RequestContext, not a dict
        if req.context.read_only:
            msg = "Read-only access"
            LOG.debug(msg)
            raise exc.HTTPForbidden(msg, request=req,
                                    content_type="text/plain")
        return func(self, req, *args, **kwargs)
    return wrapped
```

Look at the logic in keystonemiddleware audit. It will overwrite req.context with the dict() of RequestContext.
```
    @webob.dec.wsgify
    def __call__(self, req):
        if req.method in self._ignore_req_list:
            return req.get_response(self._application)

        # Cannot use a RequestClass on wsgify above because the `req` object is
        # a `WebOb.Request` when this method is called so the RequestClass is
        # ignored by the wsgify wrapper.
        req.context = oslo_context.get_admin_context().to_dict()

        self._process_request(req)
        try:
            response = req.get_response(self._application)
        except Exception:
            self._process_response(req)
            raise
        else:
            self._process_response(req, response)
        return response
```

The problem is that the Keystone audit middleware and glance both need to use their own generated req.context.

Glance requires access to req.context.read_only,
and
the Keystone audit middleware requires iterating over req.context.

This problem still exists in the Stein release.

leehom (feli5)
Changed in keystonemiddleware:
assignee: nobody → leehom (feli5)
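The conflict described in the report, and the environ-key approach taken by the merged fix, reduced to a self-contained Python model. This is an added illustration, not code from keystonemiddleware or Glance: RequestContext, Request, update_image and the two audit_* functions are constructed stand-ins for oslo.context, webob.Request, a Glance controller method and the middleware's __call__.

```python
import functools

class RequestContext:          # stand-in for oslo.context RequestContext (constructed)
    def __init__(self, read_only=False):
        self.read_only = read_only

    def to_dict(self):
        return {"read_only": self.read_only, "is_admin": True}

class Request:                 # stand-in for webob.Request: context attribute + environ
    def __init__(self, context):
        self.context = context
        self.environ = {}

def mutating(func):
    """Glance-style guard: attribute access, so it needs a RequestContext object."""
    @functools.wraps(func)
    def wrapped(req, *args, **kwargs):
        if req.context.read_only:
            raise PermissionError("Read-only access")
        return func(req, *args, **kwargs)
    return wrapped

@mutating
def update_image(req):         # hypothetical write operation behind the guard
    return "updated"

def audit_broken(req, app):
    """Pre-fix: the audit dict replaces the application's own context."""
    req.context = RequestContext().to_dict()   # plain dict, no .read_only attribute
    return app(req)

def audit_fixed(req, app):
    """Post-fix: the audit dict lives in its own environ key, leaving req.context alone."""
    req.environ["audit.context"] = RequestContext().to_dict()
    for _key, _value in req.environ["audit.context"].items():
        pass                   # the audit code can iterate its own dict here
    return app(req)

def run(middleware, read_only):
    """Drive one request through the middleware; report the result or the failure."""
    req = Request(RequestContext(read_only=read_only))
    try:
        return middleware(req, update_image)
    except Exception as exc:
        return type(exc).__name__
```

With the pre-fix middleware every guarded call fails with AttributeError regardless of the caller's rights; with the fix the read-only check is enforced again.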
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/626226

Changed in keystonemiddleware:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/626226
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=82707e15a5bce8de2d33b1c865c96844c9770580
Submitter: Zuul
Branch: master

commit 82707e15a5bce8de2d33b1c865c96844c9770580
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware uses its own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>

Changed in keystonemiddleware:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware 6.0.0

This issue was fixed in the openstack/keystonemiddleware 6.0.0 release.

Supreeth Shivanand (supreeth90) wrote :

This seems to be a critical issue for enabling auditing for glance. It would be great if this fix could be backported to some 4.x.x version of keystonemiddleware. We are currently on pike, and this fix is currently not even part of rocky.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/656230

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/656232

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.opendev.org/656234

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (stable/rocky)

Reviewed: https://review.opendev.org/656230
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=47294755ab90b2c24a67836fb9321adc52b26bff
Submitter: Zuul
Branch: stable/rocky

commit 47294755ab90b2c24a67836fb9321adc52b26bff
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware uses its own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (stable/pike)

Reviewed: https://review.opendev.org/656234
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=ca2dede486ad22db37ee16d1152a495fd32f01c4
Submitter: Zuul
Branch: stable/pike

commit ca2dede486ad22db37ee16d1152a495fd32f01c4
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware uses its own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware 5.2.2

This issue was fixed in the openstack/keystonemiddleware 5.2.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (stable/queens)

Reviewed: https://review.opendev.org/656232
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=3f90a86b60e2798c4b7b7c95c90bb882567cb9e6
Submitter: Zuul
Branch: stable/queens

commit 3f90a86b60e2798c4b7b7c95c90bb882567cb9e6
Author: Leehom Li (feli5) <email address hidden>
Date: Wed Dec 19 15:52:03 2018 +0000

    Make sure audit middleware uses its own context

    Keystone audit middleware requires iterating req.context as a dict,
    but Glance requires access to req.context.read_only.
    When glance enables audit, they conflict with each other.
    This patch fixes this issue by storing the audit context in
    req.environ['audit.context']

    Change-Id: Ib9a62a4cd0b7b9ffb9fa2d6440e8072d45ee0fee
    Closes-Bug: #1809101
    Signed-off-by: Leehom Li <email address hidden>
    (cherry picked from commit 82707e15a5bce8de2d33b1c865c96844c9770580)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware pike-eol

This issue was fixed in the openstack/keystonemiddleware pike-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware queens-eol

This issue was fixed in the openstack/keystonemiddleware queens-eol release.
