Remove admin_token_auth

The admin_token_auth filter in keystone paste poses a security issue; it was
deprecated in the M release and removed in the O release.  Operators
should be using ``keystone-manage bootstrap`` to bootstrap the "admin"
user.  This patch set removes the filter and its usage in the various
pipelines from the paste.ini file.

Implements: bp keystone-admin-token-disable
External-Tracking-Id: OSH-102

[0] https://blueprints.launchpad.net/openstack-helm/+spec/keystone-admin-token-disable

Change-Id: I5ae29cad4f7daa4bc8fa117b6f5ed998c2ec6cad
Tin Lam 2017-06-19 09:41:28 -05:00
parent 2cec7222f7
commit 57d7c852dd


@ -26,11 +26,6 @@ use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:admin_token_auth]
# This is deprecated in the M release and will be removed in the O release.
# Use `keystone-manage bootstrap` and remove this from the pipelines below.
use = egg:keystone#admin_token_auth
[filter:json_body]
use = egg:keystone#json_body
@ -71,17 +66,17 @@ use = egg:keystone#admin_service
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
[app:public_version_service]
use = egg:keystone#public_version_service
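Review bot: An `admin_token` value may still be rendered into keystone.conf by this chart, and nothing in this section shows it being removed together with the filter in `[pipeline:public_api]`, `[pipeline:admin_api]` and `[pipeline:api_v3]`. With the filter gone, a leftover token would presumably be an unused shared secret sitting in config, and any bootstrap or endpoint job that still authenticates with it would start failing, so both are worth checking in the same change. Since the `[filter:admin_token_auth]` section is deleted outright, an older pipeline override that still names the filter would no longer resolve. A short comment where the section was, such as `# admin_token_auth removed; create the admin user with keystone-manage bootstrap`, would tell operators why.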