From 57d7c852dddd54fede42018486fa341334660554 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Mon, 19 Jun 2017 09:41:28 -0500
Subject: [PATCH] Remove admin_token_auth

The admin_token_auth in keystone paste posts a security issue, and has been deprecated in the M release, and removed in O release. Operators should be using ``keystone-manage bootstrap`` to bootstrap the "admin" user. This patch set removes the filter and its usage in the various pipelines from the paste.ini file.
Implements: bp keystone-admin-token-disable
External-Tracking-Id: OSH-102
[0] https://blueprints.launchpad.net/openstack-helm/+spec/keystone-admin-token-disable
Change-Id: I5ae29cad4f7daa4bc8fa117b6f5ed998c2ec6cad
---
 keystone/templates/etc/_keystone-paste.ini.tpl | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/keystone/templates/etc/_keystone-paste.ini.tpl b/keystone/templates/etc/_keystone-paste.ini.tpl
index e24d09d11c..ebaf1b843e 100644
--- a/keystone/templates/etc/_keystone-paste.ini.tpl
+++ b/keystone/templates/etc/_keystone-paste.ini.tpl
@@ -26,11 +26,6 @@ use = egg:keystone#build_auth_context
 [filter:token_auth]
 use = egg:keystone#token_auth
-[filter:admin_token_auth]
-# This is deprecated in the M release and will be removed in the O release.
-# Use `keystone-manage bootstrap` and remove this from the pipelines below.
-use = egg:keystone#admin_token_auth
-
 [filter:json_body]
 use = egg:keystone#json_body
@@ -71,17 +66,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 [app:public_version_service]
 use = egg:keystone#public_version_service
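Review bot: With the `[filter:admin_token_auth]` section deleted, the template no longer carries any pointer to `keystone-manage bootstrap`, so nothing next to the three pipelines tells an operator who overrides them why `admin_token_auth` must stay out. I would add one comment ahead of `[pipeline:public_api]`, for example `# admin_token_auth is intentionally absent: bootstrap the admin user with keystone-manage bootstrap, not a shared token.` The diffstat shows only this file changing; if the chart's keystone.conf template or values still render an `admin_token` under `[DEFAULT]` (not visible here), that leftover secret should be dropped in the same change so it does not linger in rendered config.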