Disable Admin tokens set to None

Partial-Bug: 1545761

Change-Id: Ie292f447f2fe1357824b322817b1585c82d0c552
This commit is contained in:
Adam Young 2016-02-16 14:53:54 -05:00 committed by ayoung
parent a14d761387
commit 37e9d6bbf1
6 changed files with 34 additions and 5 deletions

View File

@ -46,10 +46,13 @@ _DEPRECATE_EP_MSG = ('The option to enable the OS-ENDPOINT-POLICY extension '
FILE_OPTIONS = {
None: [
cfg.StrOpt('admin_token', secret=True, default='ADMIN',
cfg.StrOpt('admin_token', secret=True, default=None,
help='A "shared secret" that can be used to bootstrap '
'Keystone. This "token" does not represent a user, '
'and carries no explicit authorization. To disable '
'and carries no explicit authorization. If set '
'to `None`, the value is ignored and the '
'`admin_token` log in mechanism is effectively '
'disabled. To completely disable `admin_token` '
'in production (highly recommended), remove '
'AdminTokenAuthMiddleware from your paste '
'application pipelines (for example, in '

View File

@ -69,7 +69,7 @@ class AdminTokenAuthMiddleware(wsgi.Middleware):
def process_request(self, request):
token = request.headers.get(AUTH_TOKEN_HEADER)
context = request.environ.get(CONTEXT_ENV, {})
context['is_admin'] = (token == CONF.admin_token)
context['is_admin'] = CONF.admin_token and (token == CONF.admin_token)
request.environ[CONTEXT_ENV] = context

View File

@ -114,8 +114,13 @@ class AdminTokenAuthMiddlewareTest(MiddlewareRequestTestBase):
MIDDLEWARE_CLASS = middleware.AdminTokenAuthMiddleware
def config_overrides(self):
super(AdminTokenAuthMiddlewareTest, self).config_overrides()
self.config_fixture.config(
admin_token='ADMIN')
def test_request_admin(self):
headers = {middleware.AUTH_TOKEN_HEADER: CONF.admin_token}
headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
req = self._do_middleware_request(headers=headers)
self.assertTrue(req.environ[middleware.CONTEXT_ENV]['is_admin'])

View File

@ -1330,6 +1330,11 @@ class VersionTestCase(RestfulTestCase):
class AuthContextMiddlewareAdminTokenTestCase(RestfulTestCase):
EXTENSION_TO_ADD = 'admin_token_auth'
def config_overrides(self):
super(AuthContextMiddlewareAdminTokenTestCase, self).config_overrides()
self.config_fixture.config(
admin_token='ADMIN')
# NOTE(morganfainberg): This is knowingly copied from below for simplicity
# during the deprecation cycle.
def _middleware_request(self, token, extra_environ=None):
@ -1364,7 +1369,7 @@ class AuthContextMiddlewareAdminTokenTestCase(RestfulTestCase):
# For backwards compatibility AuthContextMiddleware will check that the
# admin token (as configured in the CONF file) is present and not
# attempt to build the auth context. This is deprecated.
req = self._middleware_request(CONF.admin_token)
req = self._middleware_request('ADMIN')
auth_context = req.environ.get(authorization.AUTH_CONTEXT_ENV)
self.assertDictEqual({}, auth_context)
self.assertEqual(1, mock_report_deprecated.call_count)

View File

@ -36,6 +36,11 @@ CONF = cfg.CONF
class IdentityTestCaseStaticAdminToken(test_v3.RestfulTestCase):
EXTENSION_TO_ADD = 'admin_token_auth'
def config_overrides(self):
super(IdentityTestCaseStaticAdminToken, self).config_overrides()
self.config_fixture.config(
admin_token='ADMIN')
def test_list_users_with_static_admin_token_and_multiple_backends(self):
# domain-specific operations with the bootstrap ADMIN token is
# disallowed when domain-specific drivers are enabled

View File

@ -0,0 +1,11 @@
---
security:
- The admin_token method of authentication was never intended to be
used for any purpose other than bootstrapping an install. However
many deployments had to leave the admin_token method enabled due
to restrictions on editing the paste file used to configure the
web pipelines. To minimize the risk from this mechanism, the
`admin_token` configuration value now defaults to a python `None`
value. In addition, if the value is set to `None`, either explicitly or
implicitly, the `admin_token` will not be enabled, and an attempt to
use it will lead to a failed authentication.