Keystone WSGI hides environment vars
Bug #1241812 reported by
Adam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Wishlist
|
Adam Young |
Bug Description
THe _call_ operation on the wsgi app only copies selected values form the environment over to the context passed to the controllers. One value, REMOTE_USER, is used for external. However, X509 uses a different set of values. Other external mechanisms will et additional values as well.
Some modules perform lookups against a remote provider, or map over data from a remote provider (LDAP, SAML). Keystone will not necessarily have the configuration to requery these environments after the initial processing to get authorization attributes. The environment is the only way to pass on additional values, such a group assignments.
summary: |
- Keystone WSGI hides environement vars + Keystone WSGI hides environment vars |
Changed in keystone: | |
milestone: | none → icehouse-1 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-1 → 2014.1 |
To post a comment you must log in.
This seems like an appropriate and more flexible approach than outlining explicit variables to source from req.environment and constantly having to expand the list. These aren't settable by the requestor, so it should be safe to just make all of them available.