Enhance security of discovery server
1) Discovery utility to require admin keystone credentials to perform any actions such as load-balance, set admin state etc.

2) Discovery server to authenticate load-balance and API to update publisher state (admin, operational) by requiring token and validating it against keystone.

3) To prevent unauthorized publish or subscribe requests from affecting discovery server state (and assuming such requests are coming through a load-balancer such as ha-proxy), discovery server to apply configured publish and subscribe white-lists to incoming IP addresses as obtained from X-Forwarded-For header. Load-Balancer must be enabled to forward client's real IP address in X-Forwarded-For header to discovery servers.

The whitelist configuration in contrail-discovery.conf looks like this:

white_list_publish=127.0.0.1 10.84.20.0/24
white_list_subscribe=127.0.0.1 10.84.20.0/24

RHS is a list of IP prefixes separated by white space. If X-Forwarded-For header is missing in incoming publish or subscribe request, white list configuration is ignored.

Change-Id: If2bbe1d90ec93f0cf9f29ba8c7e768a6888de41b
Partial-Bug: #1546801
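The whitelist rule described in the commit message, written out as an added example (this is not code from the commit or from the Contrail project): parse the whitespace-separated prefix lists from contrail-discovery.conf, take the client address from X-Forwarded-For, and decide whether a publish or subscribe request is allowed. The sample configuration values are the ones quoted in the commit message; the sample header values are constructed. Two choices are assumptions of this example rather than statements from the page: the client address is taken to be the first entry in X-Forwarded-For (the position a load balancer configured as the commit requires would fill), and a header that is present but unparseable is rejected rather than ignored.

```python
import ipaddress

# Constructed sample of the two contrail-discovery.conf keys quoted in the
# commit message; both RHS values are whitespace-separated IP prefixes.
SAMPLE_CONF = {
    'white_list_publish': '127.0.0.1 10.84.20.0/24',
    'white_list_subscribe': '127.0.0.1 10.84.20.0/24',
}


def parse_white_list(value):
    """Turn '127.0.0.1 10.84.20.0/24' into a list of ip_network objects.

    A bare address becomes a host route (/32 or /128), so a single IP in the
    list matches only itself.  An empty or missing value yields [] which the
    caller treats as 'no whitelist configured'.
    """
    if not value:
        return []
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def client_ip_from_xff(header_value):
    """Extract the client address from an X-Forwarded-For value.

    Assumption (this example's, not the page's): the load balancer puts the
    real client address first, so the leftmost entry is used.  Returns None
    when the header is absent or empty, and raises ValueError when the entry
    is not an IP address.
    """
    if header_value is None or not header_value.strip():
        return None
    first = header_value.split(',')[0].strip()
    return ipaddress.ip_address(first)


def request_allowed(xff_header, white_list):
    """Apply the commit's policy to one incoming publish/subscribe request.

    - no whitelist configured            -> allowed
    - X-Forwarded-For header missing     -> whitelist ignored, allowed (per the commit message)
    - header present, address in a prefix -> allowed
    - header present, address outside    -> denied
    - header present but not parseable   -> denied (fail closed; this example's choice)
    """
    if not white_list:
        return True
    try:
        ip = client_ip_from_xff(xff_header)
    except ValueError:
        return False
    if ip is None:
        return True
    return any(ip in net for net in white_list)


def check_publish(xff_header, conf=SAMPLE_CONF):
    return request_allowed(xff_header, parse_white_list(conf.get('white_list_publish')))


def check_subscribe(xff_header, conf=SAMPLE_CONF):
    return request_allowed(xff_header, parse_white_list(conf.get('white_list_subscribe')))


if __name__ == '__main__':
    # Constructed header values exercising each branch of the policy.
    for hdr in ['10.84.20.7', '10.84.21.7, 192.0.2.1', None, 'not-an-ip']:
        print(repr(hdr), '->', 'allow' if check_publish(hdr) else 'deny')
```

The "header missing means the whitelist is ignored" branch is the one a deployer should keep in mind: the filter only restricts clients whose requests arrive through a load balancer that sets X-Forwarded-For, so a discovery server that is reachable directly is not protected by this configuration alone.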
Deepinder Setia committed Feb 24, 2016
1 parent 70a3afe, commit 1f508c3
Showing 9 changed files with 363 additions and 70 deletions.
@@ -0,0 +1,40 @@ | ||
# | ||
# Copyright (c) 2013 Juniper Networks, Inc. All rights reserved. | ||
# | ||
# | ||
# authentication/authorization functionality for discovery server | ||
# | ||
|
||
try: | ||
from keystoneclient.middleware import auth_token | ||
except ImportError: | ||
from keystonemiddleware import auth_token | ||
except Exception: | ||
pass | ||
|
||
class AuthServiceKeystone(object): | ||
|
||
def __init__(self, conf): | ||
self._conf_info = conf | ||
# end __init__ | ||
|
||
# gets called from keystone middleware after token check | ||
def token_valid(self, env, start_response): | ||
status = env.get('HTTP_X_IDENTITY_STATUS') | ||
return True if status != 'Invalid' else False | ||
|
||
def validate_user_token(self, request): | ||
# following config forces keystone middleware to always return the result | ||
# back in HTTP_X_IDENTITY_STATUS env variable | ||
conf_info = self._conf_info.copy() | ||
conf_info['delay_auth_decision'] = True | ||
|
||
auth_middleware = auth_token.AuthProtocol(self.token_valid, conf_info) | ||
return auth_middleware(request.headers.environ, None) | ||
|
||
def is_admin(self, request): | ||
if not self.validate_user_token(request): | ||
return False | ||
roles = request.headers.environ.get('HTTP_X_ROLE', '').split(",") | ||
return 'admin' in [x.lower() for x in roles] | ||
# end class AuthServiceKeystone |
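Review bot: `token_valid` fails open. The line `return True if status != 'Invalid' else False` returns True whenever `HTTP_X_IDENTITY_STATUS` is absent from the environ (for example if the keystone middleware did not run or raised before setting it), and `is_admin` then trusts whatever `HTTP_X_ROLE` is present. Check for the positive result instead, `return status == 'Confirmed'`, which is the value the middleware sets on a validated token. Related: the `except Exception: pass` after the two imports leaves the name `auth_token` undefined when neither package is importable, so the failure surfaces later as a `NameError` inside `validate_user_token` rather than at startup; drop that clause, or record the failure in a flag that `validate_user_token` checks and treats as an invalid token.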
@@ -15,3 +15,4 @@ vnc_api | |
discoveryclient | ||
sandesh | ||
sandesh-common | ||
keystonemiddleware |
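Review bot: the dependency declared here is `keystonemiddleware`, but the new auth module imports `keystoneclient.middleware.auth_token` first and only falls back to `keystonemiddleware.auth_token`. The import order should match the declared requirement: try `keystonemiddleware` first and keep the older `keystoneclient.middleware` path as the fallback, so that the package this file installs is the one actually used.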