Reviewed: https://review.openstack.org/331374 Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=0562670d4e56c257aec8db5a2bb651b5e59fddb2 Submitter: Jenkins Branch: master
commit 0562670d4e56c257aec8db5a2bb651b5e59fddb2 Author: Jamie Lennox <[email protected]> Date: Sat Jun 18 09:14:26 2016 +1000 Pass X_IS_ADMIN_PROJECT header from auth_token To do policy enforcement around admin projects we need for auth_token middleware to pass this information down to context objects. Closes-Bug: #1577996 Change-Id: Ic680e6eaa683926914cf4b2152ec3bb67c6601ff ** Changed in: keystonemiddleware Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1577996 Title: Unable to distinguish between not is_admin_project and feature not enabled Status in OpenStack Identity (keystone): Fix Released Status in keystoneauth: Fix Released Status in keystonemiddleware: Fix Released Status in oslo.context: New Status in oslo.policy: New Bug description: The is_admin_project flag is used in a token to indicate that the current token is scoped to a project that is indicated as the admin project. Currently this is only added to the token when the admin_project is True and nothing added when False. From a policy perspective we need to write policy files that are backwards compatible, however we cannot determine the difference in policy between is_admin_project == False and the admin project not being set from config because both result in no flag being set in the token. If we were to enforce is_admin_project == True on a deployment that did not use it this would completely break backwards compatibility as the is_admin_project check would never pass. To fix this we need to make is_admin_project a required field of a token at least when the admin project is set. Because the current default is that every project can be the admin project, the default value of is_admin_project must be True. For deployments that do not configure an admin project we can either set is_admin_project=True for every project, or we can exclude the field from the token. I think exclude makes sense because the check from a policy perspective is going to have to default to True for backwards compatibility and you can then tell from a token whether the admin_project concept is in use (i'm not sure if this is an information leakage problem - please comment on preference). To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1577996/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
