Authentication middleware

To secure the authentication middleware:

  • Do not use a custom WSGI authentication middleware as it may bring additional security risks due to improper implementation.

  • Remove the admin_token middleware. This WSGI middleware effectively bypasses identification and authentication, so its use leaves no traceability or accountability. It is intended exclusively for bootstrapping the Identity service before any user accounts exist; that is useful for a SQL-based identity deployment, but not necessarily for a read-only LDAP deployment.

To mitigate the risk of the admin_token middleware, disable it and move to a domain-based approach for security management:

  1. Create a new domain for cloud management purposes: cloud_admin_domain.

  2. Assign the admin role to an appropriate user.

  3. Update the Identity policy.json file to match the newly created domain.

    Replace:

    "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],

    with:

    "cloud_admin": [["rule:admin_required", "domain_id:<cloud_admin_domain_id>"]],

  4. Remove admin_token from /etc/keystone/keystone.conf.

  5. Remove the admin_token auth middleware from /etc/keystone/keystone-paste.ini:

    [filter:admin_token_auth]
    paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
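The file edits in steps 3 to 5, plus a check that the middleware is really gone, as an added example that is not part of the original guide. Steps 1 and 2 are done with the openstack CLI (`openstack domain create cloud_admin_domain`, then `openstack role add --domain cloud_admin_domain --user <user> admin`, with `openstack domain show -f value -c id cloud_admin_domain` giving the id for step 3). The three file contents below are constructed, shortened stand-ins for policy.json, keystone.conf and keystone-paste.ini; the function names and the placeholder domain id are this example's own. The example goes one step beyond the guide's text: it also removes `admin_token_auth` from any `pipeline =` line, because paste.deploy refuses to start if a pipeline still names a filter whose section has been deleted.

```python
"""Apply steps 3-5 of the admin_token hardening procedure to copies of the
Keystone files and audit the result. Sample contents are constructed; the
real files live under /etc/keystone."""
import json
import re

# Constructed sample inputs (not real deployment files).
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin",
    "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
})
SAMPLE_KEYSTONE_CONF = """[DEFAULT]
# shared secret that bypasses authentication entirely
admin_token = CONSTRUCTED_SAMPLE_TOKEN
log_dir = /var/log/keystone

[database]
connection = sqlite:///keystone.db
"""
SAMPLE_PASTE_INI = """[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[pipeline:api_v3]
pipeline = admin_token_auth json_body service_v3
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def update_cloud_admin_rule(policy_text, domain_id):
    """Step 3: bind the cloud_admin rule to the new management domain."""
    policy = json.loads(policy_text)
    policy["cloud_admin"] = [["rule:admin_required", "domain_id:" + domain_id]]
    return json.dumps(policy, indent=2)


def cloud_admin_domain_id(policy_text):
    """Return the domain_id the cloud_admin rule is bound to, or None."""
    rule = json.loads(policy_text).get("cloud_admin") or [[]]
    for term in rule[0]:
        if term.startswith("domain_id:"):
            return term.split(":", 1)[1]
    return None


def strip_admin_token(conf_text):
    """Step 4: drop admin_token from [DEFAULT]; comments and other options
    are preserved verbatim (a configparser round-trip would lose them)."""
    kept, section = [], None
    for line in conf_text.splitlines(keepends=True):
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
        elif section in (None, "DEFAULT") and re.match(r"^\s*admin_token\s*=", line):
            continue
        kept.append(line)
    return "".join(kept)


def remove_admin_token_filter(paste_text):
    """Step 5: delete the [filter:admin_token_auth] section and unreference
    the filter in every pipeline so paste.deploy can still load the file."""
    kept, skipping = [], False
    for line in paste_text.splitlines(keepends=True):
        match = SECTION_RE.match(line)
        if match:
            skipping = match.group(1) == "filter:admin_token_auth"
        if skipping:
            continue
        if re.match(r"^\s*pipeline\s*=", line):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != "admin_token_auth"]
            line = key.rstrip() + " = " + " ".join(filters) + "\n"
        kept.append(line)
    return "".join(kept)


def audit_admin_token(conf_text, paste_text):
    """Report where the bypass is still wired in. 'enabled' means the filter
    is defined and at least one pipeline still loads it; whether a token
    value is set is reported separately because the guide removes both."""
    token_set = any(re.match(r"^\s*admin_token\s*=\s*\S", l)
                    for l in conf_text.splitlines())
    filter_defined = "[filter:admin_token_auth]" in paste_text
    pipeline_refs = [
        line.strip() for line in paste_text.splitlines()
        if re.match(r"^\s*pipeline\s*=", line)
        and "admin_token_auth" in line.split("=", 1)[1].split()]
    return {"token_set": token_set, "filter_defined": filter_defined,
            "pipeline_refs": pipeline_refs,
            "enabled": filter_defined and bool(pipeline_refs)}


if __name__ == "__main__":
    # Placeholder id: substitute the real cloud_admin_domain id in production.
    print(update_cloud_admin_rule(SAMPLE_POLICY, "CLOUD_ADMIN_DOMAIN_ID_PLACEHOLDER"))
    print(audit_admin_token(SAMPLE_KEYSTONE_CONF, SAMPLE_PASTE_INI))
    print(audit_admin_token(strip_admin_token(SAMPLE_KEYSTONE_CONF),
                            remove_admin_token_filter(SAMPLE_PASTE_INI)))
```

Run the audit function against the live files after a Keystone restart as well: a configuration-management tool that re-renders keystone-paste.ini from a template can silently put the filter back.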