Re-enable and undeprecate admin_token_auth
Partial-Bug: 1545761 Partial-Bug: 1545789 Change-Id: I717b7bae146daaca086292c568b87a0f6aa7e1d9
This commit is contained in:
parent
406fbfaa26
commit
a14d761387
@ -54,17 +54,17 @@ use = egg:keystone#admin_service
|
||||
[pipeline:public_api]
|
||||
# The last item in this pipeline must be public_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service
|
||||
|
||||
[pipeline:admin_api]
|
||||
# The last item in this pipeline must be admin_service or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service
|
||||
|
||||
[pipeline:api_v3]
|
||||
# The last item in this pipeline must be service_v3 or an equivalent
|
||||
# application. It cannot be a filter.
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
|
||||
|
||||
[app:public_version_service]
|
||||
use = egg:keystone#public_version_service
|
||||
|
@ -14,12 +14,11 @@
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_log import versionutils
|
||||
from oslo_serialization import jsonutils
|
||||
|
||||
from keystone.common import wsgi
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone.i18n import _LW
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
@ -61,13 +60,11 @@ class AdminTokenAuthMiddleware(wsgi.Middleware):
|
||||
|
||||
def __init__(self, application):
|
||||
super(AdminTokenAuthMiddleware, self).__init__(application)
|
||||
msg = _("Remove admin_token_auth from the paste-ini file, the "
|
||||
"admin_token_auth middleware has been deprecated in favor of "
|
||||
"using keystone-manage bootstrap and real users after "
|
||||
"bootstrap process. Update the [pipeline:api_v3], "
|
||||
"[pipeline:admin_api], and [pipeline:public_api] sections "
|
||||
"accordingly, as it will be removed in the O release.")
|
||||
versionutils.report_deprecated_feature(LOG, msg)
|
||||
LOG.warning(_LW("The admin_token_auth middleware presents a security "
|
||||
"risk and should be removed from the "
|
||||
"[pipeline:api_v3], [pipeline:admin_api], and "
|
||||
"[pipeline:public_api] sections of your paste ini "
|
||||
"file."))
|
||||
|
||||
def process_request(self, request):
|
||||
token = request.headers.get(AUTH_TOKEN_HEADER)
|
||||
|
@ -1,12 +1,4 @@
|
||||
---
|
||||
upgrade:
|
||||
- >
|
||||
The ``keystone-paste.ini`` file must be updated to remove middleware filters
|
||||
and their use in ``[pipeline:api_v3]``, ``[pipeline:public_api]``,
|
||||
and ``[pipeline:admin_api]``. Remove ``[filter:admin_token_auth]``. See the
|
||||
sample `keystone-paste.ini
|
||||
<https://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini>`_
|
||||
file for guidance.
|
||||
deprecations:
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
@ -32,8 +24,3 @@ deprecations:
|
||||
As of the Mitaka release, the simple_cert_extension is deprecated since it
|
||||
is only used in support of the PKI and PKIz token formats. It will be
|
||||
removed in the 'O' release.
|
||||
- >
|
||||
[`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
|
||||
As of the Mitaka release, the use of ``admin_token_auth`` is deprecated in favor
|
||||
of using the ``keystone-manage bootstrap`` CLI. It will be removed in the
|
||||
'O' release.
|
||||
|
Loading…
Reference in New Issue
Block a user