[openstack-dev] [keystone] External authentication

Adam Young ayoung at redhat.com
Thu Nov 14 18:05:03 UTC 2013

On 11/14/2013 10:52 AM, Álvaro López García wrote:
> Hi all,
> During the review of [1] I had a look at the tests that are related
> with external authentication (i.e. the usage of REMOTE_USER) in
> Keystone and I realised that there is a bunch of them that are setting
> "external" as one of the authentication methods. However, in
> keystone.auth.controllers there is an explicit call to the "external"
> methods whenever REMOTE_USER is set [2].
> Should we call the external authentication only when "external" is set
> (i.e. in [3]) regardless of the REMOTE_USER presence in the context?
I'd like to.  We made a decision to make the user explicitly enable 
External authentication in the config, but there is no reason that it 
would have to extend to the request body itself.
In theory we could do token creation request with no Body at all, the 
same way we do role assignments:

To create a project scoped token
PUT /auth/tokens/domain/<domid>/project<projectid>

And to create a domain token
PUT /auth/tokens/domain/<domid>

Would work very well with Basic-Auth or other External formats. Then the 
Body would only have to contain any mitigating factors, like a shorter 
expiry or reduced set of roles.

More information about the OpenStack-dev mailing list