Go to file

Alistair Coles c682b07a4f Delay denial when service token is invalid

This patch modifies AuthProtocol to defer authentication
to a downstream service if an invalid service token is found
and delay_auth_decision is True. This makes the behavior for
an invalid service token similar to that for an invalid user
token.

This is required by Swift because multiple auth middlewares
may co-exist, and auth_token will currently deny a request
on detecting an invalid service token when that service token
is in fact intended to be validated by another downstream auth
middleware. This is precisely the configuration used in
devstack which configures both authtoken and tempauth in
the Swift proxy pipeline [1].

Swift support for service tokens is currently in review [2]
and functional tests will not pass using devstack without the
change proposed here.

[1] https://github.com/openstack-dev/devstack/blob/master/lib/swift#L396
[2] change I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30

DocImpact
SecurityImpact
Closes-Bug: #1422389

Change-Id: Ic9402ef35ce3dd7c905d868a9eff7db5f3a4a40b

2015-03-06 05:20:56 +00:00

doc

Delay denial when service token is invalid

2015-03-06 05:20:56 +00:00

examples/pki

Example JSON files should be human-readable

2014-07-22 11:48:27 -04:00

keystonemiddleware

Delay denial when service token is invalid

2015-03-06 05:20:56 +00:00

tools

Use oslo_debug_helper and remove our own version

2014-09-09 10:18:51 -04:00

.coveragerc

Initial commit

2014-06-19 15:45:29 -07:00

.gitignore

Update .gitignore files

2014-06-20 07:23:39 -07:00

.gitreview

Initial commit

2014-06-19 15:45:29 -07:00

.testr.conf

Initial commit

2014-06-19 15:45:29 -07:00

babel.cfg

Initial commit

2014-06-19 15:45:29 -07:00

CONTRIBUTING.rst

Workflow documentation is now in infra-manual

2014-12-05 03:30:37 +00:00

HACKING.rst

Update python-keystoneclient reference

2014-10-28 22:28:56 -03:00

LICENSE

Initial commit

2014-06-19 15:45:29 -07:00

MANIFEST.in

Update MANIFEST.in

2014-06-19 17:30:35 -07:00

openstack-common.conf

Sync with oslo-incubator

2015-02-09 13:13:20 -05:00

README.rst

add CONTRIBUTING.rst

2014-06-30 14:07:56 -05:00

requirements.txt

Updated from global requirements

2015-02-20 13:52:04 +00:00

setup.cfg

Merge "Mark keystonemiddleware as being a universal wheel"

2014-07-28 22:53:17 +00:00

setup.py

Updated from global requirements

2014-07-21 16:24:10 +00:00

test-requirements-py3.txt

Updated from global requirements

2015-02-09 18:24:10 +00:00

test-requirements.txt

Merge "Add python-memcached to test-requirements"

2015-02-07 08:10:31 +00:00

tox.ini

Merge "Add python-memcached to test-requirements"

2015-02-07 08:10:31 +00:00

README.rst

Middleware for the OpenStack Identity API (Keystone)

This package contains middleware modules designed to provide authentication and authorization features to web services other than Keystone <https://github.com/openstack/keystone>. The most prominent module is keystonemiddleware.auth_token. This package does not expose any CLI or Python API features.

The source is available on GitHub at:

http://github.com/openstack/keystonemiddleware

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystonemiddleware

For any other information, refer to the parent project, Keystone:

https://github.com/openstack/keystone

For information on contributing, see CONTRIBUTING.rst.