Keystone WSGI hides environment vars

Bug #1241812 reported by Adam Young
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Adam Young

Bug Description

The _call_ operation on the wsgi app only copies selected values from the environment over to the context passed to the controllers. One value, REMOTE_USER, is used for external. However, X509 uses a different set of values. Other external mechanisms will set additional values as well.

Some modules perform lookups against a remote provider, or map over data from a remote provider (LDAP, SAML). Keystone will not necessarily have the configuration to requery these environments after the initial processing to get authorization attributes. The environment is the only way to pass on additional values, such as group assignments.

Morgan Fainberg (mdrnstm) wrote :

This seems like an appropriate and more flexible approach than outlining explicit variables to source from req.environment and constantly having to expand the list. These aren't settable by the requestor, so it should be safe to just make all of them available.

Adam Young (ayoung)
summary: - Keystone WSGI hides environement vars
+ Keystone WSGI hides environment vars
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/52732

Changed in keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/52732
Committed: http://github.com/openstack/keystone/commit/923b90ef8c35fa0298e2d280e9b47d1889d6c972
Submitter: Jenkins
Branch: master

commit 923b90ef8c35fa0298e2d280e9b47d1889d6c972
Author: Adam Young <email address hidden>
Date: Fri Oct 18 21:40:37 2013 -0400

    Add WSGI environment to context

    The environment dictionary contains an unspecified set of variables
    that contain information about the authentication and authorization
    processes. Not all of the values are known ahead of time. The
    two values for Kerberos (REMOTE_USER, AUTH_TYPE) are a subset.

    Instead of making the WSGI layer know about a growing superset of
    authentication attributes, the context contains a link to the wsgi
    environment. The environment is removed from the request dictionary
    to prevent circular references and potential GC issues.

    Fixed tests to set environment in the context. While this
    changed many tests, the alternative was to make the check
    for the environment optional in the controllers. This is not a
    realistic way to test. If context['environment'] is missing, a test
    will trigger a key_error.

    Closes-Bug: #1241812

    Change-Id: I234677547204e9ddc0ab33db3e6aa8b7d959a01a

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-1 → 2014.1
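
Added example (not Keystone's code and not taken from the commit): a minimal WSGI app that hands the whole environment to the controller through context['environment'], as the commit message describes. The function names, the sample values and the mod_ssl-style SSL_CLIENT_S_DN key are assumptions. Because the environment also carries HTTP_* keys copied from request headers, the controller here reads only keys set by the web server.

```python
from wsgiref.util import setup_testing_defaults

# Keys a web server auth module sets itself (assumed deployment: Kerberos
# via REMOTE_USER/AUTH_TYPE, client certificates via mod_ssl SSL_CLIENT_*).
SERVER_SET_KEYS = ('REMOTE_USER', 'AUTH_TYPE')
SERVER_SET_PREFIXES = ('SSL_CLIENT_',)

def build_context(environ):
    """Build the controller context with a link to the WSGI environment."""
    return {
        'path': environ.get('PATH_INFO', ''),
        'query_string': environ.get('QUERY_STRING', ''),
        'environment': environ,  # the whole dict, not a fixed list of keys
    }

def external_identity(context):
    """Return identity attributes placed in the environment by the server."""
    env = context['environment']  # KeyError if the context lacks it
    attrs = {}
    for key, value in env.items():
        # HTTP_* entries are built from request headers, so the client
        # chooses their values; never treat them as authentication results.
        if key.startswith('HTTP_'):
            continue
        if key in SERVER_SET_KEYS or key.startswith(SERVER_SET_PREFIXES):
            attrs[key] = value
    return attrs

def app(environ, start_response):
    """WSGI entry point: 200 only when the server authenticated a user."""
    attrs = external_identity(build_context(environ))
    status = '200 OK' if 'REMOTE_USER' in attrs else '401 Unauthorized'
    body = repr(sorted(attrs.items())).encode('utf-8')
    start_response(status, [('Content-Type', 'text/plain'),
                            ('Content-Length', str(len(body)))])
    return [body]

def sample_environ(authenticated=True):
    """Constructed environment, as a server might pass it to the app."""
    environ = {}
    setup_testing_defaults(environ)
    environ['HTTP_REMOTE_USER'] = 'admin'  # from a "Remote-User:" header
    if authenticated:
        environ.update({'REMOTE_USER': 'alice', 'AUTH_TYPE': 'Negotiate',
                        'SSL_CLIENT_S_DN': 'CN=alice,O=Example'})
    return environ
```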