[openstack-dev] [keystone] External authentication

Adam Young ayoung at redhat.com
Tue Oct 2 17:06:44 UTC 2012


On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
> On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
>> On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> [..]
>>>>> BTW, has anybody else been working on this already? Does this even sound like a
>>>>> feature worth adding?
>>
>> Yes, I have, but you are ahead of me.  Please post your patch.  It
>> is the right approach.
> I have just pushed the code to the "external-branch" in my github clone at:
> https://github.com/rhafer/keystone/tree/external-auth
>
> Feel free to review and comment. It still needs quite a bit of testing. But the
> basics seem to work for me. Currently, to use external authentication you need
> to POST something like this to the /tokens URL (as with username/password
> authentication the "tenantName" is optional):
>
>      {
>          "auth": {
>                  "external": "True",
>                  "tenantName": "test"
>          }
>      }

Good first take.  However, I would prefer to add an else block on:

  if auth is None:
      if 'REMOTE_USER' in context:
          # assume external request for unscoped token
          ...
  elif 'passwordCredentials' in auth:
      # UserID and Password passed explicitly here will trump REMOTE_USER
      ...
  elif 'token' in auth:
      ...
  else:
      if 'REMOTE_USER' in context:
          if 'tenantName' in auth:
              # allocate scoped token
              # not 100% sure I want to allow this, but that is a different discussion
              ...
          else:
              # assume external request for unscoped token
              # don't fail just because there is an auth block.
              ...

>
> Of course you need keystone to be backed by apache, and apache configured to do
> some kind of authentication (up to now I just tested with mod_auth_kerb).
> Additionally the ExternalAuthMiddleware needs to be added to keystone's service
> pipelines in keystone.conf

Fantastic.  Thanks for doing that.

>
> I didn't have time yet to implement anything on the client side. Up to now I
> just used curl for testing. E.g. this works to request a scoped token using
> kerberos authentication:
>
>      curl -u : --negotiate http://<keystone-server>:5000/v2.0/tokens \
>          -d '{"auth": {"external": "True", "tenantName": "test"}}' \
>          -H "Content-type: application/json"

Yeah, let's iron out the API before chasing the CLI.

Nice work.

>
> Feedback is very welcome. Regards,
>      Ralf
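An added illustration of the flow discussed in this thread (it is not code from Ralf's branch or from keystone itself): a small WSGI filter that copies the REMOTE_USER set by apache into the request context, and a selector that applies the precedence Adam proposes for a POST /tokens body. The context key "openstack.context", the function names and the sample principals are assumptions.

```python
import json


def external_auth_middleware(app):
    """Copy the web-server-set REMOTE_USER into the request context.

    Only environ['REMOTE_USER'] is trusted: it is written by the server
    (e.g. mod_auth_kerb after a successful negotiate). A client-sent
    'REMOTE_USER:' header lands in environ['HTTP_REMOTE_USER'] instead,
    so it cannot be used to impersonate an external login.
    """
    def wrapper(environ, start_response):
        context = environ.setdefault("openstack.context", {})  # assumed key
        if environ.get("REMOTE_USER"):
            context["REMOTE_USER"] = environ["REMOTE_USER"]
        return app(environ, start_response)
    return wrapper


def select_auth(context, body):
    """Return (method, principal, tenantName) for a /tokens request body.

    Precedence, as proposed above: explicit passwordCredentials beat
    REMOTE_USER, then a token, then external auth (scoped if tenantName
    is present, unscoped otherwise). Raises ValueError when nothing
    usable was supplied.
    """
    auth = body.get("auth") if body else None
    remote_user = context.get("REMOTE_USER")
    if auth is None:
        if remote_user:
            return ("external", remote_user, None)   # unscoped token
        raise ValueError("no credentials supplied")
    if "passwordCredentials" in auth:
        creds = auth["passwordCredentials"]
        return ("password", creds["username"], auth.get("tenantName"))
    if "token" in auth:
        return ("token", auth["token"]["id"], auth.get("tenantName"))
    if remote_user:
        # an auth block without credentials is not an error when the
        # server already authenticated the caller
        return ("external", remote_user, auth.get("tenantName"))
    raise ValueError("no credentials supplied")


# the body from the curl example above, as posted to /tokens (constructed)
EXTERNAL_BODY = json.loads('{"auth": {"external": "True", "tenantName": "test"}}')
```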