To secure the authentication middleware:

admin_token middleware. This WSGI middleware effectively bypasses identification and authentication: there is no traceability or accountability in its use. It is exclusively intended for bootstrapping the Identity service before any user accounts exist, and is useful for a SQL-based identity deployment but not necessarily against a read-only LDAP deployment. To mitigate the risk of the admin_token middleware, disable it and move to a domain-based approach for security management:

1. Create a new domain for cloud management purposes: cloud_admin_domain.

2. Assign the admin role to an appropriate user.

3. Update the Identity policy.json file to match the newly created domain. Replace:

   "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],

   with:

   "cloud_admin": [["rule:admin_required", "domain_id:<cloud_admin_domain_id>"]],

   where <cloud_admin_domain_id> is the ID of the domain created in step 1.

4. Remove admin_token from /etc/keystone/keystone.conf.

5. Remove the admin_token auth middleware from /etc/keystone/keystone-paste.ini:

   [filter:admin_token_auth]
   paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
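A post-change check for steps 4 and 5, added here as an example and not part of the guide: it reports whether admin_token is still set in keystone.conf and whether the admin_token_auth filter is still defined in, or still named on a pipeline line of, keystone-paste.ini. The file paths are passed as arguments; the embedded sample files are constructed for offline use.

```shell
#!/bin/sh
# Added audit check (not from the OpenStack guide): report whether the admin_token
# bootstrap path is still enabled in keystone.conf and keystone-paste.ini.

# Returns 0 when keystone.conf still has an active (uncommented) admin_token setting.
conf_has_admin_token() {
    grep -Eq '^[[:space:]]*admin_token[[:space:]]*=' "$1"
}

# Returns 0 when keystone-paste.ini still defines the admin_token_auth filter
# or still lists it on any "pipeline = ..." line.
paste_has_admin_token_auth() {
    grep -Eq '^\[filter:admin_token_auth]' "$1" ||
    grep -Eq '^[[:space:]]*pipeline[[:space:]]*=.*(=|[[:space:]])admin_token_auth([[:space:]]|$)' "$1"
}

# Prints a verdict per file; returns 0 only when both files are clean.
audit_admin_token() {
    conf=$1; paste=$2; rc=0
    if conf_has_admin_token "$conf"; then
        echo "FAIL: admin_token still set in $conf"; rc=1
    fi
    if paste_has_admin_token_auth "$paste"; then
        echo "FAIL: admin_token_auth filter or pipeline entry still in $paste"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: admin_token bootstrap path is disabled"; fi
    return "$rc"
}

# Constructed sample files (not from a real deployment) so the checks run offline;
# prints the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    printf '[DEFAULT]\nadmin_token = CONSTRUCTED_BOOTSTRAP_TOKEN\n' > "$dir/bootstrap.conf"
    printf '[DEFAULT]\n# admin_token = disabled after bootstrap\n' > "$dir/clean.conf"
    printf '[filter:admin_token_auth]\n' > "$dir/bootstrap-paste.ini"
    printf 'paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory\n' >> "$dir/bootstrap-paste.ini"
    printf '[pipeline:public_api]\npipeline = sizelimit token_auth admin_token_auth json_body public_service\n' >> "$dir/bootstrap-paste.ini"
    printf '[pipeline:public_api]\npipeline = sizelimit token_auth json_body public_service\n' > "$dir/clean-paste.ini"
    echo "$dir"
}

# Usage: sh audit_admin_token.sh /etc/keystone/keystone.conf /etc/keystone/keystone-paste.ini
if [ "$#" -eq 2 ]; then
    audit_admin_token "$1" "$2"
fi
```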