Reviewed: https://review.openstack.org/198931 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c29ff68a6f91d020ee248f70ba6f2a7a2801013b Submitter: Jenkins Branch: master
commit c29ff68a6f91d020ee248f70ba6f2a7a2801013b Author: Brant Knudson <bknud...@us.ibm.com> Date: Mon Jul 6 19:51:48 2015 -0500 AuthContextMiddleware admin token handling The AuthContextMiddleware shouldn't be re-implementing the AdminTokenAuthMiddleware but using the request environment context setting that the admin token middleware sets up. This makes it so that admin token handling is in one place rather than duplicating it and allows for an alternative implementation of the admin token middleware. The old behavior is left in place as deprecated to be removed in a future release. ReleaseNotesImpact - The paste.ini file is changed to put the admin token middleware first so that the auth context middleware can use the results. It's deprecated to have the admin token middleware after the auth context middleware. Closes-Bug: 1473553 Change-Id: I658213699ac4af0abd08f893d9cf18ef0af5827d ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1473553 Title: AuthContextMiddleware re-implements AdminToken Status in OpenStack Identity (keystone): Fix Released Bug description: AuthContextMiddleware essentially re-implements the default AdminTokenAuthMiddleware: class AdminTokenAuthMiddleware(wsgi.Middleware): ... context['is_admin'] = (token == CONF.admin_token) class AuthContextMiddleware(wsgi.Middleware): ... if token_id == CONF.admin_token: The problem is, what if someone decides they want to implement their own `AdminTokenAuthMiddleware` that implements "admin token" differently. For example, using a special client certificate instead. This should be possible, but it's not because AuthContextMiddleware decided to re-implement AdminTokenAuthMiddleware rather than using its output (the setting of is_admin in the context. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1473553/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp