[openstack-dev] [Keystone] How to check admin authentication?

Dolph Mathews dolph.mathews at gmail.com
Fri Feb 27 16:27:40 UTC 2015


On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur <dtantsur at redhat.com> wrote:

> Hi all!
>
> This (presumably) pretty basic question tortures me for several months
> already, so I kindly seek for help here.
>
> I'm working on a Flask-based service [1] and I'd like to use Keystone
> tokens for authentication. This is an admin-only API, so we need to check
> for an admin role. We ended up with code [2] first accessing Keystone with
> a given token and (configurable) admin tenant name, then checking 'admin'
> role. Things went well for a while.
>
> Now I'm writing an Ironic driver accessing API of [1]. Pretty naively I
> was trying to use an Ironic service user credentials, that we use for
> accessing all other services. For TripleO-based installations it's a user
> with name 'ironic' and a special tenant 'service'. Here is where problems
> are. Our code perfectly authenticates a mere user (that has tenant
> 'admin'), but asks Ironic to go away.
>
> We've spent some time researching documentation and keystone middleware
> source code, but didn't find any more clues. Neither did we find a way to
> use keystone middleware without rewriting half of project. What we need is
> 2 simple things in a simple Flask application:
> 1. validate a token
> 2. make sure it belongs to admin
>

I'm not really clear on what problem you're having, because I'm not sure if
you care about an "admin" username, "admin" tenant name, or "admin" role
name. If you're implementing RBAC, you only really need to care about the
user have an "admin" role in their list of roles.

You can wrap your flask application with a configured instance of
auth_token middleware; this is about the simplest way to do it, and this
also demos the environment variables exposed to your application that you
can use to validation authorization:


https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41


>
> I'll thankfully appreciate any ideas how to fix our situation.
> Thanks in advance!
>
> Dmitry.
>
> [1] https://github.com/stackforge/ironic-discoverd
> [2] https://github.com/stackforge/ironic-discoverd/blob/master/
> ironic_discoverd/utils.py#L50-L65
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150227/95f898d2/attachment.html>


More information about the OpenStack-dev mailing list