[openstack-dev] Keystone Apache2 Installation Question

Simo Sorce simo at redhat.com
Tue Oct 15 01:58:02 UTC 2013


On Mon, 2013-10-14 at 14:31 -0700, Fox, Kevin M wrote:
> Hi Adam,
> 
> I was trying to get both kerberos negotiate and kerberos basic auth working. Negotiate does not seem to be supported by any of the clients so I think it will be a fair amount of work to get working.
> 
> /keystone/main/v2.0/tokens can't support having an apache auth module on it, it seems, because it is overloaded to do too many things. After playing around with it, it looks like some services (like horizon) assume they can give it a token and get back a restricted token without doing basic auth/negotiate all the time. You can't put auth around it in apache and Require valid-user and still have it perform its other functions. The tokens endpoint needs to be able to be split out so that you can do something like /auth/<type>/tokens so you can put a different handler on each url and /tokens has all the rest of the functionality. I guess this will have to wait for Icehouse.
> 
> I also played around with basic auth as an alternative in the meantime to negotiate and ran into that same issue. It also requires changes to not just python-keystoneclient but a lot of the other python-*clients as well, and even then, horizon breaks as described above.
> 
> I found a workaround for basic auth though that is working quite nicely. I'm trying to get the patch through our legal department, but they are tripping over the contributor agreement. :/
> 
> The trick is, if you are using basic auth, you only support a username/password anyway and havana keystone is pluggable in its handling of username/passwords.
> 
> So, I'll just tell you the idea of the patch so you can work on reimplementing it if you'd like.
>  * I made a new file /usr/lib/python2.6/site-packages/keystone/identity/backends/basic_auth_sql.py
>  * I made a class Identity that inherits from the sql Identity class.
>  * I overrode the _check_password function.
>  * I took the username/password and base64 encoded it, then made an HTTP request with it to whatever HTTP basic auth service url you want to validate with. apache on localhost works great.
>  * Check the result for status 200. You can even fall back to the super class's _check_password to support both basic auth and sql passwords if you'd like.
> 
> The interesting bit about this configuration is keystone does not need to be embedded in apache to support apache basic auth, while still providing you most of the flexibility of apache basic auth plugins. The only thing that doesn't work is REMOTE_USER rewriting. Though you could probably add that feature in somehow using an HTTP response header or something.

If all you end up using is basic auth, what is the point of using
Kerberos at all?

Basic Auth should never be used with kerberos except in exceptional
cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
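
The workaround outlined in the quoted message, as an added Python 3 sketch that is not part of the thread and is not the patch it mentions. `SqlIdentityStandIn` is a hypothetical stand-in for Keystone's sql Identity class, the `_check_password(password, user_ref)` signature and the `auth_url` parameter are assumptions, and the checker fails closed on anything other than a direct 200.

```python
import base64
import hmac
import http.client
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # a 3xx becomes an HTTPError instead of being followed


# No redirects (a 302 to an open page must not count as success), no env proxies.
OPENER = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))


def check_basic_auth(url, username, password, timeout=5.0):
    """Return True only if `url` answers exactly 200 to these Basic credentials."""
    if ":" in username:  # Basic auth cannot represent a colon in the user-id
        return False
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token.decode("ascii")})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, http.client.HTTPException, OSError, ValueError):
        return False  # fail closed: 401, 3xx, timeout, refused, bad URL


class SqlIdentityStandIn:
    """Hypothetical stand-in for Keystone's sql Identity class (constructed data)."""

    def __init__(self, local_passwords):
        self.local_passwords = local_passwords  # {username: password}, demo only

    def _check_password(self, password, user_ref):
        stored = self.local_passwords.get(user_ref["name"], "")
        return bool(stored) and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))


class Identity(SqlIdentityStandIn):
    def __init__(self, local_passwords, auth_url):
        super().__init__(local_passwords)
        self.auth_url = auth_url  # assumed: an https:// or loopback-only URL

    def _check_password(self, password, user_ref):
        if check_basic_auth(self.auth_url, user_ref["name"], password):
            return True
        return super()._check_password(password, user_ref)  # SQL fallback
```

The password crosses the wire base64-encoded, not encrypted, so the validating URL should be loopback-only or HTTPS.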



