[Openstack-security] [openstack/keystonemiddleware] SecurityImpact review request change Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
    gerrit2 at review.openstack.org 
    Fri Mar  6 05:21:03 UTC 2015
    
    
  
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/153247
Log:
commit c682b07a4f7ce8d66dbee9976582edf0bc3ff2c6
Author: Alistair Coles <alistair.coles at hp.com>
Date:   Thu Feb 5 15:01:50 2015 +0000
    Delay denial when service token is invalid
    
    This patch modifies AuthProtocol to defer authentication
    to a downstream service if an invalid service token is found
    and delay_auth_decision is True. This makes the behavior for
    an invalid service token similar to that for an invalid user
    token.
    
    This is required by Swift because multiple auth middlewares
    may co-exist, and auth_token will currently deny a request
    on detecting an invalid service token when that service token
    is in fact intended to be validated by another downstream auth
    middleware. This is precisely the configuration used in
    devstack which configures both authtoken and tempauth in
    the Swift proxy pipeline [1].
    
    Swift support for service tokens is currently in review [2]
    and functional tests will not pass using devstack without the
    change proposed here.
    
    [1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
    [2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
    
    DocImpact
    SecurityImpact
    Closes-Bug: #1422389
    
    Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b
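
Added example, not part of the original message and not keystonemiddleware code: a toy WSGI model of the behaviour the commit message describes, showing that once denial is deferred, a downstream service that ignores the result lets an invalid service token through. The `X-Identity-Status` / `X-Service-Identity-Status` keys and their `Confirmed` / `Invalid` values follow keystonemiddleware's documented status headers; the token set, all function names and the fail-closed downstream policy are assumptions.

```python
# Toy model, not keystonemiddleware code. Tokens below are constructed samples.
VALID_TOKENS = {"user-ok", "svc-ok"}
CHECKS = (("HTTP_X_AUTH_TOKEN", "HTTP_X_IDENTITY_STATUS", True),
          ("HTTP_X_SERVICE_TOKEN", "HTTP_X_SERVICE_IDENTITY_STATUS", False))

def auth_token_filter(app, delay_auth_decision):
    """Simplified stand-in for auth_token (hypothetical helper)."""
    def middleware(environ, start_response):
        for _, status_key, _ in CHECKS:
            environ.pop(status_key, None)  # never trust client-supplied status
        for token_key, status_key, required in CHECKS:
            token = environ.get(token_key)
            if token is None and not required:
                continue  # no service token presented: nothing to validate
            valid = token in VALID_TOKENS
            environ[status_key] = "Confirmed" if valid else "Invalid"
            if not valid and not delay_auth_decision:
                start_response("401 Unauthorized", [])  # deny immediately
                return [b""]
        return app(environ, start_response)  # decision deferred downstream
    return middleware

def enforcing_app(environ, start_response):
    """Downstream service that makes the deferred decision, failing closed."""
    user_ok = environ.get("HTTP_X_IDENTITY_STATUS") == "Confirmed"
    service_bad = environ.get("HTTP_X_SERVICE_IDENTITY_STATUS") == "Invalid"
    status = "200 OK" if user_ok and not service_bad else "401 Unauthorized"
    start_response(status, [])
    return [b""]

def naive_app(environ, start_response):
    """Downstream service that ignores the status headers (the risky case)."""
    start_response("200 OK", [])
    return [b""]

def call(app, **headers):
    """Send one request through a WSGI app and return its status line."""
    seen = {}
    environ = dict({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, **headers)
    list(app(environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"]

# Constructed request: valid user token, invalid service token.
BAD = {"HTTP_X_AUTH_TOKEN": "user-ok", "HTTP_X_SERVICE_TOKEN": "forged"}

if __name__ == "__main__":
    for name, app in (("enforcing", enforcing_app), ("naive", naive_app)):
        for delay in (False, True):
            print(name, "delay =", delay, "->", call(auth_token_filter(app, delay), **BAD))
```

With `delay_auth_decision` set, only the pipeline ending in `enforcing_app` still rejects the invalid service token, which is the review point for every service placed behind a deferring `auth_token`.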
    
    