author | Nikola Dipanov <ndipanov@redhat.com> | 2015-04-01 14:35:13 +0100 |
---|---|---|
committer | Nikola Dipanov <ndipanov@redhat.com> | 2015-04-07 16:54:32 +0100 |
commit | 2ffcf18d00eff6fb0777769469c4aa5ac7bbb6c9 (patch) | |
tree | ff0825301c5884d7bca6c2fe3215e37d72d73135 /nova/consoleauth/manager.py | |
parent | bf70df295b0529da9f4381f52fc94d328fa2fdb3 (diff) | |
download | nova-2ffcf18d00eff6fb0777769469c4aa5ac7bbb6c9.tar.gz |
consoleauth: Store access_url on token authorization
Related-bug: 1409142
As part of the fix for the related bug, we added protocol checking
to mitigate MITM attacks; however, we base protocol checking on a config
option that is normally only intended for compute hosts.
This is quite user hostile, as it is now important that all nodes
running compute and proxy services have this option in sync.
We can do better than that - we can persist the URL the client is
expected to use, and once we get it back on token validation, we can
make sure that the request is using the intended protocol, mitigating
the MITM injected script attacks.
This patch makes sure that the access_url is persisted with the token -
the follow-up patch makes consoles use that info.
Change-Id: I02a377f54de46536ca35413b615d3298967afc33
Diffstat (limited to 'nova/consoleauth/manager.py')
-rw-r--r-- | nova/consoleauth/manager.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
index 9555404f59..3ad341bb12 100644
--- a/nova/consoleauth/manager.py
+++ b/nova/consoleauth/manager.py
@@ -47,7 +47,7 @@ CONF.import_opt('enable', 'nova.cells.opts', group='cells')
 class ConsoleAuthManager(manager.Manager):
 """Manages token based authentication."""
- target = messaging.Target(version='2.0')
+ target = messaging.Target(version='2.1')
 def __init__(self, scheduler_driver=None, *args, **kwargs):
 super(ConsoleAuthManager, self).__init__(service_name='consoleauth',
@@ -65,7 +65,8 @@ class ConsoleAuthManager(manager.Manager):
 return tokens
 def authorize_console(self, context, token, console_type, host, port,
- internal_access_path, instance_uuid):
+ internal_access_path, instance_uuid,
+ access_url=None):
 token_dict = {'token': token,
 'instance_uuid': instance_uuid,
@@ -73,6 +74,7 @@ class ConsoleAuthManager(manager.Manager):
 'host': host,
 'port': port,
 'internal_access_path': internal_access_path,
+ 'access_url': access_url,
 'last_activity_at': time.time()}
 data = jsonutils.dumps(token_dict) |
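Review bot: The `access_url=None` default added to `authorize_console` (second hunk) means any caller still on RPC 2.0 yields a token whose persisted `'access_url'` is `None` (third hunk), and nothing in the new code documents how a consumer should treat that value. The commit message says the follow-up patch uses this field for the protocol check that mitigates the MITM issue, so a validator that simply skips the check when the field is `None` would silently lose that protection for such tokens, for example during a rolling upgrade. I would add a comment above the new dict entry, e.g. `# None when the caller predates RPC 2.1; consumers must fall back to an explicit protocol check, not skip it`, and extend the method docstring to describe `access_url` as the URL the client is expected to connect with. The body of `authorize_console` starts and continues outside these hunks, so how the stored token is later read back is not visible here.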