[openstack-dev] [keystone] External authentication

Dolph Mathews dolph.mathews at gmail.com
Thu Oct 25 14:09:41 UTC 2012


Would love to have your feedback on
https://review.openstack.org/#/c/14823/ (a redux of the review you just
linked).

-Dolph


On Thu, Oct 25, 2012 at 8:59 AM, Ralf Haferkamp <rhafer at suse.de> wrote:

> On Thu, Oct 25, 2012 at 03:47:42PM +0200, Ralf Haferkamp wrote:
> > On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
> > > On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
> > > >On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> > > >>On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> [..]
> > >
> > > Good first take.  However, I would prefer to add an else block on:
> > >
> > >  if auth is None:
> > >      if 'REMOTE_USER' in context:
> > >          # assume external request for unscoped token
> > >  if 'passwordCredentials' in auth:
> > >      # UserID and Password passed explicitly here will trump REMOTE_USER
> > >  elif 'token' in auth:
> > >      ...
> > >  else:
> > >      if 'REMOTE_USER' in context:
> > >          if 'tenantName' in auth:
> > >              # allocate scoped token
> > >              # not 100% sure I want to allow this, but that is a different discussion
> > >          else:
> > >              # assume external request for unscoped token
> > >              # don't fail just because there is an auth block.
> > I finally found some time to rework my code according to your suggestion. See
> > here again:
> > https://github.com/rhafer/keystone/tree/external-auth
> >
> > Currently the code will just allocate an unscoped token if no "auth" block is
> > present and REMOTE_USER is set. If the auth block is present and contains a
> > valid "tenantName" or "tenantId" a scoped token will be returned. I guess
> > that's what you intended, right?
> >
> > Also there seems to be some code duplication in the different code paths
> > (username/password auth vs. token auth). And I added more with external auth
> > support :(. I'll check if I can reduce that a bit.
> >
> Gah, I just saw that there is already a similar patch in review
> (https://review.openstack.org/#/c/14775/) currently. Must have overlooked
> that.
> So I guess I'd better look into that one. Sorry for the noise.
>
> --
> Ralf
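
Added example, not part of the original thread and not Keystone code: a small Python sketch of the decision order discussed above (explicit passwordCredentials or token first, then REMOTE_USER, unscoped unless tenantName or tenantId is given). The name decide_auth, its return tuple and the Unauthorized exception are assumptions made for illustration; `context` stands for the request environment populated by the front-end web server.

```python
"""Sketch of the token-request decision tree from this thread (hypothetical names)."""


class Unauthorized(Exception):
    """Raised when the request carries no usable identity at all."""


def _scope(auth):
    """Return ('tenantName' | 'tenantId', value) if the auth block asks for a scope."""
    for key in ("tenantName", "tenantId"):
        if auth.get(key):
            return (key, auth[key])
    return None  # no scope requested: unscoped token


def decide_auth(context, auth=None):
    """Return (method, identity, scope) for a token request.

    context -- request environment; REMOTE_USER is set there by the web
               server after it authenticated the caller (assumption).
    auth    -- the optional "auth" block of the request body.
    """
    auth = auth or {}

    # Credentials passed explicitly in the body trump REMOTE_USER.
    if "passwordCredentials" in auth:
        creds = auth["passwordCredentials"]
        return ("password", creds.get("username"), _scope(auth))
    if "token" in auth:
        return ("token", auth["token"].get("id"), _scope(auth))

    # No explicit credentials: fall back to the externally authenticated
    # user. An empty REMOTE_USER is treated the same as an absent one.
    remote_user = context.get("REMOTE_USER")
    if remote_user:
        # Do not fail just because an auth block is present; it only
        # decides between a scoped and an unscoped token.
        return ("external", remote_user, _scope(auth))

    raise Unauthorized("no credentials in request and REMOTE_USER not set")
```

The identity returned for the "external" method is only as trustworthy as the component that sets REMOTE_USER, so the value must come from the server environment and never from a client-supplied header.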