[openstack-dev] [Keystone] How to check admin authentication?

Dmitry Tantsur divius.inside at gmail.com
Mon Mar 2 08:53:42 UTC 2015


2015-02-27 17:27 GMT+01:00 Dolph Mathews <dolph.mathews at gmail.com>:

>
> On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur <dtantsur at redhat.com>
> wrote:
>
>> Hi all!
>>
>> This (presumably) pretty basic question has been torturing me for several
>> months already, so I kindly seek help here.
>>
>> I'm working on a Flask-based service [1] and I'd like to use Keystone
>> tokens for authentication. This is an admin-only API, so we need to check
>> for an admin role. We ended up with code [2] first accessing Keystone with
>> a given token and (configurable) admin tenant name, then checking 'admin'
>> role. Things went well for a while.
>>
>> Now I'm writing an Ironic driver accessing the API of [1]. Pretty naively I
>> was trying to use the Ironic service user's credentials, which we use for
>> accessing all other services. For TripleO-based installations it's a user
>> with name 'ironic' and a special tenant 'service'. Here is where the problems
>> are. Our code perfectly authenticates a mere user (that has tenant
>> 'admin'), but asks Ironic to go away.
>>
>> We've spent some time researching documentation and keystone middleware
>> source code, but didn't find any more clues. Neither did we find a way to
>> use keystone middleware without rewriting half of the project. What we need
>> is 2 simple things in a simple Flask application:
>> 1. validate a token
>> 2. make sure it belongs to an admin
>>
>
> I'm not really clear on what problem you're having, because I'm not sure
> if you care about an "admin" username, "admin" tenant name, or "admin" role
> name. If you're implementing RBAC, you only really need to care about the
> user having an "admin" role in their list of roles.
>

Yeah, I guess that's what I need.


>
> You can wrap your flask application with a configured instance of
> auth_token middleware; this is about the simplest way to do it, and this
> also demos the environment variables exposed to your application that you
> can use to validate authorization:
>
>
> https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41
>

Thanks a lot, I will give it a try!


>
>
>>
>> I'll gratefully appreciate any ideas on how to fix our situation.
>> Thanks in advance!
>>
>> Dmitry.
>>
>> [1] https://github.com/stackforge/ironic-discoverd
>> [2] https://github.com/stackforge/ironic-discoverd/blob/master/ironic_discoverd/utils.py#L50-L65
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>


-- 
Dmitry Tantsur
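An added example of the approach Dolph describes, written here for this thread; it is not code from ironic-discoverd, keystone-deploy or keystonemiddleware. The token itself is validated by the auth_token middleware, which injects the result as request headers (X-Identity-Status, X-Roles, X-User-Name, X-Project-Name); the application then only has to make the RBAC decision on X-Roles and can ignore the tenant name entirely, which is exactly what lets the 'ironic' user in tenant 'service' through. Plain WSGI is used instead of Flask so the guard runs offline (a Flask app object is itself a WSGI callable and can be wrapped the same way); the environ dicts are constructed stand-ins for what auth_token would inject, and the conf keys named in build_keystone_app are assumed to match the auth_token options of the time.

```python
"""Admin-only guard for a WSGI/Flask app behind keystonemiddleware auth_token.

auth_token validates the token against Keystone and injects the result as
X-* request headers; the app then only needs an RBAC decision on X-Roles."""

ADMIN_ROLE = "admin"


def roles_from_environ(environ):
    """X-Roles is a comma-separated list injected by auth_token; return it as a set."""
    raw = environ.get("HTTP_X_ROLES", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def check_admin(environ, admin_role=ADMIN_ROLE):
    """RBAC decision on the injected headers; returns (http_status, reason).

    Only the role list is consulted. The project/tenant name ('admin' vs
    'service') is deliberately ignored, so a service user such as 'ironic'
    in tenant 'service' passes as long as it holds the admin role."""
    # With delay_auth_decision=True, auth_token forwards bad tokens with
    # X-Identity-Status: Invalid instead of rejecting them itself.
    if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
        return 401, "token missing or invalid"
    if admin_role not in roles_from_environ(environ):
        return 403, "role %r required" % admin_role
    return 200, "ok"


def admin_required(app, admin_role=ADMIN_ROLE):
    """Wrap a WSGI app (a Flask app object is one) so only admins reach it."""
    status_lines = {401: "401 Unauthorized", 403: "403 Forbidden"}

    def guarded(environ, start_response):
        status, reason = check_admin(environ, admin_role)
        if status != 200:
            body = reason.encode("utf-8")
            start_response(status_lines[status],
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)

    return guarded


def echo_app(environ, start_response):
    """Minimal protected app: echoes who auth_token says the caller is."""
    body = ("user=%s project=%s roles=%s" % (
        environ.get("HTTP_X_USER_NAME"),
        environ.get("HTTP_X_PROJECT_NAME"),
        environ.get("HTTP_X_ROLES"))).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, environ):
    """Drive a WSGI app in-process; returns (status line, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


def build_keystone_app(app, conf):
    """Deployed stack: auth_token (talks to Keystone) in front of the guard.

    Assumption: `conf` carries the auth_token options of the time, e.g.
    auth_uri, identity_uri, admin_user, admin_password, admin_tenant_name,
    delay_auth_decision. Needs a reachable Keystone, so not exercised offline."""
    from keystonemiddleware import auth_token
    return auth_token.AuthProtocol(admin_required(app), conf)


# Constructed environ dicts standing in for what auth_token would inject.
SERVICE_USER = {"HTTP_X_IDENTITY_STATUS": "Confirmed", "HTTP_X_USER_NAME": "ironic",
                "HTTP_X_PROJECT_NAME": "service", "HTTP_X_ROLES": "_member_,admin"}
PLAIN_USER = {"HTTP_X_IDENTITY_STATUS": "Confirmed", "HTTP_X_USER_NAME": "demo",
              "HTTP_X_PROJECT_NAME": "admin", "HTTP_X_ROLES": "_member_"}
BAD_TOKEN = {"HTTP_X_IDENTITY_STATUS": "Invalid"}

if __name__ == "__main__":
    for env in (SERVICE_USER, PLAIN_USER, BAD_TOKEN):
        print(run_request(admin_required(echo_app), env))
```

Note that the guard never reads the token or talks to Keystone itself; if it is ever deployed without auth_token in front, X-Roles is attacker-controlled, so the two must be wired together (as build_keystone_app does) rather than exposed separately.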