middleware ignores "delay_auth_decision" from keystone

Bug #1253074 reported by Graham Hayes
This bug affects 1 person
Affects   | Status       | Importance | Assigned to  | Milestone
Designate | Fix Released | Medium     | Graham Hayes |
Havana    | Fix Released | Medium     | Graham Hayes |
Icehouse  | Fix Released | Medium     | Graham Hayes |

Bug Description

If keystone has delay_auth_decision enabled, it sends an HTTP header to show that a key is invalid.

Designate does not check for this header, and allows the key to be used.

Changed in designate:
milestone: none → icehouse-1
Kiall Mac Innes (kiall)
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/57439

OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (master)

Reviewed: https://review.openstack.org/57434
Committed: http://github.com/stackforge/designate/commit/a993ea93dcff69c392e62f77ccb428e5be1c7b8d
Submitter: Jenkins
Branch: master

commit a993ea93dcff69c392e62f77ccb428e5be1c7b8d
Author: Graham Hayes <email address hidden>
Date: Wed Nov 20 12:51:18 2013 +0000

    Added a check for HTTP_X_IDENTITY_STATUS

    If keystone is configured to run in 'delay_auth_decision' mode it will
    pass the token, along with the HTTP header X-Identity-Status set to
    'Invalid'. This checks for this, and returns a 401

    Closes-Bug: #1253074

    Change-Id: Ia531f73f98418594f867f3c2849865c26b13e18d

Changed in designate:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (stable/havana)

Reviewed: https://review.openstack.org/57439
Committed: http://github.com/stackforge/designate/commit/fa9e9a1d53bb14b1438dce78dcc9019a09dd8c2c
Submitter: Jenkins
Branch: stable/havana

commit fa9e9a1d53bb14b1438dce78dcc9019a09dd8c2c
Author: Graham Hayes <email address hidden>
Date: Wed Nov 20 12:51:18 2013 +0000

    Added a check for HTTP_X_IDENTITY_STATUS

    If keystone is configured to run in 'delay_auth_decision' mode it will
    pass the token, along with the HTTP header X-Identity-Status set to
    'Invalid'. This checks for this, and returns a 401

    Change-Id: Ib57ccd1f40ecca0f05197f1b4677eb3e3cd24969
    Closes-Bug: #1253074
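
The check described in the commit messages above, sketched as WSGI middleware. This is an added example, not Designate's code: the class and helper names are hypothetical and the request is constructed. It goes one step beyond the commit message by failing closed, so a missing header is rejected as well as 'Invalid'; 'Confirmed' is the value keystone's auth_token middleware sets for a validated token.

```python
# Added illustration; class and helper names are hypothetical, not Designate's code.
from wsgiref.util import setup_testing_defaults


def protected_app(environ, start_response):
    """Stand-in for the API that sits behind the auth pipeline."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"zone data"]


class TrustingContext:
    """Before the fix: builds a request context without looking at the
    verdict that auth_token left in the WSGI environ."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ["context.user"] = environ.get("HTTP_X_USER_ID")
        return self.app(environ, start_response)


class CheckedContext(TrustingContext):
    """After the fix: return 401 unless the token was confirmed."""

    def __call__(self, environ, start_response):
        # In delay_auth_decision mode auth_token forwards the request even
        # when validation failed, so the verdict must be enforced here.
        if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"Authentication required"]
        return super().__call__(environ, start_response)


def status_for(app, identity_status):
    """Send `app` a constructed request as auth_token would forward it and
    return the HTTP status line the app answered with."""
    environ = {}
    setup_testing_defaults(environ)
    if identity_status is not None:
        environ["HTTP_X_IDENTITY_STATUS"] = identity_status
    seen = []
    body = app(environ, lambda status, headers: seen.append(status))
    list(body)  # drain the response iterable
    return seen[0]
```
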
