[openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Fox, Kevin M kevin.fox at pnnl.gov
Tue Oct 29 15:52:50 UTC 2013


Has the case been considered where REMOTE_USER is used with authentication mechanisms where the username is an email address? It will have to keep the @domain part because that's the only thing that makes it unique.

Thanks,
Kevin
________________________________________
From: Álvaro López García [alvaro.lopez.garcia at cern.ch]
Sent: Tuesday, October 29, 2013 5:59 AM
To: OpenStack dev
Subject: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Hi there,

I've been working on this bug [1,2] related to the pluggable external
authentication support in Havana. For those not familiar with it,
Keystone can rely on the usage of the REMOTE_USER env variable, assuming
that the user has been authenticated upstream (by an httpd server). This
REMOTE_USER variable is supposed to store the username information that
Keystone is going to use.

In the Havana external authentication plugins, the REMOTE_USER variable
is *always* split by the "@" character, assuming that the @ is being
used as the domain separator (i.e. REMOTE_USER=username@domain).

Now there are two plugins available:

- ExternalDefault: Only the leftmost part of the REMOTE_USER after the
  split is considered. The domain information is obtained from the
  default domain configured in keystone.conf.

- ExternalDomain: The rightmost part is considered the domain, and the
  leftover is considered the username.

The change in [2] aims to solve this problem: ExternalDefault will not
split the username by an "@" since we are going to use the default
domain so we assume that no domain will be appended.

However, this will work only if we are using a WSGI filter that is aware
of the semantics: the filter should know if ExternalDefault is used so
that the domain information is not appended, but append it if
ExternalDomain is used. Moreover, if somebody is directly using the
REMOTE_USER variable from Apache without any WSGI filter (for example
using X509 auth with mod_ssl and the SSLUsername directive [3]) the
REMOTE_USER will contain only the username and no domain at all.

Does anybody have any concerns about this? Should we pass down the
domain information by any other means?

[1] https://bugs.launchpad.net/keystone/+bug/1211233
[2] https://review.openstack.org/#/c/50362/
[3] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
--
Álvaro López García                              aloga at ifca.unican.es
Instituto de Física de Cantabria         http://alvarolopez.github.io
Ed. Juan Jordá, Campus UC                      tel: (+34) 942 200 969
Avda. de los Castros s/n
39005 Santander (SPAIN)
_____________________________________________________________________
"Everyone knows that debugging is twice as hard as writing a program in
 the first place. So if you are as clever as you can be when you write it,
 how will you ever debug it?" -- Brian Kernighan

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
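The splitting behaviour the thread describes, modelled as an added Python example (this is not Keystone's own code; the function names and the DEFAULT_DOMAIN value are assumptions, and the sample REMOTE_USER values are constructed). It shows what Havana's ExternalDefault and ExternalDomain make of a bare mod_ssl username, of an email-address username like the one Kevin raises, and of a value to which a WSGI filter has appended a domain, next to the proposed no-split ExternalDefault.

```python
"""Model of how the Havana external auth plugins derive (username, domain)
from REMOTE_USER, as described in the thread.  Added illustration only:
function names and DEFAULT_DOMAIN are assumptions, not Keystone's code."""

DEFAULT_DOMAIN = "Default"  # stands in for identity.default_domain_id


def external_default_havana(remote_user):
    """Havana ExternalDefault: keep only the part left of the first "@";
    the domain always comes from keystone.conf's default domain."""
    username = remote_user.split("@")[0]
    return username, DEFAULT_DOMAIN


def external_default_proposed(remote_user):
    """ExternalDefault after the proposed change: no split at all, so an
    email-style username keeps the "@domain" part that makes it unique."""
    return remote_user, DEFAULT_DOMAIN


def external_domain(remote_user):
    """ExternalDomain: the part right of the last "@" is the domain, the
    remainder (which may itself contain "@") is the username."""
    if "@" not in remote_user:
        # Modelling choice: a bare username (e.g. mod_ssl SSLUsername with
        # no WSGI filter) carries no domain, so this plugin cannot resolve it.
        raise ValueError("ExternalDomain needs REMOTE_USER=username@domain")
    username, domain = remote_user.rsplit("@", 1)
    return username, domain


def resolve(remote_user, plugin):
    """Dispatch on an assumed plugin name (mirrors keystone.conf selection)."""
    handlers = {
        "ExternalDefault": external_default_havana,
        "ExternalDefault-proposed": external_default_proposed,
        "ExternalDomain": external_domain,
    }
    return handlers[plugin](remote_user)


if __name__ == "__main__":
    # Constructed sample values covering the cases discussed in the thread.
    for remote_user, plugin in [
        ("alice", "ExternalDefault"),                        # bare CN from mod_ssl
        ("kevin@mail.example", "ExternalDefault"),           # email: "@domain" lost
        ("kevin@mail.example", "ExternalDefault-proposed"),  # email kept whole
        ("kevin@mail.example", "ExternalDomain"),            # email taken as user@domain
        ("kevin@mail.example@Default", "ExternalDomain"),    # filter appended a domain
    ]:
        print(f"{plugin:25} {remote_user:28} -> {resolve(remote_user, plugin)}")
```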