REMOTE_USER support should be more flexible in how domain is specified
Bug #1211233 reported by Henry Nash
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Wishlist | Dolph Mathews |
Bug Description
The Havana implementation of REMOTE_USER assumes that the domain is specified as part of the name (to the right of the @ character). While this is certainly one valid way of doing this and suitable for an Apache front-ended implementation, we should not assume that this is the only configuration (and indeed @ may be used for other purposes in the username). We should also support the regular processing of the auth request block which contains the domain (other front-ends may allow it to be passed through, e.g. a wsgi plugin). To guard against potential spoofing via front-ends that don't support passing a request block, we should have a config switch (default disabled) for this capability.
Changed in keystone:
  milestone: none → havana-3
  importance: Undecided → Medium
description: updated
description: updated
description: updated
description: updated
Changed in keystone:
  milestone: havana-3 → none
Changed in keystone:
  importance: Medium → Wishlist
Changed in keystone:
  assignee: Alvaro Lopez (aloga) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Dolph Mathews (dolph)
Changed in keystone:
  milestone: none → icehouse-2
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: icehouse-2 → 2014.1
(from IRC discussion)
This bug makes it difficult to properly use external authentication with usernames containing a "@" in Havana. For example, authentication based on X.509 certificates containing a "@" in their DNs (REMOTE_USER is set to the DN in these cases) will cause the username to be split at the "@", and the username will be wrong.
The solution of passing the domain via the request block will work for WSGI filters, but may fail in the case of Apache setting the REMOTE_USER variable (for example in X.509 auth [1]).
[1] http://docs.openstack.org/developer/keystone/external-auth.html#x-509-example
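The following is an added example, not keystone code from the bug or the project, illustrating both the bug description and the comment above: a Havana-style split of REMOTE_USER at "@" mangles a DN-shaped username, while a resolver that can take the domain from the auth request block (behind a config switch that defaults to off, so a front-end that cannot pass a request block gets the old behaviour and a request-supplied domain is ignored) keeps the full username intact. The split point (last "@"), the switch name `domain_from_request`, the request-block shape and the sample DN are all assumptions made for this example.

```python
# Added example, not keystone's own code. Contrasts the Havana-era
# behaviour described in the bug (domain taken from the right of '@')
# with a hypothetical resolver that can take the domain from the auth
# request block, gated by a config switch that defaults to disabled.

DEFAULT_DOMAIN = "Default"  # stands in for the configured default domain


def split_remote_user(remote_user):
    """Havana-style parse as the bug describes it.

    Everything right of the '@' is treated as the domain name; splitting at
    the *last* '@' is an assumption made for this example. A name with no
    '@' falls back to the default domain.
    """
    if "@" in remote_user:
        username, domain = remote_user.rsplit("@", 1)
        return username, domain
    return remote_user, DEFAULT_DOMAIN


def domain_from_auth_request(auth_request):
    """Pull a domain name out of a (hypothetical) v3-style auth block.

    The shape {"identity": {"external": {"domain": {"name": ...}}}} is an
    assumption for this example, not keystone's actual request format.
    """
    if not auth_request:
        return None
    return (auth_request.get("identity", {})
            .get("external", {})
            .get("domain", {})
            .get("name"))


def resolve_identity(remote_user, auth_request=None, domain_from_request=False):
    """Hypothetical resolver with the config switch the bug asks for.

    When `domain_from_request` is on and the front-end passed a request
    block carrying a domain, REMOTE_USER is taken verbatim as the username
    and the domain comes from the request. With the switch off (the
    default), a request-supplied domain is ignored, so a front-end that
    cannot pass a request block cannot be spoofed through one, and the old
    '@' split applies.
    """
    if domain_from_request:
        domain = domain_from_auth_request(auth_request)
        if domain:
            return remote_user, domain
    return split_remote_user(remote_user)


# Constructed sample inputs: a plain user@domain name and a DN-shaped
# REMOTE_USER such as Apache sets for X.509 client certificates.
SIMPLE_USER = "alice@corp"
DN_USER = "CN=alice@example.org,O=Example"
REQUEST_BLOCK = {
    "identity": {
        "methods": ["external"],
        "external": {"domain": {"name": "Default"}},
    }
}


def demo():
    """Return the outcomes for each input so they can be compared."""
    return {
        "simple_split": split_remote_user(SIMPLE_USER),
        "dn_split": split_remote_user(DN_USER),  # username truncated at '@'
        "dn_switch_off": resolve_identity(DN_USER, REQUEST_BLOCK),
        "dn_switch_on": resolve_identity(DN_USER, REQUEST_BLOCK,
                                         domain_from_request=True),
    }


if __name__ == "__main__":
    for label, (username, domain) in demo().items():
        print("%-14s username=%r domain=%r" % (label, username, domain))
```

Running it shows the DN case produce username `CN=alice` and domain `example.org,O=Example` under the split, which is the wrong username the comment describes, while with the switch enabled and a request block present the full DN is preserved and the domain is `Default`.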