[openstack-dev] [keystone] External authentication

Ralf Haferkamp rhafer at suse.de
Thu Oct 25 13:59:18 UTC 2012


On Thu, Oct 25, 2012 at 03:47:42PM +0200, Ralf Haferkamp wrote:
> On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
> > On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
> > >On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> > >>On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
[..]
> > 
> > Good first take.  However, I would prefer to add an else block on:
> > 
> >  if auth is None:
> >   if 'REMOTE_USER' in context:
> >      #assume external request for unscoped token
> >   if 'passwordCredentials' in auth:
> >     #UserID and Password passed explicitly here will trump REMOTE_USER
> >   elif 'token' in auth:
> >     ...
> >   else:
> >      if 'REMOTE_USER' in context:
> >         if 'tenantName' in auth:
> >            # allocate scoped token
> >            #not 100% sure I want to allow this, but that is a different discussion
> >         else:
> >            #assume external request for unscoped token
> >            #don't fail just because there is an auth block.
> I finally found some time to rework my code according to your suggestion. See
> here again:
> https://github.com/rhafer/keystone/tree/external-auth
> 
> Currently the code will just allocate an unscoped token if no "auth" block is
> present and REMOTE_USER is set. If the auth block is present and contains a
> valid "tenantName" or "tenantId" a scoped token will be returned. I guess
> that's what you intended, right?
> 
> Also there seems to be some code duplication in the different code paths
> (username/password auth vs. token auth). And I added more with external auth
> support :(. I'll check if I can reduce that a bit.
> 
Gah, I just saw that there is already a similar patch in review
(https://review.openstack.org/#/c/14775/) currently. Must have overlooked that.
So I guess I'd better look into that one. Sorry for the noise.

-- 
Ralf
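
Added example (not part of the original message and not the code in the linked branch): a runnable sketch of the decision tree discussed in this thread, covering both the missing "auth" block and the scoped/unscoped split. The names decide, Decision and Unauthorized are hypothetical; context is assumed to be a plain dict into which the front-end web server puts REMOTE_USER, and scoping password and token requests by tenant is likewise an assumption.

```python
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    method: str            # "password", "token" or "external"
    scope: Optional[str]   # tenant name/id for a scoped token, None for unscoped


class Unauthorized(Exception):
    pass


def _scope(auth):
    # A scoped token is requested by naming a tenant in the auth block.
    return auth.get("tenantName") or auth.get("tenantId")


def decide(context, auth=None):
    """Pick the authentication path for one token request.

    context: per-request dict; REMOTE_USER is assumed to be placed there by
             the front-end web server after it authenticated the caller.
    auth:    the request's "auth" block, or None when it is absent.
    """
    remote_user = context.get("REMOTE_USER")
    if auth is None:
        if remote_user:
            return Decision("external", None)      # unscoped token
        raise Unauthorized("no auth block and no REMOTE_USER")
    if "passwordCredentials" in auth:
        # Explicit user id and password trump REMOTE_USER.
        return Decision("password", _scope(auth))
    if "token" in auth:
        return Decision("token", _scope(auth))
    if remote_user:
        # An auth block without credentials does not fail the request;
        # it only decides between a scoped and an unscoped token.
        return Decision("external", _scope(auth))
    raise Unauthorized("no credentials in auth block and no REMOTE_USER")
```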


