[openstack-dev] [keystone] External authentication

Ralf Haferkamp rhafer at suse.de
Thu Oct 25 13:47:42 UTC 2012


On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
> On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
> >On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> >>On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> >[..]
> >>>>>BTW, has anybody else been working on this already? Does this even sound like a
> >>>>>feature worth adding?
> >>
> >>Yes, I have, but you are ahead of me.  Please post your patch.  It
> >>is the right approach.
> >I have just pushed the code to the "external-branch" in my github clone at:
> >https://github.com/rhafer/keystone/tree/external-auth
> >
> >Feel free to review and comment. It still needs quite a bit of testing. But the
> >basics seem to work for me. Currently, to use external authentication you need
> >to POST something like this to the /tokens URL (as with username/password
> >authentication the "tenantName" is optional):
> >
> >     {
> >         "auth": {
> >                 "external": "True",
> >                 "tenantName": "test"
> >         }
> >     }
> 
> Good first take.  However, I would prefer to add an else block on:
> 
>     if auth is None:
>         if 'REMOTE_USER' in context:
>             # assume external request for unscoped token
>     elif 'passwordCredentials' in auth:
>         # UserID and Password passed explicitly here will trump REMOTE_USER
>     elif 'token' in auth:
>         ...
>     else:
>         if 'REMOTE_USER' in context:
>             if 'tenantName' in auth:
>                 # allocate scoped token
>                 # not 100% sure I want to allow this, but that is a different discussion
>             else:
>                 # assume external request for unscoped token
>                 # don't fail just because there is an auth block.
I finally found some time to rework my code according to your suggestion. See
here again:
https://github.com/rhafer/keystone/tree/external-auth

Currently the code will just allocate an unscoped token if no "auth" block is
present and REMOTE_USER is set. If the auth block is present and contains a
valid "tenantName" or "tenantId" a scoped token will be returned. I guess
that's what you intended, right?

Also there seems to be some code duplication in the different code paths
(username/password auth vs. token auth). And I added more with external auth
support :(. I'll check if I can reduce that a bit.

-- 
Ralf
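The dispatch order discussed in this thread (explicit password or token credentials trump REMOTE_USER; an auth block without credentials falls back to REMOTE_USER, scoped if a tenant is named, unscoped otherwise), modelled as a small Python function. This is an added example, not code from Ralf's branch or from Keystone; `AuthMode`, `Unauthorized` and `route_auth` are assumed names, and `context` stands in for the server-side WSGI environ in which the front-end authenticator sets REMOTE_USER.

```python
from enum import Enum


class AuthMode(Enum):
    PASSWORD = "password"              # userId/password in the auth block
    TOKEN = "token"                    # rescoping an existing token
    EXTERNAL_SCOPED = "external-scoped"
    EXTERNAL_UNSCOPED = "external-unscoped"


class Unauthorized(Exception):
    """Raised when neither credentials nor REMOTE_USER are available."""


def route_auth(auth, context):
    """Return (mode, user, tenant) for a POST /tokens request.

    `auth` is the parsed "auth" block of the request body (None when the
    block is absent).  `context` is the server-side environ: REMOTE_USER is
    only trustworthy here because the web server sets it after its own
    authentication, never from a client-supplied header.
    """
    remote_user = context.get("REMOTE_USER")

    if auth is None:
        # No auth block at all: only an externally authenticated user proceeds.
        if remote_user:
            return AuthMode.EXTERNAL_UNSCOPED, remote_user, None
        raise Unauthorized("no credentials supplied")

    if "passwordCredentials" in auth:
        # Explicit credentials trump REMOTE_USER.
        creds = auth["passwordCredentials"]
        return AuthMode.PASSWORD, creds["username"], auth.get("tenantName")

    if "token" in auth:
        return AuthMode.TOKEN, None, auth.get("tenantName")

    # No explicit credentials: fall back to the externally authenticated user.
    if not remote_user:
        raise Unauthorized("no credentials and no REMOTE_USER")

    tenant = auth.get("tenantName") or auth.get("tenantId")
    if tenant:
        return AuthMode.EXTERNAL_SCOPED, remote_user, tenant
    # Don't fail just because an auth block (e.g. {"external": "True"}) exists.
    return AuthMode.EXTERNAL_UNSCOPED, remote_user, None
```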


