author | Alistair Coles <alistair.coles@hp.com> | 2015-02-05 15:01:50 +0000 |
committer | Jamie Lennox <jamielennox@redhat.com> | 2015-03-06 05:20:56 +0000 |
commit | c682b07a4f7ce8d66dbee9976582edf0bc3ff2c6 (patch) | |
tree | 933d798d579815c4870dda158646f570bc426cfc /keystonemiddleware/auth_token/__init__.py | |
parent | 249d9ddb8e05b10d7db9b63bdb99103949512c88 (diff) | |
Delay denial when service token is invalid
This patch modifies AuthProtocol to defer authentication
to a downstream service if an invalid service token is found
and delay_auth_decision is True. This makes the behavior for
an invalid service token similar to that for an invalid user
token.
This is required by Swift because multiple auth middlewares
may co-exist, and auth_token will currently deny a request
on detecting an invalid service token when that service token
is in fact intended to be validated by another downstream auth
middleware. This is precisely the configuration used in
devstack which configures both authtoken and tempauth in
the Swift proxy pipeline [1].
Swift support for service tokens is currently in review [2]
and functional tests will not pass using devstack without the
change proposed here.
[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
DocImpact
SecurityImpact
Closes-Bug: #1422389
Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
Diffstat (limited to 'keystonemiddleware/auth_token/__init__.py')
-rw-r--r-- | keystonemiddleware/auth_token/__init__.py | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 0d4b41e..98010ed 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -69,10 +69,15 @@
 will be added. They take the same form as the standard headers but add
 '_SERVICE_'. These headers will not exist in the environment if no service
 token is present.
-HTTP_X_IDENTITY_STATUS
+HTTP_X_IDENTITY_STATUS, HTTP_X_SERVICE_IDENTITY_STATUS
     'Confirmed' or 'Invalid'
     The underlying service will only see a value of 'Invalid' if the Middleware
-    is configured to run in 'delay_auth_decision' mode
+    is configured to run in 'delay_auth_decision' mode. As with all such
+    headers, HTTP_X_SERVICE_IDENTITY_STATUS will only exist in the
+    environment if a service token is presented. This is different than
+    HTTP_X_IDENTITY_STATUS which is always set even if no user token is
+    presented. This allows the underlying service to determine if a
+    denial should use 401 or 403.
 
 HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
     Identity service managed unique identifier, string. Only present if
@@ -938,11 +943,16 @@ class AuthProtocol(object):
                 serv_headers = self._build_service_headers(serv_token_info)
                 self._add_headers(env, serv_headers)
             except exc.InvalidToken:
-                # Delayed auth not currently supported for service tokens.
-                # (Can be implemented if a use case is found.)
-                self._LOG.info(
-                    _LI('Invalid service token - rejecting request'))
-                return self._reject_request(env, start_response)
+                if self._delay_auth_decision:
+                    self._LOG.info(
+                        _LI('Invalid service token - deferring reject '
+                            'downstream'))
+                    self._add_headers(env,
+                                      {'X-Service-Identity-Status': 'Invalid'})
+                else:
+                    self._LOG.info(
+                        _LI('Invalid service token - rejecting request'))
+                    return self._reject_request(env, start_response)
 
         env['keystone.token_auth'] = _UserAuthPlugin(user_auth_ref,
                                                      serv_auth_ref)
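Review bot: The new docstring text for HTTP_X_SERVICE_IDENTITY_STATUS says when the header exists but not which value a downstream service may rely on, and with this change the header has three states: absent (no service token presented), 'Confirmed' (set by _build_service_headers in a later hunk) and 'Invalid' (set by the deferral branch in the next hunk). I would add after "denial should use 401 or 403." a sentence such as `Services must treat only the literal value 'Confirmed' as a validated service token; an absent header means no service token was presented, not that one was validated.` so that a consumer does not implement the check as "not 'Invalid'". Minor wording: "different than" reads better as "different from".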
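Review bot: In the new deferral branch control falls through to `env['keystone.token_auth'] = _UserAuthPlugin(user_auth_ref, serv_auth_ref)` after adding `X-Service-Identity-Status: Invalid`; whether `serv_auth_ref` is still None at that point (so the auth plugin carries no service identity for a token that failed validation) depends on where it is assigned, which lies outside this hunk and should be confirmed with a test for the delay path. The removed comment documented why delayed auth was not supported, but nothing documents the contract the branch now implements; I would add `# delay_auth_decision: the downstream auth middleware decides. Only the 'Invalid' status header is added here; the service headers built above are not, because the token did not validate.` above the `if`. The deferral is only safe because the inbound `X-Service-Identity-Status` header is stripped before this point, which the later _remove_auth_headers hunk takes care of; a comment cross-referencing that would help the next reader. The enclosing method starts and ends outside the hunk.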
@@ -967,6 +977,7 @@ class AuthProtocol(object):
         """
         auth_headers = ['X-Service-Catalog',
                         'X-Identity-Status',
+                        'X-Service-Identity-Status',
                         'X-Roles',
                         'X-Service-Roles']
         for key in six.iterkeys(_HEADER_TEMPLATE):
@@ -1164,6 +1175,7 @@ class AuthProtocol(object):
         roles = ','.join(auth_ref.role_names)
 
         rval = {
+            'X-Service-Identity-Status': 'Confirmed',
             'X-Service-Roles': roles,
         }
 