The original intention was to allow heat to orchestrate
on any requested cloud when allowed_auth_uris is configured
with an empty list.
This change makes all requests be validated against
allowed_auth_uris for the following reasons:
- there is a potential security issue with requests
being authorised by a fake keystone, allowing an exploit in
heat to be executed without any valid authentication factors
first being presented.
- ec2token middleware will also need to be made multi-cloud aware;
however, as a compatible API, it is not possible to specify the desired
auth_uri with each request. Instead ec2token will need a list of
configured endpoints so that it can try each one until a request
is authenticated.
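
The two points above, as an added sketch that is not part of this commit or of heat's code: a requested auth_uri is accepted only on an exact canonical match with a configured entry, and an ec2-style request is tried against each configured endpoint in turn. It assumes an empty list allows nothing; the function names, the `check` callable and the example.test endpoints are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(uri):
    """Reduce a URI to (scheme, host, port, path), or None if unusable."""
    try:
        parts = urlsplit((uri or "").strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Userinfo, query and fragment have no place in a Keystone endpoint and
    # can disguise the real host, so refuse them outright.
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme],
            parts.path.rstrip("/"))


def is_allowed(requested, allowed_auth_uris):
    """True only on an exact canonical match; an empty list allows nothing."""
    wanted = canonical(requested)
    allowed = {canonical(u) for u in allowed_auth_uris} - {None}
    return wanted is not None and wanted in allowed


def authenticate_ec2(request, allowed_auth_uris, check):
    """Try each configured endpoint in order; return the one that accepts.

    `check(uri, request)` is a hypothetical callable standing in for the
    call that asks one Keystone endpoint to verify the signed request.
    """
    for uri in allowed_auth_uris:
        if check(uri, request):
            return uri
    return None


# Constructed sample configuration (assumed values, not from the commit).
ALLOWED = ["https://keystone-a.example.test:5000/v3",
           "https://keystone-b.example.test/v3"]
```

Comparing canonical tuples rather than raw strings or prefixes is what keeps a lookalike host or a userinfo-disguised URL from passing as a configured endpoint.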