openstack
/
keystonemiddleware
Code Issues Proposed changes
keystonemiddleware/releasenotes/notes
History
Tim Burke da5932affc Respect delay_auth_decision when Keystone is unavailable 
The delay_auth_decision option has two main uses:

  1. Allow a service to provide its own auth mechanism, separate from
     auth tokens (like Swift's tempurl middleware).
  2. Allow a service to integrate with multiple auth middlewares which
     may want to use the same X-Auth-Token header.

The first case works fine even when the service has trouble talking to
Keystone -- the client doesn't send an X-Auth-Token header, so we never
even attempt to contact Keystone.

The second case can be problematic, however. The client will provide
some token, and we don't know whether it's valid for Keystone, the other
auth system, or neither. We have to *try* contacting Keystone, but if
that was down we'd previously return a 503 without ever trying the other
auth system. As a result, a Keystone failure results in a total system
failure.

Now, when delay_auth_decision is True and we cannot determine whether a
token is valid or invalid, we'll instead declare the token invalid and
defer the rejection. As a result, Keystone failures only affect Keystone
users, and tokens issued by the other auth system may still be validated
and used.

Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
 		2018-09-11 07:54:43 -06:00
..
.placeholder Add release notes for keystonemiddleware 2015-11-29 20:04:01 -05:00
allow-expired-5ddbabcffc5678af.yaml Pass ?allow_expired 2016-12-15 16:15:35 +00:00
authprotocol-accepts-oslo-config-config-a37212b60f58e154.yaml Fix typo 'olso' to 'oslo' 2016-06-23 12:45:42 +05:30
bug-1490804-87c0ff8e764945c1.yaml auth_token verify revocation by audit_id 2015-12-17 10:55:58 -06:00
bug-1544840-a534127f8663e40f.yaml Adding audit middleware specific notification driver conf 2016-05-13 11:24:03 -07:00
bug-1583690-da67472d7afff0bf.yaml Determine project name from oslo_config or local config 2016-05-24 16:41:23 -07:00
bug-1583699-dba4fe6c057e2be5.yaml Make sure audit can handle API requests which does not require a token 2016-05-31 00:16:35 +00:00
bug-1583702-a4469dc1556878b9.yaml use local config options if available in audit middleware 2016-06-24 13:47:16 +00:00
bug-1677308-a2fa7de67f21cd84.yaml Replace pycrypto with cryptography 2017-05-22 16:52:37 -05:00
bug-1695038-2cbedcabf8ecc057.yaml Add option to disable using oslo_message notifier 2018-02-20 11:26:22 +01:00
bug-1737115-fa3d41e3d3cd7177.yaml rel-note and doc for lazy loading of oslo_cache 2017-12-13 11:57:54 +01:00
bug-1737119-4afe548d28fbf8bb.yaml cfg.CONF must not be used directly 2017-12-20 15:07:57 +00:00
bug-1747655-6e563d9317bb0f13.yaml Identify the keystone service when raising 503 2018-02-20 17:32:41 +01:00
bug-1762362-3d092b15c7bab3a4.yaml Double quote www_authenticate_uri 2018-04-12 12:05:38 +08:00
bug-1766731-3b29192cfeb77964.yaml Introduce new header for system-scoped tokens 2018-05-02 19:15:16 +00:00
bug-1782404-c4e37bbc83756a89.yaml Fix KeystoneMiddleware memcachepool abstraction 2018-07-18 11:56:43 -07:00
bug-1789351-102e2e5119be38b4.yaml No need to compare CONF content 2018-09-07 10:38:14 +08:00
bug_1540115-677cf5016bc46348.yaml Use extras for oslo.messaging dependency 2016-06-28 23:56:47 +00:00
delay_auth_instead_of_503-f9b46bf4fbc11455.yaml Respect delay_auth_decision when Keystone is unavailable 2018-09-11 07:54:43 -06:00
deprecate-caching-tokens-in-process-a412b0f1dea84cb9.yaml Deprecate in-process cache 2016-01-22 11:01:41 -06:00
ksm_4.1.0-3cd78446d8e63616.yaml create release notes for ksm 4.1.0 2016-01-12 14:19:11 -05:00
remove_kwargs_to_fetch_token-20e3451ed192ab6a.yaml Remove kwargs_to_fetch_token 2018-02-22 02:19:06 +00:00
rename-auth-uri-d223d883f5898aee.yaml Rename auth_uri to www_authenticate_uri 2017-10-11 14:00:49 +02:00
s3token_auth_uri-490c1287d90b9df7.yaml s3token config with auth URI 2016-05-03 16:31:17 -05:00
x-is-admin-project-header-97f1882e209fe727.yaml Pass X_IS_ADMIN_PROJECT header from auth_token 2016-06-21 12:09:12 +10:00