Commit Graph

148 Commits

Author SHA1 Message Date
Jorge Merlino e05466c5f4 Remove cache invalidation when using expired token
This can create a race condition for long-running services that reuse
their token (e.g. the Kubernetes Cinder CSI plugin), in this case for
example:

1 [user] Asks nova to attach a volume to a server
2 ...the user's token expires
3 [user] Asks cinder if the volume has been attached
4 [nova] Asks cinder to attach the volume

In step 3 the token is marked as invalid in the cache and step 4 fails
even if allow_expired is true

Closes-Bug: #1987355
Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e
2022-12-12 20:16:14 +00:00
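The four-step race from the commit message, replayed against a toy validation cache. This is an added illustration and not keystonemiddleware's own code: the in-memory TokenCache, the stand-in fetch_from_keystone validator and the token/expiry values are constructed for the example (the real middleware caches in memcached/oslo.cache and validates against keystone). The invalidate_on_expiry flag switches between the pre-fix behaviour (an expired token is written back as a negative cache entry) and the fixed one.

```python
"""Replay of the expired-token cache race described in the commit above."""


class TokenCache:
    """Minimal validation cache keyed by token.  Stores either the token
    data or the INVALID sentinel (a negative cache entry)."""
    INVALID = object()

    def __init__(self):
        self._data = {}

    def get(self, token):
        return self._data.get(token)

    def set(self, token, value):
        self._data[token] = value

    def set_invalid(self, token):
        self._data[token] = self.INVALID


def fetch_from_keystone(token, allow_expired, now, issued):
    """Stand-in for server-side validation.  `issued` maps token ->
    (user, expires_at).  With allow_expired the server still returns an
    expired (but otherwise valid) token."""
    if token not in issued:
        return None
    user, expires_at = issued[token]
    if now >= expires_at and not allow_expired:
        return None
    return {"user": user, "expires_at": expires_at}


def validate(cache, token, allow_expired, now, issued, invalidate_on_expiry):
    """Validate `token`, consulting the cache first.

    invalidate_on_expiry=True reproduces the pre-fix behaviour: when a
    cached token turns out to be expired for a caller that may not use
    expired tokens, it is written back as INVALID.  Any later caller, even
    one passing allow_expired=True, then hits the negative entry.  With
    False the cached data is left alone and only this request is refused.
    """
    cached = cache.get(token)
    if cached is TokenCache.INVALID:
        return None                       # negative cache hit
    if cached is not None:
        if now < cached["expires_at"] or allow_expired:
            return cached
        if invalidate_on_expiry:
            cache.set_invalid(token)      # the step-3 side effect
        return None
    data = fetch_from_keystone(token, allow_expired, now, issued)
    if data is None:
        cache.set_invalid(token)
        return None
    cache.set(token, data)
    return data


def run_scenario(invalidate_on_expiry):
    """Steps 1-4 from the commit message.  Returns the result of step 4,
    the service-side request that passes allow_expired=True."""
    issued = {"tok": ("alice", 100)}      # constructed: expires at t=100
    cache = TokenCache()
    # 1. user -> nova at t=50: token valid, cached
    assert validate(cache, "tok", False, 50, issued, invalidate_on_expiry)
    # 2. ...the token expires (t=150)
    # 3. user -> cinder at t=150 without allow_expired: refused
    assert validate(cache, "tok", False, 150, issued, invalidate_on_expiry) is None
    # 4. nova -> cinder at t=150 with a service token, allow_expired=True
    return validate(cache, "tok", True, 150, issued, invalidate_on_expiry)


if __name__ == "__main__":
    print("before fix:", run_scenario(True))    # None: step 4 fails
    print("after fix: ", run_scenario(False))   # token data: step 4 succeeds
```

Note that step 3 is a legitimate refusal either way; the fix only stops that refusal from poisoning the cache for the service-side caller that is entitled to use the expired token.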
Andreas Jaeger f32fcc6623 Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Blacklist:
W504 line break after binary operator
W503 line break before binary operator

Fix other problems found

Change-Id: I2fb257a4f42b499df3702f3e8f3c99ecb28557d6
2020-03-30 10:32:07 +00:00
Sean McGinnis 4d6e9cb162 Fix DeprecationWarning: invalid escape sequence issues
Some regex strings contain invalid escape sequences for normal strings,
causing newer version of Python to emit DeprecationWarning messages.
This updates those instances to raw strings so they are not interpreted
as invalid.

Change-Id: I28ac26516bacab36578a5a7f6ec7f9dcf7d7eeb1
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2019-11-13 07:16:33 -06:00
Colleen Murphy 5f093bf5ee Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377

Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
2019-07-15 16:05:59 -07:00
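A check of the kind the commit describes, written as an added example rather than the middleware's implementation. Assumptions: the token payload shape (an access_rules list of service/method/path dicts), the rule syntax ({name} matches exactly one path segment, * matches any remainder), the name and value of the capability header advertised to keystone, and that the middleware knows its own service type (for instance from a config option). The sample token is constructed.

```python
"""Enforcing application-credential access rules in front of a service."""
import re

# Header sent with the validation request to tell keystone this middleware
# enforces access rules.  Name and value are assumptions for this example.
ACCESS_RULES_HEADER = ("OpenStack-Identity-Access-Rules", "1.0")


def path_pattern_to_regex(pattern):
    """Compile a rule path into an anchored regex."""
    parts = []
    for piece in re.split(r'(\{[^{}]*\}|\*)', pattern):
        if piece == '*':
            parts.append('.*')              # any remainder, slashes included
        elif piece.startswith('{') and piece.endswith('}'):
            parts.append('[^/]+')           # exactly one path segment
        else:
            parts.append(re.escape(piece))
    return re.compile('^' + ''.join(parts) + '$')


def request_allowed(token, service_type, method, path, has_service_token):
    """Decide whether a request authenticated by `token` may proceed.

    - No 'access_rules' in the token: not a restricted app cred, allow.
    - A service token is present: service-to-service call made on the
      user's behalf (nova -> glance); the user's rules do not apply.
    - Otherwise at least one rule must match service, method and path.
    """
    rules = token.get("access_rules")
    if rules is None:
        return True
    if has_service_token:
        return True
    for rule in rules:
        if rule["service"] != service_type:
            continue
        if rule["method"].upper() != method.upper():
            continue
        if path_pattern_to_regex(rule["path"]).match(path):
            return True
    return False


# Constructed token payloads for the checks below.
APP_CRED_TOKEN = {
    "user": {"id": "u1"},
    "access_rules": [
        {"service": "compute", "method": "GET",
         "path": "/v2.1/servers/{server_id}"},
        {"service": "compute", "method": "POST",
         "path": "/v2.1/servers/{server_id}/action"},
        {"service": "image", "method": "GET", "path": "/v2/images/*"},
    ],
}
PLAIN_TOKEN = {"user": {"id": "u2"}}


if __name__ == "__main__":
    checks = [
        ("compute", "GET", "/v2.1/servers/abc", False),        # allowed
        ("compute", "DELETE", "/v2.1/servers/abc", False),     # method not listed
        ("compute", "GET", "/v2.1/servers/abc/ips", False),    # {server_id} is one segment
        ("image", "GET", "/v2/images/i1/file", False),         # '*' covers the rest
        ("image", "DELETE", "/v2/images/i1", True),            # service token bypass
    ]
    for svc, m, p, st in checks:
        print(svc, m, p, "service-token" if st else "",
              request_allowed(APP_CRED_TOKEN, svc, m, p, st))
```

The service-token bypass is the point to think about when deploying: it is only safe because the service making the call is itself authenticated with its own token, so a user cannot add an X-Service-Token of their own to escape the rules.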
Morgan Fainberg b3e84aafc0 Remove PKI/PKIZ support
Keystone server no longer supports PKI/PKIZ. This change removes
keystonemiddleware's support of PKI/PKIZ and associated code.

Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
closes-bug: #1649735
partial-bug: #1736985
2019-06-19 12:16:47 -07:00
Jens Harbott f6037a3d50 Add a new option to choose the Identity endpoint
Previously the admin Identity endpoint was hardcoded to be used. Now
that keystone has dropped v2 support, deploying an admin Identity
endpoint is no longer useful, so allow this to be changed by the
deployer. Keep the default as using the `admin` endpoint, but create
a deprecation message so that we can change the default in the future.

Partial-Bug: 1830002
Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
2019-06-03 10:34:25 +00:00
ZhongShengping caa899b93d Fix service_token_role_required option
The service_token_roles_required should be correct.

Change-Id: I009e3a495953d61fb0c29a8b629efa3322cb0ddd
2019-02-15 08:35:24 +08:00
Yang Youseok 4e51cb8e6b Add auth invalidation in auth_token for identity endpoint update
Currently the auth_token middleware does not handle identity endpoint
updates, since the service catalog is not updated after a service using
the auth_token middleware has started.

Add invalidation logic when an EndpointNotfound exception occurs so
that the auth_token middleware can be notified of a service catalog update
without a restart.

Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
Closes-Bug: #1813739
2019-02-07 12:14:51 +09:00
Zuul 899aa07a64 Merge "Stop supporting revocation list" 2018-11-07 10:09:35 +00:00
David Olorundare 67fc715838 Documentation Fix - auth_url Port Number
Made a small fix to the documentation - replacing
the current auth_url port number 35357, in the
configuration section of the [keystone_authtoken],
with 5000.

This was based on an online conversation with Colleen;
with the removal of the v2 API from keystone the project
now recommends use of port 5000 instead of the previous one.

Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95
2018-11-05 09:08:56 -06:00
Morgan Fainberg 7e1b536259 Stop supporting revocation list
With keystone's move to eliminating pki, pkiz, and uuid tokens the
revocation list is no longer generated. Keystonemiddleware no longer
needs to attempt to retrieve it and reference it.

Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
closes-bug: #1361743
partial-bug: #1649735
partial-bug: #1736985
2018-10-30 19:36:51 +00:00
Tim Burke da5932affc Respect delay_auth_decision when Keystone is unavailable
The delay_auth_decision option has two main uses:

  1. Allow a service to provide its own auth mechanism, separate from
     auth tokens (like Swift's tempurl middleware).
  2. Allow a service to integrate with multiple auth middlewares which
     may want to use the same X-Auth-Token header.

The first case works fine even when the service has trouble talking to
Keystone -- the client doesn't send an X-Auth-Token header, so we never
even attempt to contact Keystone.

The second case can be problematic, however. The client will provide
some token, and we don't know whether it's valid for Keystone, the other
auth system, or neither. We have to *try* contacting Keystone, but if
that was down we'd previously return a 503 without ever trying the other
auth system. As a result, a Keystone failure results in a total system
failure.

Now, when delay_auth_decision is True and we cannot determine whether a
token is valid or invalid, we'll instead declare the token invalid and
defer the rejection. As a result, Keystone failures only affect Keystone
users, and tokens issued by the other auth system may still be validated
and used.

Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
2018-09-11 07:54:43 -06:00
wangxiyuan 4fb7fef1ea No need to compare CONF content
When setting up the AuthProtocol class, if the CONF object contains
deprecated options, an error "dictionary changed size during
iteration" will be raised when comparing the CONF content.

Change "!=" to "is not" here to avoid comparing the CONF
content anymore.

Change-Id: I820aa244160db4f81149d2576386c86b46de0084
Closes-bug: #1789351
2018-09-07 10:38:14 +08:00
Tim Burke 86904543eb Handle DiscoveryFailure errors
DiscoveryFailures can happen for a variety of reasons, ranging
from service misconfiguration to a keystone outage to a transient
network failure. If we don't catch and handle the failure here,
it will almost certainly cause something further up the WSGI stack
to send a 500 Internal Error (and likely log a traceback).

A log line like

    Unable to validate token: Could not find versioned identity
    endpoints when attempting to authenticate. Please check that
    your auth_url is correct. Unable to establish connection to
    http://keystone:35357: HTTPConnectionPool(host='keystone',
    port=35357): Max retries exceeded with url: / (Caused by
    NewConnectionError('<urllib3.connection.HTTPConnection
    object at 0x7fc53e22e050>: Failed to establish a new
    connection: [Errno 111] ECONNREFUSED',))

should be plenty enough for an operator to assess the situation;
I don't need a 29-frame traceback.

Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
2018-08-01 23:26:13 +00:00
Lance Bragstad 245c91f2e3 Introduce new header for system-scoped tokens
Keystonemiddleware attempts to parse user/service tokens and populate
request headers for other services to consume. This information is
important for services looking to build oslo.context objects from
request environments.

Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
Closes-Bug: 1766731
2018-05-02 19:15:16 +00:00
wangxiyuan a78a25ea23 Double quote www_authenticate_uri
Based on the RFCs[1], in an HTTP header a string of text is parsed
as a single value if it is quoted using double-quote marks.

This patch changes the single quotes to double quotes in the
"WWW-Authenticate" header returned when a 401 error is raised.

[1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
     https://tools.ietf.org/html/rfc7235#section-2.1

Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
Closes-bug: #1762362
2018-04-12 12:05:38 +08:00
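Why the quoting matters, shown with an added example (not the middleware's code): the challenge is built the way the commit describes and then parsed with a small auth-param parser written from the RFC 7230 token / quoted-string and RFC 7235 auth-param grammar. The single quote is a legal tchar, so a single-quoted URI parses as a token that stops at the first ':' and leaves the rest of the header unreadable; the double-quoted form is one quoted-string. The example URI is constructed.

```python
"""Building and parsing a WWW-Authenticate challenge per RFC 7235."""
import re

# RFC 7230 3.2.6: tchar includes the single quote but not ':' or '/'.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(r"(%s)=(%s|%s)" % (TOKEN, QUOTED_STRING, TOKEN))


def www_authenticate(uri, scheme="Keystone"):
    """The challenge sent with a 401, with the value as a quoted-string."""
    return '%s uri="%s"' % (scheme, uri)


def parse_challenge(header):
    """Parse '<scheme> name=value, name=value' per RFC 7235 2.1.

    Returns (scheme, params, leftover).  A non-empty leftover means part of
    the header could not be read as auth-params, i.e. it is malformed.
    """
    m = re.match(r"(%s)\s*" % TOKEN, header)
    scheme, rest = m.group(1), header[m.end():]
    params = {}
    while rest:
        m = AUTH_PARAM.match(rest)
        if not m:
            break
        name, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # unescape quoted-pair
        params[name.lower()] = value
        rest = rest[m.end():].lstrip()
        if not rest.startswith(","):
            break
        rest = rest[1:].lstrip()
    return scheme, params, rest


if __name__ == "__main__":
    uri = "https://keystone.example:5000/"        # constructed
    print(parse_challenge(www_authenticate(uri)))
    print(parse_challenge("Keystone uri='%s'" % uri))
```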
Zuul 0b02fe90c6 Merge "Remove kwargs_to_fetch_token" 2018-04-04 19:05:55 +00:00
wangxiyuan 8e9255d56d Remove kwargs_to_fetch_token
kwargs_to_fetch_token was deprecated and should be
removed in Rocky now.

Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
2018-02-22 02:19:06 +00:00
Chris Dent d3352ff422 Identify the keystone service when raising 503
When keystonemiddleware is used directly in the WSGI stack of an
application, the 503 that is raised when the keystone service errors
or cannot be reached needs to identify that keystone is the service
that has failed; otherwise it appears to the client that the
service they are trying to access is down, which is misleading.

This addresses the problem in the most straightforward way possible:
the exception that causes the 503 is given a message including the
word "Keystone".

The call method in BaseAuthTokenTestCase gains an
expected_body_string kwarg. If not None, the response body (as
a six.text_type) is compared with the value.

Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
Closes-Bug: #1747655
Closes-Bug: #1749797
2018-02-20 17:32:41 +01:00
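The three commits above (Respect delay_auth_decision when Keystone is unavailable, Handle DiscoveryFailure errors, Identify the keystone service when raising 503) describe one decision path, shown here as an added example that is not keystonemiddleware's own code. The validator callable, the IdentityUnavailable/TokenInvalid exceptions, the tuple-returning WSGI-like apps and the "tempauth-" token format of the second auth system are constructed stand-ins for keystoneauth's calls and the errors they raise.

```python
"""Auth middleware behaviour when the Identity service cannot be reached."""


class IdentityUnavailable(Exception):
    """Stand-in for DiscoveryFailure / connection errors from keystoneauth."""


class TokenInvalid(Exception):
    """Keystone answered and rejected the token."""


class AuthMiddleware:
    def __init__(self, app, validator, delay_auth_decision=False):
        self.app = app
        self.validator = validator
        self.delay_auth_decision = delay_auth_decision
        self.log = []           # captured log lines, for inspection

    def _reject(self, environ):
        """Either defer to the next component or end the request with 401."""
        if self.delay_auth_decision:
            environ["HTTP_X_IDENTITY_STATUS"] = "Invalid"
            return self.app(environ)
        return (401, {"WWW-Authenticate": 'Keystone uri="https://keystone.example/"'}, b"")

    def __call__(self, environ):
        token = environ.get("HTTP_X_AUTH_TOKEN", "").strip()
        if not token:
            return self._reject(environ)   # nothing to validate; keystone not contacted
        try:
            info = self.validator(token)
        except TokenInvalid:
            return self._reject(environ)
        except IdentityUnavailable as exc:
            # One descriptive line, no traceback: enough for an operator.
            self.log.append("Unable to validate token: %s" % exc)
            if self.delay_auth_decision:
                # Valid or invalid is unknowable right now: treat as invalid
                # and defer, so tokens from another auth system still work.
                return self._reject(environ)
            # Name the failing service so the client does not blame this one.
            return (503, {"Content-Type": "text/plain"},
                    b"Keystone authentication service unavailable")
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = info["user_id"]
        return self.app(environ)


def second_auth_app(environ):
    """Hypothetical next component: a second auth system that accepts its
    own 'tempauth-...' tokens when Keystone did not confirm the request."""
    if environ.get("HTTP_X_IDENTITY_STATUS") == "Confirmed":
        return (200, {}, b"keystone user " + environ["HTTP_X_USER_ID"].encode())
    if environ.get("HTTP_X_AUTH_TOKEN", "").startswith("tempauth-"):
        return (200, {}, b"tempauth user")
    return (401, {}, b"")


def make_validator(keystone_up):
    def validate(token):
        if not keystone_up:
            raise IdentityUnavailable(
                "Could not find versioned identity endpoints when attempting "
                "to authenticate (ECONNREFUSED)")   # constructed message
        if token == "ks-good":
            return {"user_id": "alice"}
        raise TokenInvalid(token)
    return validate


def run(token, keystone_up, delay_auth_decision):
    """Return the HTTP status the client sees for one request."""
    mw = AuthMiddleware(second_auth_app, make_validator(keystone_up),
                        delay_auth_decision)
    environ = {} if token is None else {"HTTP_X_AUTH_TOKEN": token}
    status, _headers, _body = mw(environ)
    return status


if __name__ == "__main__":
    for args in [("ks-good", True, False), ("tempauth-x", False, False),
                 ("tempauth-x", False, True), ("ks-good", False, True)]:
        print(args, "->", run(*args))
```

With delay_auth_decision off, a Keystone outage turns every tokened request into a 503; with it on, only Keystone-issued tokens fail (as 401 from the downstream decision) while the other auth system keeps working.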
Mehdi Abaakouk 4531809d60 cfg.CONF must not be used directly
cfg.CONF must not be used directly, Config().oslo_conf_obj must be used
instead.

Closes-bug: #1737119

Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
2017-12-20 15:07:57 +00:00
Jamie Lennox 9d8e2836fe Use oslo_cache in auth_token middleware
Use the new oslo.cache library instead of using memcached directly.
This keeps the old options around and will continue to use those in
preference to the oslo.config library as there is no way to test whether
oslo.cache was explicitly configured to use that in preference.

Currently there are no messages or anything to deprecate the old options
until we've had a chance to test it in production environments.

Closes-Bug: #1523375
Change-Id: Ifccacc5db311ad538ce60191cbe221644d1a5807
Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
2017-12-01 16:36:40 -08:00
Zuul 6be663a79d Merge "Rename auth_uri to www_authenticate_uri" 2017-10-20 17:34:52 +00:00
Colleen Murphy 409b482253 Rename auth_uri to www_authenticate_uri
The [keystone_authtoken]/auth_uri middleware parameter has been causing
extreme confusion amongst operators and developers ever since the
keystonemiddleware started accepting keystoneauth plugin parameters
including auth_url. The two parameters look identical and yet have
completely different meanings and are both required. This patch
deprecates auth_uri and renames it to www_authenticate_uri, which more
accurately describes the WWW-Authenticate header it is configuring and
is dissimilar to any other keystone_authtoken middleware parameter. This
also renames the internal variable names for consistency with the config
option.

Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
2017-10-11 14:00:49 +02:00
Jamie Lennox 19e602c683 Issue a deprecation warning for validating PKI tokens
PKI tokens have been deprecated and removed from keystone server. To get
them removed from auth_token middleware we need to deprecate it.

We issue the warning when a successful validation has occurred, as all
incoming tokens get checked for whether we think they are PKI and we
try to decrypt them.

Change-Id: Ibc6e3378aa7c851335bcb9abbcc31572e6cef9e7
bp: deprecated-as-of-queens
2017-10-03 08:46:27 +11:00
Matthew Edmonds efb1fb99d8 strip whitespace from token
This change strips whitespace from incoming tokens to prevent errors
that are difficult for a caller to root cause.

Change-Id: I4b3fd18314c3ca94beb3b0c8c17280451d6c8755
Closes-Bug: #1689468
2017-07-31 16:16:37 -04:00
Lance Bragstad 13c2a15ae6 Update comment about fetch token kwargs
Jamie had a comment explaining the requirement of fetching tokens
with kwargs and the token. This was supposed to be required in Pike
but it was missed. This commit updates the comment to be relevant for
the Queens release instead.

Change-Id: Iaa2c3fb02e76a87865a4ae7f06c4e86cc5b9b991
2017-07-21 17:10:14 +00:00
Hangdong Zhang 4a72cd6c3b Update URLs in documentation
Update URLs according to OpenStack document migration.

Change-Id: Icb4232fcce79bb1ea121489122e578e3109b5e90
2017-07-20 16:38:16 +08:00
Van Hung Pham 8c017470ad Replace six.iteritems() with .items()
1. As mentioned in [1], we should avoid using
six.iteritems to obtain iterators.
We can use dict.items instead, as it will return
iterators in PY3 as well. And dict.items/keys will be more readable.

2. In py2, the performance impact of lists should be negligible, see link [2].

[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Change-Id: Id1cab2190424f1ac8b48cae43e4006f1d720be0c
2017-07-12 13:43:55 +07:00
D G Lee 50fcc70df1 Remove log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: I73ca5fc046ad04505b52ca93c9bbdbfd72405aed
2017-05-02 09:58:02 +08:00
Pete Zaitcev 00e94b73e1 Bump the token deferral message from info to debug
In Swift, we have a public access endpoint "/info", which
returns basics like version number, maximum object name length,
and such. When a user accesses it, the request travels the
pipeline, including authtoken, and since it has no valid token,
a message is logged. At some installations, monitoring agents
poll "/info" to see if Swift is up, and this floods the logs.

It would be best for us to dispose with this message altogether,
but I am concerned that operators of other services may find
this message useful. So, let's only mark it as a debug level.

Change-Id: I77abc3809a91e381b7650a9955046fe6d72a8089
2017-03-03 21:33:08 -07:00
Eric Brown 96dac98364 Use https for *.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I8521461203fe40e4576f4de7cfb500bd64027d6d
2017-02-05 20:36:42 -08:00
Janonymous f4d453ec30 use oslo.log instead of logging
The constants of log levels were added in the 1.8 version
of the oslo.log library.
So we can replace all usage of system logging module
with log module from oslo.log

Change-Id: I97a1d913b543dc9dbd4d228b04adbdf7ee320df5
2017-01-13 03:24:18 +00:00
Lucas Alvares Gomes 2092d57836 Auth token, set the correct charset
Explicitly set the charset to UTF-8 when replying with 401. It's now
required by webob.

A previous attempt to fix this problem was introduced as part of the
commit 20fb1dbe5a but this is only
compatible with the version 1.7.0 of WebOb, older versions will break.
See:
http://logs.openstack.org/05/371605/12/check/gate-ironic-python35-db/686bd86/console.html#_2017-01-03_11_10_11_760197

Change-Id: I30adc87882ce8bd2c18588161d5c60d77a56925e
Closes-Bug: #1653646
2017-01-03 12:14:04 +00:00
Kevin Benton dfd53e5551 Limit deprecated token message to single warning
The current behavior of a deprecation warning on every single
request is making the logs very difficult to scan for other
problems. One deprecation warning per run should be enough to
get the message across. This patch ensures only one warning per
lifetime of the middleware object.

Change-Id: I481a1b11305cc1c90edf7e26c686824c32fe781f
Closes-Bug: #1652929
2016-12-31 13:37:31 +00:00
Julien Danjou 20fb1dbe5a auth_token: set correct charset when replying with 401
The Content-Type header does not contain the charset used for the
message. It's now required by webob:

  File "/home/jenkins/workspace/gate-gnocchi-tox-db-py35-mysql-ubuntu-xenial/.tox/py35-mysql/lib/python3.5/site-packages/keystonemiddleware/auth_token/__init__.py", line 331, in __call__
    response = self.process_request(req)
  File "/home/jenkins/workspace/gate-gnocchi-tox-db-py35-mysql-ubuntu-xenial/.tox/py35-mysql/lib/python3.5/site-packages/keystonemiddleware/auth_token/__init__.py", line 650, in process_request
    content_type='application/json')
  File "/home/jenkins/workspace/gate-gnocchi-tox-db-py35-mysql-ubuntu-xenial/.tox/py35-mysql/lib/python3.5/site-packages/webob/exc.py", line 268, in __init__'
    **kw)
  File "/home/jenkins/workspace/gate-gnocchi-tox-db-py35-mysql-ubuntu-xenial/.tox/py35-mysql/lib/python3.5/site-packages/webob/response.py", line 310, in __init__'
    "You cannot set the body to a text value without a "
TypeError: You cannot set the body to a text value without a charset

Change-Id: Ia6c667c9afcba0811f51f3e50f34de05310d1433
2016-12-28 16:52:01 +01:00
Jenkins e0e9a0e204 Merge "Pass ?allow_expired" 2016-12-15 19:18:03 +00:00
Jamie Lennox 4c6282ff70 Pass ?allow_expired
When a service token is present we should bypass the expiry checks and
pass the allow_expired flag to the server. This will let the server
return expired tokens.

This has a very basic policy enforcement that is not backwards
compatible with the current (sensible) default. We will need to discuss
how we can make this work.

Implements bp: allow-expired
Change-Id: If3583ac08e33380f1c52ad50d7d5c74194393480
2016-12-15 16:15:35 +00:00
Steve Martinelli 1d930a281f clean up a few doc building warnings
Fixed two warnings:

  - keystonemiddleware/auth_token/__init__.py:docstring of
    keystonemiddleware.auth_token.BaseAuthProtocol.kwargs_to_fetch_token
    WARNING: Inline strong start-string without end-string.

  - keystonemiddleware/doc/source/api/modules.rst
    WARNING: document isn't included in any toctree

Change-Id: Iaec9adb228fe9131365ab1c15d4c85567921ccdd
2016-12-15 13:42:14 +00:00
Jenkins ac091e73c5 Merge "Add service token to user token plugin" 2016-10-20 07:40:09 +00:00
Jamie Lennox 6e545d2c0c Add service token to user token plugin
Include the X-Service-Token along with the X-Auth-Token for any requests
made with the user authentication plugin. This indicates that the
request came from another service rather than the user.

Implements: bp allow-expired
Change-Id: Ib8db4bcfc49c2598dcacdd1dd2222e78c2459af7
2016-10-11 16:03:26 +11:00
Jamie Lennox 9dc439185f Specify that unknown arguments can be passed to fetch_token
To allow flags to be added to fetch_token we need to ensure that any
implementations understand that new information can be passed via the
fetch_token function and that they should ignore this information if
they don't know how to handle it.

This just codifies this information for the equivalent keystone change.

Note that the default implementation of fetch_token in AuthProtocol has
not been updated as it should know of all flags that could be passed to
it.

Implements bp: allow-expired
Change-Id: I7312beb7cdd9527d959d6b7a94c6bfc6bf3c5952
2016-10-10 18:44:46 +11:00
Ji-Wei f2792d7d07 Raise NotImplementedError instead of NotImplemented
NotImplementedError is the name of the exception
(https://docs.python.org/2/library/exceptions.html).
NotImplemented is the name of a constant
(https://docs.python.org/2/library/constants.html).
This patch fixes it.

Change-Id: If0c220b8fc8480e5904400e9086935944bce728a
Closes-Bug: #1339855
2016-09-26 06:48:41 +00:00
ubuntu c43c8e4b7d Globalize authentication failure error
The authentication failure error during token
validation is currently not globalized. This
patch provides a fix for that.

Change-Id: If5ccdbfd2fc215e3d0013d45c8908344db20789e
Closes-Bug: 1614994
2016-08-24 06:27:45 -04:00
Jenkins 5947879e94 Merge "Use AccessInfo in UserAuthPlugin instead of custom" 2016-08-18 16:16:15 +00:00
Jamie Lennox d0716d25e4 Use AccessInfo in UserAuthPlugin instead of custom
The UserAuthPlugin in auth_token_middleware provided a sanitized view of
an AccessInfo object. This was required in keystoneclient time when it
would do things like default to the 'default' domain on v2 tokens which
was wrong and should not be exposed to other services.

This was one of the things that was cleaned up in the keystoneauth
transition and so there's really no further need to hide this from
services. It also meant every time we wanted to expose something
additional to a service we had to hack in a proxy property.

Remove the old _TokenData proxy and expose the keystoneauth AccessInfo
object to services.

Change-Id: I95a7a7a7ad59daf6cb623923de6c8a8533c4734a
2016-07-07 16:41:51 +10:00
Jamie Lennox 23711a5d05 Remove the _is_v2 and _is_v3 helpers
We've finally got to the point where tokens are abstracted to the point
where we don't actually need to test by content what version of token it
is. Rejoice and remove the helpers.

Change-Id: Ia968ea68a9731c2a8f6a120acf697b30a2fcef8b
2016-07-07 14:20:28 +10:00
Jamie Lennox 0562670d4e Pass X_IS_ADMIN_PROJECT header from auth_token
To do policy enforcement around admin projects we need for auth_token
middleware to pass this information down to context objects.

Closes-Bug: #1577996
Change-Id: Ic680e6eaa683926914cf4b2152ec3bb67c6601ff
2016-06-21 12:09:12 +10:00
Samuel de Medeiros Queiroz cc58b62f11 Move auth token opts calculation into auth_token
The list of all auth token opts is currently calculated in opts.py.
That module is included in auth_token/__init__.py, which in turn owns
some opts that are needed by the former.

This creates a circular import dependency.

In order to fix such situation, this patch proposes to move the auth
token opts calculation into auth_token/__init__.py, so that it will
no longer need opts.py.

Co-Authored-By: Alfredo Moralejo <amoralej@redhat.com>

Closes-Bug: #1591913
Change-Id: If67d8bdb68a5ab9c07b960ad0111e2310ad82c83
2016-06-13 14:03:23 -03:00
Jamie Lennox 5cabfc1db0 Consolidate user agent calculation
Move all the auth_token middleware user_agent calculation into config
and only expose the user_agent property.

Change-Id: Ia6833845262c4de87ef95079de24d264e06f54fc
2016-06-10 18:22:44 +00:00
Jamie Lennox f8c150a9cc Create a Config object
The _conf_get ugliness in auth_token middleware has been around for a
long time now to handle the abstraction from different oslo.config
options and the paste overrides. This logic is now also being needed in
other middlewares. Extract this into a common config object that has a
better interface and is easier to work with.

Change-Id: I8b8a1427bc527e43bb1baec25a881d93df3f93cc
2016-06-10 18:21:56 +00:00